The Court of Justice of the European Union (CJEU) handed down its judgment in the case brought by privacy rights activist Max Schrems (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) (Schrems II) yesterday, July 16, 2020. The case concerned the transfer of personal data to recipients in the United States via the
On 23 October 2019, the European Commission (the Commission) released its report on the third annual review of the functioning of the EU–U.S. Privacy Shield (Privacy Shield). The report summarises various improvements in the functioning of the framework, and further ‘concrete steps’ that need to be taken to ensure its continued effectiveness.
The Commission’s Privacy Shield adequacy decision obligates the Commission to carry out annual reviews of the framework. To date, there have been two annual reviews (September 2017 and October 2018). The 2019 review took place in Washington D.C., with representatives from the Commission, European Data Protection Board (EDPB), and various U.S. government departments and offices in attendance. The Commission’s findings are divided between:
- commercial aspects of the framework (compliance, administration, oversight, enforcement by U.S. authorities); and
- aspects concerning public authorities’ access to personal data transferred under Privacy Shield.
We focus our discussion on the commercial aspects of the review.
The Federal Trade Commission’s (FTC) recently announced settlement with background check provider SecurTest, Inc. shows the agency remains vigilant regarding businesses’ claims that they comply with the EU-U.S. Privacy Shield Framework (Privacy Shield). Privacy Shield provides U.S. businesses with a legally recognized mechanism for receiving personal data in the United States from the EU. In its complaint against SecurTest, the FTC alleges that for several months SecurTest falsely claimed on its website that it complied with Privacy Shield when in fact it had not self-certified its Privacy Shield compliance with the U.S. Department of Commerce. The terms of the FTC’s decision and order prohibit SecurTest from misrepresenting its Privacy Shield compliance status and require it to submit to compliance monitoring and recordkeeping requirements.
Along with announcing its settlement with SecurTest, the FTC noted that, rather than beginning enforcement proceedings, it has issued a number of warning letters to businesses over similar alleged inaccurate statements about compliance with cross-border privacy and data security transfer programs like Privacy Shield.
Following our previous blog on the upcoming second annual review of the EU-U.S. Privacy Shield, the European Commission published its report on 19 December 2018.
In its report, the Commission concludes that the level of protection for personal data transferred under the Privacy Shield from the European Union to the United States continues to be adequate.
The Privacy Shield’s terms must be reviewed every year. You can find our blog post on the first annual report here.
Second annual review
The second annual review took place on 18 and 19 October 2018 in Brussels. The review was conducted against the backdrop of challenges to data privacy, abuses of personal data, and the ongoing debate about federal privacy legislation in the United States.
The review covered two distinct areas: the commercial aspects of the Privacy Shield and U.S. government access to personal data.
The report notes the steps that the United States has taken in relation to the Commission’s recommendations from the first annual review:
- The certification process has been strengthened, and new oversight procedures have been introduced. Companies can no longer publicise their Privacy Shield certification until the Department of Commerce (DoC) has finalised it.
- The monitoring of companies’ compliance with the Privacy Shield has been improved. In particular, administrative subpoenas have been issued to request further information for the purpose of investigations.
- The protections offered by Presidential Policy Directive 28 were not incorporated into Section 702 of the Foreign Intelligence Surveillance Act when it was reauthorised, contrary to the Commission’s recommendation. However, the safeguards in the act have not been restricted, and some additional privacy safeguards relating to transparency have been introduced.
- The Privacy and Civil Liberties Oversight Board has regained its quorum. The board released its report on Presidential Policy Directive 28 on 16 October 2018.
- A permanent Privacy Shield ombudsperson has not yet been appointed, contrary to the Commission’s recommendation.
The European Union and the United States have now conducted the second annual review of Privacy Shield, a framework which regulates and facilitates the exchange of personal data across the Atlantic. The European Commission will publish its conclusions in a report at the end of this month.
The EU-U.S. Privacy Shield mechanism
EU organisations that want to transfer personal data to recipients outside the EU/EEA must assess whether the recipient country ensures an adequate level of data protection. Privacy Shield imposes stronger obligations on U.S. companies to protect the personal data of individuals in the EU, backed by monitoring and enforcement by U.S. authorities and cooperation with the European data protection authorities, in order to ensure adequacy.
