Speech: Ambassador Gardner’s Remarks on Data Protection, AmCham Belgium (May 25, 2016)

Data drives the modern economy.  It should by now be clear to all of us that for the full potential of the digital economy to be realized, governments, the private sector, and civil society need to work together, to collaborate to strike an appropriate balance that respects fundamental rights of individuals and allows continued innovation and growth in commercial applications.  It is also clear that we need to help national security and law enforcement authorities to carry out their duties in the public interest, particularly in the face of current threats.  But we must also respect the fundamental right to privacy.

Intelligence Reforms in the United States

As a starting point, it’s important to recall that the United States Government has implemented important reforms to its intelligence practices since the Snowden disclosures.  Through Presidential Policy Directive 28, published in 2014, President Obama directed our intelligence agencies to institute important new controls and transparency mechanisms, which have now been put into practice.

And in what I would characterize as an unprecedented step in providing greater transparency about intelligence practices, those controls and limitations, some new and some long-standing, have been made publicly available, both in a Tumblr account called “IC on the Record” – that includes both the PPD-28 directive and subsequent status reports on its implementation – as well as in a letter from the General Counsel from the Office of the Director of National Intelligence which is included as an annex to the European Commission’s draft adequacy decision in support of the Privacy Shield framework, which is also available online at the DG JUSTICE website.

As for actions by the legislative branch, in the last year, the U.S. Congress has passed the USA Freedom Act and the Judicial Redress Act – two important pieces of legislation that ended the U.S. Government’s bulk collection of telephone metadata under Section 215 of the Patriot Act and provided European citizens with the same rights of judicial redress afforded to Americans under our Privacy Act.

Those of you who follow U.S. domestic politics know how difficult it is within the current climate for President Obama to get any significant piece of legislation passed by the Congress, but in this case, both of these Acts enjoyed broad bipartisan support backed by strong advocacy by the White House as well as important lobbying efforts by the U.S. tech sector who have recognized how important it is to their business interests for the U.S. and the EU to work together to rebuild the trust that was lost as a result of the Snowden disclosures.

DPPA

As another important step in rebuilding this trust, last September, we concluded our negotiations with the European Commission on the U.S.-EU Data Protection and Privacy Agreement, more commonly known in Brussels as the Umbrella Agreement, which will enhance the protection of personal data transferred for law enforcement purposes.  We hope this Agreement will soon be endorsed by the Council and the Parliament so that these protections can promptly take effect.

Beyond Privacy Shield and the GDPR, which I’ll turn to in a moment, let me also underline the importance of addressing the matter of data flows in two other major projects with tremendous implications for the transatlantic economy – TTIP and the EU’s Digital Single Market or DSM.

Data flows in TTIP and DSM

It is clear that a model 21st century trade agreement cannot neglect the importance of the free flow of data to trade, investment, and business operations.  Enabling cross-border data flows is particularly important for our small and medium sized enterprises that want to reach new customers on either side of the Atlantic.

The recent finalization of the GDPR and the imminent approval of the Privacy Shield framework should provide an opportunity to incorporate the promotion and protection of data flows within TTIP.  In particular, just as we have negotiated in the Trans Pacific Partnership Agreement, in TTIP we need to fully enable cross-border data flows, promote free and open access to the Internet for all legitimate commercial purposes, eliminate customs duties for digital products, prevent data localization barriers, and secure the non-discriminatory treatment of digital products. And we believe we can do all of this in a manner that respects the privacy regimes that have evolved on both sides of the Atlantic.

We believe that the Free Flow of Data Initiative that is being developed within the framework of the EU’s Digital Single Market strategy is an important step, and a policy that should logically be extended to ensure the free flow of data not only within the European Union but also between Europe and the United States.  Clearly the EU’s ambitions for the DSM of promoting digital innovation, e-commerce, e-government, digitalization of industry, cloud computing, big data analytics, and the Internet of Things cannot be realized if the data that would be the lifeblood of these applications is unable to flow freely across borders, of course with necessary and reasonable measures in place for personal data protection and cybersecurity.

Privacy Shield

Let me now take a moment to make a few important points about Privacy Shield.

For over two years, starting well before the ECJ ruling in the Schrems case, the Department of Commerce and the U.S. Federal Trade Commission (FTC), with support from the Department of State and the US Intelligence and Law Enforcement communities, worked closely with the European Commission to strengthen and modernize the Safe Harbor Framework that was initially put into place in 2000, at a time when the technological and commercial landscapes were much different than what we see today.

