Following our previous blog on the upcoming first annual review of the EU-US Privacy Shield, the European Commission (“Commission”) published its report on 18 October 2017 (“Report”).

The Commission’s Findings

Overall, the Report confirms that the Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU to participating companies in the US, with the necessary structures and procedures having been put in place to ensure the correct functioning of the Privacy Shield. Further, it indicates that complaint-handling and enforcement procedures have been set up, and there is increased cooperation with the European data protection authorities.

However, as Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, notes, “Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation.”

The Report includes a number of recommendations that could be implemented to further improve the functioning of the Privacy Shield. These include:

  • Ensuring that companies are not able to publicly refer to their Privacy Shield certification before it has been finalised by the US Department of Commerce (DoC);
  • Calling on the DoC to conduct more proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations, as well as regular searches for companies making false claims about their participation in the Privacy Shield;
  • Strengthening awareness-raising efforts to inform EU individuals about how to exercise their rights under the Privacy Shield, particularly in relation to complaints;
  • Improving the cooperation between the DoC and EU data protection authorities, notably to develop guidance for companies and enforcers;
  • Enshrining the protections offered by Presidential Policy Directive (PPD-28) with respect to non-US persons in the Foreign Intelligence Surveillance Act with a view to ensuring the stability and continuity of these protections; and
  • Calling on the US administration to appoint a permanent Privacy Shield Ombudsperson.

Next Steps

The Commission’s report will now be sent to the European Parliament, the Council, the Article 29 Working Party and the US authorities. It is expected that the US authorities and the Commission will work to follow up on the Commission’s recommendations. The Article 29 Working Party previously announced that it will conduct its own analysis of the Privacy Shield review and plans to publish its findings in November.

Whilst the Report will no doubt be welcomed by companies which currently rely on the Privacy Shield as an adequate transfer mechanism, it still needs to be considered cautiously in the context of ongoing legal challenges to the framework (as discussed in our previous blog). Concerns about the Privacy Shield have also been raised previously by the Article 29 Working Party, and it remains to be seen whether the Report, or the review itself, has fully addressed the questions in its press release regarding preparation for the annual review. However, businesses should view the Report as a positive step, particularly given the uncertainty surrounding EU Standard Contractual Clauses as we now wait for the European Court of Justice to determine whether these are a valid transfer mechanism.