Privacy Shield: Second annual review of the data protection agreement
On 18/19 October, representatives of the EU Commission and the US government gathered in Brussels for the second annual review of the data protection agreement “Privacy Shield”. The review focused on commercial aspects and data processing by U.S. public authorities for national security purposes.
Since August 2016, the "Privacy Shield" has been functioning as the most important legal basis for transatlantic, commercial data transfers. It was negotiated between the EU and the US as the successor to the Safe Harbor Agreement. In its adequacy decision on 12/07/2016 (C (2016) 4176), the Commission found that under the conditions of the Privacy Shield, the US ensures an adequate level of protection for personal data transfers within the meaning of Art. 25 (2) of Directive 95/46 (Art. 45 GDPR), as required for the transfer of data from the EU to a third country. To this day, more than 3900 companies are certified under the Privacy Shield.
Previously, on 06/10/2015, the European Court of Justice (CJEU) had invalidated the Commission's adequacy decision concerning the Safe Harbor Agreement in its much-acclaimed decision in the "Schrems case" (C-362/14). Therein, the CJEU had particularly criticized the lack of effective detection and supervision mechanisms for the system of self-certification under Safe Harbor, the fact that the applicability of the Safe Harbor principles in the US could be limited for reasons of national security, and the lack of access to judicial remedies, as contemplated in Art. 47 of the Charter, for EU citizens in case of data breaches. It also criticized the fact that the Commission had never reviewed its adequacy decision or whether the US complied with the Safe Harbor principles.
Changes under Privacy Shield
The Privacy Shield principles provide more rights for EU citizens and stricter requirements for US companies. Although self-certification under the Privacy Shield is still voluntary, the commitments of the registered companies can now be enforced by (at the company's option) either the Federal Trade Commission (FTC) or the Department of Transportation (DoT). In case of suspected data breaches, EU citizens can contact US companies directly or via a data protection authority and call on an independent arbitration panel. In the event of violations by US government agencies / authorities, an Ombudsperson can be involved.
Commission report on the first annual review
Since the GDPR has been in force, a review of the adequacy decisions by the Commission is required at least every four years (Art. 45 (3) GDPR). The US's compliance with the Privacy Shield principles is even reviewed annually by the Commission; the review covers the implementation, administration, supervision and enforcement of the regulatory framework by the competent US authorities and agencies. The first review was launched in Washington, DC in September 2017 and completed with the Commission's official review report on 18/10/2017. By that time, more than 2,400 companies had already been certified.
The findings and recommendations of the report focused on requesting the Department of Commerce to be more proactive in identifying companies that falsely claim to be certified and to regularly review certified companies to identify weaknesses of the certification system. It also called for the appointment of a permanent ombudsperson, the formal appointment of a chairman and members of the Privacy and Civil Liberties Oversight Board (PCLOB), which is responsible for data protection issues involving public authorities, as well as the faster and more comprehensive provision of information from the US authorities on important developments.
Pressure from EU authorities
The way the US government is handling the implementation of Privacy Shield principles is viewed critically by some EU institutions. For example, the European Parliament, by resolution of 05/07/2018, called on the Commission to suspend the Privacy Shield if the US were not to fulfill its obligations in the short term. Although Commissioner Věra Jourová did not comply, she officially threatened the US with suspension of the agreement. Previously, the temporary ombudsperson (US Ambassador Judith Garber) had attended the second plenary session of the European Data Protection Board, where concerns about the failure of the US to appoint a permanent ombudsperson and to appoint members of the PCLOB had been raised.
Following the growing pressure from Brussels and before the initiation of the second annual review, Manisha Singh was appointed by the US as the permanent ombudsperson on 28/09/2018. Her appointment was generally welcomed by the EU. However, given her governmental involvement (she is Assistant Secretary of State, acting under the Secretary of State for Economic Growth, Energy and the Environment), doubts have been expressed concerning her independence, as intended in the Privacy Shield principles.
In addition, the chairman (Adam Klein) and two other members (Ed Felten, Jane Nitze) of the PCLOB were confirmed by the US Senate on 11/10/2018. It remains to be seen whether and when the much-demanded reports of the PCLOB on the conduct of surveillance by US intelligence agencies will be prepared and published.
The official Commission report on the second annual review is expected to be released by the end of November 2018. It remains to be seen whether those responsible will be able to alleviate the doubts about the effectiveness of the Privacy Shield and demonstrate progress in its implementation. Despite all the criticism, a repeated failure of the data protection agreement would be undesirable for the digital economy and practice.
Any questions? Please contact: Pascal Schumacher