The Privacy Shield enables US businesses that self-certify to a number of privacy principles to transfer personal data from the EU to the US in line with the requirements of EU data protection law. The Privacy Shield has been operational since August 2016.
The Privacy Shield replaced the Safe Harbour scheme which previously helped facilitate EU-US data transfers until that framework was effectively invalidated by the Court of Justice of the EU (CJEU) in 2015.
The European Commission, via a so-called adequacy decision, has deemed that EU-US data transfers handled in line with the Privacy Shield's requirements comply with EU data protection laws. However, the Privacy Shield has met with criticism, including from MEPs, privacy rights activists and data protection authorities in Europe.
Last autumn, the European Commission endorsed the Privacy Shield following the first annual review of the framework. However, in December 2017 EU data protection authorities acting together under the Article 29 Working Party – a body now replaced by the European Data Protection Board – gave the US government until 25 May this year to address its "prioritised concerns" about the framework.
Specifically, the watchdogs said the US must appoint a permanent ombudsperson to handle complaints relating to the accessing of EU citizens' personal data by US intelligence agencies, in line with the requirements set out in the Privacy Shield agreement, and further explain and declassify "the rules of procedure" that apply. The Working Party also said members of another oversight body, the US Privacy and Civil Liberties Oversight Board, should also be appointed by the same date.
In a statement, the European Commission explained what the second annual review, which will take place over two days, will look at.
It said: "The review will focus on the commercial aspects on the first day, notably on questions related to the oversight and enforcement of the Shield. The second day will cover developments concerning the collection of personal data by US authorities for purposes of law enforcement or national security. Following these two days, the European Commission will then analyse the information gathered and publish its conclusions in a report end of November."
Data protection law expert Rif Kapadi of Pinsent Masons, the law firm behind Out-Law.com, said: "Together with the ongoing litigation in relation to standard contractual clauses (SCC), the uncertainty around international data transfer solutions, sadly for business, continues. Despite all the attention, the Privacy Shield remains and given the procedural and timetable hurdles ahead in relation to the SCC litigation, it seems most unlikely that these current solutions will be invalidated any time soon. This provides a degree of interim breathing space, but there is no doubt this topic will continue to generate news which is worthy of close attention, well into 2019."