Legal Memo – The European Commission validates the “Privacy Shield” Agreement between Europe and the US

The European Commission considers that the Privacy Shield mechanism implemented by the U.S. guarantees an adequate level of protection for personal data, without prejudice to the fact that there are improvements to be made in the upcoming months.

The European Commission has released a report on the second annual review of the EU-U.S. Privacy Shield[1], a self-certification mechanism that was approved in July 2016 and that ensures an adequate level of protection of personal data transferred from the European Union to the U.S.

The Implementing Decision[2] approved by the European Commission, by means of which the Privacy Shield was approved, established the “continuous monitoring of the functioning” of said mechanism, which implied the completion of annual revisions of the Privacy Shield by the competent authorities to ensure the compliance with the requirements set by the European Union in relation to the protection of personal data.

The first annual review[3] took place in September 2017, and the Commission concluded that the U.S. authorities had implemented the necessary procedures to ensure the proper functioning of the Privacy Shield, so that it continued to offer an adequate level of protection. This is, without prejudice to the fact that it was determined that the implementation of the mechanism, at the practical level, could be improved through a series of recommendations, among which was the need to promote and improve the cooperation efforts among the authorities, the awareness of the interested parties or the continuous monitoring of compliance with the principles of Privacy Shield by the U.S. Department of Commerce.

For the second annual review, carried out in the month of October of this year 2018, the Commission has gathered information from the North American authorities involved in the implementation of the Privacy Shield, the certified companies, as well as the NGOs present in the field of fundamental rights for the protection of users’ privacy, having reviewed both the commercial aspects of the mechanism, and the issues related to access to personal data by the Government.

In general terms, the Commission has validated the compliance with the recommendations made in the first annual review by the Department of Commerce, insofar as it considers that, among other aspects, the certification process of the companies has been toughened; new supervision procedures have been implemented and new tools have been introduced to detect and address possible non-compliance. Also, in response to the monitoring of compliance with the Privacy Shield principles, the U.S. Federal Trade Commission has issued administrative subpoenas to a number of certified companies, and has confirmed that the investigation of the Facebook / Cambridge Analytics case is still ongoing.

It should also be noted that, despite the recommendation to appoint a permanent Privacy Shield Ombudsperson included in the first annual review, the position of Under-Secretary in the State Department, to whom the office of the Ombudsperson had been assigned, had not been covered by a permanent appointment at the time of the closure of the second review carried out by the European Commission.

Based on the information gathered, the Commission has concluded that the U.S. continues to offer an adequate level of protection of personal data transferred through the Privacy Shield, especially taking into account the implementation of the recommendations included in the report on the first annual review. However, in the words of the Commission, some steps have been taken recently and require close monitoring. In this regard, it is worth mentioning:

• Administrative subpoenas to certified companies in case of detection of violations of the Privacy Shield principles, as well as to entities for false claims.
• Observation of the effectiveness of the monitoring instruments for compliance with the Privacy Shield principles.
• Development of additional guidelines jointly by the EU, the Department of Commerce and the Federal Trade Commission, regarding aspects that require further clarification (for example, data related to HR management).

Particularly, the Commission has set a deadline until February 29, 2019 for the appointment of a permanent Ombudsperson. If the position is no filled on a permanent basis, the Commission will consider “taking appropriate measures in accordance with the General Regulation of Data Protection “.

^[1] Second annual review report: https://ec.europa.eu/info/sites/info/files/report_on_the_second_annual_review_of_the_eu-us_privacy_shield_2018.pdf

^[2] Commission Implementing Decision (EU) 2016/1250, on the adequacy of the protection provided by the EU-U.S. Privacy Shield: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016D1250&from=EN

^[3] First annual review report: https://ec.europa.eu/info/sites/info/files/report_on_the_first_annual_review_of_the_eu-us_privacy_shield_2017.pdf