EU-U.S. Privacy Shield Passes First Annual Review
Alerts
October 19, 2017

On October 18, 2017, the European Commission (EU Commission) published its report on the first annual review of the EU-U.S. Privacy Shield Framework (Privacy Shield).[1] The EU Commission confirms that the Privacy Shield ensures an adequate level of protection for EU personal data that is transferred to the U.S., but calls on the U.S. government to implement a number of recommendations.

Certified companies can continue to rely on the Privacy Shield to receive EU personal data in compliance with EU data protection law. This is an important validation of a key mechanism used by EU and U.S. companies transferring data to the U.S., particularly in light of the current uncertainty around data transfers arising from court challenges to the Standard Contractual Clauses[2] and the Privacy Shield.[3]

Background

EU data protection law restricts the transfer of personal data outside of the EU. The Privacy Shield is an agreement between the U.S. and the EU Commission that permits certified U.S. companies to receive personal data from the EU.[4] The Privacy Shield agreement was adopted in July 2016 to replace the Safe Harbor Framework, which was invalidated by the Court of Justice of the European Union (CJEU) in Schrems[5] in October 2015.[6] Today, more than 2,500 U.S. companies have self-certified to the Privacy Shield.

When approved, negotiators agreed that annual reviews would be conducted to assess the continued adequacy of protection afforded by the Privacy Shield. Officials from the U.S. Government, the EU Commission, and EU data protection authorities (DPAs) participated in the first annual review, which took place on September 18 and 19, 2017, in Washington, D.C. The report reflects the EU Commission's findings on the implementation and enforcement of the Privacy Shield in its first year of operation.

Privacy Shield Deemed Adequate, but Its Implementation Can Be Improved

The EU Commission stands strongly behind the Privacy Shield, and continues to believe that it ensures an adequate level of protection for transferred EU personal data. The report acknowledges that the U.S. implemented the necessary administrative structures for Privacy Shield to function (in particular with regard to complaint-handling and enforcement), and that the U.S. maintains the safeguards regarding data access for national security purposes that had been agreed upon.

However, the EU Commission recommends certain measures[7] to improve the Privacy Shield. The key recommendations are:

  • Prohibiting companies from publicly referring to their Privacy Shield certification until the certification process with the Department of Commerce is finalized.
  • Strengthening awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield, notably on how to lodge complaints.
  • Conducting (i) regular searches for false claims of participation in the Privacy Shield, for example, through internet searches, including for companies that have never applied for certification; and (ii) compliance checks, for example, by sending certified companies compliance review questionnaires focusing on specific issues.
  • Developing guidance on certain concepts in the Privacy Shield, such as the accountability for onward transfers and the definition of HR data, in cooperation with EU DPAs.
  • Including the protection for non-U.S. citizens offered by the Presidential Policy Directive 28 (PPD-28)[8] into the Foreign Intelligence Surveillance Act (FISA).
  • Appointing a permanent Privacy Shield Ombudsperson and filling positions for the Privacy and Civil Liberties Oversight Board (PCLOB) as soon as possible.
  • Making public the PCLOB's report on the implementation of PPD-28.

Next Steps

The Article 29 Working Party—the body of EU DPAs—will comment on the report and provide its own non-binding assessment of the Privacy Shield in November 2017.

Both the EU Commission and the U.S. will continue to actively monitor and periodically review the adequacy of the Privacy Shield. In its report, the EU Commission indicated some specific topics that it plans to cover during the 2018 review (e.g., automated decision-making).

In parallel, the question of the validity of Standard Contractual Clauses will be referred to the CJEU once the Irish High Court rules on the text of the preliminary questions later this year,[9] and two actions for annulment of the Privacy Shield are pending before the Court; both may have an impact on the next Privacy Shield review.

We will continue to closely monitor news related to EU-U.S. data transfers and will update you on any significant developments.

Wilson Sonsini counsels clients on risks related to the enforcement of privacy and cybersecurity laws globally, along with advising clients on EU data transfer strategies. For more information, please contact Cédric Burton, Christopher Kuner, Lydia Parnes, Chris Olsen, or another member of the firm's privacy and data protection practice.

Laura De Boel and Rossana Fol contributed to the preparation of this Wilson Sonsini Alert.


[1] See also the EU Commission's press release, and FAQs.
[2] On October 3, 2017, the Irish High Court decided to refer questions to the CJEU to assess the validity of Standard Contractual Clauses. See the Irish High Court judgment as published by the Irish DPC, available at https://dataprotection.ie/documents/judgements/DPCvFBSchrems.pdf, and our WSGR Alerts: "European Court of Justice to Rule on Validity of Standard Contractual Clauses" (October 3, 2017), available at https://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-schrems-1017.htm. Now, the Irish High Court needs to determine the exact questions that will be asked to the CJEU. That decision is expected early December.
[3] See the pending actions for annulment before the CJEU in Case T-670/16, Digital Rights Ireland v Commission, and in Case T-738/16, La Quadrature du Net and Others v Commission.
[4] See our WSGR Alerts: "Article 29 Working Party Issues Statement Following Adoption of EU-U.S. Privacy Shield" (July 26, 2016), available at https://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-privacy-shield-0716-v2.htm, "The EU-U.S. Privacy Shield Is Adopted and Available as of August 1, 2016" (July 12, 2016), available at https://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-privacy-shield-0716.htm, and "EU Commission Publishes EU-U.S. Privacy Shield" (February 29, 2016), available at https://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-privacy-shield-publish.htm.
[5] See the CJEU Judgment, delivered on October 6, 2015, in Case C-362/14 Maximillian Schrems v. Data Protection Commissioner (request for a preliminary ruling from the High Court (Ireland)), available at http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=1&part=1&mode=req&docid=169195&occ=first&dir=&cid=111628.
[6] See our WSGR Alerts: "EU's Highest Court declares Safe Harbor Invalid" (October 6, 2015), available at https://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-safe-harbor-invalid.htm and "EU Data Protection Authorities Issue Statement Following Schrems Decision" (October 16, 2015), available at https://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-schrems-statement.htm.
[7] These recommendations are further described in the EU Commission's Staff Working Document on the first annual review of the functioning of the EU-U.S. Privacy Shield.
[8] PPD-28 is a policy instruction issued in 2014 by President Obama to set out limitations and safeguards on the use of personal data by U.S. national security authorities, regardless of the nationality of the individual.
[9] See footnote 2 above.

Contributors

  • Cédric Burton
  • Christopher Kuner
  • Lydia B. Parnes
  • Christopher N. Olsen
  • Laura De Boel
  • Rossana Fol