On October 23, 2019, the European Commission published its report after its third annual review on the functioning of the EU-U.S. Privacy Shield. The Privacy Shield, which became operational in August 2016, details procedures and safeguards for transatlantic data transfers from the European Union (EU) to the United States. With more than an estimated 5,000 participating companies, it is a frequently used alternative to standard contractual clauses for employers to transfer human resources data between their EU and U.S. operations.

The content of the report is based on meetings held in Washington, D.C., in September 2019 between the EU Commission and representatives of U.S. authorities involved with the Privacy Shield, including the Department of Commerce, the Federal Trade Commission, the Office of the Director of National Intelligence, the Department of Justice, and members of the Privacy and Civil Liberties Oversight Board. Its content is also based on input from Privacy Shield-certified companies, EU data protection authorities, and nongovernmental organizations active in the field of digital rights and privacy.

The report confirmed that the Privacy Shield continues to ensure an adequate level of protection for personal data. Since the last review undertaken in October 2018, the European Commission noted that there had been several improvements and steps taken to implement previous Commission recommendations. These included the appointment of a Privacy Shield ombudsman, Keith Krach, an improvement in enforcement action taken by the Federal Trade Commission, progress in relation to the adequacy of redress mechanisms that allow individuals to make use of their rights under the Privacy Shield, and more proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the Department of Commerce.

However, while there were notable improvements, employers should also take note of the recommendations for improving the functioning of the Privacy Shield highlighted within the report. These include recommendations for

  • strengthening the (re)certification process for companies that want to participate by shortening the time for (re)certification, with a suggested maximum period of 30 days;
  • expanding compliance checks, including the development of tools to detect false claims of participation in the framework;
  • an increase in investigation efforts by the Federal Trade Commission into compliance with substantive requirements of the Privacy Shield and the provision of information regarding ongoing investigations to the Commission and EU data protection authorities; and
  • the development of joint guidance between the Department of Commerce, Federal Trade Commission, and EU data protection authorities for companies in relation to human resources data.

The Commission has stated its intention to continue to closely monitor further developments concerning specific elements of the Privacy Shield framework, including the functioning of the ombudsperson mechanism, and it has welcomed a comprehensive approach to privacy and data protection in the United States to increase the cohesion between EU and U.S. systems.

Although the reconfirmation of the Privacy Shield’s adequacy provides some certainty for employers, that may only be temporary as a decision of the Court of Justice of the European Union on EU-U.S. data transfers is awaited in the so-called Schrems II case (case C-311/18), which was heard in July 2019.