US government seeks to influence Privacy Shield court challenges

20 April 2017. By Vesela Gladicheva.

The US government has sought to intervene in EU court actions filed by Irish and French civil-society groups to annul the EU-US Privacy Shield accord for commercial data transfers, a US government official who led talks with the European Commission on the eight-month-old agreement said on Thursday.

"The United States has filed applications to intervene in the two cases challenging the Privacy Shield before the [EU's] General Court" in Luxembourg, Caitlin Fennessy, a senior policy advisor on data flows and privacy at the US Department of Commerce, told attendees at a conference* in Washington.

"We stand behind the Privacy Shield and are certainly prepared to explain our safeguards in the litigations," said Fennessy, who works for the International Trade Administration, an agency of the Department of Commerce tasked with putting the accord in place.

Before the General Court can decide whether to allow the US government to intervene in the cases, it must decide on applications by the commission asking judges to dismiss the lawsuits.

The Privacy Shield arrangement entered into force last August and aims to improve the flow of personal data for commercial purposes across the Atlantic.

The accord was drawn up to replace a "safe harbor" that was struck down in 2015 by Europe's highest court because the arrangement failed to sufficiently safeguard EU citizens' personal data. Some 4,500 companies — including Google and Coca-Cola — signed up for the safe harbor.

Digital Rights Ireland and La Quadrature du Net, a collection of French civil-society groups, took court action against the Privacy Shield last autumn.

Fennessy said that during her agency's nearly three-year-long talks with the commission on the Privacy Shield, the US government said the framework can withstand a court challenge.

The government worked toward meeting the legal standards set by the EU court in 2015, as well as specific concerns from European data-protection regulators, such as US authorities' access to EU citizens' personal data for national security purposes.

Fennessy also said that the US government had finalized over 2,000 certifications to the Privacy Shield from companies and was in the process of assessing several hundred other companies' applications. That's an "impressive achievement," she said.

Annual review

The Privacy Shield will be put to the test in September, when the commission and the Department of Commerce carry out its first annual review. Fennessy said the review was scheduled to take place in Washington and would analyze the US government's work to implement the Privacy Shield.

That evaluation is already underway.

The commission will in the coming weeks start seeking feedback from companies or their industry representatives on how well the Privacy Shield works, Bruno Gencarelli, who heads the commission's data-protection unit, said at the same panel. That input will focus on certain aspects of companies' compliance with the accord, their practices and policies, he said.

The commission will also examine closely legal developments in the US that could negatively affect the functioning of the Privacy Shield, Gencarelli said.

He said that an executive order signed by President Donald Trump directing all federal agencies to strip the privacy rights of non-US citizens wasn't "directly relevant" to the Privacy Shield. But such developments "don't show a particularly positive attitude to certain aspects of privacy," he said.

*IAPP Global Privacy Summit 2017, April 17-April 20, 2017. Washington, DC.

Privacy report