Nov 62017

European Commission Publishes its First Annual Review of EU-U.S. Privacy Shield

William RM Long, Edward R. McNicholas, Francesca Blythe and Eleanor Dodding
, , ,

The EU-U.S. Privacy Shield has survived its infancy, although the October 18, 2017 European Commission report on its first annual review of the functioning of the EU-U.S. Privacy Shield (the “Report”) leaves uncertainty as to the long-term future of EU-U.S. Privacy Shield if the U.S. is unwilling or unable to adopt further Commission “recommendations”. The Report details the Commission’s findings on the implementation and enforcement of the Privacy Shield during its first year of operation.

The Report concludes that the U.S. “continues to ensure an adequate level” of protection for personal data transferred under the Privacy Shield from the EU to the U.S. The Report recognises that necessary structures and procedures have been put in place to ensure the effective functioning of the Privacy Shield and that co-operation with European Data Protection Authorities (“DPAs”) has improved. In particular, the certification process is functioning well, with over 2,400 companies now certified by the U.S. Department of Commerce (“DoC”).

However, the Report also specifies areas for improvement and recommends to the U.S. to ensure the successful functioning of the Privacy Shield as a “digital bridge” between the EU and U.S. economies.  These recommendations include:

  • more proactive and regular monitoring of companies’ compliance by the DoC (e.g. a compliance review questionnaire sent to a sample of certified companies on a specific issues such as data retention, or an annual compliance report for those seeking to be re-certified);
  • the appointment of a permanent Privacy Shield ombudsman “as soon as possible”;
  • improved cooperation between the DoC and DPAs to develop guidance for both companies and regulators;
  • providing more information to citizens about the Privacy Shield and the forms of redress, including how to lodge complaints. The Report notes that although there have been few complaints received to date, this may be indicative of insufficient awareness by individuals as to how they can exercise their rights;
  • ensuring the Commission is updated with timely and comprehensive information about any developments that could be of relevance for the Privacy Shield;
  • proactive and regular searches for companies claiming false adherence to the Privacy Shield as well as ensuring awareness that Privacy Shield certification cannot be publicly referred to until the certification is finalised (and the company is included on the Privacy Shield list); and
  • maintaining the protections afforded to non-U.S. data subjects as set forth in Presidential Policy Directive 28, preferably including codifying these protections in any potential reform of the Foreign Intelligence Surveillance Act.

The Report should provide some certainty to companies who have certified under the Privacy Shield (or who are in the process of reviewing a potential application) as to the adequacy of the Privacy Shield as a method for transferring personal data from the EU to the U.S. In line with the Report’s recommendations, companies should now expect a greater enforcement effort on the part of both U.S. and EU authorities in relation to data transfers carried out on the basis of the Privacy Shield. Meanwhile, the Article 29 Working Party is due to publish its first-year review in November.

A copy of the full Report can be found here.

William RM Long

London

wlong@sidley.com

Edward R. McNicholas

emcnicholas@sidley.com

Francesca Blythe

London

fblythe@sidley.com

Eleanor Dodding

London

edodding@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.