To meet the more stringent requirements laid out in the EU-U.S. Privacy Shield pact inked Tuesday, organizations are going to have to up their data protection game and Congress must accelerate passage of the Judicial Redress Act, a Federal Trade Commission (FTC) commissioner said during a Thursday webcast.
“The Judicial Redress Act is an important element – not just for the umbrella agreement – but for the Privacy Shield as well,” FTC Commissioner Julie Brill said in an interview with Robert Atkinson, president of the Information Technology and Innovation Foundation (ITIF) during the webcast.
The act, which would provide citizens of major U.S. allies a course of redress regarding information shared with U.S. law enforcement, was okayed by the Senate Judiciary Committee last week and sent to the full Senate for a vote Friday. So far, though, the lawmakers have not acted.
Experts feared that the Senate's slow action on Judicial Redress, seen as a good-faith signal that the U.S. was taking privacy seriously, would run afoul of a Jan. 31 deadline and prevent the EU and the U.S. from reaching an agreement on a follow-up to Safe Harbor, which was ruled invalid by a European court in October.
But Tuesday, negotiators struck a new data-transfer deal, the Privacy Shield pact, which will “provide stronger obligations on companies in the U.S. to protect the personal data of Europeans,” according to a release.
The deal calls for “clear safeguards and transparency obligations on U.S. government access,” as well as “effective protection of EU citizens' rights with several redress possibilities.”
In addition, stronger obligations must be in place “with respect to controllers that have data on EU citizens and transfer that data to another controller or processor,” said Brill at the FTC. “Companies will have to examine these more robust principles that are going to be in place, and make sure they can abide by them.”
Under the terms of the pact, stronger monitoring and enforcement will be provided by the Commerce Department and the FTC.
Brill made it clear that the FTC will continue to enforce privacy cases the way it always has, but will beef up the process for cooperating with the Article 29 Working Party, the EU data protection authorities (DPAs) specified in 1995 under Directive 95/46/EC.
The Commission has already begun flexing its enforcement muscle over the last year or so, referring to itself publicly “as the new sheriff on the block,” Kenneth Rashbaum, an attorney at Barton LLP, said at the LegalTech Show in New York. “We're going to see a lot more FTC action.” In the absence of federal legislation, the commission has stepped in with notable enforcement wins. And Rashbaum pointed out that the FTC is seemingly “well-funded” and “protected from the federal hiring freeze.”
But Chris Gallagher, senior vice president, National Discovery Solutions & LPO Services, remained dubious that the Privacy Shield pact will have an impact. Unless the ruling comes out in the next three months, gives teeth to it and delineates the processes and responsibilities of the Commerce Dept., FTC and others charged with monitoring and enforcing it, he said the agreement will be like many others. “You're all excited about it, then realize nothing really happened,” he said on a LegalTech panel.
Fellow panelist Brian Corbin, vice president, discovery program manager at JPMorgan Chase & Co., agreed, saying, “We need some teeth on law before we see a sea change.”
Corbin did predict an uptick in privacy auditing as organizations scramble to fulfill their obligations under the act. “Corporate legal departments will need to manage,” he said, predicting that once big fines are on the table, companies are going to do “almost anything” to comply. One big company gets dinged up – likely not for a few more years – and that changes everything, he said.