Today, the European Commission published its report and other materials documenting its first Annual Review of the EU-U.S. Privacy Shield. The annual review is a means for the Commission to evaluate its finding that the Privacy Shield “ensures an adequate level of protection” for personal data transferred from the EU to the U.S. Among other things, the report examines the implementation of the Privacy Shield by U.S. authorities. Overall, the EU Commission’s report concludes that “the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the Union to organizations in the United States.”

Main Findings

The Commission’s review finds the Privacy Shield to have several novel elements that address the requirements laid down by the European Court of Justice in the Schrems case. Namely, the Commission reports that “[The Privacy Shield] provides for more regular and rigorous monitoring by the Department of Commerce and significantly strengthens the possibilities for EU individuals to obtain redress.”

It cites the American Arbitration Association’s Privacy Shield Arbitration Panel and the Ombudsperson mechanism as “new additional redress avenues for EU individuals” put in place by U.S. authorities to safeguard individual rights.

It also argues that “relevant safeguards” limiting access to personal data by national security agencies have been adopted, namely, Presidential Policy Directive 28, which applies to the personal data of all individuals regardless of nationality.

Moreover, the Commission finds that the certification process, in which more than 2,400 companies have participated so far, has been “handled in an overall satisfactory manner.”

Finally, the report finds that, “Cooperation [between U.S. and] European data protection authorities has been stepped up.” Examples of this described in the Staff Working Document on the Privacy Shield Annual Review include the formation of an informal panel of DPAs that provides “binding advice to Privacy Shield companies for unresolved complaints” as well as the creation of standardized complaint and referral forms.

Recommendations

The EU Commission’s first annual review of the Privacy Shield also puts forth several recommendations for how its practical implementation can be improved.

Its first recommendation is to no longer allow companies that are awaiting designation under the Privacy Shield to publicly refer to their certification before the Department of Commerce (DoC) has finalized it and included them on the Privacy Shield list. This is intended to prevent false claims of participation and to reduce uncertainty about which organizations participate in the framework.

The Commission also recommends that the DoC regularly and proactively conduct “[Internet] searches for false claims of participation in the Privacy Shield,” which “can weaken the credibility and solidity of the system as a whole.” Alongside this, the Commission recommends that the DoC regularly monitor compliance with the Privacy Shield by using compliance review questionnaires or requesting annual compliance reports.

Bolstering awareness, particularly of how EU citizens can exercise their rights and lodge complaints under the Privacy Shield, is another recommendation made by the Commission to both the DoC and European data protection authorities. Furthermore, the Commission recommends that cooperation between the U.S. Department of Commerce (and possibly the Federal Trade Commission) and European DPAs be improved for the purpose of developing “convergence in the interpretation” of concepts and rules in the Privacy Shield, which would give businesses “greater legal certainty.” It highlights accountability for onward transfers and human resources data as examples of concepts needing more clarification.

It also recommends conducting further study on automated decision-making for transfers carried out under the Privacy Shield, and will commission a report on this subject.

As Section 702 of the U.S. Foreign Intelligence Surveillance Act is set to expire in December 2017, the Commission recommends that the U.S. Congress enshrine the protections of PPD-28 in future reform proposals.

The Commission also calls for “swift appointment” of a permanent Privacy Shield Ombudsperson to replace the Acting Ombudsperson, who is concurrently the State Department’s Under Secretary for Economic Growth, Energy, and the Environment. It also recommends swift appointment of the missing members of the Privacy and Civil Liberties Oversight Board (PCLOB), which is down from five to just one member.

Lastly, the Commission advises U.S. authorities to give it “[m]ore timely and comprehensive” information about developments relevant to the Privacy Shield, or anything that might jeopardize the protections it provides.