EU-U.S. Privacy Shield Passes its First Annual Review

Digest Reports First Amendment Privacy

Report from the Commission to the European Parliament and the Council on the First Annual Review of the Functioning of the EU-U.S. Privacy Shield, COM (2017) 611 final (Oct. 18, 2017), hosted by the European Commission.

On October 18, 2017, the European Commission published its first annual report on the EU-U.S. Privacy Shield, a framework governing the exchange of personal data between the United States and the European Union for commercial purposes and providing legal context for businesses relying on transatlantic data transfers. The report comes after relevant authorities convened in Washington, D.C. last month to review the administration, enforcement, and implementation of the program in its first year.

United States and European Union officials formally approved the Privacy Shield last  July. The aim of the agreement was to facilitate the transfer of data for commercial purposes while defining obligations of U.S. companies to protect Europeans' data under EU privacy laws. The framework is based on a self-certification process with the Department of Commerce, under which U.S. companies must publicly commit to the framework and adhere to a set of key principles. In the Privacy Shield's inaugural year, the U.S. fine-tuned its measures for reviewing applications and handling complaints, established enforcement procedures, and developed questionnaires to monitor companies' compliance on an ongoing basis. Over 2,400 companies have certified with the Department of Commerce to date, with around 20 new companies applying for certification each week.

The report, incorporating feedback from the U.S. Government, the European Commission, trade associations, and NGOs active in the field of digital rights and privacy, indicates that the Privacy Shield has been functioning well overall. It concludes that the Privacy Shield "continues to ensure an adequate level of protection" for transatlantic data transfer, and applauds the increased cooperation between U.S. and EU data protection authorities. Many officials welcomed this positive outcome, including Acting Federal Trade Commission Chairman Maureen K. Ohlhausen, whose agency settled with three companies earlier this year for misrepresenting their participation in the Privacy Shield framework.

The Privacy Shield did, however, encounter some criticism and controversy in its first year. Early in its adoption, critics referred to the framework as the "privacy sham," an agreement that "helps nobody at all." It was also legally challenged by a handful of privacy groups claiming that the restrictions placed on U.S. surveillance activities were inadequate, and that the redress mechanisms were ineffective for dealing with complaints.

This month's report and accompanying Staff Working Document may assuage critics' fears about the thoroughness and transparency of the framework. According to Muge Fazlioglu, writing for the International Association of Privacy Professionals, the report highlights several "novel elements" of the Privacy Shield in comparison with its predecessor, the Safe Harbour framework. In particular, the Privacy Shield has provided for "more regular and rigorous monitoring" by the Department of Commerce of data privacy rights and "additional redress avenues for EU individuals." Notable safeguard mechanisms associated with the program include the Privacy Shield Arbitration Panel, Presidential Policy Decision 28, and the designation of a Privacy Shield Ombudsperson.

The report also recognizes room for improvement and makes a number of recommendations to U.S. authorities moving forward. Highlights include: conducting proactive, regular searches for companies making misleading claims about their participation in the Privacy Shield; education for Europeans about how to exercise their rights under the framework should they have concerns about how their data is handled; closer cooperation among enforcers to develop guidance for companies; and prompt appointment of a permanent Privacy Shield Ombudsperson.

Officials from both the EU and the United States are positive about the Privacy Shield's inaugural year and look forward to improving the program's implementation. As Andrus Ansip, the European Commission's Vice President for the Digital Single Market, said of the report's release, "This first annual review demonstrates our commitment to create a strong certification scheme with dynamic oversight work."

Danica Harvey is a 1L student at Harvard Law School.