On October 18, 2017, the European Commission published its report on the functioning of the EU-U.S. Privacy Shield framework (the “Privacy Shield”), marking the conclusion of its first joint annual review of the regime.  The Privacy Shield, which is administered by the International Trade Administration within the U.S. Department of Commerce (“DOC”), provides companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States.  To join the Privacy Shield, a U.S.-based organization is required to self-certify to the DOC and publicly commit to comply with the Privacy Shield requirements.  While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Privacy Shield requirements, the commitment will become enforceable under U.S. law.

The European Commission’s report found that the United States continues to ensure an adequate level of protection for personal data transferred from the EU to organizations in the United States. However, the Commission also proposed ten recommendations to improve the practical implementation of the Privacy Shield.

The European Commission based its report on the joint annual review meetings that took place in Washington, D.C. on September 18 and 19, 2017. The meetings involved representatives of the European Commission, members of the Article 29 Working Party and the European Data Protection Supervisor, as well as representatives of the DOC, the Federal Trade Commission, the Department of Transportation, the Department of Justice, the State Department and the Office of the Director of National Intelligence. The review found that the U.S. authorities have put in place all the procedures necessary for the Privacy Shield to function, including the certification process and the complaint-handling and enforcement mechanisms. Approximately 2,400 companies have been certified under the Privacy Shield so far, and the U.S. authorities have appointed an Ombudsperson and an arbitration panel, although the Ombudsperson position is currently held on an acting basis and a permanent appointment is still pending.

The European Commission made ten recommendations to improve the practical implementation of the Privacy Shield:

  1. Companies should not be able to publicly refer to their Privacy Shield certification before the certification is finalised by the DOC. Currently there is a discrepancy between the information companies publish about their own status and the official Privacy Shield list of participants, which creates uncertainty for EU organisations deciding whether to transfer data to the United States.
  2. The DOC should conduct proactive and regular searches for false claims of participation in the Privacy Shield. In this context, it is worth noting that last month the FTC brought its first enforcement actions against U.S. companies that made false claims of Privacy Shield compliance.
  3. The DOC should conduct ongoing monitoring of compliance with the Privacy Shield principles, including by way of compliance questionnaires or annual compliance reports.
  4. The DOC should continue and improve its efforts to raise awareness about the Privacy Shield and to inform EU citizens about their rights under it, such as their right to complain.
  5. The DOC and the EU Data Protection Authorities should cooperate further to produce guidance on areas in the Privacy Shield which need clarification, including the principle of accountability for onward transfers.
  6. The European Commission should commission a study to gather evidence and further assess the relevance of automated decision-making for transfers carried out under the Privacy Shield.
  7. The European Commission has urged the U.S. to enshrine the protections that Presidential Policy Directive 28 (PPD-28) affords to non-U.S. persons in statute when Congress reauthorises Section 702 of the Foreign Intelligence Surveillance Act (FISA).
  8. The U.S. administration should appoint a permanent Ombudsperson as soon as possible.
  9. The U.S. administration should appoint the missing members of the Privacy and Civil Liberties Oversight Board (PCLOB) (an independent, bipartisan agency within the executive branch, comprising a board of five individuals with expertise in national security and civil liberties) and release the PCLOB’s report on the implementation of PPD-28.
  10. There should be more comprehensive and timely reporting of any relevant developments by the U.S. authorities.

The European Commission has stated its intention to work closely with the U.S. authorities to implement these recommendations over the coming months, and that it will continue to closely monitor the U.S. authorities’ compliance with their commitments and the performance of the framework as a whole.

The European Commission’s report is ultimately a positive one, but, as the recommendations show, there is room for further improvement in the regime’s practical implementation.

A link to the full report can be found here.