One of the core principles of the EU-US Privacy Shield ("Privacy Shield") is its Joint Review mechanism, which obliges the European Commission, the US Department of Commerce and the Federal Trade Commission to jointly review the functioning of the Privacy Shield on an annual basis, together with its national security and law enforcement aspects. The very first Joint Review is scheduled for September 2017. This first review is considered especially important, as it will be the first opportunity for US and EU regulators to closely analyse the operation of the Privacy Shield, address possible concerns about its functioning, and seek to ensure that the Privacy Shield continues to be a valid legal basis for transfers of personal data from the EU to the US.
In preparing for the review, on 15 June 2017 Art 29 Working Party issued a letter to the European Commission in which it asked not only for its own participation but also for that of several US agencies as well as the US Department of Transport. It also suggested addressing several topics and questions to the US counterparts in advance in order to make the review process as efficient as possible. Thus even the initial steps in preparation for the first Annual Joint Review of the Privacy Shield show that its European contributors take this task seriously. Such a course of action corresponds with the understanding of the European Parliament in its Resolution of 6 April 2017, in which the Parliament acknowledged that "the EU-US Privacy Shield contains significant improvements regarding the clarity of standards compared with the former EU-US Safe Harbour and that US organisations self-certifying adherence to the EU-US Privacy Shield will have to comply with clearer data protection standards than under Safe Harbour."
There are no indications that the Annual Joint Review will be treated with less seriousness from the US side. Commerce Secretary Wilbur Ross expressed his commitment to the Privacy Shield framework at a meeting with the European Commissioner for the Digital Single Market earlier this year. And at the annual Global Privacy Summit in Washington, DC this year, the head of the FTC, Maureen Ohlhausen, emphasised her support for the EU-US Privacy Shield Framework by stating that the FTC is committing resources to ensure that European regulators view the FTC as an effective enforcer.
Such mutual commitment to cooperation was not always the case in the days of Safe Harbour – the predecessor to the Privacy Shield – and suggests that the intensified collaboration between Europe and the US under the Privacy Shield is more than just empty rhetoric.
The Privacy Shield has been subject to constant public scrutiny, beginning with the release of the draft text of the framework several months prior to its final release and lasting beyond the adoption of the Privacy Shield. The criticism was particularly loud at the beginning of this year, when President Trump issued an executive order excluding certain groups of people from protection under the US Privacy Act. However, the European Commission clarified that the Privacy Shield does not rely on the Privacy Act and therefore the executive order does not interfere with the standards of the Privacy Shield.
There are currently more than 2,000 organisations certified under the Privacy Shield. To date there appear to have been no significant complaints in respect of the Shield, that have not been properly addressed by these organisations.
The Privacy Shield therefore seems to have successfully passed its first year load test. Its first Joint Annual Review should nevertheless be deemed a significant milestone. In addition to covering national security and law enforcement aspects, regulators have indicated that they plan to incorporate feedback from companies that are self-certified under the Privacy Shield and from other interested organisations.
The Joint Annual Review as scheduled for September thus promises not only to help eliminate any perceived deficits in the Privacy Shield but will also be a significant step in the joint efforts of Europe and the US to carry forward data protection standards that help ensure safe data transfers between the two continents.