Out-Law News | 19 Oct 2017 | 1:36 pm | 2 min. read
The Commission concluded that the Privacy Shield, which enables US businesses that self-certify to a number of privacy principles to transfer personal data from the EU to the US in line with the requirements of EU data protection law, "continues to ensure an adequate level of protection for the personal data transferred".
More than 2,500 businesses have self-certified with the US Department of Commerce (DoC) under the framework since it became operational in August 2016.
Despite endorsing the Privacy Shield in its report on the first annual review, which EU and US officials conducted jointly in September, the Commission made a number of recommendations to improve the way the framework functions.
The Commission said that US businesses "should not be able to publicly refer to their Privacy Shield certification before the certification is finalised by the DoC" and called on the DoC to be more "proactive" in searching for false claims of participation in the Privacy Shield by businesses.
The DoC should also conduct "regular checks" of whether businesses self-certified under the Privacy Shield are complying with the framework's privacy principles, the Commission said.
"Compliance checks could for example take the form of compliance review questionnaires sent to a representative sample of certified companies on a specific 'thematic' issue (e.g. onward transfers, data retention), or the DoC could systematically request to be provided with the annual compliance reports (which can be either a self-assessment or an outside compliance review) of certified companies seeking to be re-certified," the Commission said in its report.
EU data protection authorities and US authorities were also advised to work together to "develop guidance on the interpretation of certain concepts in the Privacy Shield that need further clarification". The Commission also called on US lawmakers to strengthen privacy protections in US surveillance laws and appoint a permanent ombudsperson to handle complaints relating to the accessing of EU citizens' personal data by US intelligence agencies, in line with the requirements set out in the Privacy Shield agreement.
Věra Jourová, EU justice commissioner, said: "Transatlantic data transfers are essential for our economy, but the fundamental right to data protection must be ensured also when personal data leaves the EU. Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation. The Privacy Shield is not a document lying in a drawer. It's a living arrangement that both the EU and US must actively monitor to ensure we keep guard over our high data protection standards."
US secretary of commerce, Wilbur Ross, welcomed the Commission's report.
"We have worked closely with our partners across the EU during the past year as we implemented the Privacy Shield program," Ross said. "That cooperative approach led to a stronger program and a successful first annual review held in late September. We look forward to continuing to work together with our colleagues on the European Commission and across all of the EU member states as we continually strive to ensure that the Privacy Shield program serves all stakeholders well."
In a statement, the Article 29 Working Party, a committee made up of representatives from data protection authorities from across the EU, said that although it was consulted on the contents of the Commission's report, it would conduct its own analysis of the conclusions reached and publish its own report in November.
The Working Party has previously raised concerns about aspects of the Privacy Shield, including in relation to protections against bulk processing of EU citizens' data by US authorities and the independence of the Privacy Shield ombudsperson.
A motion put forward by MEPs earlier this year cited concerns with the Privacy Shield, including how the scheme addresses US bulk surveillance powers and accounts for judicial redress for EU citizens in the US. It also highlighted concerns about limitations on the rights of data subjects and inconsistencies in wording compared with EU data protection law.
The Privacy Shield has also drawn criticism from privacy campaigners and is the subject of legal challenges.