Following our previous blog on the upcoming second annual review of the EU-U.S. Privacy Shield, the European Commission published its report on 19 December 2018.
In its report, the Commission concludes that the level of protection for personal data transferred under the Privacy Shield from the European Union to the United States continues to be adequate.
The Privacy Shield’s terms must be reviewed every year. You can find our blog post on the first annual report here.
Second annual review
The second annual review took place on 18 and 19 October 2018 in Brussels. The review was conducted against the backdrop of challenges to data privacy, abuses of personal data, and the ongoing debate about federal privacy legislation in the United States.
The review covered two distinct areas: the commercial aspects of the Privacy Shield and U.S. government access to personal data.
The report notes the steps that the United States has taken in relation to the Commission’s recommendations from the first annual review:
- The certification process has been strengthened, and new oversight procedures have been introduced. Companies can no longer publicise their Privacy Shield certification until the Department of Commerce (DoC) has finalised it.
- The monitoring of companies’ compliance with the Privacy Shield has been improved. In particular, administrative subpoenas have been issued to request further information for the purpose of investigations.
- The protections offered by Presidential Policy Directive 28 were not incorporated into the Foreign Intelligence Surveillance Act when it was reauthorised, contrary to the Commission’s recommendation. However, the safeguards in the act have not been restricted, and some additional privacy safeguards have been introduced in relation to transparency.
- The Privacy and Civil Liberties Oversight Board has been restored to a full quorum. The board released its report on Presidential Policy Directive 28 on 16 October 2018.
- A permanent Privacy Shield ombudsperson has not yet been appointed, contrary to the Commission’s recommendation.