Adequacy of Privacy Shield Confirmed Albeit With Recommendations

On the 18th October 2017, the European Commission published its first annual report on the functioning of the EU- U.S. Privacy Shield, the aim of which is to protect the personal data of anyone in the EU transferred to companies in the U.S. for commercial purposes. Overall the report shows that the Privacy Shield continues to ensure an adequate level of protection, however the report makes a certain number of recommendations.

Andrus Ansip, Commission Vice-President for the Digital Single Market, said: “The Commission stands strongly behind the Privacy Shield arrangement with the U.S. Making international data transfers sound, safe and secure benefits certified companies and European consumers and businesses, including EU SMEs. This first annual review demonstrates our commitment to create a strong certification scheme with dynamic oversight work.” 

Věra Jourová, Commissioner for Justice, Consumers and Gender Equality stated:“Transatlantic data transfers are essential for our economy, but the fundamental right to data protection must be ensured also when personal data leaves the EU. Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation. The Privacy Shield is not a document lying in a drawer. It’s a living arrangement that both the EU and U.S. must actively monitor to ensure we keep guard over our high data protection standards.”

Overall the report shows that the Privacy Shield continues to ensure an adequate level of protection for the personal data transferred from the EU to participating companies in the U.S. The U.S. authorities have put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield, such as new redress possibilities for EU individuals. Complaint-handling and enforcement procedures have been set up, and cooperation with the European Data protection authorities has been stepped up. The certification process is functioning well – over 2,400 companies have now been certified by the U.S. Department of Commerce. As regards access to personal data by U.S. public authorities for national security purposes, relevant safeguards on the U.S. side remain in place.

The Commission will commission a study to collect factual evidence and further assess the relevance of automated decision-making for transfers carried out on the basis of the Privacy Shield. The report will be sent to the European Parliament, the Council, the Article 29 Working Party of Data Protection Authorities and to the U.S. authorities.