My friend Cam Kerry, in a recent Lawfare post expressed concern that actions of the Trump Administration are undermining the Privacy Shield, the important agreement between the United States and the European Union that permits transatlantic data flows. Kerry fears that “the damage the president and his administration have done to relationships with Europe and perceptions of the United States as a trusted partner” will make it hard to sustain the Privacy Shield.
While the President’s ignorance, incompetence and vanity have no doubt damaged relations with our European allies, it is important that our allies be assured that the Privacy Shield is unaffected. The Privacy Shield rested upon a series of representations by the United States about the operation of our laws and policies, and the establishment of a variety of institutional processes to ensure compliance by U.S. companies with the terms of the agreement. The work of the Departments of Commerce and State and the Federal Trade Commission to set up those institutions has continued uninterrupted, and the relevant laws and policies remain unchanged. In short, Privacy Shield remains today as it was originally agreed upon and approved.
An important part of the Privacy Shield framework was a series of letters from the U.S. government (including letters that I signed as General Counsel for the Office of the Director of National Intelligence) outlining the legal framework under which law enforcement and national security agencies can obtain access to data transferred to the U.S. pursuant to the Privacy Shield. The European Commission concluded that these representations established that “the United States ensures an adequate level of protection for personal data” transferred under the Privacy Shield.
Nothing that underlay these representations has changed in the Trump Administration. The Administration has not made any changes to Presidential Policy Directive (PPD) 28, President Obama’s important directive outlining the limitations on our signals intelligence collection activities. Nor has it made any efforts to change the statutory framework governing intelligence activities, including the Foreign Intelligence Surveillance Act, and in particular Section 702 of that Act. On the contrary, Deputy Attorney General Rosenstein and leaders of the Intelligence Community recently testified publicly that the Administration wanted Section 702 reauthorized without change. In fact, under the Trump Administration the National Security Agency has actually taken steps to narrow the scope of collection under Section 702, by stopping so-called “about” collection, which allowed collection not only of communications to or from a target, but of communications that included mention of a selector such as an email address.
Most importantly, the Privacy Shield framework established a joint annual review, under which both the EU and the US can examine how Privacy Shield functions in practice. The first such review will happen this September and will afford the European Commission an opportunity to verify that the U.S. is fully complying with its commitments.
In short, whatever differences between Europe and the current Administration may arise, the fundamental bases of the Privacy Shield remain unchanged. There are good reasons for this. The Privacy Shield is essential to allowing companies to move data from Europe to the United States and supports over $300 billion in transatlantic trade. Data transferred to the United States creates untold thousands of jobs processing that data here; if changes in U.S. law or policy led to the abrogation of the Privacy Shield, those jobs would move out of the U.S. A president who was elected based on his promises to bring jobs back to this country is unlikely to take steps to ship jobs overseas. Backing away from the Privacy Shield commitments would thus run counter to the core of the Administration’s announced policies.
For these reasons, Europe should have no doubt that our firm commitment to the Privacy Shield is not wavering. But on the other hand, Europeans should not view Privacy Shield as a “gift” to the United States as suggested by former Commissioner Viviane Reding. Rather, it is an arrangement to enable commerce and protect privacy that benefits both sides. The business relationships that Privacy Shield enables are as important to Europe as they are to the United States. Moreover, European security services depend vitally on information U.S. intelligence agencies obtain lawfully, legitimately, and subject to robust oversight, to protect their own citizens. It is not in our shared interests to demand restrictions on that activity at a time when terrorist attacks in Europe are on the rise.