The European Union Commission (Commission) has issued a report on its findings from the third annual Privacy Shield review, which took place in September. In its report, the Commission confirmed that the EU-US Privacy Shield framework continues to ensure an adequate level of protection for personal data transferred from the EU to companies participating in the Privacy Shield program in the United States. In concluding its report, the Commission provided additional action items necessary to ensure the continued functioning of Privacy Shield, including time limits for re-certifications and encouraging US authorities to expand their substantive review of Privacy Shield compliance spot-checks.
By way of brief background, the EU General Data Protection Regulation (GDPR) restricts the transfer of personal data to third countries unless such countries provide an adequate level of protection for personal data or an exception/derogation applies. The Commission may determine that a third country ensures an adequate level of protection by its domestic law or international commitments on data protection. On July 12, 2016, the Commission adopted a decision finding Privacy Shield ensures an adequate level of protection for personal data transferred from the EU to companies participating in the Privacy Shield program in the US (1). The Commission’s 2016 adequacy decision also requires an annual review of Privacy Shield to evaluate the functioning of the framework. Currently, over 5,000 companies participate in the Privacy Shield program.
A press statement from the Commission on the third annual review noted that, “the review focused on the lessons learnt from [Privacy Shield’s] practical implementation and day-to-day functionality.” Participating in the review were US government departments overseeing enforcement of Privacy Shield, including the US Department of Commerce (Commerce), the US Federal Trade Commission (FTC), and newly appointed Privacy Shield Ombudsperson, Keith Krach.
In concluding that Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU, the Commission noted the following next step action items to ensure the continued functioning of Privacy Shield:
- Re-certification. To increase the transparency and reliability of the Privacy Shield list for both businesses and individuals, grace periods for companies that have not completed their re-certifications should be limited to 30 days. If these companies have not completed their re-certification at the end of this period, Commerce should send them a warning letter.
- Spot-checking. In April 2019, Commerce introduced a system for checking 30 companies per month for Privacy Shield violations. While the Commission encourages such compliance checks, the review found that Commerce’s spot-checks focused on formal requirements, such as unresponsive points of contact at companies participating in the program or inaccessibility to the companies’ privacy policy. As a next step, the Commission encourages Commerce to review more substantive obligations, including the Accountability for Onward Transfers Principles, which would require Privacy Shield companies to produce their data sharing agreements.
- False claims. Commerce should expand its quarterly reviews for false Privacy Shield claims to include companies that have never applied for Privacy Shield.
- Human Resource Data Guidance. In the coming months, the EU Data Protection Authorities, Commerce and the FTC should develop guidance on the definition and treatment of human resources data.
- Authority sharing. The EU and US authorities should find ways to share meaningful information on ongoing investigations.
While the Commission’s report confirms that Privacy Shield continues to provide adequate protection for EU to US personal data transfers, an ongoing matter before the Court of Justice of the European Union raises questions regarding the validity of Privacy Shield (2). The Commission’s report does not address its position on this case, however, the Commission notes it will reassess Privacy Shield once the Court issues its judgement. For now, companies currently participating in the Privacy Shield or applying to the program should continue to evaluate and document their capabilities of meeting the Privacy Shield’s obligations.
_______________________________________________________________________________________
1 Adequacy decisions made prior to the new EU General Data Protection Regulation remain in force unless a Commission decision decides otherwise.
2 C-311/18, Data Protection Commissioner v Facebook Ireland Limited, Maximilliam Schrems.
