Letter: @USGAO Must Investigate #PrivacyShield Vacancy

Posted below is a copy of an open letter sent to the Comptroller General of the United States. The open letter calls for the Government Accountability Office to investigate whether the State Department has violated the Federal Vacancies Reform Act.


Rachael Tackett

April 24, 2017

Comptroller General of the United States
Government Accountability Office
Dear Comptroller General,

The US State Department may be in violation of the Federal Vacancies Reform Act. I strongly encourage you to open an investigation into this issue. Once the investigation is concluded, I also encourage you to publicly release your findings.

On April 6, 2017, I received an email from a State Department spokesperson stating:

Acting Assistant Secretary Garber was delegated the authorities of the Under Secretary for Economic Growth, Energy and the Environment (which includes those of the Ombudsperson under the E.U.-U.S. Privacy Shield), pursuant to Delegation of Authority No. 415, dated January 18, 2017. She can exercise those authorities until a new Under Secretary is in place, or until the delegation is revoked by competent authority.

This statement causes serious concerns, because Judith Garber was already filling a vacancy in a temporary capacity as Acting Assistant Secretary starting in April 28, 2014, according to the State Department’s website. Please note that in 2017, the US Supreme Court upheld the Federal Vacancies Reform Act in NLRB v. SW General, Inc. There is a serious legal question as to whether or not Judith Garber can be the first assistant under Federal Vacancies Reform Act, while she is also filling in for a vacancy of another PAS (presidential appointment with Senate confirmation) position.

In addition, please also note that the delegation of authority for Judith Garber was signed before President Trump was inaugurated on January 20, 2017. Another legal question to consider is whether a previous administration’s delegation of authority is still valid after a new President comes into office.

Under the Federal Vacancies Reform Act, the State Department is required to immediately notify the Government Accountability Office (GAO) of vacancies. In an email on April 11, 2017, a GAO employee informed me that the State Department has failed to notify the GAO of the Under Secretary vacancy.

The GAO must investigate whether Judith Garber has any legal authority to act as the Under Secretary or as the Privacy Shield Ombudsperson, under the Federal Vacancies Reform Act. In addition, the GAO must investigate and determine whether the State Department violated the Federal Vacancies Reform Act.


Rachael Tackett


Jason Chaffetz
Chairman for Committee on Government Oversight and Reform
US House of Representatives

Elijah Cummings
Ranking Member for Committee on Government Oversight and Reform
US House of Representatives

Claude Moraes
Chair for LIBE Committee
European Parliament

Vera Jourova
Commissioner for Justice, Consumers and Gender Equality
European Commission


Updated April 28, 2017 at 11am EST. Over the years, the US GAO has undergone several name changes. The GAO is called the “Government Accountability Office”, not the “General Accountability Office” as originally posted.


FTC Refuses Privacy Shield Investigation Disclosure

The US-EU Privacy Shield agreement is supposed to protect personal data transferred from the EU to the US. The Privacy Shield agreement has come under heavy criticism. On April 6, the European Parliament adopted a resolution criticizing Privacy Shield.

The Federal Trade Commission (FTC) is the main US government agency tasked with investigating and enforcing compliance with the Privacy Shield agreement. Last week, I sent the FTC a series of questions about Privacy Shield. Most surprising of the FTC’s responses is that the FTC admits that it has no employee solely assigned to Privacy Shield enforcement. Instead, the FTC has about 40 people in the Division of Privacy and Identity Protection, who must also focus on enforcing numerous other federal laws. The FTC also refuses to disclose if there are any active or closed investigations into Privacy Shield compliance. There is a real possibility that the FTC has not initiated any Privacy Shield investigations, but it is impossible to know since the FTC refuses to disclose.

It is also surprising that the FTC quotes its Chair Ohlhausen as being a staunch advocate for Privacy Shield, even though she also opposed the FCC’s broadband privacy rules.

FTC Q&A on Privacy Shield

1) For the fiscal year 2017, how many FTE (full time equivalent) employees have been assigned solely to Privacy Shield investigation and enforcement?

A: We have staff of about 40 people in our Division of Privacy and Identity Protection. These attorneys enforce a variety of laws, including the FTC Act, COPPA, GLB, and the FCRA. They also put together workshops, draft reports, blogs, speeches and testimony, stay current on privacy and security issues, and conduct Privacy Shield investigations. Although most of these people have worked on Privacy Shield issues, we have not assigned anyone to solely conduct Privacy Shield investigations. Staff from other parts of the agency also provide technical and investigative support on particular matters, and support for general operations, as appropriate.

2) How does the FTC plan to investigate and enforce Privacy Shield compliance?

A: Acting FTC Chairman Maureen K. Ohlhausen said in a speech last month that “Enforcing international privacy frameworks such as Privacy Shield is an integral part of our Data Security and Privacy program. We have used our authority to take action against nearly 40 companies for deceptively misrepresenting compliance with the predecessor Safe Harbor program, including Google and Facebook. We have also enforced against four companies that misrepresented their participation in the APEC Cross-border Privacy Rules System – a framework designed to facilitate data transfers in the Asia-Pacific region. Based on this background, our deep history of privacy enforcement, and our commitment to interoperable international privacy frameworks, we will vigorously enforce the Privacy Shield Framework. We have committed to investigate Privacy Shield companies on our own initiative. We will prioritize referrals from European Data Protection authorities. And we will monitor our orders to ensure compliance with the Framework. When companies don’t comply with orders, we will bring enforcement actions.”

3) As of April 4, 2017, how many active investigations on Privacy Shield compliance does the FTC have?

A: By law, FTC investigations are non-public, and we do not comment on any investigations or the existence of any investigation, except as otherwise authorized by our rules.

4) As of April 4, 2017, how many closed investigations on Privacy Shield compliance does the FTC have?

A: See answer above.

5) As of April 4, 2017, how many individual complaints has the FTC received on Privacy Shield compliance?

A: I understand you have requested that information from our FOIA Office, and they should be responding to that request soon.

Article by Rachael Tackett

Updated on April 12, 2017 at 10:35pm EST to clarify that there are about 40 people within the FTC’s Division of Privacy and Identity Protection.