Third Annual Privacy Shield Review Confirms EU Commission's Adequacy Decision

The European Union Commission (“Commission“) has issued a report on its findings from the third annual Privacy Shield review, which took place in September. In its report, the Commission confirmed that the EU-US Privacy Shield framework continues to ensure an adequate level of protection for personal data transferred from the EU to companies participating in the Privacy Shield program in the United States. In concluding its report, the Commission provided additional action items necessary to ensure the continued functioning of Privacy Shield, including time limits for re-certifications and encouraging US authorities to expand their substantive review of Privacy Shield compliance spot-checks.

By way of brief background, the EU General Data Protection Regulation (“GDPR“) restricts the transfer of personal data to third countries unless such countries provide an adequate level of protection for personal data or an exception/derogation applies. The Commission may determine that a third country ensures an adequate level of protection by its domestic law or international commitments on data protection. On July 12, 2016, the Commission adopted a decision finding Privacy Shield ensures an adequate level of protection for personal data transferred from the EU to companies participating in the Privacy Shield program in the US.¹ The Commission’s 2016 adequacy decision also requires an annual review of Privacy Shield to evaluate the functioning of the framework. Currently, over 5,000 companies participate in the Privacy Shield program.

A press statement from the Commission on the third annual review noted that, “the review focused on the lessons learnt from [Privacy Shield’s] practical implementation and day-to-day functionality.” Participating in the review were US government departments overseeing enforcement of Privacy Shield, including the US Department of Commerce (“Commerce“), the US Federal Trade Commission (“FTC“), and newly appointed Privacy Shield Ombudsperson, Keith Krach.

In concluding that Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU, the Commission noted the following next step action items to ensure the continued functioning of Privacy Shield:

Re-certification. To increase the transparency and reliability of the Privacy Shield list for both businesses and individuals, grace periods for companies that have not completed their re-certifications should be limited to 30 days. If these companies have not completed their re-certification at the end of this period, Commerce should send them a warning letter.
Spot-checking. In April 2019, Commerce introduced a system for checking 30 companies per month for Privacy Shield violations. While the Commission encourages such compliance checks, the review found that Commerce’s spot-checks focused on formal requirements, such as unresponsive points of contact at companies participating in the program or inaccessibility to the companies’ privacy policy. As a next step, the Commission encourages Commerce to review more substantive obligations, including the Accountability for Onward Transfers Principles, which would require Privacy Shield companies to produce their data sharing agreements.
False claims. Commerce should expand its quarterly reviews for false Privacy Shield claims to include companies that have never applied for Privacy Shield.
Human Resource Data Guidance. In the coming months, the EU Data Protection Authorities, Commerce and the FTC should develop guidance on the definition and treatment of human resources data.
Authority sharing. The EU and US authorities should find ways to share meaningful information on ongoing investigations.

While the Commission’s report confirms that Privacy Shield continues to provide adequate protection for EU to US personal data transfers, an ongoing matter before the Court of Justice of the European Union raises questions regarding the validity of Privacy Shield.² The Commission’s report does not address its position on this case, however, the Commission notes it will reassess Privacy Shield once the Court issues its judgement. For now, companies currently participating in the Privacy Shield or applying to the program should continue to evaluate and document their capabilities of meeting the Privacy Shield’s obligations.

¹ Adequacy decisions made prior to the new EU General Data Protection Regulation remain in force unless a Commission decision decides otherwise.
² C-311/18, Data Protection Commissioner v Facebook Ireland Limited, Maximilliam Schrems.

Author Brian Hengesbaugh

Author Lothar Determann

Lothar Determann has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto. He is a member of the Firm's International/Commercial Practice Group and the TMT and Healthcare industry groups.

Author Michael Egan

Michael Egan advises clients across various industries, including global online businesses, pharmaceutical companies, healthcare providers, manufacturers, financial institutions, sourcing providers, retail companies, and other organizations regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer. He focuses on these issues in the context of: global company operations and applications, including websites, mobile and e-commerce applications; data security breach and incident response; transactions; litigation; internal investigations; and government inquiries. He has represented companies before numerous government authorities, including the US Federal Trade Commission, the US Department of Justice and the US Securities and Exchange Commission.

Author Amy de la Lama

Amy de La Lama is a partner in Baker McKenzie's Chicago office. She has assisted a wide array of companies (financial institutions, retail companies, sourcing providers, online businesses) in addressing legal issues related to global privacy and data collection, data security, information technology and related restrictions on data collection and movement.

Author Teresa H. Michaud

Teresa H. Michaud advises on all aspects of dispute resolution, primarily complex business disputes, class actions, intellectual property and international arbitration. She is the co-chair of the North American Class Action Subgroup and serves as a member of the Global Steering Committee of the Firm's Technology, Media & Telecommunications (TMT) Industry Group. She is admitted to practice in California, Texas and New York, and qualified in England and Wales. She is a Certified Information Privacy Professional/United States (CIPP/US). Teresa is also one of the founding members of our Los Angeles office that opened in 2018.

Author Vincent Schroder

Vincent Schroder has more than 12 years of significant experience in privacy, data protection, information technology and e-commerce law. Being admitted in California, New York and Germany, he advises businesses around the world on questions pertaining to EU and US law as well as cross-border regulation and transactions. His privacy and data protection practice involves helping clients design, structure and implement comprehensive compliance programs and find innovative solutions regarding the processing of personally identifiable information and personal data using cutting-edge technology. Vincent also regularly advises clients on complex IT projects and agreements such as IT outsourcing, transition service agreements, licensing arrangements, cloud computing, the Internet of Things, infrastructure projects as well as terms and conditions governing e-commerce services.

Author Michael Stoker

Michael A. Stoker is a lawyer in Baker McKenzie's Intellectual Property and Technology group. Mr. Stoker routinely advises clients in the areas of information technology, intellectual property, licensing, sourcing, cybersecurity, data protection, data breach response, privacy and electronic commerce. Mr. Stoker is a member of Baker McKenzie's Global Automotive Steering Committee, Future Mobility Working Group, and Global Data Security Working Group. Mr. Stoker has a Bachelor of Science in Computer Science and has formerly worked as a software developer for a document and information management software company. His experience as a software developer has given him valuable insight into the technology matters of the clients he serves.

Author Harry Valetk

Author Brandon Moseberry

Brandon Moseberry advises global consumer, information technology, manufacturing, medical device, and financial institutions, among other clients, on a wide range of global data privacy, cybersecurity, direct marketing, social media, behavioral advertising, and related matters. Brandon is also active in pro bono matters of the Firm.

Third Annual Privacy Shield Review Confirms EU Commission’s Adequacy Decision

Related Posts

Malaysia: The Cyber Security Bill 2024 – A new era for cyber security

Italy: Management of shortages of drugs included in transparency lists

EU Court of Justice requires EMA to conduct a more thorough check on conflicts of interest