October 28, 2019
The report confirms that the US continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to participating companies in the US.
Since the second annual review, the report finds that there have been a number of improvements in the functioning of the framework, as well as appointments to key oversight and redress bodies, such as the Privacy Shield Ombudsperson. As the Shield is now in its third year of operation, the review focused on the lessons learnt from its practical implementation and day-to-day functionality. There are now about 5,000 companies participating in the framework.
Among the improvements, the report notes that the US Department of Commerce is ensuring the necessary oversight in a more systematic manner by, for example, carrying out monthly checks of a sample of companies to verify compliance with Privacy Shield principles.
Enforcement action has also improved with the Federal Trade Commission taking action related to the Privacy Shield in seven cases.
An increasing number of EU individuals are also making use of their rights under the Privacy Shield and the relevant redress mechanisms are functioning well.
In addition to the appointment of the permanent Ombudsperson, the final two vacancies on the Privacy and Civil Liberties Oversight Board have been filled, ensuring that it is fully staffed for the first time since 2016.
However, the Commission recommends that certain concrete steps be taken to better ensure the effective functioning of the Privacy Shield in practice. This includes:
- further strengthening the (re)certification process for companies that want to participate, by shortening the time of the (re)certification process;
- expanding compliance checks, including in relation to false claims of participation in the framework; and
- developing additional guidance for companies related to human resources data.
The Commission also expects the Federal Trade Commission to further step up its investigations into compliance with substantive requirements of the Privacy Shield and provide the Commission and the EU data protection authorities with information on ongoing investigations.