On January 24, the European Data Protection Board (“EDPB”) adopted a report (“Report”) regarding the second annual review of the EU-U.S. Privacy Shield (“Privacy Shield”). In a press release accompanying the Report, the EDPB welcomed efforts by EU and U.S. authorities to implement the Privacy Shield, including in particular the recent appointment of a permanent Ombudsperson. But the EDPB also noted that certain concerns remain with respect to the implementation of the Privacy Shield.
The EDPB, which is made up of representatives of various European data protection authorities, is established by the GDPR, and advises on the consistent application of data protection rules throughout the EU. The Report is not binding on the EU or U.S. authorities directly; instead it will serve to guide regulators considering the implementation of the Privacy Shield. The Report is also likely to influence the EU Commission’s assessment of the Privacy Shield, and to contribute to political pressure in the European Parliament to continue to reform the Shield.
The Report assesses both the commercial and government access aspects of the Privacy Shield, and presents the EDPB’s findings based on its participation in the second annual review in Brussels. On the commercial aspects, the Report acknowledges that “significant progress has been made” since the first annual review, and highlights a number of improvements (which the European Commission had also called out in its recent report on the second annual review of the Shield), including that:
- The Department of Commerce (“Commerce”) has adapted the initial certification process to avoid inconsistencies between the time a company posts its Privacy Shield notice and the time the certification is finalized;
- Commerce and the Federal Trade Commission (“FTC”) have started ex officio oversight and enforcement actions with respect to Privacy Shield requirements; and
- Commerce has issued further guidance to both EU individuals seeking to exercise their rights in relation to data transferred under the Shield, and to U.S. businesses to clarify the requirements of the Shield.
The Report also highlights certain concerns, such as a “lack of oversight in substance” (because the FTC was unable to share substantial information on enforcement actions taken); a need for further regulatory oversight over onward transfer contracts for compliance with the Privacy Shield; and a need for further clarity on the application of the Privacy Shield to human resources data. The Report also recalls “remaining issues” initially raised in a 2016 Opinion by the Article 29 Working Party, which “remain valid.” These include the absence of or limitation on certain data subject rights; the absence of “key definitions;” and the lack of specific rules regarding automated decision-making.
On the government access aspects, the Report praises the appointment of three new members to the Privacy and Civil Liberties Oversight Board, and the publication of a report clarifying U.S. surveillance activities and decisions of the Foreign Intelligence Surveillance Court. But the Report also expresses continuing concern with regard to certain issues relating to access to personal data by U.S. law enforcement and national security agencies. These include the lack of “new guarantees for EU individuals” with respect to this access under U.S. law; the continuing difficulties that EU citizens face in seeking redress before U.S. courts; and concerns over the independence and effectiveness of the Ombudsperson mechanism.
Ultimately, while the Report highlights certain successes and concerns with the Privacy Shield that arose during the second annual review, many of the Report’s concerns have been raised before in other forums. And the Report acknowledges that these same concerns will likely be addressed by the European Court of Justice in challenges to the Privacy Shield pending before that Court.