On October 18, 2017, the EU Commission ("Commission")
published its report and other working
documents ("Report") on its first annual review of
the EU-US Privacy Shield Framework ("Privacy Shield").
The Report summarizes that the Privacy Shield "works but
implementation can be improved."
The Privacy Shield has been quite popular as a means to ensure the
legality of data transfers to recipients in the US, and, so far,
more than 2,400 US companies have certified.
In the Report, the Commission takes the view that, overall, the
Privacy Shield continues to ensure an adequate level of protection
for personal data that is transferred from the EU to the US. It
also indicates that US authorities have set up the necessary
structures and procedures, such as new redress possibilities for EU
individuals, to ensure the correct functioning of the Privacy
Shield. The Report also states that complaint-handling and
enforcement procedures have been established and cooperation with
the European data protection authorities has been properly
established.
The Report provides several recommendations to help ensure the
continued proper functioning of the Privacy Shield, including the
following:
- The US Department of Commerce ("Department") should conduct more proactive and regular monitoring of companies' compliance with their Privacy Shield obligations. The Department should also conduct regular searches of companies making false claims about their participation in the Privacy Shield.
- There should be awareness-raising for EU individuals about how they can exercise their rights under the Privacy Shield, particularly on how to lodge complaints.
- A permanent Privacy Shield Ombudsperson should be appointed as soon as possible, and the empty posts on the Privacy and Civil Liberties Oversight Board should be filled.
- The relevant Privacy Shield enforcers, including the Department, the Federal Trade Commission and the EU data protection authorities, should cooperate more closely and develop guidance on the legal interpretation of certain concepts in the Privacy Shield (e.g. with regard to the principle of accountability for onward transfers and the definition of human resources data).
- As Section 702 of the US Foreign Intelligence Surveillance Act is set to expire in December 2017, the Commission recommends that the US Congress enshrine the protection for non-Americans offered by Presidential Policy Directive 28 in further reform proposals.
The Commission will work with US authorities to implement its
recommendations in the coming months and will continue to closely
monitor the functioning of the Privacy Shield Framework. Věra
Jourová, Commissioner for Justice, Consumers and Gender
Equality, stated: "Our first review shows that the Privacy
Shield works well, but there is some room for improving its
implementation. The Privacy Shield is not a document lying in a
drawer. It's a living arrangement that both the EU and US must
actively monitor to ensure we keep guard over our high data
protection standards."
We keep in mind, of course, that as with any new endeavor, there
are bound to be a few "hiccups" along the way for the
transfers of personal data outside the European Union and the
European Economic Area. Currently one such drawback is that the
Privacy Shield is under legal review regarding the adequate
protection of the privacy rights of EU citizens. This "action
for annulment" was launched by the privacy advocacy group
"Digital Rights Ireland" (case number T-670/16) in hopes of
invalidating the Commission's Adequacy Decision, which approved
and adopted the Privacy Shield. For good measure, the Irish High
Court recently ruled that questions relating to European Commission
decisions regarding standard contractual clauses should be referred
to the Court of Justice of the European Union for a preliminary
ruling. It is inevitable that this will raise fundamental issues
regarding the current EU legal system for legitimizing transfers of
personal data.