Privacy Shield Passes Its First Annual Review, But Could Be Improved

On 12 July 2016, the EU Commission adopted its “adequacy decision” finding that the EU-US Privacy Shield offered an adequate level of protection for personal data being transferred from the EU to the US under this framework. Since then, more than 2,400 companies have been Privacy Shield-certified to cover their international data transfers.

The EU Commission committed to re-assess this adequacy decision annually, and carried out its first annual review of the Privacy Shield framework last month. In its report published last week, the EU Commission stated that Privacy Shield continues to offer an adequate level of protection, and therefore remains valid. It also confirmed that the mechanisms and safeguards set out in Privacy Shield had been adequately implemented and were functioning properly. The EU Commission, however, also indicated that the practical implementation of the Privacy Shield could be further improved.

Commercial Areas of Improvement

The EU Commission’s primary recommendations centre on compliance and enforcement, calling both for stricter monitoring by the US authorities and for greater awareness of the options available for lodging a complaint. The EU Commission’s main recommendations can be summarised as follows:

  • To avoid misleading claims, US companies applying for the Privacy Shield should no longer be allowed to publicly announce their adherence to the framework until their application has been reviewed by the Department of Commerce and their certification is finalised.
  • The US should monitor compliance with the Privacy Shield principles through regular compliance checks and proactively investigate companies that falsely claim that they are Privacy Shield-certified.
  • The cooperation between the US and the EU should be improved, with a focus on developing guidance on the interpretation of Privacy Shield concepts that warrant clarification (especially “accountability for onward transfers” and “human resources data”).
  • The US and EU should both work on bringing more awareness around the Privacy Shield. In particular, the EU and the EU DPAs should ensure that EU individuals are more aware of their rights under the Privacy Shield and how to exercise them.

The report shows that, despite the multiple options offered to EU individuals to file a Privacy Shield-related complaint, only a very small number of complaints have been filed over the past year. While the EU Commission does not give precise recommendations for how to generate more awareness about Privacy Shield rights, it expressly refers in its report to the controllers’ obligation to inform individuals about the existence of international data transfers and of an adequacy decision.

We may, therefore, soon see guidance from DPAs indicating that this information should include an explanation of how to lodge a complaint under the Privacy Shield. This would also be in line with the obligation to inform individuals of their right to lodge a complaint with DPAs.

  • The US should inform the EU in a more timely and comprehensive manner about developments in the US legal landscape that may affect Privacy Shield.

A number of developments with an impact on privacy took place in the US over the past year. The EU Commission inquired about their consequences for the Privacy Shield during the joint annual review and, although it was eventually satisfied that these developments do not affect its validity, it asks that the US communicate more transparently and in a more timely manner about such developments in the future.

One development worth mentioning is the FTC v. AT&T decision, under which common carriers (e.g. telephone companies) no longer fall under FTC jurisdiction even for their non-common carrier activities, and would therefore no longer be eligible to adhere to Privacy Shield. The US confirmed that while this development, if confirmed on appeal, would limit the coverage of Privacy Shield, it would not affect the safeguards and protections for the entities still covered by it.

National Security Areas of Improvement

The EU Commission also recommended that the US finalise and improve the implementation of the safeguards against surveillance that the US committed to last year. Its main recommendations can be summarised as follows:

  • The US must appoint a Privacy Shield Ombudsperson (in charge of receiving EU individuals’ complaints about US surveillance practices) as soon as possible.
  • The US must fill the vacant seats on the PCLOB (the independent agency in charge of overseeing the surveillance activities of the Executive branch) as soon as possible, to re-establish the quorum required for the PCLOB to be effective.
  • The commitments made by the US government in the Presidential Policy Directive 28 (about protecting non-US persons against government surveillance) should be incorporated into law as part of the re-authorisation of section 702 of the Foreign Intelligence Surveillance Act.

Section 702 governs the US programme under which the government collects the communications of non-US persons located outside the US; it must be re-authorised because it is set to expire at the end of this year. Based on the latest developments, it is doubtful that the EU Commission’s recommendation will be adopted. The Trump administration supports a permanent re-authorisation of the programme without any change, and the Senate Intelligence Committee already voted to approve this re-authorisation earlier this week. The debate is still ongoing.

A Focus on Automated Individual Decision-Making

The EU Commission commissioned a study to evaluate the differences and similarities between the US and EU approaches to automated decision-making. Given the rapid growth of big data and machine learning technologies, automated decision-making has become a key topic for many companies.

The EU has strengthened the rules on automated individual decision-making under the GDPR, especially where this type of processing is used to make decisions that have legal effects (e.g. a refused entry at the border) or similarly significant effects on individuals (e.g. a loan application). The recent draft guidelines of the Article 29 Working Party appear to confirm the EU’s decision to subject this type of processing to strict safeguards and limitations.

It is unclear how much the US approach differs from the EU on the protection mandated for this type of processing. Answering this question will be one of the EU Commission’s focuses over the next year.

How OneTrust Helps

OneTrust helps privacy professionals prepare for compliance with upcoming privacy regulations and certifications through proactive self-assessments. Free templates are available for the EU General Data Protection Regulation, Privacy Shield, BCR (controllers and processors), and APEC CBPR, as part of the OneTrust privacy management platform. Privacy professionals can use OneTrust to benchmark their organisational readiness, prioritise requirements for compliance and provide executive-level visibility.