The urgency of our work increased following the Court’s invalidation of the European Commission’s 2000 Safe Harbor adequacy determination. This ruling left thousands of companies on both sides of the Atlantic with limited options to transfer personal data used for commercial transactions to the United States in compliance with EU data protection laws.  This challenge was particularly acute for small and medium-sized businesses, which accounted for over 60 percent of Safe Harbor participants.

During the four months that followed the court ruling, our consultations intensified.  We worked hard to ensure that the Framework we were building fully met the Court’s requirements – focusing in particular on the Framework’s many recourse mechanisms, and on providing a strong basis for the Commission to make the necessary findings about the limitations and safeguards on government access for law enforcement, national security, and public interest purposes.

As a result of this extensive work with the Commission and other stakeholders this new Framework known as Privacy Shield represents a significant achievement for privacy, for individuals and for businesses and includes new privacy protections to be implemented by companies; new U.S. Government commitments and resources to administer the Shield and oversee compliance These significant improvements over Safe Harbor respond to the concerns raised by the ECJ in its Schrems decision.  The new framework meets the Court’s standard of essential equivalence.

To understand how the Framework will operate, it is important to understand its components, which fall into three categories: (1) the principles under which companies make legally enforceable commitments; (2) commitments from U.S. Government agencies to ensure the effective administration, oversight and enforcement of the Privacy Shield; and (3) explanations about the U.S. legal framework on access for national security, law enforcement, and public interest purposes.

Based on this full package, the Commission had a very strong basis for proposing a revised adequacy decision in support of Privacy Shield.   That decision is now being reviewed by the EU Member States within the so-called Article 31 Committee, which is expected to vote on the new Framework in the coming weeks.  And while the European Parliament has no formal role in the approval of Privacy Shield, both we and the European Commission have engaged with the Parliament and sought to respond to their questions and concerns.

Likewise, we are seeking to provide clarifications to address some of the questions and concerns of European Data Protection Authorities as expressed in the non-binding opinion of the Article 29 Working Party.  I do not think we were surprised by what they reported. There are some elements in the agreement that can be made clearer to resolve concerns, and we are working with closely with the Commission to do so.

  • Specifically, I would highlight the following elements of the Agreement: Letters from the Secretary of Commerce and Under Secretary of Commerce for International Trade describe the Department of Commerce’s commitments to ensure the effective operation of the Privacy Shield.
  • Letters from the Chairwoman of the FTC and Secretary of Transportation also describe their respective enforcement of the Privacy Shield. While the FTC is the primary enforcement agency, the Department of Transportation enforces the Framework with regard to a small number of companies under their jurisdiction, including airlines and ticket agents.
  • A letter from the Secretary of State and accompanying memorandum describes the role of the Privacy Shield Ombudsperson for submission of inquiries regarding the United States’ signals intelligence practices.
  • A letter from the Office of the Director of National Intelligence clearly spells out safeguards and limitations applicable to U.S. national security authorities.
  • A letter from the Department of Justice describes safeguards and limitations on U.S. government access for law enforcement and public interest purposes.
  • Under the Privacy Shield, an individual may bring a complaint directly to a Privacy Shield participant company, and the company must respond to the individual within a fixed period of time.
  • Privacy Shield participant companies must now provide, at no cost to the individual, an independent recourse mechanism by which each individual’s complaints and disputes can be expeditiously resolved.
  • If an individual submits a complaint to a DPA in the EU, the Department of Commerce has committed to receive, review and undertake best efforts to facilitate resolution of the complaint and to respond to the DPA within a fixed period of time.
  • The FTC has committed to vigorous enforcement of the Privacy Shield Framework, including prioritization of referrals from EU DPAs and the provision of enforcement assistance to DPAs. The FTC has also committed that each time it conducts a privacy related investigation in the United States, it always checks whether the company is certified under Privacy Shield and may be violating its Privacy Shield commitments.
  • Privacy Shield participants must also commit to binding arbitration at the request of the individual to address any complaint that has not been resolved by other recourse and enforcement mechanisms. Such arbitration is reviewable under the U.S. Federal Arbitration Act. This is a completely new element specifically designed for the Privacy Shield to ensure that no complaints can fall through the cracks and that judicial review is available.
  • The data protections provided under the Privacy Shield will flow with the data if it is transferred on to third parties, and organizations will remain accountable for data processed by others on their behalf.
  • Privacy Shield must inform individuals of their rights to access their personal data, their choices for limiting use and disclosure, the requirement to disclose personal information in response to lawful request by public authorities, which enforcement authority has jurisdiction over the organization’s compliance with the Framework, and the organization’s liability in cases of onward transfer of data to third parties.
  • The Department of Commerce has committed to robust administration and supervision of the Framework, including conducting periodic reviews and assessments of the program. Commerce has also committed to establishing a dedicated point of contact to act as a liaison with DPAs.
  • The FTC has also committed to work closely with DPAs, including to provide enforcement assistance, which, in appropriate cases, could include information sharing and investigative assistance pursuant to the U.S. SAFE WEB Act. To better enable handling of EU DPA referrals, the FTC will create a standardized referral process, designate a point of contact at the agency for EU DPA referrals, and exchange information with referring enforcement authorities, subject to confidentiality laws and restrictions.
  • To ensure the Privacy Shield remains a living framework subject to active supervision, the Department of Commerce, the FTC, and other agencies as appropriate will hold annual meetings with the European Commission and interested EU DPAs to discuss the functioning of and compliance with Privacy Shield. We view this annual review as a critical component of the new Framework, but it is important to highlight that we see the annual review as only a small component of the regular ongoing cooperation with European Data Protection authorities which we are committing to and which is essential to the success of the new Framework.

