In a global data economy, ensuring data flows freely between nations is an absolute necessity: in fact, economic growth and innovation across all sectors of national economies increasingly depend on the unencumbered access and use of data. Over a decade (2005-2014), global data flows grew 45 times, increasing global GDP by 10%. This value totaled $7.8 trillion in 2014 alone, according to the McKinsey Global Institute (2016). In its strategy on data flows published last January, the European Commission acknowledged that unjustified restrictions on the free movement of data would likely constrain the further development of the data economy.
To keep data flowing globally, adequate protections for individuals are needed. The European Union’s General Data Protection Regulation (GDPR) provides companies a strengthened and diversified legal toolkit for data transfers. One way to transfer personal data outside the EU is on the basis of a European Commission adequacy decision establishing that a non-EU country provides a sufficient level of data protection. The GDPR specifically calls out that for these adequacy decisions the European Commission should take into account “the existence and effective functioning of one or more independent supervisory authorities”. To date, the European Commission has approved as adequate only eleven countries, which are closely integrated with the European Union and its Member States. The great bulk of major economies (US, India, China, Japan, Korea, Brazil, and Russia) do not have adequacy status.
After the invalidation of the previous legal framework, “Safe Harbor”, the EU and the US reached an agreement in 2016 which permits transatlantic data flows and provides a greater degree of certainty for businesses to invest and innovate. The Privacy Shield represents an important tool for companies on both sides of the Atlantic, especially for those SMEs which don’t have the resources to adopt time-consuming and more expensive instruments such as binding corporate rules or standard contractual clauses. The Privacy Shield is a robust accountability scheme that creates a favorable transatlantic environment for data transfers. American and European businesses are already adopting it far faster than they did the previous program: 2,190 organisations self-certified in a year vs 4,400 companies in about 15 years of Safe Harbor (Source: Department of Commerce). The provisions of the Privacy Shield include substantially stronger protections for data transfers than are available for almost any country outside of the EU. If the Privacy Shield is found not to be adequate, then it calls into question how the great majority of the world, not just the US, will continue to do business with the EU Member States. Preserving the Privacy Shield as an effective model for international data transfer is critical for the global economy.
This September marks the first review of the Privacy Shield. The European Parliament and the body representing EU Data Protection Authorities, the Article 29 Working Party (WP29), have expressed concerns about privacy safeguards for individuals and oversight guarantees made by the US authorities when agreeing on Privacy Shield. The Privacy and Civil Liberties Oversight Board (PCLOB) has been represented by the US government as playing a prominent role in ensuring that the transatlantic legal framework works effectively. The PCLOB’s previous work on Section 702 of the Foreign Intelligence Surveillance Act and Section 215 of the Patriot Act was critically important in providing independent oversight of the US intelligence community. The PCLOB’s work demonstrates a model that other countries could use to provide more effective oversight of their intelligence agencies. Unfortunately, the Board has seen several members resign, and it is currently without an Executive Director and has only one serving member. The PCLOB is supposed to comprise five members and a quorum of three is needed for the Board to act.
“The WP29 stresses the need to obtain information concerning the nomination of the four missing members of the PCLOB,” the WP29 stated in a press release published on June 13th. In its resolution adopted last April, the European Parliament noted with great concern that “in a sub-quorum status the PCLOB is more limited in its authority and cannot undertake certain actions…thus seriously undermining the compliance and oversight guarantees and assurances made by US authorities…” In a recent letter to the editor in the New York Times, James Dempsey, Executive Director of the Berkeley Center for Law and Technology, and former member of the PCLOB, echoed this sentiment, calling the Board crippled. “At a time of heightened concern about terrorism worldwide and abiding worries about privacy in the digital age, the institution created after 9/11 to balance security and constitutional liberties in the country’s counterterrorism programs lies dormant,” Dempsey wrote.
A positive outcome of the Privacy Shield review would ensure the much-needed predictability of legal requirements for European and US companies and confirm the importance of the interoperability of legal systems to keep data flowing seamlessly around the world. Fundamental rights of EU and US citizens are at stake, as well as the societal benefits spurred by innovation and economic growth.
An adequately staffed PCLOB, with members who have deep national security and privacy expertise, is necessary to create a favorable environment for responsible data processing and for investments on both sides of the Atlantic.
The PCLOB’s reports evidenced an understanding of the dual goals of providing national security and preserving individuals’ privacy rights. The unprecedented challenges ahead in the field of security and terrorism, as well as the fragile socio-economic environment, make these decisions urgent. The appropriate legal instruments and institutional frameworks are already in place, inspired by shared privacy principles. We now need the right people to make sure that the long-lasting EU-US relationship continues to be reflected in successful cooperation in the field of data protection. Appointment of qualified individuals to the PCLOB is an important element of that cooperation and should be a top priority.