Overall the report shows that the Privacy Shield continues to ensure an adequate level of protection for the personal data transferred from the EU to participating companies in the U.S. The U.S. authorities have put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield, such as new redress possibilities for EU individuals. Complaint-handling and enforcement procedures have been set up, and cooperation with the European Data protection authorities has been stepped up. The certification process is functioning well – over 2'400 companies have now been certified by the U.S. Department of Commerce. As regards access to personal data by U.S. public authorities for national security purposes, relevant safeguards on the U.S. side remain in place.
The report suggests a number of recommendations to ensure the continued successful functioning of the Privacy Shield. These include:
- More proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce. The U.S. Department of Commerce should also conduct regular searches for companies making false claims about their participation in the Privacy Shield.
- More awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield, notably on how to lodge complaints.
- Closer cooperation between privacy enforcers i.e. the U.S. Department of Commerce, the Federal Trade Commission, and the EU Data Protection Authorities (DPAs), notably to develop guidance for companies and enforcers.
- Enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the ongoing debate in the U.S. on the reauthorisation and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA).
- To appoint as soon as possible a permanent Privacy Shield Ombudsperson, as well as ensuring the empty posts are filled on the Privacy and Civil Liberties Oversight Board (PCLOB).
The report will be sent to the European Parliament, the Council, the Article 29 Working Party of Data Protection Authorities and to the U.S. authorities. The Commission will work with the U.S. authorities on the follow-up of its recommendations in the coming months. The Commission will continue to closely monitor the functioning of Privacy Shield framework, including the U.S. authorities’ compliance with their commitments.
The EU-U.S. Privacy Shield decision was adopted on 12 July 2016 and the Privacy Shield framework became operational on 1 August 2016. This framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes as well as bringing legal clarity for businesses relying on transatlantic data transfers.
For instance when shopping online or using social media in the EU, personal data may be collected in the EU by a branch or business partner of a participating American company, who then transfers it to the U.S. For example, a travel agent in the EU may send names, contact details and credit card numbers to a hotel in the U.S. which has registered to the Privacy Shield.
Source: Press Release of the European Commission Nr. 17-3966 of 18 October 2017