Privacy Shield Passes Its First Annual Review, But Could Be Improved

On 12 July 2016, the EU Commission adopted its “adequacy decision” finding that the EU-US Privacy Shield offered an adequate level of protection for personal data being transferred from the EU to the US under this framework. Since then, more than 2,400 companies have been Privacy Shield-certified to cover their international data transfers.

The EU Commission committed to re-assess this adequacy decision annually, and carried out its first annual review of the Privacy Shield framework last month. In its report published last week, the EU Commission stated that Privacy Shield continues to offer an adequate level of protection, and therefore remains valid. It also confirmed that the mechanisms and safeguards set out in Privacy Shield had been adequately implemented and were functioning properly. The EU Commission, however, also indicated that the practical implementation of the Privacy Shield could be further improved.

Commercial Areas of Improvement

The EU Commission’s primary recommendations centre on compliance and enforcement, calling both for stricter monitoring by the US authorities and for greater awareness of the options available for lodging a complaint. The EU Commission’s main recommendations can be summarised as follows:

The report shows that, despite the multiple options offered to EU individuals to file a Privacy Shield-related complaint, only a very small number of complaints have been filed over the past year. While the EU Commission does not give precise recommendations for how to generate more awareness about Privacy Shield rights, it expressly refers in its report to the controllers’ obligation to inform individuals about the existence of international data transfers and of an adequacy decision.

We may, therefore, soon see guidance from DPAs indicating that this information should include an explanation about how to exercise a complaint under the Privacy Shield. This would also be in line with the obligation to inform individuals about their right to lodge a complaint with DPAs.

A number of developments having an impact on privacy took place in the US over the past year. The EU Commission inquired about their consequences for the Privacy Shield during the joint annual review and, although it was eventually satisfied that these developments do not affect its validity, it asks that the US communicate more transparently and in a more timely manner about such developments in the future.

One development worth mentioning is the FTC vs. AT&T case, which holds that common carriers (e.g. telephone companies) no longer fall under FTC jurisdiction even for their non-common-carrier activities, and will therefore no longer be able to adhere to Privacy Shield. The US confirmed that while this development, if confirmed on appeal, will limit the coverage of Privacy Shield, it will not impact its safeguards and protections for the entities still covered by it.

National Security Areas of Improvement

The EU Commission also recommended that the US finalise and improve the implementation of the safeguards against surveillance that the US committed to last year. Its main recommendations can be summarised as follows:

Section 702 regulates the US programme used by the government to access communications about foreign individuals, and it needs to be re-authorised as it is set to expire at the end of this year. Based on the latest developments, it is doubtful that the EU Commission’s recommendation will make it through: the Trump administration supports a permanent re-authorisation of the programme without any change, and the Senate Intelligence Committee already voted to approve this re-authorisation earlier this week. The debate is still ongoing.

A Focus on Automated Individual Decision-Making

The EU Commission ordered a study to evaluate the differences and similarities between the US and EU approaches on automated decision-making. Given the exponential development of big data and machine learning technologies, automated decision-making has become a key topic for many companies.

The EU has strengthened the rules around automated individual decision-making under the GDPR, especially when this type of processing is used to make decisions that have legal (e.g. a refused entry at the border) or similarly significant effects on individuals (e.g. a loan application), and the recent draft guidelines of the Article 29 Working Party seem to confirm the decision of the EU to subject this type of processing to strict safeguards and limitations.

It is unclear how much the US approach differs from the EU’s regarding the protection mandated for this type of processing. Answering this question will be one of the EU Commission’s focuses over the next year.

How OneTrust Helps

OneTrust helps privacy professionals prepare for compliance with upcoming privacy regulations and certifications through proactive self-assessments. Free templates are available for the EU General Data Protection Regulation, Privacy Shield, BCR (controllers and processors), and APEC CBPR, as part of the OneTrust privacy management platform. Privacy professionals can use OneTrust to benchmark their organisational readiness, prioritise requirements for compliance and provide executive-level visibility.