On 26 March 2018 , the US Department of Commerce (DOC) published an update on action it has taken to support the EU-US and Swiss-US Privacy Shield frameworks. It highlights the oversight and enforcement measures taken in regard to the commercial and national security aspects of the Shield Frameworks.
It remains to be seen whether the measures taken will be sufficient to appease the Article 29 Working Party (WP29) who raised a number of concerns about the EU-US Privacy Shield last November 2017. The WP29, in particular, called for the appointment of an independent Ombudsperson to be prioritized and the exact powers of the Ombudsperson mechanism need to be clarified, including through the declassification of internal procedures, as well as the appointment of PCLOB members. It called for those prioritized concerns to be resolved by 25 May 2018, and its other concerns to be addressed at the latest at the second joint review. The WP29 warned that if no remedy was brought to address its the concerns in the given time-frames, the WP29 would take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling. Whilst the DOC’s update notes that President Trump has nominated three individuals to the PCLOB, it does not clarify whether Ambassador Judith G Garber, who has been ‘acting’ as Privacy Shield Ombudsman, has been permanently appointed to that role, nor is there any mention of declassification of the internal rules of procedure of the Ombudsperson.
On a positive note, the DOC’s update shows that the US has made efforts to address other concerns raised by the WP29, including publishing enhanced guidance on the self-certification process; strengthening monitoring and enforcement of the Shield, through random spot-checks on certified organisations and proactive checks for false certification claims, and developing user-friendly guidance material for individuals, businesses and authorities.
The DOC’s update also highlights that the US government has expressly confirmed that Presidential Policy Directive 28 (PPD-28), providing protection to individuals regardless of nationality with respect to signals intelligence information, remains in place without amendment. In addition, Congress has reauthorized FISA section 702, reportedly maintaining all elements on which the European Commission’s Privacy Shield determination was based.