Nov 62017

European Commission Publishes its First Annual Review of EU-U.S. Privacy Shield

William RM Long, Edward R. McNicholas, Francesca Blythe and Eleanor Dodding
, , ,

The EU-U.S. Privacy Shield has survived its infancy, although the October 18, 2017 European Commission report on its first annual review of the functioning of the EU-U.S. Privacy Shield (the “Report”) leaves uncertainty as to the long-term future of EU-U.S. Privacy Shield if the U.S. is unwilling or unable to adopt further Commission “recommendations”. The Report details the Commission’s findings on the implementation and enforcement of the Privacy Shield during its first year of operation.

The Report concludes that the U.S. “continues to ensure an adequate level” of protection for personal data transferred under the Privacy Shield from the EU to the U.S. The Report recognises that necessary structures and procedures have been put in place to ensure the effective functioning of the Privacy Shield and that co-operation with European Data Protection Authorities (“DPAs”) has improved. In particular, the certification process is functioning well, with over 2,400 companies now certified by the U.S. Department of Commerce (“DoC”).

However, the Report also specifies areas for improvement and recommends to the U.S. to ensure the successful functioning of the Privacy Shield as a “digital bridge” between the EU and U.S. economies.  These recommendations include:

  • more proactive and regular monitoring of companies’ compliance by the DoC (e.g. a compliance review questionnaire sent to a sample of certified companies on a specific issues such as data retention, or an annual compliance report for those seeking to be re-certified);
  • the appointment of a permanent Privacy Shield ombudsman “as soon as possible”;
  • improved cooperation between the DoC and DPAs to develop guidance for both companies and regulators;
  • providing more information to citizens about the Privacy Shield and the forms of redress, including how to lodge complaints. The Report notes that although there have been few complaints received to date, this may be indicative of insufficient awareness by individuals as to how they can exercise their rights;
  • ensuring the Commission is updated with timely and comprehensive information about any developments that could be of relevance for the Privacy Shield;
  • proactive and regular searches for companies claiming false adherence to the Privacy Shield as well as ensuring awareness that Privacy Shield certification cannot be publicly referred to until the certification is finalised (and the company is included on the Privacy Shield list); and
  • maintaining the protections afforded to non-U.S. data subjects as set forth in Presidential Policy Directive 28, preferably including codifying these protections in any potential reform of the Foreign Intelligence Surveillance Act.

The Report should provide some certainty to companies who have certified under the Privacy Shield (or who are in the process of reviewing a potential application) as to the adequacy of the Privacy Shield as a method for transferring personal data from the EU to the U.S. In line with the Report’s recommendations, companies should now expect a greater enforcement effort on the part of both U.S. and EU authorities in relation to data transfers carried out on the basis of the Privacy Shield. Meanwhile, the Article 29 Working Party is due to publish its first-year review in November.

A copy of the full Report can be found here.

William RM Long

London

wlong@sidley.com

Edward R. McNicholas

emcnicholas@sidley.com

Francesca Blythe

London

fblythe@sidley.com

Eleanor Dodding

London

edodding@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

It Is Now More Difficult For International Pharma To Transfer Data Out Of China

China’s new Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) came into force on September 1, 2022. Pharma companies now have until February 28 to work out whether their activities mean they are affected, and to apply for the new type of data security assessment if they need it.