On 23 October 2019, the European Commission (the Commission) released its report on the third annual review of the functioning of the EU–U.S. Privacy Shield (Privacy Shield). The report summarises various improvements in the functioning of the framework, and further ‘concrete steps’ that need to be taken to ensure its continued effectiveness.


The Commission’s Privacy Shield adequacy decision obligates the Commission to carry out annual reviews of the framework. To date, there have been two annual reviews (September 2017 and October 2018). The 2019 review took place in Washington D.C., with representatives from the Commission, European Data Protection Board (EDPB), and various U.S. government departments and offices in attendance. The Commission’s findings are divided between:

  • commercial aspects of the framework (compliance, administration, oversight, enforcement by U.S. authorities); and
  • aspects concerning public authorities’ access to personal data transferred under Privacy Shield.

We focus our discussion on the commercial aspects of the review.

Commercial aspects findings

  • Re-certification process: the Commission noted that the U.S. Department of Commerce (DoC) has an internal procedure to re-certify companies on the Privacy Shield list. The DoC is able to grant grace periods for companies that do not get their re-certification documents on time. During this grace period, companies remain on the Privacy Shield ‘active’ list. The Commission has cautioned that a long grace period may reduce the transparency and readability of the ‘active’ list. Such a facility does not incentivise compliance with re-certification requirements.
  • Spot-checks: the DoC conducts spot-checks on 30 companies each month for compliance with Privacy Shield requirements. The Commission noted that the spot-checks are limited to assessing compliance with Privacy Shield’s formal requirements. The Commission believes that spot-checks should incorporate reviews of compliance with more substantive obligations (for example, accountability for onward transfers).
  • False claims of Privacy Shield participation: the Commission noted that the DoC limits its searches for false claims of Privacy Shield participation to companies that have previously applied to be accredited under Privacy Shield. The Commission believes that the DoC should broaden its searches to include companies that have never applied for accreditation. The Commission has identified such companies as “potentially the most harmful”. They are unlikely to have implemented any protections guaranteed by Privacy Shield.
  • Enforcement: the Commission welcomes enforcement actions concluded by the Federal Trade Commission (FTC). However, the Commission hopes that greater cooperation between it and the FTC can be fostered. The Commission noted that the FTC is currently too restricted in sharing details of its enforcement activities with the Commission. The FTC has provided only limited information to date, which restricts the Commission’s ability to evaluate enforcement progress.

Newly appointed Ombudsperson

Keith Krach’s appointment as U.S. Under Secretary of State for Economic Growth, Energy, and the Environment was confirmed by the U.S. Senate in June 2019. Mr Krach will also serve as the Privacy Shield Ombudsperson.

Both the EDPB and the Ombudsperson expressed satisfaction with the Ombudsperson mechanism during its handling of the first complaint from an EU data protection regulator (Croatia) in 2018. All relevant procedures were executed and completed “in a satisfactory manner”.


On the whole, the Commission’s report confirms that the United States continues to provide an adequate level of protection for personal data transfers in the context of Privacy Shield. However, there are some gaps between the expectations of the Commission and U.S. authorities in terms of how Privacy Shield compliance can be achieved. The Commission wants greater transparency in U.S. enforcement activities as well.

Additionally, the Court of Justice of the European Union is expected to deliver its judgment in 2020 in the pending case of Schrems II. This is likely to have significant implications on the continued validity of the Privacy Shield adequacy decision. It may necessitate a reassessment of Privacy Shield by the Commission.

We are monitoring updates closely, so do check back often!