On 12 July 2016, the European Commission issued its adequacy decision concerning the Privacy Shield framework for the transfer of personal data from the EU to the U.S. The Privacy Shield formally entered in operation on 1 August 2016 and to date, more than 5,000 companies have been certified and are committed to comply with the data protection requirements. This covers most U.S. for-profit businesses, but excludes a number of banks, financial services companies, telecoms, and other businesses that are not subject to the jurisdiction of the Federal Trade Commission or Department of Transportation.
The EU-US Privacy Shield is reviewed on a yearly basis, to assess that it continues to ensure an adequate level of protection of personal data. The third annual joint review of the EU-U.S. Privacy Shield took place on 12 and 13 September 2019.
The reports on the first and second reviews can be found here. While the reviews on each occasion found that Privacy Shield continued to provide an adequate level of protection for data transferred from the EU to the U.S., on both occasions a number of recommendations were made with the aim of improving the functioning of the Privacy Shield.
Main Findings of the Third Annual Review
The third review again finds that Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU to participating companies in the U.S. Both the commercial and access to data aspects of the functioning of Privacy Shield were examined. On the commercial side, the report welcomes measures which increase the proactive enforcement of the agreement as well as action taken by the Federal Trade Commission, but notes some gaps. For example, companies tend to be awarded a grace period when they renew their certification and there is no action currently being taken to identify companies which have never applied for certification and yet claim that they are certified. The report recommends that steps be taken to address these shortcomings.
In terms of the access to and use of personal data by U.S. public authorities, the report welcomes the appointment of a permanent Privacy Shield Ombudsperson and the confirmations of two additional members to the Privacy and Civil Liberties Oversight Board. Though it was declared inadmissible, the first complaint has been processed by the Ombudsperson, and the Board has doubled its staff and embarked on ten ongoing oversight projects.
The report also notes that federal privacy legislation which takes a comprehensive approach to privacy and data protection would increase the convergence between the EU and U.S. systems, which would further strengthen the foundations on which the Privacy Shield framework has been developed.
What is Next?
Despite the overwhelmingly positive conclusions of the report, the validity of the European Commission’s original adequacy decision on Privacy Shield is currently subject to legal challenge before the Court of Justice of the European Union (CJEU) by the French activist organisation La Quadrature du Net. The progress of that case has, however, been halted until judgment has been given in a different case known as Schrems II. That case concerns the validity of European Commission’s Standard Contractual Clauses (SCCs) rather than the Privacy Shield, but the outcome could have implications for the Privacy Shield if the CJEU finds that the current controls on government access to data in the U.S. are not sufficient to meet the standards of European law.
The CJEU judgment is expected in early 2020, but the European Commission’s report is helpful in providing a degree of certainty about the future of the Privacy Shield.
Authored by Paula Garcia and Elizabeth Campion (Knowledge Paralegal)