On October 18, 2017, the European Commission (EU Commission) published its report on the first annual review of the EU-U.S. Privacy Shield Framework (Privacy Shield).1 The EU Commission confirms that the Privacy Shield ensures an adequate level of protection for EU personal data that is transferred to the U.S., but calls on the U.S. government to implement a number of recommendations.
Certified companies can continue to rely on the Privacy Shield to receive EU personal data in compliance with EU data protection law. This is an important validation of a key mechanism used by EU and U.S. companies transferring data to the U.S., particularly in light of the current uncertainty around data transfers arising from court challenges to the Standard Contractual Clauses2 and the Privacy Shield.3
Background
EU data protection law restricts the transfer of personal data outside of the EU. The Privacy Shield is an agreement between the U.S. and the EU Commission that permits certified U.S. companies to receive personal data from the EU.4 The Privacy Shield agreement was adopted in July 2016 to replace the Safe Harbor Framework, which was invalidated by the Court of Justice of the European Union (CJEU) in Schrems5 in October 2015.6 Today, more than 2,500 U.S. companies have self-certified to the Privacy Shield.
When the Privacy Shield was approved, negotiators agreed that annual reviews would be conducted to assess the continued adequacy of protection afforded by the Privacy Shield. Officials from the U.S. Government, the EU Commission, and EU data protection authorities (DPAs) participated in the first annual review, which took place on September 18 and 19, 2017, in Washington, D.C. The report reflects the EU Commission's findings on the implementation and enforcement of the Privacy Shield in its first year of operation.
Privacy Shield Deemed Adequate, but Its Implementation Can Be Improved
The EU Commission stands strongly behind the Privacy Shield, and continues to believe that it ensures an adequate level of protection for transferred EU personal data. The report acknowledges that the U.S. implemented the necessary administrative structures for Privacy Shield to function (in particular with regard to complaint-handling and enforcement), and that the U.S. maintains the safeguards regarding data access for national security purposes that had been agreed upon.
However, the EU Commission recommends certain measures7 to improve the Privacy Shield. The key recommendations are:
Next Steps
The Article 29 Working Party—the body of EU DPAs—will comment on the report and provide its own non-binding assessment of the Privacy Shield in November 2017.
Both the EU Commission and the U.S. will continue to actively monitor and periodically review the adequacy of the Privacy Shield. In its report, the EU Commission indicated some specific topics that it plans to cover during the 2018 review (e.g., automated decision-making).
In parallel, the question of the validity of Standard Contractual Clauses will be referred to the CJEU once the Irish High Court rules on the text of the preliminary questions later this year,9 and two actions for annulment of the Privacy Shield are pending before the Court; both may have an impact on the next Privacy Shield review.
We will continue to closely monitor news related to EU-U.S. data transfers and will update you on any significant developments.
Wilson Sonsini counsels clients on risks related to the enforcement of privacy and cybersecurity laws globally, along with advising clients on EU data transfer strategies. For more information, please contact Cédric Burton, Christopher Kuner, Lydia Parnes, Chris Olsen, or another member of the firm's privacy and data protection practice.
Laura De Boel and Rossana Fol contributed to the preparation of this Wilson Sonsini Alert.