In a positive development for companies relying on transatlantic data transfers, the European Commission (the Commission) recently announced that one year into the program, the EU-US Privacy Shield framework is functioning as intended.
The Privacy Shield is a framework between the United States and the European Union (and, separately, between the United States and Switzerland) that provides for the protection of personal data transferred from the European Union to the United States for commercial purposes. The Privacy Shield was born of the Schrems case, in which the European Court of Justice invalidated the prior Safe Harbor framework that had been designed to protect personal data transferred from the European Union to the United States.
For companies that are Privacy Shield certified, the framework imposes obligations on the protection of personal data transferred from the European Union, including strict obligations regarding the retention and sharing of such personal data. As part of the program, the Commission committed to conducting an annual review of its original decision that the Privacy Shield ensures an adequate level of protection for personal data that is transferred from the European Union to the United States.
The Commission’s Annual Review
On October 18, the Commission released its first annual report on the functioning of the EU-US Privacy Shield framework. The Commission stated that it focused on verifying that Privacy Shield mechanisms have been implemented as planned and confirming that US authorities met their commitments regarding the administration and supervision of the Privacy Shield.
Overall, the Commission found that “U.S. authorities have put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield” and that the United States “continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield” from the European Union to companies in the United States. The Commission did, however, provide ten recommendations on how to further improve the practical implementation of the Privacy Shield. Most notably for the commercial aspects of the Privacy Shield, the Commission recommended that the US Department of Commerce conduct compliance checks on a regular basis, which may include questionnaires or annual compliance reports from certified companies. The Commission also recommended that the US Department of Commerce and EU Data Protection Authorities collaborate to develop legal interpretation guidance on Privacy Shield concepts.
Although the Privacy Shield is still in the early stages of implementation and further reports or opinions may be issued, the positive annual report from the Commission offers two key takeaways for commercial contracts involving transatlantic data transfers. First, when engaging a service provider that will be managing or processing transatlantic data flows, Privacy Shield certification should remain an important consideration during the selection process. Second, when engaging a service provider that is not Privacy Shield certified, customers should consider adding a provision to their contracts obligating the service provider to provide at least the same level of data protection as the principles of the Privacy Shield framework require. For example: “Service Provider shall provide at least the same level of privacy and security protection for personal data as is required by the relevant principles of the Privacy Shield framework, which, as of the effective date, are available at https://www.privacyshield.gov/EU-US-Framework.”