Following our previous blog on the upcoming second annual review of the EU-U.S. Privacy Shield, the European Commission published its report on 19 December 2018.

In its report, the Commission concludes that the level of protection for personal data transferred under the Privacy Shield from the European Union to the United States continues to be adequate.

The Privacy Shield’s terms must be reviewed every year. You can find our blog post on the first annual report here.

Second annual review

The second annual review took place on 18 and 19 October 2018 in Brussels. The review was conducted against the backdrop of challenges to data privacy, abuses of personal data, and the ongoing debate about federal privacy legislation in the United States.

The review covered two distinct areas: the commercial aspects of the Privacy Shield and U.S. government access to personal data.

The report notes the steps that the United States has taken in relation to the Commission’s recommendations from the first annual review:

  • The certification process has been strengthened, and new oversight procedures have been introduced. Companies can no longer publicise their Privacy Shield certification until the Department of Commerce (DoC) has finalised it.
  • The monitoring of companies’ compliance with the Privacy Shield has been improved. In particular, administrative subpoenas have been issued to request further information for the purpose of investigations.
  • The protections offered by Presidential Policy Directive 28 were not incorporated into the Foreign Intelligence Surveillance Act when it was reauthorised, contrary to the Commission’s recommendation. However, the safeguards in the act have not been restricted, and some additional privacy safeguards have been introduced in relation to transparency.
  • The Privacy and Civil Liberties Oversight Board has been restored to its full quorum. The board released its report on Presidential Policy Directive 28 on 16 October 2018.
  • A permanent Privacy Shield ombudsperson has not yet been appointed, contrary to the Commission’s recommendation.

The Commission was satisfied with the U.S.’s steps to implement the recommendations from the first annual review, noting that the actions have “improved several aspects of the practical functioning of the framework”.

The report makes clear that the adequacy decision is continuously under review. Consequently, the U.S.’s next steps will be closely monitored, in particular:

  • The effectiveness of the DoC’s compliance monitoring and detection of false claims as to Privacy Shield certification.
  • The development of additional guidance issued jointly by the DoC, Federal Trade Commission and EU data protection authorities.
  • The appointment of a permanent Privacy Shield ombudsperson.
  • The effectiveness of the role of the ombudsperson in handling and resolving complaints.

Next steps

The Privacy Shield has been renewed for another year. However, to ensure the continuity of the Privacy Shield, the United States must continue to address the Commission’s concerns and provide the Commission with detailed information on its progress.

The immediate priority for the United States is to appoint a permanent Privacy Shield ombudsperson. The Commission considers the absence of a permanent appointee to be “highly unsatisfactory” and expects this to be addressed by 28 February 2019.