Transatlantic data-transfer agreement Privacy Shield is facing its first major political hurdle as the inaugural joint review kicks off this week.
Agreed last summer, the deal between the European Union and the US aims to safeguard EU citizens' data when it is transferred across the pond.
The two-day review, launched today by EU justice commissioner Věra Jourová and US secretary of commerce Wilbur Ross, will assess whether the Privacy Shield agreement is working as it should. Although the review body will make recommendations for improvements, it is not expected to result in any major renegotiations.
The framework emerged from the ashes of the failed Safe Harbour agreement – which was ruled invalid as a result of Max Schrems' case against Facebook's data slurping – and has not had an easy start to life.
For one thing, it was facing legal challenges almost immediately – one from advocacy group Digital Rights Ireland, another as follow-up to Schrems' original case – while the change in the US administration poured more uncertainty into the mix.
Questions were also raised over whether president Donald Trump's executive orders on immigration, which limited citizens' privacy rights, undermined Privacy Shield.
A statement from Jourová after today's meeting with Ross indicated these concerns would be on the table, and that some reassurances had been made already.
"I am glad to be reassured that America First doesn't mean America only," she said. "EU-US Privacy Shield is an example where both sides can benefit, if it is implemented correctly and if we build trust.
"I'm also pleased that Secretary Ross understands the importance of data privacy in transatlantic relations. Transfer of data underpins our huge trade relations and is bread and butter for many European and American companies."
The review will also look at the role of US ombudsman for Privacy Shield. Rather than being formally filled, the role defaulted down a few layers to Judy Garber, the acting assistant secretary in the Bureau of Oceans and International Environmental and Scientific Affairs.
Jourová told the FT: "We are patient but cannot be patient forever... We will ask when we can expect the fully fledged heads of these important offices to be put in place."
Another issue will be how much the agreement is used in practice. Although 2,400 firms have signed up to the pact – a self-certification made to the US Department of Commerce – Kathryn Wynn, partner at Pinsent Masons, said that there wasn’t much evidence it was being relied on.
"There's not that many examples of it actually being used," she said, adding that anecdotally there was some nervousness around relying on Privacy Shield.
Wynn put this down to both the travel bans imposed by the new administration and the ongoing legal challenges, which might be "putting people off", in case the deal is rendered partly or wholly invalid in a year's time. She said the review might need to address any lack of confidence in the scheme.
Omer Tene, vice-president of research and education at the International Association of Privacy Professionals, agreed the review needs to look at how Privacy Shield is working in reality.
"The EU will no doubt take a hard and close look at the deployment of Privacy Shield on the ground, including not only adherence by companies and oversight by the FTC, but also checks on government surveillance under the new US administration," Tene said.
The joint report is expected to land in the second half of October, but that might not be the end of things from the European side.
The EU's Article 29 Working Party of the member states' data protection authorities has made no secret of its concerns about the agreement, but gave it a year to bed in, promising to hold off on a legal challenge until the review.
In a June statement setting out what it expected of a joint review, the working party said:
"Subject to the outcome of the joint review and the report of the Commission, the WP29 may also present a separate public report following the joint review and an updated assessment of the Privacy Shield in a separate statement based on the findings presented to the plenary by the review team of the working party." ®