The report is generally good news for Privacy Shield participants and those considering the program—but notes several areas for improvement.
On October 18, the European Commission published its much-anticipated first annual report on the EU-US Privacy Shield. To date, 2,520 companies have participated in the Privacy Shield certification process, and many have looked to this report as an important test for the viability of the Privacy Shield overall.
The report features good news for companies already participating in or considering the Privacy Shield; the European Commission concluded that the Privacy Shield is working and confirmed that it continues to ensure an adequate level of protection for personal data transferred from the European Union to the United States.
As described in our July 2016 LawFlash, the Privacy Shield framework went into effect in August 2016, precipitated by the Safe Harbor program being invalidated by the European Commission. In order to participate in the Privacy Shield program, US-based organizations must self-certify with the US Department of Commerce and publicly commit to comply with the Privacy Shield’s requirements. These require participating organizations to
- adopt an independent recourse mechanism to investigate individuals’ unresolved complaints regarding the organization’s compliance with the Privacy Shield;
- use a self- or third-party assessment program to verify compliance with the Privacy Shield;
- state in the organization's website privacy policies that the Privacy Shield Principles have been adhered to, and include a link to the Privacy Shield website as well as to a website or complaint submission form of the independent recourse mechanism available to investigate individual complaints; and
- pay an annual fee based on the organization’s annual revenue.
The Commission’s Findings
The report includes a number of positive findings about the Privacy Shield framework. For example, the European Commission found that US authorities have put in place the necessary structures and procedures to ensure the proper functioning of the Privacy Shield, including by providing new redress possibilities for EU individuals. The report specifically identifies the American Arbitration Association’s Privacy Shield Arbitration Panel and the Ombudsperson mechanism as “new additional redress avenues for EU individuals” established by US authorities to safeguard the rights of EU citizens.
Importantly, the report states that US authorities have implemented safeguards regarding government access to personal data. The European Commission is also satisfied with the Privacy Shield's complaint-handling and enforcement procedures. With respect to the Privacy Shield certification process, the European Commission found that it has been “handled in an overall satisfactory manner.”
Recommendations for Improvement
Although the report gave the Privacy Shield good marks, it did highlight areas for improvement, notably recommending
- that companies awaiting designation under the Privacy Shield not be permitted to refer publicly to their certification before the Department of Commerce has finalized it and added them to the Privacy Shield list, both to address concerns about false claims of participation and to reduce uncertainty about who actually participates;
- improved monitoring by the US Department of Commerce of certified companies’ compliance with Privacy Shield obligations;
- increased awareness for EU residents on how to lodge complaints about the processing of personal data under the Privacy Shield;
- closer cooperation between enforcement authorities (Department of Commerce, Federal Trade Commission, and EU Data Protection Authorities);
- protection of non-US residents under Presidential Policy Directive 28; and
- appointment of a permanent Privacy Shield Ombudsman and filling vacant posts on the Privacy and Civil Liberties Oversight Board.
Practical Implications and the EU Data Privacy Regime
Organizations that have waited to self-certify pending the first annual review should feel more comfortable moving forward, given the positive report and the fact that no significant changes to the Privacy Shield Principles appear likely. In addition, organizations that have already self-certified do not need to do anything further (as some had feared) to comply with data transfer restrictions, because the recommendations for improvement relate only to how the Privacy Shield is enforced and how the rights of EU residents are protected.
Together with the new EU General Data Protection Regulation (effective May 2018)—which specifically includes obligations on organizations to notify EU residents of how their personal data is transferred outside Europe and of their rights to make regulatory complaints—the European data privacy regime is robust in its protection of EU individuals and their privacy rights. The European objective, of course, is to ensure that these rights are not “watered down” on the transfer of such data to the United States.
Both US and EU authorities recognize the need to continue transatlantic data transfers, and the Privacy Shield is a primary way to do so given that the program eliminates the need for written agreements between European exporters and non-European importers of personal data—as exists under the standard contractual clauses method to transfer personal data from the United States. Note, however, that the validity of these standard contractual clauses is currently being challenged in the European Court of Justice by Maximilian Schrems—the same individual whose claim invalidated the Safe Harbor framework. As such, the issue of data transfers likely will remain contentious for some time to come.