The EU Commission concluded its third annual review of the EU-U.S. Privacy Shield and found that it continues to provide an adequate level of protection for EU personal data. The program was created as a mechanism to facilitate transfers of personal data from the EU to the US. It is reviewed annually by the EU Commission, as we have discussed in prior posts. That body did express concern with some parts of the program. This included a fear that US Department of Commerce’s monthly pro-active checks of companies may be too surface level, and did not necessarily include review of the companies’ privacy provisions in vendor contracts.

Als of concern for the EU Commission was the focus -when trying to identify companies who falsely claimed to participate in the program- only on companies who had previously applied for certification. Instead, the Commission expressed, it would like to see all companies included in scope. The Commission also expressed its belief that there should have been more companies examined overall. Finally, the Commission recommended that the US Department of Commerce (that administers the program in the US), the FTC (which enforces compliance in the US), and the EU Data Protection Authorities work together more closely.

Putting it Into Practice: The Privacy Shield survived another review intact, however pending litigation in the EU may cause the program to be examined again prior to the next annual review. With this in mind, companies should keep in mind that it is only one of several potential avenues for the transfer of personal information between the EU and the US. For participants, we will be monitoring to see if the EU’s encouragement of increased enforcement plays out with actions from the Department of Commerce and the FTC.