European Commission publishes 3rd report on the operation of the Privacy Shield

October 23, 2019

The European Commission has published its report on the third annual review of the functioning of the EU-US Privacy Shield. The report confirms that the US continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to participating companies in the US.

The Privacy Shield framework became operational on 1 August 2016. It aims to protect the fundamental rights of anyone in the EU whose personal data is transferred to certified companies in the United States for commercial purposes and to bring legal clarity for businesses relying on transatlantic data transfers.  The European Commission committed to reviewing the arrangement on an annual basis, to assess if it continues to ensure an adequate level of protection for personal data. The first and second annual reviews took place in September 2017 and October 2018, respectively.

Since the second annual review, the way the framework functions has improved in a number of respects, as well as appointments to key oversight and redress bodies, such as the Privacy Shield Ombudsperson. As the Shield has now been in operation for three years, the review focused on the lessons learnt from its practical implementation and day-to-day functionality. Currently, there are about 5,000 companies participating in the Shield.

The report notes that the U.S. Department of Commerce is ensuring the necessary oversight in a more systematic manner by, for example, carrying out monthly checks of a sample of companies to verify compliance with Privacy Shield principles.

Enforcement action has improved with the Federal Trade Commission taking enforcement action related to the Privacy Shield in seven cases.

An increasing number of EU individuals are making use of their rights under the Privacy Shield and according to the report, the relevant redress mechanisms are functioning well.

In addition to the appointment of the permanent Ombudsperson, the final two vacancies on the Privacy and Civil Liberties Oversight Board have been filled, ensuring that it is fully-staffed for the first time since 2016.

However, the European Commission recommends that certain concrete steps be taken to better ensure the effective functioning of the Privacy Shield in practice. This includes:

  • further strengthening the (re)certification process for companies who want to participate by shortening the time of the (re)certification process;
  • expanding compliance checks, including concerning false claims of participation in the framework; and developing additional guidance for companies related to human resources data.

The Commission also expects the Federal Trade Commission to further step up its investigations into compliance with substantive requirements of the Privacy Shield and provide the Commission and the EU data protection authorities with information on ongoing investigations.