EU-US Privacy Shield Works Well but More Enforcement is Coming
All those who self-certify under the EU-US Privacy Shield may breathe a sigh of relief. The EU is not going to invalidate this EU-to-US data transfer mechanism, for now.
Mr. Ralph Sauer, the deputy head of unit for the international data flows at European Commission, spoke at the IAPP data protection conference in Brussels, on November 9, 2017. He said that the European Commission is generally satisfied with the implementation of the Privacy Shield.
Mr. Sauer’s statement follows the recently published results of the European Commission’s first annual review of the Privacy Shield. Yet, Mr. Sauer indicated that there are still issues that need improvement, including:
- There is a need for more monitoring of compliance and FTC enforcement. Therefore, if you self-certified with the Privacy Shield, be prepared to demonstrate your compliance.
- There is a need for more training. Consequently, be prepared to address the Privacy Shield in your on-boarding and annual employee training.
- The EU will review whether the data subjects’ right to object to fully automated decision making applies under the Privacy Shield. This review is forthcoming and its results are yet to be seen.
The Privacy Shield Certification and Annual Report
On October 18, 2017, the European Commission published its first annual report on the functioning of the EU-US Privacy Shield.
The EU-US Privacy Shield aims to protect personal data of EU individuals when transferred to companies in the United States. Over 2,500 US companies have self-certified with the Privacy Shield.
In the post-Snowden era, the Privacy Shield, like other data transfer mechanisms, was scrutinized for the lack of sufficient safeguards against mass surveillance by US national security agencies.
The Privacy Shield is the successor of the “Safe Harbor”, which was invalidated by the European Court of Justice on October 6, 2015, on the above grounds, following a complaint filed by the privacy advocate Max Schrems.
Although the annual review shows that the Privacy Shield works well, the EU indicated that there is still room for necessary improvements. In the words of Ms. Věra Jourová, Commissioner for Justice, Consumers and Gender Equality:
“…The Privacy Shield is not a document lying in a drawer. It’s a living arrangement that both the EU and US must actively monitor to ensure we keep guard over our high data protection standards.”
The annual review shows that the Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU to participating companies in the US. Among other findings, the EU representatives indicated that the Privacy Shield provides new redress possibilities for EU individuals, thus maintaining the effectiveness of the program. Additionally, complaint-handling and enforcement procedures have been set up under the Privacy Shield, as has cooperation with the European data protection authorities.
Required Improvements – More Enforcement!
The annual review recognizes that the program needs some improvements, including the following:
- Monitoring of companies’ compliance. The US Department of Commerce needs to manage more proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations.
- List of companies making false claims. The US Department of Commerce should conduct regular searches for companies making false claims about their participation in the Privacy Shield certification.
- Awareness-raising for EU individuals about their rights. Raising more awareness among EU individuals about how to exercise their rights under the Privacy Shield, and specifically about how to file complaints.
- Guidance for companies and enforcers. Closer cooperation between privacy enforcers, i.e., the US Department of Commerce, the Federal Trade Commission, and the EU Data Protection Authorities, specifically to develop guidance for companies and enforcers.
- Enshrining protection for non-Americans. Enshrining the protection for non-Americans offered by Presidential Policy Directive 28.
- Appointing a Privacy Shield Ombudsperson. Appointing a permanent Privacy Shield Ombudsperson, as well as ensuring that the vacant posts on the Privacy and Civil Liberties Oversight Board are filled.
The annual review will be sent to the European Parliament, the Council, the Article 29 Working Party of Data Protection Authorities and to the US authorities.
The European Commission will work with US authorities to implement the above-mentioned recommendations in the coming months. The European Commission will also continue to closely monitor the functioning of the Privacy Shield framework, including the US authorities’ compliance with their commitments.
Future Threats to the Privacy Shield
The future of another data transfer mechanism, the Standard Contractual Clauses (SCC), is uncertain. The EU Court of Justice will review the validity of the SCC in another case brought by Max Schrems (case name: Data Protection Commissioner v. Facebook Ireland Limited & Maximilian Schrems).
Many argue that the EU court may review the Privacy Shield’s validity, as part of these proceedings.
However, the EU court is notoriously slow in delivering opinions and will likely deliver its opinion in 18 months or more.
Therefore, as of November 2017, US companies may still rely on the Privacy Shield certification for processing EU-originated personal data. However, they need to prepare themselves for potential reviews and enforcement actions.
This article does not constitute legal advice.