On October 23, 2019 the European Commission published its report on the third annual review of the functioning of the EU-U.S. Privacy Shield. The report confirms that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to participating companies in the U.S. Since the second annual review, there have been a number of improvements in the functioning of the framework, as well as appointments to key oversight and redress bodies, such as the Privacy Shield Ombudsperson. Being in the third year of the Shield's operation, the review focused on the lessons learnt from its practical implementation and day-to-day functionality. Today there are about 5,000 companies participating in this EU-U.S. data protection framework.
Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, stated: "With around 5,000 participating companies, the Privacy Shield has become a success story. The annual review is an important health check for its functioning. We will continue the digital diplomacy dialogue with our U.S. counterparts to make the Shield stronger, including when it comes to oversight, enforcement and, in a longer-term, to increase convergence of our systems.”
Among the improvements, the third review notes that the U.S. Department of Commerce is ensuring the necessary oversight in a more systematic manner by, for example, carrying out monthly checks of a sample of companies to verify compliance with Privacy Shield principles.
Enforcement action has improved with the Federal Trade Commission taking enforcement action related to the Privacy Shield in seven cases.
An increasing number of EU individuals are making use of their rights under the Privacy Shield and the relevant redress mechanisms are functioning well.
In addition to the appointment of the permanent Ombudsperson, the final two vacancies on the Privacy and Civil Liberties Oversight Board have been filled, ensuring that it is fully-staffed for the first time since 2016.
However, the Commission recommends that certain concrete steps be taken to better ensure the effective functioning of the Privacy Shield in practice. This includes further strengthening the (re)certification process for companies who want to participate by shortening the time of the (re)certification process; expanding compliance checks, including concerning false claims of participation in the framework; and developing additional guidance for companies related to human resources data. The Commission also expects the Federal Trade Commission to further step up its investigations into compliance with substantive requirements of the Privacy Shield and provide the Commission and the EU data protection authorities with information on ongoing investigations.
The EU-U.S. Privacy Shield decision was adopted on 12 July 2016 and the Privacy Shield framework became operational on 1 August 2016. It protects the fundamental rights of anyone in the EU whose personal data is transferred to certified companies in the United States for commercial purposes and brings legal clarity for businesses relying on transatlantic data transfers.
The Commission committed to reviewing the arrangement on an annual basis, to assess if it continues to ensure an adequate level of protection for personal data. The first and second annual review took place in September 2017 and October 2018, respectively.
On 12 September 2019, the Director-General for Justice, Consumers and Gender Equality, Tiina Astola, and the U.S. Secretary of Commerce, Wilbur Ross, launched the discussions for the third review of the EU-U.S. Privacy Shield (statement). The findings in this report are based on meetings with representatives of all U.S. government departments in charge of running the Privacy Shield, including the Department of Commerce, the Federal Trade Commission, the Office of the Director of National Intelligence and the Department of Justice, which took place in Washington in September 2019, as well as on input from a wide range of stakeholders, including feedback from companies and privacy NGOs. Representatives of the EU's independent data protection authorities also participated in the review. There is currently litigation pending before the Court of Justice of the European Union on EU-U.S. data transfers, which may also have an impact on the Privacy Shield. A hearing took place in July 2019 in case C-311/18 (Schrems II) and, once the Court's judgement is issued, the Commission will assess its consequences for the Privacy Shield.
For More Information
Report on the third annual review of the EU-U.S. Privacy Shield
EU-U.S. Joint Statement from the third annual review
EU-US Privacy Shield including Guide for Citizens
EU-U.S. Privacy Shield: Frequently Asked Questions