The EU-US Privacy Shield is due for its first joint annual review in September 2017, which will be undertaken by the European Commission and the Article 29 Working Party (WP29) in the US.

The US Department of Commerce will be responsible for conducting the review while the US Department of State and the US Department of Justice are likely to participate (among others).

The annual review is expected to assess whether the EU-US Privacy Shield is functioning effectively and providing adequate safeguards for cross-border data flows, and is most likely to focus on law enforcement and national security issues.

The EU-US Privacy Shield arrangement

The EU-US Privacy Shield was agreed in August 2016 and aims to provide robust protections for the personal data of EU citizens when processed in the US. It reflects the requirements of the Court of Justice of the European Union, which declared the previous Safe Harbour framework invalid. The EU-US Privacy Shield imposes strong obligations on US companies that are certified under it to protect European individuals' personal data, and requires US authorities to implement oversight mechanisms to ensure US companies abide by these obligations.

The aims of the upcoming review

The review aims to ensure that the EU-US Privacy Shield keeps functioning effectively and maintains an adequate level of protection for EU citizens' personal data which is processed in the US. In a recent speech, the EU Commissioner for Justice stated that the review will focus on verifying that the key foundations of the EU-US Privacy Shield remain in place, in particular with respect to government access for national security reasons.

The relevant reviewing authorities will also monitor the compliance of US companies with the EU-US Privacy Shield principles in order to ensure the proper day-to-day implementation of the framework and identify any issues that may require a robust follow-up.

Some other areas of concern to be included in the review identified by the EU Parliament's LIBE Committee and the WP29 are as follows:

  • Collection of bulk data for law enforcement purposes: In its April resolution, the EU Parliament's LIBE Committee stressed that the EU-US Privacy Shield does not contain any prohibitions in relation to the collection of bulk data for law enforcement reasons. This issue was also raised by the WP29 in its Privacy Shield statement which pointed out that evidence is needed in order to show that the collection of bulk data (when it exists) is limited and proportionate.
  • Automated decision-making: Both the WP29 and the Parliament's LIBE Committee consider that there should be legal guarantees regarding automated decision-making in view of the lack of specific rules on this issue.
  • Ombudsperson mechanism: The WP29 wants to tackle the issue of the ombudsperson appointment and the procedures governing the ombudsperson framework while the LIBE Committee emphasised the need for stricter assurances in relation to the independence and powers of the ombudsperson.

Comments and next steps

The first joint annual review will be critical to assessing the robustness and efficiency of the EU-US Privacy Shield framework. As the EU-US Privacy Shield seeks to put in place an efficient and robust data transfer mechanism, the results of the review will be of interest to organisations that deal with the transfer of data outside the European Economic Area on the basis of the EU-US Privacy Shield framework.

Following the completion of the annual joint review of the EU-US Privacy Shield, the European Commission will issue a report which may be followed by a separate public report issued by the WP29.