The EU-US Privacy Shield (Privacy Shield) has passed its third annual review by the European Commission. A framework constructed by the US Department of Commerce and the European Commission to enable transfers of personal data for commercial purposes, the Privacy Shield enables companies from the EU and the US to comply with data protection requirements when transferring personal data from the EU to the US.

The Privacy Shield was approved by the European Commission on 12 July 2016, and was subject to annual reviews to try to avoid the failures that resulted in the downfall of the Safe Harbor Principles, which it replaced. The reviews evaluate all aspects of the functioning of the Privacy Shield framework.

The European Commission published its report and staff working document on the Third Annual Review on the functioning of the EU-US Privacy Shield (COM(2019) 495 final), which confirmed that the US continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to the US. Points to note from the report include the following:

  • There are approximately 5000 participating US companies, which is a significant increase in participant numbers since 2018.
  • Steps taken by the US authorities to implement recommendations made by the European Commission in the second annual review have improved the functioning of the Privacy Shield in practice.
  • The Schrems II case (challenging the adequacy of the framework) before the Court of Justice of the European Union (ECJ) was taken into account in the annual review with clarification obtained on aspects of the framework governing the collection of foreign intelligence information. The Privacy Shield framework may have to be reassessed once the ECJ makes its determination in this case. The Schrems I case resulted in the ECJ declaring the Safe Harbor Principles null and void.
  • It was noted that the lengthy grace and detection periods, which enabled companies to remain on the Privacy Shield “active list” after the re-certification due date had lapsed, reduced the transparency and readability of the Privacy Shield list for both businesses and individuals in the EU.
  • While the European Commission welcomed proactive spot checks carried out by the Department of Commerce under a system introduced in April 2019 to check compliance with the framework, it noted that such checks were limited in scope and did not check compliance with substantive obligations, especially onward transfer of personal data.
  • It was noted that the Department of Commerce’s quarterly searches had successfully detected a significant number of companies which were previously part of the framework but had not re-certified and were making false claims of participation in the Privacy Shield. However, it was also noted that searches needed to be widened to detect companies which had never applied to participate in the Privacy Shield but were making false claims of participation. The European Commission noted that the Federal Trade Commission had concluded seven enforcement actions in relation to breaches of the framework.
  • The redress mechanism under the framework for EU data subjects was functioning well.
  • The appointment of Mr. Krach as Privacy Shield Ombudsperson, which ensures that the position is filled on a permanent basis, was welcomed by the European Commission.
  • The European Commission called for meaningful disclosure of enforcement activity by US authorities.