EU-U.S. Privacy Shield, A Year Later

Recently, the EU Commission released its first annual report on the EU-U.S. Privacy Shield framework that went into effect in August 2016. The Privacy Shield, which replaced the EU-U.S. Safe Harbor, is designed to allow transfers of personal data from the EU to the U.S. while maintaining the same level of data protection and privacy required under EU law. We previously summarized the Privacy Shield, its requirements, and instructions on how entities may participate in “EU-U.S. Privacy Shield: Should You Sign Up?” and our 2016 Privacy Year In Review.

In its report and an attached working document, the EU Commission expressed satisfaction that the Privacy Shield has been effective in protecting transferred personal information, and that U.S. authorities have effectively implemented the Privacy Shield’s framework. However, the report did include several recommendations to improve upon the Privacy Shield, including more active oversight of Shield participants by the U.S. Department of Commerce (including monitoring for false claims of participation), quickly filling vacant regulatory oversight positions, and increasing cooperation between EU and U.S. regulators responsible for Shield enforcement. The report also recommends the commission of a study on the relevance of automated decision-making for cross-border data transfers under the Shield, and encouraging Congress to incorporate the privacy protections afforded by the Presidential Policy Directive 28 into the Foreign Intelligence Surveillance Act.

The recommendations in the report must be approved by EU legislators, after which the Commission will coordinate the implementation of the recommendations with U.S. authorities.

TIP: With the May 2018 implementation of General Data Protection Regulation (GDPR) looming, the Privacy Shield will continue to serve as one of the legal bases on which organizations may transfer data from the EU to the U.S.