On October 18, 2017, the EU Commission released its report of the first annual review of the EU-U.S. Privacy Shield framework. The Privacy Shield is the successor to the Safe Harbor Agreement, which was invalidated by the Court of Justice of the European Union in October 2015.
Under EU data privacy law, transfers of personal data outside of the European Economic Area (EEA) are prohibited unless the destination territory provides an “adequate” level of data protection. As summarized in our previous alert, the Privacy Shield is a key mechanism to ensure such protection.
The Privacy Shield: Design and Intent
The Privacy Shield, which became operational on August 1, 2016, was designed to provide stronger protection for EU citizens’ personal data transferred to the U.S. To achieve its objective, the Privacy Shield imposed a number of new elements not found in the previous Safe Harbor, including:
- Stricter privacy obligations on certified companies, e.g. limitations on data retention and new conditions on data transfers to third parties.
- New written assurances by the U.S. government, e.g. promises to follow clear limitations, safeguards and oversight mechanisms when accessing personal data for national security and law enforcement purposes.
- Opportunities for EU individuals to obtain redress, including via an Ombudsperson to address improper data access by national security agencies.
- Stronger monitoring and enforcement by the U.S. Department of Commerce (DoC) and Federal Trade Commission (FTC).
- Increased cooperation between the U.S. and European Data Protection Authorities.
Progress Report: Key Findings in the Annual Review
As part of increased cooperation, the EU and U.S. agreed to annually review all functions of the Privacy Shield. This first Report generally concluded that the Privacy Shield continues to ensure adequate protection for personal data transferred from the EU to organisations in the U.S. The Commission found that the Privacy Shield self-certification process for companies is working in a satisfactory manner and that U.S. authorities have put in place appropriate complaint-handling and enforcement mechanisms to protect individuals’ rights. The Commission also highlighted the progress on the protection of personal data from public authorities, notably brought forward by U.S. Presidential Policy Directive 28, which sets out limitations and safeguards on the use of personal data by national security authorities, regardless of the individual’s nationality.
To ensure the continued satisfactory operation of the Privacy Shield, the Commission made a number of recommendations, including:
- More thorough oversight of companies making public representations about their Privacy Shield certification before DoC has finalized the certification.
- Proactive and regular searches for false claims of Privacy Shield certification by DoC.
- More regular Privacy Shield Principles compliance checks on companies by DoC.
- The appointment of a Privacy Shield Ombudsperson as soon as possible.
- Enhanced cooperation on enforcement between DoC and European Data Protection Authorities.
Implications for U.S. Businesses
The Report should reassure many U.S. businesses that feared the Privacy Shield, like Safe Harbor, would not stand up to legal and regulatory scrutiny. While Privacy Shield is not beyond challenge, the report is encouraging both for companies which have already certified and those which have been holding back to see how it works in practice.
However, the Report stresses that Privacy Shield certification cannot be a one-time-only exercise resulting in “a document lying in a drawer.” Certified U.S. companies can expect regular scrutiny and follow-up enforcement actions if their public representations do not reflect their actual privacy practices or if their practices fall short of regulatory requirements.