[co-author: Rossana Fol]
On October 18, 2017, the European Commission (EU Commission) published its report on the first annual review of the EU-U.S. Privacy Shield Framework (Privacy Shield). The EU Commission confirms that the Privacy Shield ensures an adequate level of protection for EU personal data that is transferred to the U.S., but calls on the U.S. government to implement a number of recommendations.
Certified companies can continue to rely on the Privacy Shield to receive EU personal data in compliance with EU data protection law. This is an important validation of a key mechanism used by EU and U.S. companies transferring data to the U.S., particularly in light of the current uncertainty around data transfers arising from court challenges to the Standard Contractual Clauses and the Privacy Shield.
Background
EU data protection law restricts the transfer of personal data outside of the EU. The Privacy Shield is an agreement between the U.S. and the EU Commission that permits certified U.S. companies to receive personal data from the EU. The Privacy Shield agreement was adopted in July 2016 to replace the Safe Harbor Framework, which was invalidated by the Court of Justice of the European Union (CJEU) in Schrems in October 2015. Today, more than 2,500 U.S. companies have self-certified to the Privacy Shield.
When approved, negotiators agreed that annual reviews would be conducted to assess the continued adequacy of protection afforded by the Privacy Shield. Officials from the U.S. Government, the EU Commission, and EU data protection authorities (DPAs) participated in the first annual review, which took place on September 18 and 19, 2017, in Washington, D.C. The report reflects the EU Commission's findings on the implementation and enforcement of the Privacy Shield in its first year of operation.
Privacy Shield Deemed Adequate, but Its Implementation Can Be Improved
The EU Commission stands strongly behind the Privacy Shield, and continues to believe that it ensures an adequate level of protection for transferred EU personal data. The report acknowledges that the U.S. implemented the necessary administrative structures for Privacy Shield to function (in particular with regard to complaint-handling and enforcement), and that the U.S. maintains the safeguards regarding data access for national security purposes that had been agreed upon.
However, the EU Commission recommends certain measures to improve the Privacy Shield. The key recommendations are:
- Prohibiting companies from publicly referring to their Privacy Shield certification until the certification process with the Department of Commerce is finalized.
- Strengthening awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield, notably on how to lodge complaints.
- Conducting (i) regular searches for false claims of participation in the Privacy Shield, for example, through internet searches, including for companies that have never applied for certification; and (ii) compliance checks, for example, by sending certified companies compliance review questionnaires focusing on specific issues.
- Developing guidance on certain concepts in the Privacy Shield, such as the accountability for onward transfers and the definition of HR data, in cooperation with EU DPAs.
- Including the protection for non-U.S. citizens offered by the Presidential Policy Directive 28 (PPD-28) into the Foreign Intelligence Surveillance Act (FISA).
- Appointing a permanent Privacy Shield Ombudsperson and filling positions for the Privacy and Civil Liberties Oversight Board (PCLOB) as soon as possible.
- Making public the PCLOB's report on the implementation of PPD-28.
Next Steps
The Article 29 Working Party—the body of EU DPAs—will comment on the report and provide its own non-binding assessment of the Privacy Shield in November 2017.
Both the EU Commission and the U.S. will continue to actively monitor and periodically review the adequacy of the Privacy Shield. In its report, the EU Commission indicated some specific topics that it plans to cover during the 2018 review (e.g., automated decision-making).
In parallel, the question of the validity of the Standard Contractual Clauses will be referred to the CJEU once the Irish High Court rules on the text of the preliminary questions later this year, and two actions for annulment of the Privacy Shield are pending before the Court; both may have an impact on the next Privacy Shield review.
We will continue to closely monitor news related to EU-U.S. data transfers and will update you on any significant developments.