Privacy & Information Security Law Blog

On March 26, 2018, the U.S. Department of Commerce posted an update on the actions it has taken between January 2017 and March 2018 to support the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (collectively, the “Privacy Shield”). The update details measures taken in support of commercial and national security issues relating to the Privacy Shield.

With regard to the commercial aspects, the Department of Commerce has taken measures to ensure:

• An enhanced certification process through implementing more rigorous company reviews and reducing opportunities for false claims;
• Additional monitoring of companies through expanded compliance reviews, random spot checks for certified organizations and proactive checks for false claims online;
• Active complaint resolution by confirming a full list of arbitrators to ensure that EU individuals have recourse to arbitration. A call for applications for inclusion on the list of arbitrators for the arbitration mechanism for Swiss individuals is currently open until April 30, 2018;
• Strengthened enforcement through continued oversight by the Federal Trade Commission (“FTC”) and the nomination of four FTC Commissioners. The FTC announced three Privacy Shield-related false claims actions in September 2017; and
• Expanded outreach and education through consistent official reaffirmation of the U.S. commitment to the Privacy Shield, and the development of user friendly guidance on the Privacy Shield Framework for individuals, businesses and authorities.

In relation to national security, the Department of Commerce has taken measures to ensure:

• Robust limitations and safeguards regarding national security endeavors, including confirmation that Presidential Policy Directive 28 remains in place without amendment, and a reaffirmation by the Intelligence Community of its commitment to civil liberties, privacy and transparency through the updating and re-issuing of Intelligence Community Directive 107;
• Independent oversight through the nomination of three individuals to the Privacy and Civil Liberties Oversight Board with the aim of restoring the independent agency to quorum status;
• Individual redress through the creation of the Privacy Shield Ombudsperson mechanism which provides EU and Swiss individuals with an independent review channel in relation to the transfer of their data to the U.S.;
• U.S. legal developments take into account the Privacy Shield framework. Congress, for example, in reauthorizing Foreign Intelligence Surveillance Act’s Section 702, maintained all elements on which the European Commission’s Privacy Shield adequacy determination was based, and enhanced the advisory and oversight functions of the Privacy and Civil Liberties Oversight Board. The government also has informed the European Commission about material developments in the law relevant to Privacy Shield.