‘Sensitive’ to EU Concerns Over Privacy Shield – USA

1

The White House is “working diligently” to appoint a permanent privacy referee at the State Department to keep in place a trans-Atlantic data transfer pact, a U.S. official said.

The U.S. is making progress toward permanently filling that role as promised, James M. Sullivan, deputy assistant secretary for services at the U.S. Department of Commerce, told reporters on a Dec. 20 call.

Below is a full rush transcript of the press conference by JAMES M. SULLIVAN , Deputy Assistant Secretary for Services at International Trade Administration, U.S. Department of Commerce.

DAS Sullivan: I’m the Deputy Assistant Secretary for Services in the International Trade Administration at the U.S. Commerce Department. Among other things I oversee the office and the team that administers the Privacy Shield Program. So on behalf of the Department and the International Trade Administration, I do appreciate this opportunity to discuss the successful and what we regard as a very positive second annual review of the EU-U.S. Privacy Shield.

As everyone already knows very well, yesterday the European Commission issued its report on that review and made very clear we think the Privacy Shield is a success and that it’s working well, and that U.S.-EU collaboration over the last year has really further enhanced the functioning of the Privacy Shield Program.

My boss, Secretary of Commerce Wilbur Ross, very much welcomed the report. He’s very proud of our work together to support Privacy Shield and advance the transatlantic economic relationship. Both he and we are extremely mindful that the Privacy Shield supports the cross-border information flows that allows both our citizens and our businesses to connect and that play such an increasingly critical role in our society and economy today.

With that said, I am going to give a very brief overview of the Commission’s report and the review and then I’m more than happy to take your questions.

Privacy Shield has now finished its second year and it really owes its continued success to the work of several stakeholders — the U.S. government and the European Union. In October at the Review we had more than 50 senior U.S. government officials from across our interagency and they joined representatives from the European Commission and the European Data Protection Board in Brussels for the review. Again, Secretary Ross was there with European Commissioner for Justice Věra Jourová. They opened the review together, alongside the Chairman of our Federal Trade Commission, Joseph Simons and the Chair of the European Data Protection Board Andrea Jelinek. Their opening remarks were then followed by two very intense days of detailed discussions that covered both the commercial aspects and the national security related elements of the Privacy Shield framework.

The review itself really focused on the functioning, the implementation, the administration, supervision and enforcement of the Privacy Shield Program. I think both sides agree that it afforded a very useful opportunity to discuss how the program and the framework are actually functioning in practice.

Just to elaborate a bit on the U.S. delegation and the 50 or so officials we had in Brussels. It includes senior officials of course from the Department of Commerce, from the State Department, the Justice Department, our office, the Director of National Intelligence, the Privacy and Civil Liberties Oversight Board commonly referred to as the PCLOB, the Federal Trade Commission which is our enforcement agency on these issues, and the Department of Transportation as well.

In the report, I think the Commission acknowledge extensively the very significant work that’s been undertaken by the U.S. government over the last year or so to enhance privacy and elaborated on the roles of each of these agencies. I think the report did a good job of describing how the program, Privacy Shield Program, has benefited from these efforts, in particular by the Commerce Department to enhance oversight and compliance of the program, to expand our education and outreach efforts on the framework so that stakeholders, companies, organizations and individuals really understand what Privacy Shield is. And our efforts, as well, to engage with our EU partners to address the recommendations generated out of the first annual review last year.

The report was very welcoming of the FTC’s enforcement efforts. There were eight Privacy Shield enforcement cases that were touched on, and I think they lauded the FTC’s proactive efforts to monitor compliance of Privacy Shield as well.

The report touched as well on the participation at the review of the Privacy Shield on this person, Manisha Singh at the State Department. And then finally, the report acknowledged the transparency efforts and initiatives undertaken by our intelligence community including the Privacy Enhancing Amendments to the Foreign Intelligence Surveillance Act, commonly known as FISA; the administration’s affirmation that PPD 28, Presidential Policy Directive 28 does still apply to non-U.S. citizens; the fact that the PCLOB, the Privacy and Civil Liberties Oversight Board has been restored to a quorum status and that they have publicly released their report on PPD 28; as well as several other U.S. legal developments that tend to bolster privacy and data protection measures.

So I think all in all the Commission’s report really does echo Secretary Ross’ comments at the review, but also in his OpEd a few days prior to the review that was in The Financial Times, the bottom line of which is Privacy Shield works.

