Following our previous blog on the upcoming first annual review of the EU-US Privacy Shield, the European Commission (“Commission”) published its report on 18 October 2017 (“Report”).

The Commission’s Findings

Overall, the Report confirms that the Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU to participating companies in the US, with the necessary structures and procedures having been put in place to ensure the correct functioning of the Privacy Shield. Further, it indicates that complaint-handling and enforcement procedures have been set up, and there is increased cooperation with the European data protection authorities.

However, as Věra Jourová, Commissioner for Justice, Consumers and Gender Equality notes, “Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation.”

The Report includes a number of recommendations that could be implemented to further improve the functioning of the Privacy Shield. These include:
Continue Reading European Commission publishes first annual report on EU-US Privacy Shield.

During the week of 18 September 2017, the European Commission and the Article 29 Working Party (“WP29”) will undertake the first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”). The meetings will take place in the United States. As for the U.S. side, the U.S. Department of Commerce will conduct the review, and it is likely that, among others, the U.S. Department of State and the U.S. Department of Justice will participate.

The EU-U.S. Privacy Shield mechanism

EU organisations that want to transfer personal data to recipients outside the EU/EEA must assess whether the recipient country ensures an adequate level of data protection. On 6 October 2015, the European Court of Justice (“CJEU”) invalidated the “Safe Harbour” decision by the European Commission, the predecessor to the Privacy Shield, in its Schrems v Data Protection Commissioner (Ireland) judgment (“Schrems Judgment”). By decision of 12 July 2016, the European Commission adopted a new transfer mechanism: the EU-U.S. Privacy Shield (“Adequacy Decision”).

Certified organisations

On a voluntarily basis, U.S. organisations can register for a self-certification to the U.S. Department of Commerce, and publicly assure to comply with the requirements under the Privacy Shield. A list of the certified organisations can be found here.

While about 5,500 organisations had signed up to Safe Harbour, about 2,500 organisations, including many large organisations, have already self-certified to the Privacy Shield in its first year. Apart from that, organisations still consider EU Model Clauses, as well as Binding Corporate Rules, as a good alternative to the Privacy Shield.Continue Reading Upcoming first annual review of the EU-U.S. Privacy Shield