On a voluntary basis, U.S. organisations can self-certify to the U.S. Department of Commerce, publicly stating that they will comply with Privacy Shield requirements. The Department of Commerce publishes the list of certified organisations. Nearly 4,000 companies have now made legally enforceable commitments to comply with the framework since Privacy Shield went into effect in 2016.
On Thursday, September 27, the Federal Trade Commission (FTC) announced settlements with four companies, IDmission, LLC, mResource LLC (doing business as Loop Works, LLC), SmartStart Employment Screening, Inc., and VenPath, Inc., following allegations that the companies falsely claimed to be certified under the EU-U.S. Privacy Shield.
Specifically, the FTC alleged that IDmission, LLC misrepresented its participation in the program by claiming certification on its website despite never completing the steps necessary to participate following the company’s October 2017 application. By contrast, mResource LLC, SmartStart Employment Screening, Inc., and VenPath, Inc. each obtained Privacy Shield certification in 2016 but failed to renew their certifications once they expired. The FTC therefore alleged that the three companies misrepresented that they were current participants in the program.
Further, the FTC alleged that SmartStart Employment Screening, Inc. and VenPath, Inc. additionally misrepresented that they adhere to the Privacy Shield Principles, by failing either to withdraw from the program or to affirm their commitment to protect personal information acquired while participating in it. The Privacy Shield Principles require that a company which ceases to participate must affirm to the U.S. Department of Commerce that it will continue to apply the Principles to personal information it received under the framework.
This month, the Privacy Shield Program posted answers to Frequently Asked Questions. The Privacy Shield provides a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.
The general guidance addresses topics such as the continued status of the Privacy…
On 5 July 2018, the European Parliament adopted a resolution demanding that the European Commission suspend the EU-U.S. Privacy Shield unless the U.S. administration introduces adequate data protection safeguards by 1 September 2018. The Privacy Shield agreement is aimed at facilitating transfers of EU personal data to the United States. The non-binding resolution passed by 303 votes to 223, with 29 abstentions.
The European Parliament admonishes the United States for failing to ensure effective ‘adequate protection’ for EU personal data transferred to the United States.
The European Parliament criticises the U.S. administration for being slow to meet the requirements of the General Data Protection Regulation (GDPR), under which a data-transfer arrangement with a country outside the EU can only remain in place if that country has independent authorities that properly oversee how Europeans’ data is handled once it moves abroad. The United States has not appointed members to the U.S. Privacy and Civil Liberties Oversight Board (PCLOB) to restore its quorum, nor appointed a permanent Privacy Shield Ombudsperson.
On 22 November 2017, the General Court of the Court of Justice of the European Union (“CJEU”) gave its decision in a case brought by the not-for-profit company Digital Rights Ireland Limited (“DRIL”). DRIL sought an annulment of the European Commission’s Privacy Shield decision, which states that the US ensures an adequate level of protection for personal data transferred from the EU to companies in the US under the EU-US Privacy Shield (the “Contested Decision”).
The CJEU ruled that DRIL’s annulment request was inadmissible for two reasons: (1) DRIL could not show that it was sufficiently affected by the Contested Decision to bring proceedings in its own name; and (2) DRIL lacked standing to bring proceedings in the name of its members, supporters and the general public.
In this case, the DRIL acted as the applicant and the European Commission was the defendant.
Admissibility of the action brought by DRIL in its own name
DRIL presented three arguments to demonstrate the admissibility of the action brought in its own name.
Argument 1: DRIL argued that, because it possesses a mobile phone and a computer, its own personal data is liable to be transferred to the US pursuant to the Contested Decision. The CJEU rejected this argument, ruling that DRIL, as a legal person, does not possess personal data: the Data Protection Directive protects only the personal data of natural persons, not of legal entities.
The Commission’s Findings
Overall, the Report confirms that the Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU to participating companies in the US, with the necessary structures and procedures having been put in place to ensure the correct functioning of the Privacy Shield. Further, it indicates that complaint-handling and enforcement procedures have been set up, and there is increased cooperation with the European data protection authorities.
However, as Věra Jourová, Commissioner for Justice, Consumers and Gender Equality notes, “Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation.”
The Report includes a number of recommendations that could be implemented to further improve the functioning of the Privacy Shield. These include: