President Donald Trump’s administration is dragging its feet on a key portion of one of the United States’ most important online privacy agreements.
Last week, Privacy Shield, the United State–European Union data transfer agreement, passed its first annual review. This was expected, but the European Commission, the E.U.’s executive arm, has made a number of recommendations for improving the agreement.
It has called on the Trump administration to appoint a permanent ombudsperson, who will handle complaints made by Europeans if they believe their data has been improperly accessed by U.S. intelligence.
The ombudsperson falls under the remit of the Under Secretary for Economic Growth, Energy, and the Environment at the State Department, which is currently being handled by Assistant Secretary Judith Garber in the interim.
“It’s not so much that the current administration has been slow in filling the ombudsperson role as they’ve been slow in filling that general role,” said Susan Foster of U.K. law firm Mintz Levin. “It would be misreading the situation to think that this is a sign of lack of commitment to Privacy Shield.”
As the role is not a standalone one, it makes the timing for the appointment a little unclear amid the tumult of the change in Trump administration. A spokesperson for the State Department would not comment on the status of the role.
Under the agreement, if the U.S. is not complying, the E.U. can take steps to suspend Privacy Shield. “Those are quite radical. The suspension of the agreement is a last resort,” explained Maria Tzanou, a European law lecturer at Keele University. The issue of the ombudsperson is not considered extreme enough to make such a move, experts said.
“There’s nothing specific [the Commission] can do from a legal perspective right now about [the ombudsperson],” Foster added. It can only continue to push the matter before the 2018 review.
“You can hardly say that Judith Garber is overtasked given that there are no complaints in the first year,” said Foster. “It doesn’t appear that there is any harm being done by the fact that the appointment hasn’t been filled other than the symbolic issue.”
The position shows a level of commitment from the U.S., but its effectiveness remains “highly debatable,” Tzanou said. “Of course there is the issue of independence. Can we say this person is equivalent to a court or an independent authority?”
For now, it remains theoretical as there are no case studies to illustrate how the ombudsperson will investigate complaints of data mishandling by U.S. intelligence.
Surveillance has been a regular bugbear in Privacy Shield; and, to add to the debate, the European Commission even asked for changes to the Foreign Intelligence Surveillance Act (FISA) to provide greater protections for Europeans. A key provision in FISA, Section 702, gives U.S. intelligence the authority to collect the communications of people outside the U.S. It is set to expire on Dec. 31 unless Congress reauthorizes the provision.
The Commission also called on the Department of Commerce to do more to ensure companies are fully certified to comply with the agreement. It wants rules in place to prevent companies announcing they are certified until the Department of Commerce has finalized their applications. It also wants the department to police false claims of certification and conduct regular compliance checks on those that are certified.
The Department of Commerce did not respond to requests for comment.
Nevertheless, both the E.U. and U.S. consider Privacy Shield a success thus far, but the pact is facing two legal challenges from civil liberties groups that will likely be much harsher.
The European Court of Justice has a reputation in this area. It struck down the original Safe Harbor data transfer agreement and in July, it concluded that an E.U.–Canada airline passenger data transfer agreement was an “interference with the fundamental right to the protection of personal data.”
“The fate of Privacy Shield is not sure,” said Tzanou, “so we do not know if it will survive.”