To wrap up I just want to share a couple of quick figures. Since Privacy Shield started operating in August of 2016 over 4200 companies have now made legally enforceable commitments to comply with the principles in the Privacy Shield framework. And these companies, I do want to be clear, and organizations, are not just large multinationals. They range from startups and small businesses to Global 1000 and Fortune 500 enterprises in every sector. Again, we’re not just talking about the tech sector or large platforms. We’re talking about companies in the manufacturing sector, in the agricultural sector, in retail. And I want to note that the majority of Privacy Shield participants are in fact small and medium-sized enterprises. I think that’s a fact that’s often overlooked.

So because of the certification of the Privacy Shield Program, those companies that do participate get to receive personal data from the EU and then use that data for a variety of purposes ranging from increasing efficiencies and productivity to using data to fuel technological advances, reforms of social interaction, economic growth, and a number of other things.

Again, I’m getting a little long-winded so I’ll conclude by saying we were very gratified that this year’s review facilitated yet another productive dialogue with our partners in the European Union and we look forward to continuing to work together and support Privacy Shield.

Question: I’ve heard some complaints from companies and from other attorneys on a backlog on recertifications. What may be causing that? And what steps should be taken to address that? A quick second question is: do you have any comments on Facebook’s Privacy Shield certification, given all the issues and international investigations going on into the company?

DAS Sullivan: Let me start at a high level and I’m going to address what I can on your questions. We are fortunate to be joined by our Privacy Shield team lead, Caitlin Fennessy who can probably go into some greater detail on the administrative aspects as she manages the team that oversees the day-to-day administration of the program.

But in terms of, I want to emphasize and make clear that with GDPR’s implementation of the General Data Protection Regulation in May of this year there was, again, I’m sure everyone on this call knows very well, a lot of media attention on data protection and privacy issues, particularly in Europe. This generated a significant increase in the number of applicants for self-certification to the Privacy Shield program. In response to that we have beefed up our team. I do want to make clear that one of the first things I did when I came on board was create a separate Privacy Shield team, again, which Caitlin Fennessy now heads. And we have expanded that team to make sure that we’re doing everything we need to do to comply with the terms of the framework.

DAS Sullivan: Mr. Stoller, I guess the second part of your question regarding Facebook, again, you’re well aware, the Federal Trade Commission has initiated a non-public investigation into Facebook’s privacy practices and they made clear in their announcement that the FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers, and foremost among these tools is enforcement actions against companies that fail to honor their privacy promises including as they pertain to Privacy Shield.

I alluded earlier to Secretary Ross’ OpEd, and I’ll just say we can’t get into much more detail on the Facebook situation since there is an ongoing investigation. And again, it’s FTC policy that those are not public, sharing details at this stage. But as Secretary Ross made clear in his OpEd and as the framework terms state, if there are participants that are persistently failing to comply with the promises they have made and the pledges they have made pursuant to the framework, then the Commerce Department will remove them from the program.

Question: Will the U.S. government be able to nominate a permanent ombudsman by the end of February following yesterday’s call by the European Commission? If not, what steps do you expect the EU to take in line with GDPR rules?

DAS Sullivan: Let me start at a high level. Obviously, the Privacy Shield ombudsperson was a central element, is a central element of the framework when it was negotiated. It’s one of many redress mechanisms that were added sort of to 2.0, building on Safe Harbor. And we discussed the ombudsperson at length at the annual review and how it functions. We also talked in great detail about the President’s recent decision to name a senior State Department official who was politically appointed, unanimously confirmed by the Senate, to serve as ombudsperson. Both sides, I want to make that clear, recognized the need for prompt progress on nominating what we see consistently characterized in Europe as a “permanent” Under Secretary. That’s a misnomer from our perspective. I do want to make clear that any acting official in the federal government is fully empowered. There is no distinction in terms of what they can or cannot do in terms of their roles and responsibilities. But that process of naming a new Under Secretary of State for Economic Growth, Energy, and the Environment is well underway. We are in close contact with the EU on this matter. We are very mindful of how important it is to our partners in the EU.

Again, I want to make clear that consistent with the President’s direction, I guess it was last fall, Assistant Secretary of State Manisha Singh who again has been unanimously confirmed by the Senate in late 2017, was designated to serve as the ombudsperson. She was at the review. She was an active participant. And she elaborated, along with several colleagues from the State Department on how the ombudsperson mechanism works.

So until a new Under Secretary is confirmed, she will have, again, the same authority to carry out the functions of the ombudsperson as her predecessor, Ambassador Judith Garber had as former Under Secretary in the last administration, Catherine Novelli had previously.

I do want to reiterate again in the United States this concept of a “permanent” official, no one, none of these individuals I just listed is “permanent” per se, and anyone serving as an ombudsperson including Manisha Singh currently, including Ambassador Garber previously and Catherine Novelli will always be independent, experienced and empowered exactly in accordance with the terms of the framework.

