On December 19, 2018, the European Commission (the “Commission”) issued a press release regarding the publication of the Commission’s second annual review of the functioning of the EU-U.S. Privacy Shield (the “Report”).

Background

On July 12, 2016, the Commission adopted an adequacy decision on the basis that the EU-U.S. Privacy Shield ensured an adequate level of protection to personal data transferred from the European Economic Area (“EEA”) to the participating companies in the U.S. The Commission also concluded that the EU-U.S. Privacy Shield framework could be improved. On that basis, the Commission annually reviews the framework and issue recommendations.

Findings after this second year

This year’s Report concludes that the U.S. still ensures an adequate level of protection to the personal data transferred from the EEA to U.S. companies under the EU-U.S. Privacy Shield. The U.S. authorities have taken measures to implement the Commission’s recommendations from last year and several aspects of the functioning of the framework have improved. Some of these measures have been recently adopted and further developments need to be monitored.

The Report highlights the following concerns:

  • New tools to ensure compliance with the Privacy Shield principles and to identify false claims of participation to the Privacy Shield framework: On the basis of last year’s recommendation, the Department of Commerce (“Department”) implemented new tools to proactively monitor certified companies’ compliance with the Privacy Shield Principles and to detect potential compliance issues. The Department also has proactively searched for false claims of participation in the Privacy Shield framework. To date, 56 companies were referred to the Federal Trade Commission (“FTC”) for issues of non-compliance with the Privacy Shield Principles or false claims of participation. The third review of the EU-U.S. Privacy Shield will assess the effectiveness of these methods.
  • Privacy Shield enforcement measures: The FTC has committed to proactive monitoring of the certified companies’ compliance with the Privacy Shield principles. Accordingly, the FTC has issued administrative subpoenas to request information from a number of Privacy Shield participants. The Commission concluded that developments in this area should be closely monitored.
  • Cooperation between authorities: The Department of Commerce and the European Data Protection Authorities have cooperated to develop guidance on Privacy Shield principles. The Commission welcomes and encourages this cooperation, including, when appropriate, the participation of the Federal Trade Commission, as clarification of various concepts is still needed. (The notion of Human Resources data, for example, is understood differently by different authorities).
  • The appointment of a Privacy Shield ombudsman on a permanent basis: Despite last year’s recommendation, a permanent Privacy Shield ombudsman has yet to be appointed. The Commission reiterates its call and expects that the U.S. government will fill the position by February 28, 2019. If this is not done, the Commission will adopt the necessary measures in accordance with the GDPR.
  • Effectiveness of how the ombudsman deals with complaints: The ombudsman has not yet received any requests. The Commission intends to monitor how complaints will be handled and resolved.

Commission’s next steps

The Commission will monitor the developments and expects to receive information with regard to concerns noted above in order to control the effectiveness of the measures adopted. The Commission also intends to follow the ongoing developments in the U.S. legal framework. In this respect, the Commission encourages the U.S. to adopt a comprehensive legal framework with regard to privacy and data protection and to ratify the Council of Europe’s Convention 108.

A detailed analysis of each aspects of the Privacy Shield framework reviewed after this second year can be found in the Commission Staff Working Document from the Commission to the European Parliament and the Council On The Second Annual Review Of The Functioning Of The EU-U.S. Privacy Shield.