The report is generally good news for Privacy Shield participants and those considering the program—but notes several areas for improvement.
On October 18, the European Commission published its much-anticipated first annual report on the EU-US Privacy Shield. To date, 2,520 companies have participated in the Privacy Shield certification process, and many have looked to this report as an important test for the viability of the Privacy Shield overall.
The report features good news for companies already participating in or considering the Privacy Shield; the European Commission concluded that the Privacy Shield is working and confirmed that it continues to ensure an adequate level of protection for personal data transferred from the European Union to the United States.
As described in our July 2016 LawFlash, the Privacy Shield framework went into effect in August 2016, precipitated by the Safe Harbor program being invalidated by the European Commission. In order to participate in the Privacy Shield program, US-based organizations must self-certify with the US Department of Commerce and publicly commit to comply with the Privacy Shield’s requirements. These require participating organizations to
The report includes a number of positive findings about the Privacy Shield framework. For example, the European Commission found that US authorities have put in place the necessary structures and procedures to ensure the proper functioning of the Privacy Shield, including by providing new redress possibilities for EU individuals. The report specifically identifies the American Arbitration Association’s Privacy Shield Arbitration Panel and the Ombudsperson mechanism as “new additional redress avenues for EU individuals” established by US authorities to safeguard the rights of EU citizens.
Importantly, the report states that US authorities have implemented safeguards regarding government access to personal data. The European Commission is also satisfied with Privacy Shield–related complaint-handling and enforcement procedures. With respect to the Privacy Shield certification process, the European Commission found that it has been “handled in an overall satisfactory manner.”
Although the report gave the Privacy Shield good marks, it did highlight areas for improvement, notably recommending
Organizations that have waited to self-certify pending the first annual review should feel more comfortable moving forward, given the positive report and the fact that no significant changes to the Privacy Shield Principles appear forthcoming. In addition, organizations that have already self-certified do not need to do anything further (as some had feared) to comply with data transfer restrictions, given that the recommendations for improvement relate only to the way in which the Privacy Shield is enforced and to the protection of the rights of EU residents.
Together with the new EU General Data Protection Regulation (effective May 2018)—which specifically includes obligations on organizations to notify EU residents of how their personal data is transferred outside Europe and of their rights to make regulatory complaints—the European data privacy regime is robust in its protection of EU individuals and their privacy rights. The European objective, of course, is to ensure that these rights are not “watered down” on the transfer of such data to the United States.
Both US and EU authorities recognize the need to continue transatlantic data transfers, and the Privacy Shield is a primary way to do so, given that the program eliminates the need for written agreements between European exporters and non-European importers of personal data, a need that exists under the standard contractual clauses method to transfer personal data from the United States. Note, however, that the validity of these standard contractual clauses is currently being challenged in the European Court of Justice by Maximilian Schrems, the same individual whose claim invalidated the Safe Harbor framework. As such, the issue of data transfers will likely remain contentious for some time to come.
Morgan Lewis has experience advising clients on EU-US data transfers and the Privacy Shield certification process. If we can be of assistance to you, please contact any of the following Morgan Lewis lawyers.