In reviewing the first year of implementation of the European Union-United States Privacy Shield, the European Commission, in its report to the European Parliament and the Council, declared it “adequate.”
The shield—the agreement between the U.S. and the EU established in 2016 to regulate the transatlantic transfer of data—was intended to enhance the protection of personal data when transferred to the United States as compared with the previous iteration of the agreement, the Safe Harbor, which the EU’s highest court struck down in 2015.
After examining the implementation, administration, supervision and enforcement of the Privacy Shield, the commission found that it “ensures an adequate level of protection for personal data that has been transferred from the European Union to organisations in the U.S.”
Authorities in the United States put in place the “necessary structures and procedures to ensure the correct functioning” of the shield, and the certification process was “handled in an overall satisfactory manner,” with more than 2,400 companies certified so far. The commission found cooperation with EU data protection authorities had “stepped up” under the new agreement and U.S. authorities had established the complaint-handling and enforcement mechanisms and procedures intended to safeguard individual rights.
However, the commission made several recommendations to improve the functioning of the shield.
Of particular concern: false claims of participation. Some companies that applied for certification began publicly referring to their status before having their certification finalized, the commission said. “Consequently, there may be a discrepancy between information that is publicly available, and the [Department of Commerce’s (DOC)] Privacy Shield list, which does not include a company before the certification is finalised.”
This type of inconsistency creates uncertainty for EU companies and individuals, increases the risk of false claims, and undermines the credibility of the whole framework, the commission wrote. The U.S. certification process should be changed so that companies cannot publicly refer to their adherence to the framework before being included on the list, the commission suggested.
In a similar vein, the commission advised the DOC to conduct proactive and regular searches for false claims of participation in the Privacy Shield (not simply in the context of certification, but more generally with Internet searches of any company making the claim) and to monitor compliance with the Privacy Shield principles on an ongoing basis.
“Compliance checks could, for example, take the form of compliance review questionnaires sent to a representative sample of certified companies on a specific ‘thematic’ issue (e.g., onward transfers, data retention), or the DOC could systematically request to be provided with the annual compliance reports … of certified companies seeking to be recertified,” according to the report.
Other recommendations included strengthening awareness raising, improving cooperation between enforcers on both sides of the Atlantic, appointing a permanent ombudsperson, and filling the vacancies on the Privacy and Civil Liberties Oversight Board.
Acting Federal Trade Commission Chairperson Maureen K. Ohlhausen welcomed the “positive outcome” of the first annual review. “Enforcing international privacy frameworks such as the Privacy Shield is an integral part of our Privacy and Data Security program, as highlighted in three recently announced Privacy Shield enforcement actions,” she said in a statement. “We look forward to continuing to work with our European counterparts to ensure that the Privacy Shield remains a robust mechanism for protecting privacy and enabling transatlantic data flows.”
Why it matters: While the first year of implementation managed to receive an “adequate” rating, the commission had several recommendations for U.S. authorities to improve the functioning of the Privacy Shield. Most notably, the report advocates for increased vigilance with regard to false claims of certification and urges the United States to conduct compliance checks of those entities that have been certified—a potential increase in administration for those companies.