First Annual Review of EU-U.S. Privacy Shield Shows Data Protected but Also Makes Recommendations

Written By ESR News Blog Editor Thomas Ahearn

On October 18, 2017, the European Commission (EC) published its report on the first annual review of the EU-U.S. Privacy Shield that protects personal data of people in the European Union (EU) transferred to companies in the United States (U.S.) for commercial purposes, according to a press release.

Officials from the United States Government, European Commission, and EU data protection authorities met in Washington D.C. to conduct the review on September 18 and 19, 2017. Over 2,400 companies have now been certified for the EU-U.S. Privacy Shield that was launched on August 1, 2016.

Overall, the report shows that the Privacy Shield continues to ensure an adequate level of protection for the personal data transferred from the EU to participating companies in the U.S. The report suggests a number of recommendations to ensure the continued successful functioning of the Privacy Shield:

  • More proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce. The U.S. Department of Commerce should also conduct regular searches for companies making false claims about their participation in the Privacy Shield.
  • More awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield, notably on how to lodge complaints.
  • Closer cooperation between privacy enforcers, i.e., the U.S. Department of Commerce, the Federal Trade Commission, and the EU Data Protection Authorities (DPAs), notably to develop guidance for companies and enforcers.
  • Enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the ongoing debate in the U.S. on the reauthorization and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA).
  • Appointing a permanent Privacy Shield Ombudsperson as soon as possible, as well as ensuring that the empty posts on the Privacy and Civil Liberties Oversight Board (PCLOB) are filled.

“The Privacy Shield is not a document lying in a drawer. It’s a living arrangement that both the EU and U.S. must actively monitor to ensure we keep guard over our high data protection standards,” Věra Jourová, Commissioner for Justice, Consumers and Gender Equality stated in the press release.

“The Commission stands strongly behind the Privacy Shield arrangement with the U.S.,” said Andrus Ansip, Commission Vice-President for the Digital Single Market. “This first annual review demonstrates our commitment to create a strong certification scheme with dynamic oversight work.”

An infographic reveals that the 2,400 companies certified under Privacy Shield in the first year are more than were certified during the first ten years of Safe Harbor – the predecessor to Privacy Shield that was ruled invalid in October of 2015 – and that approximately 20 new companies apply for certification each week.

The report found that U.S. authorities have put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield. Complaint-handling and enforcement procedures have been set up, and cooperation with the European data protection authorities has been stepped up.

With regard to access to personal data by U.S. public authorities for national security purposes, relevant safeguards on the U.S. side remain in place. The website for the Privacy Shield – which covers both the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks – is available at www.privacyshield.gov.

“We look forward to continuing to work with our European counterparts to ensure that the Privacy Shield remains a robust mechanism for protecting privacy and enabling transatlantic data flows,” Acting Federal Trade Commission (FTC) Chairman Maureen K. Ohlhausen said in a statement about the report.

In September 2017, ESR News reported that three companies agreed to settle FTC charges that they misled consumers about their participation in the EU-U.S. Privacy Shield Framework and violated the FTC Act. The cases are the first the FTC has brought to enforce the EU-U.S. Privacy Shield Framework.

ESR Completes Annual EU-U.S. Privacy Shield Re-Certification

Employment Screening Resources® (ESR) – a leading global background check firm – received notification from the International Trade Administration (ITA) that its annual submission for self-certification of adherence to the EU-U.S. Privacy Shield was finalized and is effective as of September 22, 2017.

Organizations must self-certify to the ITA annually their adherence to Privacy Shield in order to remain on the Privacy Shield List. Along with Microsoft and Salesforce, ESR was one of the first adopters of Privacy Shield with an original certification date of August 12, 2016, less than two weeks after the official launch date.
