On 23 October, the European Commission published its report on the third annual review of the functioning of the EU-US Privacy Shield. This report has confirmed that the United States guarantees, for the third consecutive year, an adequate degree of protection of personal data transferred from the EU to participating US companies under the Privacy Shield.
According to the Commissioner for Justice, Věra Jourová,
“With around 5,000 participating companies, the Privacy Shield has become a success story. The annual review is an important health check for its functioning. We will continue the digital diplomacy dialogue with our US counterparts to make the Shield stronger, including when it comes to oversight, enforcement and, in a longer-term, to increase convergence of our systems.”
In the Shield’s third year of operation, the review has focused on the lessons drawn from its practical application and day-to-day functioning. Among the improvements, it should be highlighted that the United States Department of Commerce now ensures the necessary supervision in a more systematic way, thanks to monthly checks carried out on a sample of companies to verify their compliance with the principles of the Privacy Shield.
In addition, appointments have been made to the main supervisory and review bodies, such as the permanent role of Privacy Shield Ombudsperson. The last two vacancies on the Privacy and Civil Liberties Oversight Board have also been filled, making this the first time the Board has been fully staffed since 2016.
Even though the improvements have received a good assessment, the Commission recommends that certain specific measures be taken to ensure improved performance from the EU-US Privacy Shield. They are as follows:
- Continue strengthening the process of re-certification for companies wishing to participate by reducing the duration of the re-certification process.
- Expand conformity controls, such as those relating to false claims of participation in the framework.
- Develop additional guidelines for companies related to human resources data.
Background
The European Union and the United States maintain strong commercial ties. Transfers of personal data constitute an important and necessary part of the transatlantic relationship, particularly in today’s global digital economy.
It is in the context of these operations that the Privacy Shield between the EU and the US exists. The Privacy Shield allows personal data to be transferred from a company in the EU to a company in the US only if the latter processes personal data in accordance with a series of well-defined protection and safeguard rules. The protection conferred on personal data applies regardless of whether or not the user is a citizen of the European Union.
The EU-US Privacy Shield decision was adopted on 12 July 2016 with the Privacy Shield framework becoming operational on 1 August 2016. This framework protects the fundamental rights of any person in the EU whose personal data is transferred to certified companies in the United States for commercial purposes and provides legal clarity for companies that rely on transatlantic data transfers.
The Commission committed itself to examining the EU-US Privacy Shield every year in order to assess whether it still guarantees an adequate level of protection of personal data. The first and second annual reviews were held in September 2017 and October 2018, respectively.