On October 23, 2019, the European Commission (“Commission”) published its Report on the third annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) (the Report is accompanied by a Staff Working Document).  The Report “confirms that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield” (see also the Commission’s Press Release).  The Report welcomed a number of improvements following the second annual review, including efforts made by U.S. authorities to monitor compliance with the framework, as well as key appointments that have been made in the last year.  The Commission in particular noted the appointment of Keith Krach to the position of Privacy Shield Ombudsperson on a permanent basis, filling a vacancy that had been noted in previous reviews.  The Report also provided a number of recommendations for further improvement and monitoring.

Recognizing that, in its third year, Privacy Shield has “moved from the inception phase to a more operational phase,” the Report placed particular emphasis on the effectiveness of the “tools, mechanisms and procedures in practice.”  Not only has the number of Privacy Shield certifications exceeded 5,000 companies — eclipsing in three years the number of companies that had registered to the Safe Harbor Framework in its nearly 15 years of existence — the Report also noted that “an increasing number of EU data subjects are making use of their rights under the Privacy Shield and that the relevant redress mechanisms function well.”

As with prior reviews, the Commission sought feedback from trade associations, NGOs, and certified companies, and  addressed the functioning of (i) the framework’s commercial aspects, and (ii) U.S. authorities’ access to personal data.

Commercial Aspects

The Report focused on the re-certification process under the Privacy Shield, and the Department of Commerce (“DoC”) and the Federal Trade Commission’s (“FTC”) efforts around on-going compliance monitoring and enforcement.  In particular, the Report made the following findings and recommendations:

  • Re-certification process “grace period.” At present, the DoC allows companies a grace period of three and a half months before re-certifying to the Privacy Shield, meaning companies can continue to list as certified for more than three months after their certifications lapse.  The Report found that this practice reduced the “transparency and readability of the Privacy Shield list” and undermined incentives for companies to “rigorously comply with the annual re-certification requirement.”  To address these concerns, the Report recommended that the DoC should shorten the grace period to a maximum of 30 days for re-certification, and send warning letters to companies at the end of this period.
  • Proactive checks on companies’ compliance. The Report welcomed the DoC’s proactive compliance monitoring in the form of spot-checks,  and recommends that the DoC continue to engage in such spot-checks, focusing on compliance with the Privacy Shield’s substantive obligations.
  • DoC’s search for false claims. The Report recognized the DoC’s efforts to check whether companies are falsely claiming to be certified to the Privacy Shield.  However, the Report highlighted that such checks were limited to those companies that had allowed their certifications to lapse, and did not address companies that had never certified in the first place.  The Report identified addressing this issue as a “matter of priority.”
  • Enforcement. As with efforts to root out false claims, the Report welcomed the FTC’s seven concluded enforcement actions for violations of the Privacy Shield, but also noted that the “Commission would have expected a more vigorous approach regarding enforcement action on substantive violations of the Privacy Shield Principles.”  In this regard, the Commission recommended that the FTC ensure that it can share “meaningful information on ongoing investigations” with the Commission and local data protection authorities.
  • Human resources data. The different interpretations of what falls within human resources data by data protection authorities continues to be discussed as an area that requires clear joint guidance.

The annual review may also consider whether additional rules on “automated decision-making,” which are not currently regulated by Privacy Shield, should be added.  In previous years, the Commission has noted that U.S. sectoral legislation, such as the Fair Credit Reporting Act and the Equal Credit Opportunity Act, grant consumers rights to explanations and to contest some of the most significant automated decisions.  In this year’s review, the Commission also took note of the FTC’s hearings on Competition and Consumer Protection in the 21st Century, which tackled some of the issues presented by AI, as well as the U.S.’s approval of the OECD Principles on Artificial Intelligence.  The Staff Working Document considered these developments as evidence of convergence between the U.S. and EU “on the way certain fundamental questions relating to AI should be addressed.”

U.S. Public Authorities Access to Personal Data

In light of questions raised in the on-going challenges to the Privacy Shield, that are currently before the European Court of Justice (Case T-738/16, LQDN v Commission; and Case C-311/18, DPC v Facebook Ireland and Maximillian Schrems), the Commission took the opportunity during the third annual review to clarify the U.S. legal framework (i.e., current U.S. surveillance laws), the available oversight mechanisms, such as the Privacy Shield Ombudsperson, and available redress for EU individuals with respect to violation of U.S. laws.

Overall, the Report welcomed the clarifications the Commission received on the U.S. legal framework, and found that such clarifications confirm the Commission’s original findings that Privacy Shield provides for an adequate level of protection for personal data transferred to the U.S.  In particular, the Report found that U.S. surveillance laws do ensure that government requests for personal data are “targeted through the use of selectors and that the choice of selectors is governed by law, subject to independent judicial and legislative oversight.”  The Report also found that the Privacy Shield Ombudsperson “can properly perform its functions” with respect to complaints received, and that individuals in the EU are “able to obtain the deletion of his or her personal data if it was unlawfully collected and processed by the U.S. Intelligence Community.”  However, the Report noted that this assessment may need revisiting following the outcome of the cases before the European Court of Justice.