On October 18, 2017, the EU Commission (“Commission”) published its report and other working documents (“Report”) on its first annual review of the EU-US Privacy Shield Framework (“Privacy Shield”). The Report summarizes that the Privacy Shield “works but implementation can be improved.”
The Privacy Shield has been quite popular as a means to ensure the legality of data transfers to recipients in the US, and, so far, more than 2,400 US companies have certified.
In the Report, the Commission takes the view that, overall, the Privacy Shield continues to ensure an adequate level of protection for personal data that is transferred from the EU to the US. It also indicates that US authorities have set up the necessary structures and procedures, such as new redress possibilities for EU individuals, to ensure the correct functioning of the Privacy Shield. The Report also states that complaint-handling and enforcement procedures have been established and cooperation with the European data protection authorities has been properly established.
The Report provides several recommendations to help ensure the continued proper functioning of the Privacy Shield, including the following:
- The US Department of Commerce (“Department”) should conduct more proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations. The Department should also conduct regular searches of companies making false claims about their participation in the Privacy Shield.
- There should be awareness-raising for EU individuals about how they can exercise their rights under the Privacy Shield, particularly on how to lodge complaints.
- A permanent Privacy Shield Ombudsperson should be appointed as soon as possible, and the empty posts on the Privacy and Civil Liberties Oversight Board should be filled.
- The relevant Privacy Shield enforcers, including the Department, the Federal Trade Commission and the EU data protection authorities, should cooperate more closely and develop guidance on the legal interpretation of certain concepts in the Privacy Shield (e.g. with regard to the principle of accountability for onward transfers and the definition of human resources data).
- As Section 702 of the US Foreign Intelligence Surveillance Act is set to expire in December 2017, the Commission recommends that the US Congress enshrine the protection for non-Americans offered by Presidential Policy Directive 28 in further reform proposals.
The Commission will work with US authorities to implement its recommendations in the coming months and will continue to closely monitor the functioning of the Privacy Shield Framework. Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, stated: “Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation. The Privacy Shield is not a document lying in a drawer. It’s a living arrangement that both the EU and US must actively monitor to ensure we keep guard over our high data protection standards.”
We keep in mind, of course, that as with any new endeavor, there are bound to be a few “hiccups” along the way for the transfers of personal data outside the European Union and the European Economic Area. Currently, one such drawback is that the Privacy Shield is under legal review regarding the adequate protection of the privacy rights of EU citizens. This “action for annulment” was launched by the privacy advocacy group “Digital Rights Ireland” (case number T-670/16) in hopes of invalidating the Commission’s Adequacy Decision, which approved and adopted the Privacy Shield. For good measure, the Irish High Court recently ruled that questions relating to European Commission decisions regarding standard contractual clauses should be referred to the Court of Justice of the European Union for a preliminary ruling. It is inevitable that this will raise fundamental issues regarding the current EU legal system for legitimizing transfers of personal data.