The IT Law Wiki
in: Publication, EU, Privacy, 2017

Report on the First Annual Review of the Functioning of the EU-U.S. Privacy Shield

Sign in to edit

Citation[]

European Commission, Report on the First Annual Review of the Functioning of the EU-U.S. Privacy Shield {SWD(2017) 344 final} (COM(2017) 611 final) (Oct. 18, 2017) (full-text).

Overview[]

This is the first annual report on the functioning of the EU-U.S. Privacy Shield, the successor to the U.S.-EU Safe Harbor Framework after its invalidation in Schrems. The Commission continues to back the Privacy Shield. In particular, the finding that the United States continues to ensure an adequate level of protection for personal data transferred from the EU to self-certified organizations in the U.S. under the Privacy Shield sends a positive signal to businesses that rely on transatlantic data flows. This is especially important in light of the ongoing judicial challenges that the Commission's approved standard contractual clauses, also referred to as model clauses, currently face.

The Commission has made ten recommendations to improve the practical implementation of the Privacy Shield framework further, but most of these were predictable for those who have closely followed the discussion over this international transfer instrument. On a broad policy level, the Commission recommends more awareness training for EU individuals to understand their rights under Privacy Shield and how to exercise them, and closer cooperation between all enforcement entities (U.S. Department of Commerce, Federal Trade Commission and EU Data Protection Authorities).

In terms of business impact, self-certified companies will be eager to see how the recommendation on proactive and regular monitoring of compliance by the U.S. Department of Commerce ("DoC") will be implemented. More specifically, the Commission has recommended that self-certified companies be required to respond to compliance review questionnaires or file annual compliance reports with the DoC. In light of the recommendation that the DoC conduct proactive and regular searches for false claims, companies should not publicly refer to their Privacy Shield certification before the certification is finalized by the DoC.

The Commission recommends further reforms or actions in a number of other areas, some of which have been hot topics over the last year. This includes the continued debate on the Foreign Intelligence Surveillance Act of 1978 (FISA) and privacy protections for non-U.S. persons. The Commission has also renewed the call for a swift appointment of the Privacy Shield Ombudsperson and filling posts in the Privacy and Civil Liberties Oversight Board.

Community content is available under CC-BY-SA unless otherwise noted.