Discerning Data
A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

First Annual Joint Review of EU – U.S. Privacy Shield Addresses Six Areas of Concern

In relation to the first annual Joint Review of the EU-U.S. Privacy Shield Framework, the Article 29 Data Protection Working Party (WP29), an independent European advisory body on data protection and privacy, issued its findings on November 28, 2017.

The EU-U.S. Privacy Shield Framework provides a method for companies to transfer personal data from the EU to the U.S. in a way that is consistent with EU law. As we discussed in a previous blog post, the framework is based on a certification system whereby U.S. companies commit to adhere to a set of Privacy Shield Principles. Other mechanisms for transferring personal data from the EU to the U.S. are binding corporate rules, model contracts, or use of one of a number of derogations from the EU’s restrictions on cross-border data transfers.

The report reflects the Working Party’s views in relation to the first annual joint review of the Privacy Shield program. It acknowledges both the progress and the efforts to implement Privacy Shield, but it raises a number of concerns and calls on the European Commission and U.S. authorities to restart discussions to address those concerns by May 25, 2018, which is the date the General Data Protection Regulation (GDPR) takes effect.

The report states that if the concerns are not adequately addressed by that time, the WP29 will take appropriate action, including the possibility of challenging the Privacy Shield adequacy decision before the national courts (which, in turn, would refer the case to the Court of Justice of the European Union (CJEU) for a ruling).

The report addressed six areas of concern:

  1. Guidance on the principles of the Privacy Shield

The report recommends that the U.S. Department of Commerce (DoC) and the Federal Trade Commission (FTC) provide more practical guidance to companies regarding compliance with Privacy Shield. For example, the report identifies the need for more precise guidance on when and how a data subject can opt out from processing of his/her data for a new purpose and more guidance regarding onward transfers. The report also recommends that the U.S. authorities offer more information in an accessible and easily understandable form to EU individuals regarding their rights and remedies.

  2. HR data

The findings gathered during the joint review indicate that the WP29 and DoC interpret the scope of human resources data differently. Specifically, DoC believes that HR data is limited to the processing of data of employees within the same company. As a result, processing of data of an EU company’s employees after being transferred to a Privacy Shield certified processor in the U.S. would be considered processing of commercial data, not HR data. In contrast, WP29 interprets “HR data” as any personal data concerning an employee in the context of an employer-employee relationship. Accordingly, the report calls on the European Commission to address this issue and, if necessary, engage in negotiations with the U.S. authorities to amend the Privacy Shield framework.

  3. Oversight and supervision of compliance with Principles

The report recommends the implementation of more proactive supervision practices by U.S. authorities. Specifically, the report encourages DoC and/or FTC to engage in monitoring that could detect false claims of certification through internet searches, as well as periodic “sweeps” using questionnaires or on-site verifications. WP29 also notes that U.S. authorities appear to focus on compliance during the certification or recertification processes, and not enough on ensuring compliance during the intervening periods.

  4. Application of the Privacy Shield to processors established in the U.S.

DoC confirms that when examining a request for self-certification submitted by a company under the Privacy Shield, it does not differentiate between controllers and processors. The report calls on U.S. authorities to provide additional public guidance concerning the application of the Privacy Shield to processors and to distinguish more clearly processors from controllers in reviewing certification applications.

  5. Automated decision-making/Profiling

While the findings gathered during the Joint Review seem to indicate that none of the data transferred under the Privacy Shield are processed through automated decision-making systems, the Working Party questions the accuracy of these assertions. Therefore, the report calls upon the Commission to consider providing specific rules concerning automated decision-making in order to ensure sufficient safeguards.

  6. Self-certification process and cooperation between U.S. authorities in the Privacy Shield mechanism

Finally, the report recommends that the DoC recertification process be adjusted in order to avoid any potential gap that may occur during either the certification or recertification process, by developing a process in which the public statements made by organizations in their privacy policies are synchronized with the publication on the Privacy Shield list flagging the organization’s certification as active. When a certification has expired and the recertification process is not yet complete, the organization’s certification could be flagged as inactive on the Privacy Shield list. In addition, the WP29 notes its regret that there is no proactive practice of searching for false claims of Privacy Shield certification and/or verifying the links made available to access organizations’ privacy policies, and recommends that DoC and the FTC focus their efforts on including such checks in their monitoring activity.

Data for law enforcement and national security purposes

The report also addresses the derogations to the Privacy Shield that allow access to data for law enforcement and national security purposes, and it acknowledges certain efforts by the U.S. government to become more transparent, such as publishing decisions by the Foreign Intelligence Surveillance Court. In addition, the report acknowledges that surveillance law in the U.S. is evolving.

Nevertheless, the report notes that concerns expressed in previous opinions have not been fully resolved. Specific concerns relating to the collection of data for national security purposes include the lack of comprehensive oversight of all surveillance programs and the lack of full redress for EU individuals. In addition, while the report notes that the WP29 welcomes the establishment of an Ombudsperson mechanism to redress EU individuals’ rights with regard to U.S. intelligence activities, concerns remain that there is no judicial review of the Ombudsperson’s decisions.

Privacy Shield is an important mechanism for transferring personal data to participating companies in the U.S. The DoC has certified more than 2,400 companies, and approximately 20 new companies apply for certification each week. We will continue to monitor developments in this area.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

December 19, 2017
Written by: Discerning Data Editorial Board
Category: EU, FTC, GDPR, Privacy
Tags: department of commerce, wp29

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.