On October 18, 2017, the European Commission (Commission) published its first report evaluating the functioning of the EU-U.S. Privacy Shield, which launched in August 2016. As discussed in a previous Privacy & Cybersecurity Update, the Privacy Shield, which governs the cross-border flows of personal data, replaced the EU/U.S. Safe Harbor invalidated by the European Court of Justice in October 2015. When it launched the Privacy Shield, the Commission committed to reviewing it annually.

Based on meetings with U.S. governmental authorities, major companies and non-governmental organizations, the Commission concluded that the Privacy Shield continues to ensure adequate protection for personal data transferred from the EU to participating U.S. companies. In particular, the report determined that U.S. authorities have in place the infrastructure and procedures needed to ensure the Privacy Shield functions properly. These findings permit the Privacy Shield to continue in force, at least for another year.

The Commission further noted enhanced U.S. public and private cooperation with the European Data Protection Authorities (DPAs) and that the certification process appears to be functioning well, highlighting that the U.S. Department of Commerce has now certified over 2,400 companies under the Privacy Shield.

The report also contains recommendations to improve the Privacy Shield, suggesting, among other things, that:

  • The U.S. Department of Commerce enhance its monitoring of companies’ compliance with their Privacy Shield obligations and conduct regular searches for companies making false claims about their participation in the Privacy Shield.
  • Steps be taken to educate EU individuals about how to exercise their rights under the Privacy Shield, especially how to lodge complaints.
  • There be closer cooperation between privacy enforcers, including the U.S. Department of Commerce, Federal Trade Commission and DPAs, particularly to develop guidance for companies and enforcers.
  • The privacy protections from surveillance activities for non-U.S. persons offered by Presidential Policy Directive 28 be given the force of law.
  • A permanent Privacy Shield Ombudsperson be appointed as soon as practicable.

The Commission will follow up with the U.S. authorities on its recommendations in the coming months.

We will continue to keep you updated as more information or guidance on compliance with the Privacy Shield becomes available.