EU-US Privacy Shield 'continues to improve': Commission

In its third annual review of the EU-US Privacy Shield, the Commission said the framework is functioning well and that the US continues to ensure an “adequate level” of protection for personal data transferred from the EU to participating businesses on the other side of the Atlantic.

However, the Commission recommended that a number of “concrete steps” should be taken to better ensure the effective functioning of the Privacy Shield. These included US agencies reducing the time the certification and recertification process for participating businesses takes, and expanding their compliance checks, including into false claims of participation in the framework. Further  guidance for companies related to human resources data was also recommended.

In the review (10 page / 433KB PDF) the Commission said it also expected the US Federal Trade Commission (FTC) to increase its investigations into compliance with substantive requirements of the Privacy Shield, and provide the Commission and EU data protection authorities with information on ongoing investigations. However, it said the FTC had taken enforcement action related to the Privacy Shield in seven cases.

The Commission said an increasing number of EU individuals were making use of their rights under the Privacy Shield and the relevant redress mechanisms were functioning well.

The EU added that there have been a number of improvements in the functioning of the framework since the second annual review was published last year, including the appointment of Keith Krach as the Privacy Shield ombudsperson.

The review also found that the US Department of Commerce is also carrying out monthly checks of a sample of companies to verify compliance with Privacy Shield principles.

The third review focused on the lessons learned from the Privacy Shield’s implementation, and its day-to-day functionality.

EU justice commissioner Věra Jourová said: “With around 5,000 participating companies, the Privacy Shield has become a success story. The annual review is an important health check for its functioning. We will continue the digital diplomacy dialogue with our US counterparts to make the Shield stronger, including when it comes to oversight, enforcement and, in a longer-term, to increase convergence of our systems.”

The EU-US Privacy Shield became operational in August 2016. It replaced the Safe Harbour scheme which previously helped facilitate EU-US data transfers until that framework was effectively invalidated by the Court of Justice of the EU (CJEU) in 2015.