European Commission Publishes its First Annual Review of EU-U.S. Privacy Shield

The EU-U.S. Privacy Shield has survived its infancy, although the October 18, 2017 European Commission report on its first annual review of the functioning of the EU-U.S. Privacy Shield (the “Report”) leaves uncertainty as to the long-term future of EU-U.S. Privacy Shield if the U.S. is unwilling or unable to adopt further Commission “recommendations”. The Report details the Commission’s findings on the implementation and enforcement of the Privacy Shield during its first year of operation.

The Report concludes that the U.S. “continues to ensure an adequate level” of protection for personal data transferred under the Privacy Shield from the EU to the U.S. The Report recognises that necessary structures and procedures have been put in place to ensure the effective functioning of the Privacy Shield and that co-operation with European Data Protection Authorities (“DPAs”) has improved. In particular, the certification process is functioning well, with over 2,400 companies now certified by the U.S. Department of Commerce (“DoC”).

However, the Report also specifies areas for improvement and makes recommendations to the U.S. to ensure the successful functioning of the Privacy Shield as a “digital bridge” between the EU and U.S. economies. These recommendations include:

  • more proactive and regular monitoring of companies’ compliance by the DoC (e.g. a compliance review questionnaire sent to a sample of certified companies on a specific issue such as data retention, or an annual compliance report for those seeking to be re-certified);
  • the appointment of a permanent Privacy Shield ombudsman “as soon as possible”;
  • improved cooperation between the DoC and DPAs to develop guidance for both companies and regulators;
  • providing more information to citizens about the Privacy Shield and the forms of redress, including how to lodge complaints. The Report notes that although there have been few complaints received to date, this may be indicative of insufficient awareness by individuals as to how they can exercise their rights;
  • ensuring the Commission is updated with timely and comprehensive information about any developments that could be of relevance for the Privacy Shield;
  • proactive and regular searches for companies claiming false adherence to the Privacy Shield as well as ensuring awareness that Privacy Shield certification cannot be publicly referred to until the certification is finalised (and the company is included on the Privacy Shield list); and
  • maintaining the protections afforded to non-U.S. data subjects as set forth in Presidential Policy Directive 28, preferably including codifying these protections in any potential reform of the Foreign Intelligence Surveillance Act.

The Report should provide some certainty to companies who have certified under the Privacy Shield (or who are in the process of reviewing a potential application) as to the adequacy of the Privacy Shield as a method for transferring personal data from the EU to the U.S. In line with the Report’s recommendations, companies should now expect a greater enforcement effort on the part of both U.S. and EU authorities in relation to data transfers carried out on the basis of the Privacy Shield. Meanwhile, the Article 29 Working Party is due to publish its first-year review in November.

A copy of the full Report can be found here.