On January 22, 2019, the European Data Protection Board (“EDPB”) issued a report on the Second Annual Review of the EU-U.S. Privacy Shield (the “Report”). Although not binding on EU or U.S. authorities, the Report provides guidance to regulators in both jurisdictions regarding implementation of the Privacy Shield and highlights the EDPB’s ongoing concerns with regard to the Privacy Shield. We previously blogged about the European Commission’s report on the second annual review of the Privacy Shield, and the joint statement of the European Commission and Department of Commerce regarding the second annual review.
In the Report, the EDPB praised certain actions and efforts undertaken by U.S. authorities and the European Commission to implement the Privacy Shield, including the following:
- Efforts by the Department of Commerce to adapt the initial certification process to minimize inconsistencies between the Department’s Privacy Shield List and representations made by certifying organizations (in their privacy notices) regarding their participation in the Privacy Shield;
- Enforcement actions and other oversight measures taken by the Department of Commerce and Federal Trade Commission regarding compliance with the Privacy Shield; and
- Issuance of guidance for EU individuals on exercising their rights under the Privacy Shield, and for U.S. businesses to clarify the requirements of the Privacy Shield (g., the Department of Commerce’s FAQs available on PrivacyShield.gov).
The Report identifies continuing concerns of the EDPB, including the following key areas:
- According to the EDPB, “a majority of companies’ compliance with the substance of the Privacy Shield’s principles remain unchecked.” The EDPB indicated that the application of the Shield principles by certifying organizations has not yet been ascertained through oversight and enforcement action by U.S. authorities.
- With respect to the onward transfer principle, the EDPB suggested that U.S. authorities more closely monitor the implementation of this principle by certified entities, suggesting, for example, that the Department of Commerce exercise “its right to ask organizations to produce the contracts they have put in place with third countries’ partners” to assess whether the contracts provide the required safeguards and whether further guidance or action by the U.S. authorities is needed in this regard.
- The EDPB indicated that the re-certification process “needs to be further refined,” noting that the Privacy Shield list contains outdated listings, leading to confusion for data subjects.
- The Report highlights the uncertainty surrounding the application of the Privacy Shield to HR data, noting that conflicting interpretations of the definition of HR data has led to uncertainty as to what protections are available.
In addition, the Report notes that the EDPB is still awaiting the appointment of a permanent independent Ombudsperson to oversee the Privacy Shield program in the U.S. Until such time as an appointment is made, the EDPB cannot determine whether the Ombudsperson “is vested with sufficient powers to remedy non-compliance” with the Privacy Shield.