He made a list
He checked it twice
He was gonna find out who was naughty or nice
The EU Commission is not putting the Privacy Shield down
For certifying companies, Santa Claus has come to town
On December 19, the EU Commission ("Commission") published its report to the European Parliament and the Council on the second review of the functioning of the EU-US Privacy Shield (the "Report").
To the relief of the 3,850 US companies who have certified to the Privacy Shield, and those entities transferring personal data to them, the Commission concluded that the Privacy Shield framework ensures an adequate level of protection for personal data and, therefore, can still be used as one of the available transfer mechanisms under the General Data Protection Regulation ("GDPR"). Nonetheless, the review identified some immediate actions for the US government to take in order to continue to keep the Privacy Shield framework on secure footing.
This Legal Update focuses on the findings of the Report, its support of the Privacy Shield as a valid mechanism to transfer data and the improvements that the Commission is expecting for the mechanism to be sustained going forward.
Background: The Privacy Shield and Annual Reviews
On July 12, 2016, the Commission adopted an adequacy decision in which it found that the EU-US Privacy Shield provides an adequate level of protection for personal data that has been transferred from the EU to organizations in the United States that certified to the framework. The Privacy Shield replaced the Safe Harbor framework, which was struck down by the Court of Justice of the European Union in the Schrems case. (See our Legal Update on the adoption of the Privacy Shield framework.)
One component of the adequacy decision was an annual evaluation of the functioning of the framework by the Commission. The first annual review, which concluded in October 2017, recognized that the Privacy Shield framework offered adequate protection for personal data transferred to the United States. However, the Commission also recognized that the practical implementation of the Privacy Shield framework could be further improved, and it made 10 recommendations in that respect, mainly focused on suggestions for the US government. (See our Legal Update covering the first annual report.)
Outcome of the Second Annual Review
The second annual review took place in Brussels in October 2018. It focused on an assessment of the implementation of the recommendations from the first annual review. In its Report, the Commission noted the following areas of progress under the Privacy Shield framework (in addition to developments within the US legal system in the area of privacy):
- The US Department of Commerce has strengthened the certification process and introduced new oversight procedures;
- The US Department of Commerce has begun spot-checking and monitoring public reports about the privacy practices of Privacy Shield-certified companies in an effort to detect compliance issues;
- Enforcement activities have been launched by US authorities to monitor compliance with the Privacy Shield principles (e.g., issuance of administrative subpoenas requesting information from Privacy Shield participants); and
- Members of the Privacy and Civil Liberties Oversight Board were appointed.
Although the Commission concluded that the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield, the Commission called out the need for the US government to appoint a permanent Privacy Shield ombudsperson and is expecting such appointment to be made by February 28, 2019.
It is now up to the US government to appoint a permanent Privacy Shield ombudsperson, a position which is currently filled by someone in an acting capacity.
The findings of the second annual review will not end the Privacy Shield debate in the European Union. The EU Parliament has voiced concerns on the Privacy Shield framework; in July 2018, it adopted a resolution that called on the Commission to suspend the agreement unless the United States was fully compliant by September 1, 2018.
Even if non-binding, the EU Parliament’s resolution indicated a level of discomfort of the mechanism that the EU put in place with the US, especially when compared to other frameworks (e.g., the upcoming adequacy decision with Japan).
The question of available transfer mechanisms under the GDPR will, like a Ghost of Christmas Past, come back to haunt those organizations that cannot rely on the Privacy Shield framework; the Standard Contractual Clauses, common mechanisms for personal data transfers, are being challenged before the Court of Justice of the European Union, and the upcoming Brexit will also require organizations to revisit the way they transfer personal data from and to the United Kingdom. Christmas may have passed, but there remain personal data privacy concerns for which many companies still have to “better watch out.”