In its third annual review, the European Union gave the EU-U.S. Privacy Shield a passing grade and noted that “the U.S. continues to ensure an adequate level of protection for personal data.”
The Privacy Shield—the agreement between the U.S. and the EU established in 2016 to regulate the transatlantic transfer of data—was intended to enhance the protection of personal data when it is transferred to the United States as compared with the previous iteration of the agreement, the Safe Harbor, which the EU’s highest court struck down in 2015.
In the first annual review, the Commission to the European Parliament (the Commission) made several recommendations to improve the practical functioning of the framework. The second annual review confirmed the adequacy finding but reiterated that improvements were still necessary.
For the third annual review, the Commission noted that with more than 5,000 participating companies—more than the number of Safe Harbor participants in that program’s entire 15-year existence—the Privacy Shield “has moved from the inception phase to a more operational phase.”
The report highlighted the progress made by the Department of Commerce on the recertification process, the effectiveness of the mechanisms introduced to proactively monitor compliance by certified companies (referred to as “spot checks”), the tools introduced to detect false claims, the progress and outcome of Federal Trade Commission (FTC) enforcement actions regarding violations of the Privacy Shield, and the developments concerning the guidance on human resources data.
Some concerns remain, however. For example, the Department of Commerce grants entities a grace period of more than three months to complete the recertification process, a length of time the Commission frowned upon.
“[S]uch a long period in which a company’s re-certification due date has lapsed while the company continues to be listed as active Privacy Shield participant reduces the transparency and readability of the Privacy Shield list for both businesses and individuals in the EU,” according to the report. “It also does not incentivize participating companies to rigorously comply with the annual re-certification requirement.”
The report also welcomed the spot checks conducted by the Department of Commerce but noted that they were limited to “formal requirements,” suggesting the checks be broadened to cover substantive obligations as well.
As for the FTC enforcement actions, all seven concerned false claims of participation in the framework and “the Commission would have expected a more vigorous approach regarding enforcement action on substantive violations of Privacy Shield Principles,” the report noted.
Why it matters: The Privacy Shield passed inspection, although the Commission suggested that “concrete steps” be taken to ensure effective functioning, such as shortening the grace period for recertification and assessing companies for compliances with the Privacy Shield Principles (and not just false claims about participation). The report also noted that the Commission continues to closely follow the ongoing debate about federal private legislation in the United States. “A comprehensive approach to privacy and data protection would increase the convergence between the EU and the U.S. systems and this would strengthen the foundations on which the Privacy Shield framework has been developed.”