US says it's had enough of talking about Privacy Shield; Brussels' blustering bluff just got called

Stuart Lauchlan, October 4, 2018
Brussels said it would do terrible things if the US didn't clean up its Privacy Shield act. Washington said, 'You reckon?'

Timing is everything in politics, of course. So it's very handy to find out that the US is now fully compliant with the requirements of the transatlantic Privacy Shield agreement and there’s no need for another word to be said on the matter!

Who says so? The US Ambassador to the European Union, that’s who, so once again, let that be an end to further discussion and churlish sniping!

Or at least that’s one reading of events this week when, weeks before the EU publishes its second review of the controversial data privacy and transfer deal, the US suddenly engaged with the complaint that it’s basically been ignoring its responsibilities for the past couple of years.

One of the main concerns that critics of Privacy Shield have pointed out time and again is that no-one in the US has been appointed to the crucial role of Ombudsperson to oversee complaints from non-US citizens. Lo and behold, suddenly someone’s got that job!

Well, sort of. No-one’s actually been given full-time oversight of Privacy Shield in the Trump administration, but the responsibility has been tacked on to the end of Manisha Singh’s ‘to do’ list. How long is that list? Well, given that her job title is Acting Under Secretary for Economic Growth, Energy and Environment, your guess is as good as mine.

But I’ll stick my neck out and say that dealing with Privacy Shield isn’t one of the things that’s likely to give her sleepless nights, especially as she was only confirmed to her new role last week.

Incidentally, her official White House job spec is:

advancing American prosperity, entrepreneurship and innovation worldwide. This includes levelling the playing field and providing opportunities for U.S. companies and their workers to compete and succeed.

How much attention Europeans complaining about breaches of data privacy are likely to get weighed against the bigger plan to Make America Great Again, well…

"We really don't want to discuss this"

But it’s enough for Ambassador Sondland at any rate, who told the media:

There is no non-compliance. We are fully compliant. As we’ve told the Europeans, we really don’t want to discuss this any further.

Surely though, given all the tough talking from EU Justice Commissioner Věra Jourová about taking action against the US if it didn’t buck up its ideas, this eleventh hour box-ticking isn’t going to be enough to declare the crisis over?

According to Sondland, it might just:

[The Europeans'] response was ‘OK, let’s discuss things that have true relevance instead of discussing something where there is no problem'.

He’s probably right. The US has blinked just enough to allow the European Commission to grit its teeth and paint on a smile so as not to bring Privacy Shield crashing down and then actually have to put some proper regulation in its place.

To back up its 'taking this seriously' stance, the US will also point to last week’s settlement of four complaints around companies that falsely claimed Privacy Shield compliance. The companies are IDmission, MResource, SmartStart Employment Screening and VenPath.

Specifically, the Federal Trade Commission (FTC) alleged IDmission did not complete the certification process, yet said it complies with Privacy Shield on its website. VenPath and MResource did get certification, but let it lapse. Finally VenPath and SmartStart are alleged to have not waited for the Department of Commerce to confirm their certification.

FTC’s Bureau of Consumer Protection director Andrew Smith said his organization is taking a tough line:

Companies need to know that if they fail to honour their Privacy Shield commitments, or falsely claim participation in the Privacy Shield framework, we will hold them accountable.

That’s all good and well and it’s certainly handy timing to have a few scalps to wave around given that another EU complaint has been lack of US enforcement actions. But…but…they’re not exactly very big scalps and they only bring the total of such enforcements to 8 over the two years that Privacy Shield has been in place.

As for punishment meted out, the FTC insists that all four companies cease “misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization”. Two of them have to agree to apply all EU-US Privacy Shield protections to data collected when they participated in the program, or must return or delete the information.

Scary, huh? Oh and those penalties aren’t even final. They’re now open for public comment until the 29 October at which time the FTC will decide whether to make the “consent orders” final. At which point they’ll all be told they’ve been very naughty and not to do it again.

Still, that’ll make future miscreants pause for thought, eh?

My take

I’m imagining Eurocrats in Brussels rummaging in their collective make-up bag for more lipstick to smear over the snout of the pig that is Privacy Shield.

I said all along that Europe’s threats of ‘we will do something, we will definitely do something, you just wait and see!’ would fall on deaf ears in a White House that regards the EU as a bigger enemy than Russia or China.

Of course, we’ll have to wait and see what happens with the formal review later this month, but my guess is that Washington has called Brussels' bluff, doing just enough to give Jourová and her clique a chance to save face. Meanwhile our privacy piggy will be fattened up for another year rather than sent to its rightful fate as a bacon sandwich.

It would be laughable were it not dealing with such a serious issue. Up to 4000 US companies boast of (self-certified) compliance with Privacy Shield’s requirements. To date, the FTC proudly boasts of finding 8 companies that it’s found to be in breach. Can that really be the sum total? How hard have the US authorities been looking?

As for the enforcement when guilty parties are found, it amounts to little more than a public rap on the corporate knuckles. Privacy Shield is a framework, not a law. As such it lacks the punitive clout of, for example, GDPR (General Data Protection Regulation), which hits companies where it hurts - on the bottom line.

Frankly there’s little reason for US companies to take Privacy Shield seriously other than as a PR-friendly exercise. Of course, most reputable firms are going to take data privacy and protection seriously. But there are rotten apples in every barrel and it’s caveat emptor with them.

Still, the US is now fully-compliant with Privacy Shield requirements and playing its part in securing essential transatlantic data flows. So that should make all informed buyers feel completely confident, shouldn’t it? Er…shouldn’t it?
