EU-U.S. Privacy Shield – One Year Review

By Maria E. Sturm

On 12 July 2016, the European Commission issued its implementing decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (Decision 2016/1250). It became necessary after the ECJ declared the Safe Harbor policy of the EU Commission concerning the USA invalid in Maximilian Schrems v Data Protection Commission (C – 362/14). The new Privacy Shield contained several alterations to its predecessor, as well as the commitment to an annual review to assess whether an adequate level of data protection is still ensured. The first annual report was published on 18 October 2017. It is based on meetings between the EU Commission and all relevant U.S. authorities, as well as on input from several stakeholders (companies, NGOs, data protection authorities of the Member States, etc.).

The review covered all aspects of the Privacy Shield. Formally, those are its implementation, administration, supervision and enforcement; with regard to its content, they are the commercial aspects as well as governmental access to personal data. So far, 2400 companies have been certified under the new Privacy Shield. This means, first, that it is used actively and, second, that the review commission had sufficient data to examine whether it works and where there are possibilities for improvement and refinement.

The U.S. authorities have introduced complaint-handling and enforcement mechanisms, as well as procedures to protect individual rights, including the Ombudsperson mechanism. Furthermore, the relevant safeguards concerning access to personal data by public authorities, namely Presidential Policy Directive 28 (PPD-28), are still in force. Therefore, the report states that, in general, the United States provides an adequate level of protection as required by the European Court of Justice. However, the Commission still made some recommendations for further improvement:

  1. Companies should not be able to publicly refer to their Privacy Shield certification before the certification is finalized by the Department of Commerce (DoC): some companies referred to their certification after their application, but before the process had been finalized. This discrepancy can lead to incorrect public information and can undermine the Shield’s credibility.
  2. The DoC should search proactively and regularly for false claims: this refers to companies that initiated, but never completed, the certification process, as well as to companies that never applied for a certification but still publicly suggest they comply with the requirements.
  3. The DoC should monitor compliance with the Privacy Shield Principles continuously: this could be done e.g. via compliance review questionnaires and/or annual compliance reports (either self-assessment or outside compliance review). The results could be used as a starting point for follow-up action in case particular deficiencies are detected.
  4. The DoC and the Data Protection Authorities (DPAs) should further strengthen awareness raising: in particular, EU citizens should receive information about their rights and how to lodge complaints.
  5. The DoC, the DPAs and the Federal Trade Commission (FTC) should improve their cooperation: more intensive cooperation between all involved authorities on both sides of the Atlantic can help to implement and enforce the Shield.
  6. The protections of PPD-28 should be enshrined in the Foreign Intelligence Surveillance Act: this could ensure stability and continuity with regard to the protections of non-US persons.
  7. The Privacy Shield Ombudsperson should be appointed as soon as possible: although the Ombudsperson mechanism already works, the Ombudsperson has still not been appointed. This should be done as soon as possible to complete this tool.
  8. The Privacy and Civil Liberties Oversight Board (PCLOB) members should be appointed swiftly: here the same argument applies as in point 7. The board itself has already started its work, but it is not fully staffed and therefore not as effective as it could be.
  9. Reports should be released promptly and publicly: the U.S. administration should publicly release the PCLOB’s report on the implementation of PPD-28, given its relevance. In addition, the U.S. authorities should provide the Commission with comprehensive reports on recent relevant developments.

Furthermore, on behalf of the Commission, a study on automated decision-making will take place to collect further information and assess the relevance of automated decision-making for transfers carried out on the basis of the Privacy Shield.

After just one year, one could not expect everything to work perfectly, but the report gives an optimistic evaluation. Thus, with some further refinement, it seems that the United States and the EU have found a helpful and viable tool that balances the companies’ and the government’s need for data with the individuals’ right to protect their data from unauthorized access.