So again, the process to nominate and appoint an Under Secretary of State to serve as ombudsperson is underway, but that office, that resource, it’s fully staffed, it’s been up and running for two years, and to date no complaints have been received.

Question: The European Commission announced yesterday that 100 companies have been checked, 21 had issues that have now been solved. Can you elaborate on what are the most common issues, and what are the measures taken for them?

DAS Sullivan: I appreciate that question. Again, since we are joined by two members of our Privacy Shield team, they can probably give a more technically detailed answer than I, so I’m going to turn it over, if I could, to one of our key team members, Rochelle Osei-Tutu: Essentially in regards to that question that pertains to the procedures that we’ve implemented in year two of the program to make sure that organizations who are certified are continuing to fulfill the self-certification requirements over the life cycle of their certification.

In order to do that effectively, we have started to conduct random spot checks where we select participants to verify that you know, the points of contact that are responsible for handling complaints or access requests or other issues arising under Privacy Shield are in fact available to address those concerns or inquiries.

We also make sure that an organization’s public facing web site includes the privacy policy and that it is in fact accessible.

Another thing we check is to make sure that within the privacy policy that it meets all of the self — continues to meet all of the self-certification requirements. And finally, we also checked to make sure that those organizations that are selected are still in fact registered with the independent recourse mechanism, that they’ve identified when they certified to be able to address escalated complaints.

So in regards to the companies that we have checked, of course, based on those elements, we reach out to them if something’s missing or if they in some way changed their policy of if it’s no longer, the link to the web site is no longer accessible. So those are some examples of the things that we’ve identified.

And I think part of the benefit of this process is to show that we’re still in contact with the organizations that are participating and in doing so we remind them of what they committed themselves to do, and we want to make sure that the information they provide is in fact correct and up to date until they’re due to re-certify a year later.

Question: If the U.S. is worried at all that Commissioner Jourová’s team will pull the Privacy Shield as she said in the past that she might do? How worried is the United States about the legal uncertainty that thousands of companies who signed up to the Shield could be thrown into yet again if that happens?

DAS Sullivan: Thank you for that question. We are always mindful of the uncertainty that can be generated from time to time around Privacy Shield. Again, we’re at the Commerce Department so one of our priorities is to try to do our utmost to avoid that kind of uncertainty for businesses and other stakeholders. There are some challenges to Privacy Shield. There are some legal challenges. We obviously have faced some political challenges.

As I said earlier on the ombudsperson, we’ve had extensive discussions over the last year and in the previous year, I might add, about the ombudsperson situation. Again, we have not had any complaints submitted to date, but we have had many, many close conversations, meetings, discussions about the ombudsperson. And after the first annual review which took place in the fall of 2017, we took the additional step, and I say we, the U.S. government, specifically the State Department, of publishing a Privacy Shield ombudsperson mechanism, unclassified implementation procedures, so that should really make it as clear as possible to stakeholders and others how the mechanism works.

So we are working very diligently, the White House is working very diligently on nominating someone for the Under Secretary position. I think I’m very confident that this issue should be resolved in short order. Again, we’d like to put this particular issue behind us since, again, we’re sensitive to EU concerns about this, but at the end of the day that resource, the ombudsperson mechanism, has been fully resourced for two years. And it is ready to go. Everything is in place to process any requests that have been referred by EU individuals about U.S. government access to their data.

So it is there, it’s functioning. I am not terribly concerned that this will continue to drag on.

DAS Sullivan: Just again, that we are very gratified with the outcome of the second annual review. I think we’ve built on a lot of great progress over the last two years, and certainly I do want to recognize the Privacy Shield team here at the Commerce Department. We have some very talented individuals, some of whom were instrumental in negotiating the framework and worked on its predecessor, Safe Harbor. So we have a very deep bench here when it comes to privacy issues and cross-border data flows and data protection.

We are continuing to work very closely and developed strong relationships over the last two years with our counterparts in the EU. And we do want to relay, on that last point that we just talked about, the critical importance of certainty for stakeholders. We have thousands of companies and other organizations that now rely on this mechanism for transatlantic data transfers. And as I alluded to there are some legal challenges out there that could inject some additional uncertainty.

So we are working very diligently to do what we can to avoid that kind of uncertainty and make sure that the thousands of companies and the hundreds of thousands of employees and the nearly 1.1 trillion dollars in transatlantic trade continue to benefit from Privacy Shield.

Again, thank you all for joining us this afternoon.

One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *