Ding ding! Round Two: Second annual review for transatlantic data flow deal Privacy Shield

The deal governing transatlantic data flows – branded not fit for purpose by privacy watchdogs – enters its second annual review today.

The Privacy Shield agreement was rushed through in the summer of 2016 after its predecessor Safe Harbor was scrapped following a legal challenge by activist and then-PhD student Max Schrems.

Despite offering more protections for personal data transferred from the EU to the US than its predecessor, progress to properly implement Privacy Shield has been slow, and most critics believe it is not even close to being up to scratch.

Under the terms of the deal, it is reviewed every year, and this time it's the EU's turn to host the bilateral talks, which will be led by EU justice commissioner Věra Jourová and US secretary of commerce Wilbur Ross.

They will be joined by execs from various US departments with skin in the game, including the Federal Trade Commission and state and justice departments, and members of the EU's data protection agencies.

Today, talks will focus on oversight and enforcement of Privacy Shield, which allows companies to self-certify, with almost 4,000 signed up so far.

The European Commission has called for more proactive and regular monitoring of this compliance, with last year's review also critical of vacant positions on oversight boards.

Tomorrow will turn to the collection of personal data by US authorities for law enforcement or national security. This is a major concern for the historically more privacy-minded members of the bloc, but one they ultimately have little control over.

Last year's review didn't set any hard deadlines, or make any threats to tear up the deal if they weren't met, and this year is likely to see more of the same.

Neither side wants another transatlantic data transfer agreement lying in tatters – hence the commission's reticence to impose a deadline or heed MEPs' calls to scrap Privacy Shield earlier this year.

Ditching the deal would damage businesses on both sides of the pond and mean starting negotiations all over again – and the commission's actions suggest it would rather keep plugging away at the agreement it already has instead.

That means performing something of a balancing act. In 2017, criticism meted out for vacant positions, poor oversight processes and surveillance directives were sandwiched between praise for the smallest hints of progress, like a website for the ombudsperson.

This time around, the US will claim greater victories. Earlier this month, the Senate finally approved three nominations to the Privacy and Civil Liberties Oversight Board, including the chair.

And at the end of September, the US ushered in Manisha Singh as Privacy Shield ombudsperson, alongside her role as acting under secretary of state for economic growth, energy and the environment.

Despite the glacial pace with which these positions have been filled, the US will use it as evidence that progress is being made in areas the EU and member states' privacy watchdogs have labelled priorities.

The US ambassador to the EU earlier this month took the bolshy stance that his nation was "fully complaint" with the deal, reportedly adding that the US "[doesn't] want to discuss this any further".

The EU may have concerns about the "acting" part of Singh's job title – stability in the role has been raised as an issue before – but the US will likely point out that there have, thus far, been just a handful of complaints and The Reg has been told no European data protection watchdogs have escalated any concerns to the FTC.

But underlying this is something of a new world order. Since the last review, the EU's General Data Protection Regulation has come into force and the Facebook-Cambridge Analytica data harvesting scandal catapulted privacy into the public's psyche on both sides of the Atlantic.

There are also legal challenges to the Privacy Shield framework looming – and the commission will be aware that any ruling from the EU's highest court could force both parties' hands.

The second annual review will report at the end of November, after which the European Data Protection Board, the supervisor and other interested parties are expected to issue their own opinions. ®