The EU-US Privacy Shield – One Year On and Still Going Strong

The EU-US Privacy Shield was established by the EU Commission in August 2016 to replace the previous ‘Safe Harbour’ system, which was ruled unlawful by the European Court of Justice (to read the ECJ’s decision, see here).

To ensure continued compliance with the scheme by US organisations and the US government, the EU Commission conducts an annual review of the Privacy Shield. The most recent review was undertaken in September, with the report released by the Commission last week (for reference, see here).

What is the EU-US Privacy Shield?

The Privacy Shield aims to provide a safe way of transferring personal data from the EU to organisations in the US by imposing obligations on US companies which receive personal data from the EU, and on the US government should they request access to that data (for more information, see our blog here).

The Privacy Shield was seen as an improvement to Safe Harbour, introducing enhanced protective mechanisms, limits on the length of time companies can retain personal data, and imposing conditions under which data can be shared with third parties outside the Privacy Shield, for example, the US government.

Certification and Oversight

Before US organisations can legally receive personal data from EU countries, they must be certified under the Privacy Shield. This certification procedure is overseen by the US Department of Commerce (the “DoC”).

The Privacy Shield Ombudsperson has also been set up to address complaints concerning access to personal data by the US government for national security and other public interest purposes. Additionally, the Privacy Shield Arbitration Panel provides a final redress mechanism for EU individuals whose data is not used properly under the Privacy Shield, or who consider that a US company is not complying with its rules.

What did the Commission conclude?

Shortly after the Privacy Shield was established, two separate challenges were launched regarding the legality of the arrangement (see our previous blog post here). Despite those early challenges, the EU Commission has now confirmed its decision from July 2016, ruling that the Privacy Shield continues to ensure an “adequate” level of protection of personal data.

This decision was reached on the basis that:

• Structures and procedures are in place to ensure that the Privacy Shield functions correctly;
   
• The certification process has been handled in a “satisfactory” manner;
   
• Complaint handling and enforcement mechanisms are in place to safeguard the rights of EU individuals whose data is being handled;
   
• There are two redress avenues for individuals – the Privacy Shield Ombudsperson and Arbitration Panel;
   
• US co-operation with EU data protection authorities has improved; and
   
• The US government’s access to personal data is more strictly safeguarded.

What has the Commission recommended?

Despite the Commission’s confirmation that the Privacy Shield is safe to operate for another year, it also expressed several concerns about the system, and made various recommendations to further improve it:

• US companies should be prevented from pronouncing their Privacy Shield certification before the certification process is finalised;
   
• The DoC should be proactively and regularly searching for companies falsely holding themselves out to be certified;
   
• The DoC should be continually monitoring compliance with Privacy Shield principles by US organisations;
   
• The EU Data Protection Authorities should be strengthening their efforts to inform EU individuals about how to exercise their rights under the Privacy-Shield, and generally raising awareness of the system;
   
• Encouraging improved cooperation between data protection enforcers (i.e. the DoC and EU Data Protection Authorities), in particular by developing guidance on the legal interpretation of certain concepts in the Privacy Shield;
   
• The appointment of a permanent Ombudsperson (the current Ombudsperson has only been appointed on a temporary basis);
   
• That the US Administration fills the currently unfilled posts on the Privacy and Civil Liberties Oversight Board, which plays an important function in overseeing the protection of privacy and civil liberties in the field of counter terrorism; and
   
• Encouraging the US authorities to proactively report to the EU Commission about any developments that could be relevant to the functioning of the Privacy Shield.

What does this mean for you as a business? 

Over 2,400 US organisations are certified to use the Privacy Shield, meaning an increasing amount of personal data is being transferred across the Atlantic. All UK organisations relying upon the Privacy Shield should be sure to check that any US businesses they are sharing data with are fully certified. The US Privacy Shield website contains a list of certified US organisations, which can be found here.

Undertaking a review of your organisation’s international data transfers is an essential part of your organisation’s preparation for the implementation of the General Data Protection Regulation (GDPR) in May 2018.  If your US data transfers are not protected by the Privacy Shield scheme, your organisation must rely on one of the other lawful bases available to transfer personal data to the US, such as standard contractual clauses or binding corporate rules.

Should you have any GDPR or data protection queries, please contact Kingsley Napley’s data protection team.