Following our previous blog on the upcoming second annual review of the EU-U.S. Privacy Shield, the European Commission published its report on 19 December 2018.

In its report, the Commission concludes that the level of protection for personal data transferred under the Privacy Shield from the European Union to the United States continues to be adequate.

The Privacy Shield’s terms must be reviewed every year. You can find our blog post on the first annual report here.

Second annual review

The second annual review took place on 18 and 19 October 2018 in Brussels. The review was conducted against the backdrop of challenges to data privacy, abuses of personal data, and the ongoing debate about federal privacy legislation in the United States.

The review covered two distinct areas: the commercial aspects of the Privacy Shield and U.S. government access to personal data.

The report notes the steps that the United States has taken in relation to the Commission’s recommendations from the first annual review:

  • The certification process has been strengthened, and new oversight procedures have been introduced. Companies can no longer publicise their Privacy Shield certification until the Department of Commerce (DoC) has finalised it.
  • The monitoring of companies’ compliance with the Privacy Shield has been improved. In particular, administrative subpoenas have been issued to request further information for the purpose of investigations.
  • The protections offered by Presidential Policy Directive 28 were not incorporated into the Foreign Intelligence Surveillance Act when it was reauthorised, contrary to the Commission’s recommendation. However, the safeguards in the act have not been restricted, and some additional privacy safeguards have been introduced in relation to transparency.
  • The Privacy and Civil Liberties Oversight Board has been reinstalled to its full quorum. The board released its report on Presidential Policy Directive 28 on 16 October 2018.
  • A permanent Privacy Shield ombudsperson has not yet been appointed, contrary to the Commission’s recommendation.


The European Union and the United States have now conducted the second annual review of Privacy Shield, a framework which regulates and facilitates the exchange of personal data across the Atlantic. The European Commission will publish its conclusions in a report at the end of this month.

The EU-U.S. Privacy Shield mechanism

EU organisations that want to transfer personal data to recipients outside the EU/EEA must assess whether the recipient country ensures an adequate level of data protection. Privacy Shield imposes stronger obligations on U.S. companies to protect the personal data of individuals in the EU and to monitor, enforce and cooperate with the European data protection authorities to ensure adequacy.

On a voluntary basis, U.S. organisations can self-certify to the U.S. Department of Commerce, publicly stating that they will comply with Privacy Shield requirements. A list of the certified organisations can be found here. Nearly 4,000 companies have now made legally enforceable commitments to comply with the framework since Privacy Shield went into effect in 2016.