The Privacy Shield agreement struck between the European Commission (“EC”) and the U.S. Department of Commerce (“Commerce”) gave the EC a right of annual review to determine if all aspects of the Privacy Shield are being completely and adequately implemented by U.S. authorities.
The EC conducted its first such review in late September and published the resulting report on October 18, 2017. The outcome was favorable with the report stating, in relevant part, that “The Commission concludes that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield…”.
Given the juxtaposition of the EC report with the recent outcome of the so-called “Schrems 2.0” case in Ireland (which calls into doubt the validity of Model Clauses) and Article 46 of the upcoming GDPR, we strongly reiterate the advice we have been giving over the last year: choose Privacy Shield over Model Clauses, Ad Hoc Clauses and, for most companies, Binding Corporate Rules.
That is not to say that the EC report was without criticism. In fact, it made certain very pointed recommendations for the coming year. We outline those relevant to businesses (as opposed to national security and related matters) below. All in all, however, Privacy Shield remains, for the foreseeable future, the most reliable and efficient compliance mechanism for transferring personal information of employees and customers out of the EU.
Business-oriented Recommendations of the EC Report
Commerce should be more proactive in locating false claims of participation in the Privacy Shield. The Report suggests that this not only includes representations by companies having incomplete certifications, but also companies that make representations of any type suggesting compliance with the Privacy Shield framework. Misleading practices like these are “…not uncommon”.
Commerce should conduct more comprehensive and regular compliance checks. This could include compliance review questionnaires sent to a representative sample of certified companies, or setting up a systematic process requiring production of “annual compliance reports” by companies seeking re-certification.
All participating EU member states and Commerce should focus on raising awareness of rights exercisable under the Privacy Shield (i.e., how to lodge a complaint).
The Commission will conduct a study to collect factual evidence and assess the relevance of automated decision making for transfers carried out on the basis of Privacy Shield.