This is a historic agreement, but we recognize that ensuring that the Article 31 Committee has all the information it needs to support the Commission’s adequacy decision is not the end of the process.  All of the U.S. agencies involved have been planning, in cooperation with the Commission, for the significant work needed to implement the commitments we have made under the Privacy Shield to ensure it is fully defensible in any future judicial challenge.

We have worked intensively with the European Parliament. Our lead PS negotiators and the ODNI General Counsel have travelled to Brussels to discuss PS with the LIBE Committee. The LIBE delegation that visited Washington last week was received by the White House, the State Department, Commerce, the FTC other agencies to discuss PS. Yesterday a joint resolution was negotiated among the major party groups regarding Privacy Shield. It is certainly preferable to alternative resolution tabled by the Greens that is politically inflammatory, inaccurate in parts, and counterproductive.

We hope the companies that you represent will find it in their interests to sign up to Privacy Shield and help us to make clear to EU stakeholders that U.S. companies and the U.S. government take very seriously our commitment to ensure that protection of the personal data of EU individuals sent to the United States will be essentially equivalent to the protection provided in Europe.

New EU data protection legislation

Now, let me turn to the new EU data privacy legislation.  Intra-EU negotiations to finalize the text of two new pieces of legislation governing the protection of personal data in the commercial context (the General Data Protection Regulation, or GDPR) and in the law enforcement context (the Data Protection Directive) were concluded in December.  After signature by the European Parliament and the Council at the end of April, these laws were published in the EU’s Official Journal on May 4.

The Directive is relatively unproblematic from the U.S. Government’s perspective.  In the GDPR, U.S. Government concerns have been focused primarily on minimizing the negative impact of an article (previously 43a) in the chapter on international transfers known as the “anti-FISA clause,” which was proposed by the European Parliament in response to the Snowden disclosures.  The final version of the article (now 48), complemented by derogations listed elsewhere in the Chapter and newly introduced recitals, is much better than earlier drafts in that it greatly diminishes the risk that the GDPR could be applied in such a manner as to hamper the ability of U.S. authorities (national security, law enforcement, and regulatory) to obtain personal data from companies in accordance with U.S. law.

However, we recognize that other elements the GDPR are concerning for U.S. business, including the definition of personal data, fines up to 4% of annual global revenue, expanded scope of liability to more companies, application of the “right to be forgotten,” new requirements for consent, and efforts to improve consistency and simplicity that, if not carefully implemented, could ultimately have the opposite effect.

The so-called ‘one-stop-shop’ measure was designed to allow EU residents to file complaints with data protection authorities in their home countries and companies to deal only with data protection authorities in the Member State where the company has its primary establishment: in other words, to minimize the bureaucratic hurdles of dealing with authorities in multiple EU Member States.  The GDPR creates a new consistency mechanism under which a newly created European Data Protection Board with binding authority   will be tasked to minimize disparities between data protection approaches taken by individual DPAs in Member States and will be able to resolve disputes between DPAs.  While we welcome the intention of this initiative, there is a risk that the mechanism might be too slow, complex, and cumbersome, and will still leave too much room for DPAs to take divergent approaches in different Member States.  We look forward to engaging with the Commission and the DPAs as they develop guidance on implementation.  And as always, we welcome input from U.S. companies as to the specific concerns you think we should raise.

On that note, I would like to close by making clear that, along with our partners at the U.S. Embassy, the U.S. Mission to the EU is always interested in hearing your questions and concerns, whether they be about Privacy Shield, the GDPR, TTIP, the DSM or any other matters of EU legislation or policy that you would like to discuss with us.

Thank you for your attention.