Tech & Sourcing @ Morgan Lewis


The EU Commission issued its report on the third annual review of the functioning of the EU-US Privacy Shield (Privacy Shield) on October 23. The annual review and corresponding report are required of the Commission by its July 2016 adequacy decision, in which it found that the Privacy Shield ensures an adequate level of protection for personal data that has been transferred from the European Union (EU) to the United States. The goal of the review is to evaluate and publicly report on all aspects of the functioning of the Privacy Shield Framework.

Good news: The report, titled Report from the Commission to the European Parliament and the Council on the Third Annual Review of the Functioning of the EU-US Privacy Shield, finds that the United States continues to provide an adequate level of protection for EU/EEA (European Economic Area) personal data transfers. The report states that since the second annual review, the United States has made various improvements, such as appointing a permanent Privacy Shield Ombudsman.

However, the EU Commission calls for further strengthening of the Privacy Shield framework, particularly regarding enforcement. So far, the US Federal Trade Commission (FTC) has overseen just seven enforcement cases on the Privacy Shield.

The EU Commission points out that certain concrete steps should be taken, such as:

  • Further strengthening the recertification process for companies that want to participate by shortening the time of the recertification process. The report indicates that companies remain on the Privacy Shield “active” list for too long, as significant “grace periods” are granted for companies that have not yet completed the recertification process by the expiration of the (re)certification period.
  • Expanding compliance checks. The report recommends expanding the scope of the current US Department of Commerce (DOC) “spot checks” from formal requirements only (e.g., lack of response from designated points of contact or inaccessibility of a company’s privacy policy online) to also cover more substantive obligations (e.g., compliance with the Accountability for Onward Transfers Principle). The EU Commission would also like to see an expansion in the search for companies making false claims of participation in the framework, including companies that have never applied for certification.
  • Developing additional guidance for companies for human resources data. The report notes the “real added value” possible in the development of a “joint guidance” issued by the DOC, FTC, and EU Data Protection Authorities (DPAs).
  • For the FTC to share information about ongoing investigations with the EU DPAs and the EU Commission. The report acknowledged that this can be difficult for confidentiality and political reasons, but should be possible in an aggregate and anonymous form in the spirit of cooperation among authorities on which the Privacy Shield is based.

The biggest risk for the Privacy Shield framework remains the pending proceedings at the European Court of Justice, as mentioned in the report. Access by US authorities (e.g., law enforcement and Homeland Security) to EU data remains an issue. We continue to expect a ruling on these proceedings in early 2020 and will keep you posted.