On October 18, 2017, the EU Commission (“Commission”) released its report and accompanying working document on the first annual review of the EU-U.S. Privacy Shield framework (collectively, the “Report”). The Report states that the Privacy Shield framework continues to ensure an adequate level of protection for personal data that is transferred from the EU to the U.S. It also indicates that U.S. authorities have put in place the necessary structures and procedures to ensure the proper functioning of the Privacy Shield, including by providing new redress possibilities for EU individuals and instituting appropriate safeguards regarding government access to personal data. The Report also states that Privacy Shield-related complaint-handling and enforcement procedures have been properly established.
The Report provides a number of recommendations to help ensure the continued proper functioning of the Privacy Shield, including the following:
- The U.S. Department of Commerce (“Department”) should conduct more proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations. The Department should also conduct regular searches for companies making false claims about their participation in the Privacy Shield.
- There should be more awareness-raising for EU individuals about how they can exercise their rights under the Privacy Shield, especially with respect to submitting complaints.
- The relevant Privacy Shield enforcers, including the Department, the Federal Trade Commission and the EU data protection authorities, should cooperate more closely and develop guidance for companies and enforcers.
- A permanent Privacy Shield Ombudsperson should be appointed as soon as possible, and the empty posts on the Privacy and Civil Liberties Oversight Board should be filled.
The Report will now be sent to the European Parliament, the Council, the Article 29 Working Party and U.S. authorities. The Commission will then work with U.S. authorities to implement its recommendations.
Below are a few key statements from EU and U.S. officials regarding the release of the Report:
- Andrus Ansip, Commissioner for the Digital Single Market, stated: “The Commission stands strongly behind the Privacy Shield arrangement with the U.S. Making international data transfers sound, safe and secure benefits certified companies and European consumers and businesses, including EU SMEs. This first annual review demonstrates our commitment to create a strong certification scheme with dynamic oversight work.”
- Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, stated: “Transatlantic data transfers are essential for our economy, but the fundamental right to data protection must be ensured also when personal data leaves the EU. Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation. The Privacy Shield is not a document lying in a drawer. It’s a living arrangement that both the EU and U.S. must actively monitor to ensure we keep guard over our high data protection standards.”
- Maureen K. Ohlhausen, Acting Federal Trade Commission Chairman, stated: “We welcome the positive outcome of the first EU-U.S. Privacy Shield Annual Review. Enforcing international privacy frameworks such as Privacy Shield is an integral part of our Privacy and Data Security program, as highlighted in three recently announced Privacy Shield enforcement actions. We look forward to continuing to work with our European counterparts to ensure that the Privacy Shield remains a robust mechanism for protecting privacy and enabling transatlantic data flows.”