The EU and US divide on privacy protection: Part 2

In my last post, I spoke about the fundamental differences between the EU General Data Protection Regulation (GDPR) and the EU-US Privacy Shield. The US has a different view on data privacy and therein lies the challenge.
US laws do not align with the EU GDPR

The pertinent law is Section 702 of the Foreign Intelligence Surveillance Act (FISA) (50 U.S. Code § 1881a), which allows the US government – namely the NSA – to surveil foreigners outside of the US, regardless of whether they are suspected of a crime or have a connection to terrorism. Unlimited surveillance of EU residents would violate just about every principle and article of the GDPR.

In theory, the actions of the NSA are limited by a form of Executive Order called a Presidential Policy Directive. On January 17, 2014, President Obama signed Policy Directive/PPD-28 concerning Signals Intelligence Activities. This order imposed many restrictions on NSA powers to collect information, similar to those found in the GDPR.

Section 702 will expire at the end of the year; however, given the composition and political makeup of the US Congress, it will almost certainly be extended. Policy Directive/PPD-28 was signed by President Obama and still exists, but can be disposed of – in whole or in part – at any time by President Trump, who has shown a proclivity for reversing his predecessor’s policies.

But the extension of Section 702 and the further existence of Policy Directive/PPD-28 are both speculative. What is real is President Trump’s January 25, 2017 Executive Order. Sec. 14 states that the federal agencies must “ensure that their privacy policies exclude persons who are not United States resident’s or lawful permanent residents’ from the protections of the Privacy Act regarding personally identifiable information.” Although this only extends to federal agencies – arguably the Privacy Act never extended to non-US residents – its intent was clear and was enough to raise the hackles in Brussels. In theory, EU residents can sue the Federal government, but only in US federal courts.

In March 2017, the US Congress voted to overturn a rule promulgated by the Federal Communications Commission (FCC) that prevented US Internet service providers (ISPs) from selling a customer’s private browsing history. Although it is doubtful that US companies handling EU residents’ information would route that information through the network or DNS of a US-based ISP, the callous disregard for even the most basic of privacy rights by the US Congress has not made European governments happy about supporting the Privacy Shield.

Why Europe is still not satisfied with the Privacy Shield

In March 2017, European Commissioner Věra Jourová, who negotiated the Privacy Shield, visited the US. US Commerce Secretary Wilbur Ross assured her that he understands the importance of the EU-US Privacy Shield and its tasks – commitments that are under the Privacy Shield in place for the state administration. She tried to sooth European Parliament members by saying that US officials promised her “there are no changes foreseen” to the Directive, known as Presidential Policy Directive 28, or PPD 28.

But they weren’t soothed. The European Parliament’s Civil Liberties, Justice, and Home Affairs Committee (LIBE Committee) and its Chairman, Claude Moraes, narrowly voted in favor of a resolution declaring the Privacy Shield inadequate. Parliament agreed, with 76% of its members affirming the LIBE Committee’s resolution. The MEPs have requested that the European Commission conducts a robust periodic review of its decision that Privacy Shield protection is adequate.

The first review, which started in June 2017, is not going well. As part of the process, Chairman Moraes visited Washington, DC at the end of July 2017 to discuss the Privacy Shield. He wasn’t happy and said, “Deficiencies still remain and must be urgently resolved to ensure that the Privacy Shield does not suffer from critical weaknesses.” The problem is that Americans have been unable to solve even the simplest of the four objections: the appointment of the US ombudsperson.

The position of ombudsperson is presently held by Judith G. Garber, but only in an acting capacity. The agency tasked with enforcing the Privacy Shield, the Federal Trade Commission’s Privacy and Civil Liberties Oversight Board, currently lacks four of its five commissioners.

Anyone vaguely familiar with the present dysfunction of the executive and legislative branches of the US government might have grave doubts about its ability to do just about anything, let alone deal with European concerns about this important issue.

The conclusions from the European review are due to be released later this year, perhaps as early as September. Even Commissioner Jourová has admitted that, “If we are faced with any developments that could negatively affect the level of protection afforded under the Privacy Shield, the Commission will take responsibility and use all available mechanisms, be it review, suspension, revocation, repeal to promptly react.”

US companies need to prepare to meet the GDPR requirements now

Since compliance with the GDPR takes substantially longer than compliance with the Privacy Shield, affected companies should strongly consider taking the time before May 2018 to comply with the GDPR, rather than depend on the Privacy Shield.

IT Governance provides tools designed and developed by expert GDPR practitioners to help you with your GDPR project. Learn more >>