The European Commission undertook its Second Review of the EU-US Privacy Shield in October 2018 and, in light of the Commission’s publication of its Report in late December, we consider the implications of this report for business. The Report is available here.
What is the EU-US Privacy Shield?
The EU-US Privacy Shield was agreed in 2016 and allows personal data to be transferred from Europe to the United States. Current data protection laws prohibit the transfer of personal data outwith the EEA to countries that do not have in place adequate measures to protect the personal data of EU citizens. The US is one of those countries deemed not to have adequate measures – this is a huge issue for any business or organisation which needs to share personal data with businesses in the US! The EU-US Privacy Shield is the mechanism negotiated between the EU Commission and the US Administration that allows businesses to trade (where personal data is concerned).
The EU-US Privacy Shield imposes stringent duties on US companies who receive the personal data of Europeans and also obliges the US administration to be more robust in its enforcement of data protection rules and to monitor compliance more thoroughly (its perceived lack of enforcement was something the US administration was highly criticised for under the Shields predecessor (Safe Harbor). Further, it obliges them to fully cooperate with Data Protection Authorities in Europe.
Over 3,850 companies have signed the EU-US Privacy Shield, including the likes of Microsoft, IBM and Google. For companies who are data rich and/or are dependent upon on the sharing of personal data to enable it to do business or to simply operate its business, the Privacy Shield is an important means of ensuring that free flow of personal data of EU citizens from the EU to the US continues, whilst ensuring that personal data receives adequate protection.
Unfortunately, the Privacy Shield has received some criticism in recent months. Whilst the EU-US Privacy Shield mechanism was agreed during the Obama administration, many (including the European Commission) are concerned that the current US administration will not prioritise the protection of EU citizens’ privacy. Further, the European Parliament issued a resolution in July 2018 calling for the suspension of the Privacy Shield if the US failed to ensure a GDPR level of protection for the data of EU citizens.
The 2018 Review
The Privacy Shield’s terms state that it must be reviewed on an annual basis and the second annual review took place in October last year. The Review firstly considered whether the US Administration was monitoring the compliance of companies with the Privacy Shield rules and was the US Administration taking enforcement action where necessary; and secondly reviewed matters relating to data transferred to US authorities for law enforcement and security purposes (such use by the US Administration played a key role in the downfall of the predecessor to the Privacy Shield - the Safe Harbor mechanism).
The review also gave consideration to recent developments which have had serious privacy implications such as the Cambridge Analytical scandal.
So what did the Commission find?
In its Report of 19 December 2018, the Commission held that “the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the Union to organisations in the United States.” Therefore, there is no immediate threat to the continuation of the free flow of personal data between from the EU to the US. As such, businesses who are utilising the EU-US Privacy Shield to transfer personal data can draw comfort from this.
One fly in the ointment, though, was the vexed question of when was the US administration going to appoint its Privacy Shield Ombudsperson – something the US is obliged to do under the terms of the EU-US Privacy Shield deal. The Ombudsperson has an important role: handling complaints and queries from EU citizens in relation to the use of their personal data.
In its Report, the Commission stated that the US must appoint a permanent Privacy Shield Ombudsperson urgently and, in any event, by 28 February 2019. The Commission was particularly critical of the US in this respect, declaring that “the absence of a permanent appointee is highly unsatisfactory and should be remedied as soon as possible.” If the US administration fails to appoint an Ombudsperson by 28 February 2019, the Commission has stated that it may proceed with “appropriate measures” in line with the GDPR.
Despite this, however, the European Commission praised the US administration for its compliance with its recommendations outlined in the first annual review (with the exception of the Ombudsperson appointment!) and as far as data transferred to US authorities is concerned, the Commission commended legal developments in the sphere of data protection which have introduced additional privacy safeguards.
To conclude, the US administration has received a good report card that will give comfort to businesses, however the US administration has just over two months to comply with the European Commission’s call for the appointment of a Privacy Shield Ombudsperson. We await further information to see whether the US will appoint such an Ombudsperson, or, if they fail to do so, whether the European Commission will follow through with their ultimatum, and take action (whatever that action may be) under the GDPR.