Privacy Shield Works, says EU Commission

October 17, 2017

The European Commission has published its first annual report on the functioning of the EU- US Privacy Shield, the aim of which is to protect the personal data of anyone in the EU transferred to companies in the USA for commercial purposes.

Andrus Ansip, Commission Vice-President for the Digital Single Market, said: ‘The Commission stands strongly behind the Privacy Shield arrangement with the USA. Making international data transfers sound, safe and secure benefits certified companies and European consumers and businesses, including EU SMEs. This first annual review demonstrates our commitment to create a strong certification
scheme with dynamic oversight work.

’Transatlantic data transfers are essential for our economy, but the fundamental right to data protection must be ensured also when personal data leaves the EU. Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation. The Privacy Shield is not a document lying in a drawer. It’s a living arrangement that both the EU and USA must actively monitor to ensure we keep guard over our high data protection standards.

When it launched the Privacy Shield in August 2016, the Commission committed to reviewing the Privacy Shield on an annual basis, to assess if it continues to ensure an adequate level of protection for personal data. This report is based on meetings with all relevant US authorities, which took place in Washington mid-September 2017, as well as input from a wide range of stakeholders (including reports from companies and NGOs). Independent data protection authorities from EU Member States also participated in the review

Overall the report shows that the Privacy Shield continues to ensure an adequate level of protection for the personal data transferred from the EU to participating companies in the USA. The US authorities have put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield, such as new redress possibilities for EU individuals. Complaint-handling and enforcement procedures have been set up, and cooperation with the European data protection authorities has been stepped up. The certification process is functioning well – over 2,400 companies have now been certified by the US Department of Commerce. As regards access to personal data by US public authorities for national security purposes, relevant safeguards on the US side remain in place.

The report and supporting documents can be accessed here.

Recommendations to further improve the functioning of the Privacy Shield:

The report suggests a number of recommendations to ensure the continued successful functioning of the Privacy Shield. These include:

  • More proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the US Department of Commerce. The Department of Commerce should also conduct regular searches for companies making false claims about their participation in the Privacy Shield.
  • More awareness-raising for EU individuals about
    how to exercise their rights under the Privacy Shield, notably on how to lodge complaints.
  • Closer cooperation between privacy enforcers, ie the US Department of Commerce, the Federal Trade Commission, and the EU DPAs, notably to develop guidance for companies and enforcers.
  • Enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the ongoing debate in the USA on the reauthorisation and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA).
  • To appoint as soon as possible a permanent Privacy Shield Ombudsperson, as well as ensuring the empty posts are filled on the Privacy and Civil Liberties Oversight Board (PCLOB).

Next Step

The report will be sent to the European Parliament, the Council, the Article 29 Working Party of Data Protection Authorities and to the US authorities. The Commission will work with the US authorities on the follow-up of its recommendations in the coming months. The Commission will continue to closely monitor the functioning of Privacy Shield framework, including the US authorities’ compliance with their commitments.