Earlier this week, the European Commission (“Commission”) published its Report on the second annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) (the Report is accompanied by a Staff Working Document).  The Report concludes that the Privacy Shield “continues to ensure an adequate level of protection” for personal data transferred from the EU to the United States.  The Commission also found that the implementation of a number of the recommendations following the first annual review last year improved several aspects of the Privacy Shield, but that certain recommendations still required implementation and/or monitoring.

In another Privacy Shield-related development this week, the International Trade Administration’s Privacy Shield Team announced new guidance on the applicability of the Privacy Shield to the United Kingdom following the UK’s pending withdrawal from the EU. 

Background on Privacy Shield and Annual Review

The Privacy Shield is a framework for the lawful transfer of personal data from the EEA to Privacy Shield-certified companies in the United States.  As of this writing, more than 4,200 companies are certified to the Privacy Shield.

The Privacy Shield provides for an annual review process designed to assess the functioning, implementation, supervision, and enforcement of the Privacy Shield.  The annual reviews are conducted jointly by the U.S. Department of Commerce (“Commerce”) and the Commission, with participation by the FTC, representatives of the European Data Protection Board, the European Data Protection Supervisor, and other agencies involved in the implementation of the Privacy Shield.  In preparation for the review, the Commission sought feedback from a number of trade associations, NGOs, and certified companies.  This year’s review was conducted in Brussels in mid-October 2018.

Commission Findings

Having reviewed all aspects of the Privacy Shield, the Commission Report concludes that:

[T]he United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the Union to organisations in the United States.  In particular, the steps taken to implement the Commission’s recommendations following the first annual review have improved several aspects of the practical functioning of the framework in order to ensure that the level of protection of natural persons guaranteed by the adequacy decision is not undermined.

At the same time, the Commission highlights a few aspects of the Privacy Shield which “need to be closely monitored . . . as they affect elements that are essential for the continuity of the adequacy finding.”  These include continued review of the effectiveness of mechanisms and tools for Commerce to monitor compliance with the Privacy Shield, and the appointment of a permanent Privacy Shield Ombudsperson.  Notably, the Report states that the Commission “expects the U.S. government to identify a nominee to fill the Ombudsperson position on a permanent basis” by February 28, 2019, and the Commission’s press release further emphasizes that the Ombudsperson is “an important mechanism that ensures complaints concerning access to personal data by U.S. authorities are addressed.”

Guidance on Privacy Shield Post-Brexit

Separately, the Privacy Shield Team released guidance this week that describes how a Privacy Shield participant may rely on the Privacy Shield to receive personal data from the UK following its planned withdrawal from the EU.  In particular, companies that wish to receive personal data from the UK under the Privacy Shield will need to update their privacy policies to include a reference to the UK.

The deadline for doing so will depend on the manner in which Brexit occurs.  If the UK and the EU finalize their agreement on a transition period during which EU law will continue to apply to the UK, the deadline will be December 31, 2020.  If there is no such agreement, however, then companies that wish to transfer UK personal data under the Privacy Shield will need to update their privacy policies sooner, by March 30, 2019.