26 October 2017
The European Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, presented, on 18 October 2017, the European Commission’s (‘the Commission’) report (‘the Report’) on the first annual review of the EU-US Privacy Shield (‘the Annual Review’). In particular, the Report outlines that in its first year of operation, the Privacy Shield ensured adequate protection and safeguards for personal data transferred from the EU to the US. However, the Commission highlighted that there was still room for improvement and issued key recommendations to US authorities.
Bastiaan Bruyndonckx, Partner at Lydian, told DataGuidance, “The Commission wishes to avoid the Privacy Shield becoming an empty box, something that companies sign up to but that is not systematically being enforced. Consequently, the Commission’s focus in the Annual Review has shifted towards ongoing compliance with the Privacy Shield principles rather than the signing up process […] Indeed, the acceptance of the Privacy Shield as an adequate safeguard for the transfer of personal data to the US largely depends upon its effectiveness.”
In the Report, the Commission called on the US administration to confirm its political commitment to appoint a Privacy Shield Ombudsperson. Moreover, the Commission recommended that the US Department of Commerce (‘DOC’) conduct searches for false claims of participation in the Privacy Shield, including by companies that have never applied for certification but represent that they comply with the Privacy Shield’s requirements. The Commission also recommended that companies should not be allowed to make public representations about their Privacy Shield certification before the DOC has finalised the certification and included the company on the Privacy Shield list.
Joan Antokol, Managing Partner at Park Legal LLC, highlighted, “Under the current requirements, a company seeking certification must post its certification commitments and Privacy Shield notice on its website when it submits its certification application to the DOC. As has been the case with some of my clients, it then takes some time, up to six weeks, for the DOC to approve the certification. I previously raised this point with the DOC, and apparently, the Commission challenged it too, as this process essentially requires the company seeking certification to hold itself out as certified before the certification is officially approved.”
More broadly, the Report outlines that the Privacy Shield places stricter obligations on certified companies, including on how long a company may retain personal data and the conditions under which data can be shared with third parties. It also provides for rigorous monitoring by the DOC of compliance with the Privacy Shield principles.
Lisa Sotto, Partner at Hunton & Williams LLP, concluded, “Complying with the Privacy Shield framework is an ongoing exercise. Certified organisations understand that they need to constantly ensure that all relevant aspects of their business comply with the Privacy Shield principles and that the day on which they certify under the Privacy Shield is only the beginning, not the end, of their compliance journey.”
FELICITY TURTON | Privacy Analyst