On 18 October 2017, the European Commission (“Commission”) published its first annual report on the functioning of the US-EU Privacy Shield (“the Report”), the successor to the Safe Harbor framework after its invalidation in Schrems. The Report will be widely welcomed by businesses on both sides of the Atlantic as the Commission continues to back the Privacy Shield. In particular, the finding that the United States continues to ensure an adequate level of protection for personal data transferred from the EU to self-certified organizations in the US under the Privacy Shield sends a positive signal to businesses that rely on transatlantic data flows. This is especially important in light of the ongoing judicial challenges that the Commission’s approved standard contractual clauses, also referred to as model clauses, currently face.

The Commission has made ten recommendations to improve the practical implementation of the Privacy Shield framework further, but most of these were predictable for those who have closely followed the discussion over this international transfer instrument. On a broad policy level, the Commission recommends more awareness training for EU individuals to understand their rights under Privacy Shield and how to exercise them, and closer cooperation between all enforcement entities (US Department of Commerce, Federal Trade Commission and EU Data Protection Authorities).

In terms of business impact, self-certified companies will be eager to see how the recommendation on proactive and regular monitoring of compliance by the US Department of Commerce (“DoC”) will be implemented. More specifically, the Commission has recommended that self-certified companies be required to respond to compliance review questionnaires or file annual compliance reports with the DoC. In light of the recommendation that the DoC conduct proactive and regular searches for false claims, companies should not publicly refer to their Privacy Shield certification before the certification is finalized by the DoC.

The Commission recommends further reforms or actions in a number of other areas, some of which have been hot topics over the last year. This includes the continued debate on the Foreign Intelligence Surveillance Act (FISA) and privacy protections for non-US persons. The Commission has also renewed the call for a swift appointment of the Privacy Shield Ombudsperson and filling posts in the Privacy and Civil Liberties Oversight Board.

It remains to be seen whether the Article 29 Data Protection Working Party (“WP29”), the EU advisory body on data protection comprised of the representatives of the national data protection authorities, the European Data Protection Supervisor and the Commission, will share the Report’s findings. The WP29 is expected to publish its own non-binding opinion within the next few weeks. The European Parliament might also react. Regulators and human rights organizations will closely monitor the US actions taken in response to these recommendations. However, what is already clear: the Report will certainly not be the last word on this matter.

For more information:

  • The European Commission’s press release can be found here.
  • The European Commission Fact Sheet can be found here.