Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

First Annual Review of the Privacy Shield Framework

The European Commission published its first annual report on the functioning of the EU-U.S. Privacy Shield, which protects the personal data transferred from the EU to companies in the U.S. for commercial purposes. The report was released on October 18, 2017.

The EU-U.S. Privacy Shield Framework provides a method for companies to transfer personal data to the U.S. from the EU in a way that is consistent with EU law. The framework is based on a certification system by which U.S. companies commit to adhere to a set of Privacy Shield Principles. To join the Privacy Shield Framework, a company must self-certify to the Department of Commerce that it complies with the Principles. A company’s failure to comply with the Principles is enforceable under Section 5 of the FTC Act, which prohibits unfair or deceptive acts. The key requirements for participating companies include:

  • Informing individuals about data processing
  • Providing free and accessible dispute resolution
  • Cooperating with the Department of Commerce
  • Maintaining data integrity and purpose limitations
  • Ensuring accountability for data transferred to third parties
  • Transparency related to enforcement actions
  • Ensuring commitments are kept as long as data is held

When the Privacy Shield was launched in 2016, the European Commission committed to review it on an annual basis in order to assess if it continues to provide an adequate level of protection for the cross-border transfer to the U.S. of personal data. This first review focused on verifying that all the mechanisms and procedures provided for the framework, many of which are new, have been fully implemented and are functioning. In preparing the report, the EU Commission gathered information from a wide range of stakeholders and the first Annual Joint Review took place in Washington, D.C. in mid-September.

The report found that the Privacy Shield continues to ensure an adequate level of protection for the personal data transferred from the EU to participating companies in the U.S. In particular, the report highlighted that the U.S. authorities have put the necessary structures and procedures in place to ensure the correct functioning of the program, including complaint handling and enforcement and coordination with the EU Data Protection authorities.

The report also found that the certification process is functioning well, with more than 2,400 companies certified by the U.S. Department of Commerce and approximately 20 new companies applying for certification each week. In addition, the Federal Trade Commission announced three settlements with U.S. companies that allegedly misrepresented their participation in the Privacy Shield program.

The report makes a number of recommendations:

  • Companies should not be able to publicly refer to their Privacy Shield certification before the certification is finalized by the Department of Commerce
  • The Department of Commerce should conduct proactive and regular searches for false claims
  • The Department of Commerce should conduct ongoing monitoring of companies’ compliance with their Privacy Shield obligations
  • Awareness should be strengthened, specifically among EU individuals, about how to file complaints to exercise rights under the Privacy Shield
  • Cooperation should be improved between U.S. federal law enforcement agencies and the EU Data Protection authorities to develop guidance for companies and enforcers
  • The protections for non-Americans offered by Presidential Policy Directive 28 should be enshrined as part of the ongoing debate in the U.S. on the reauthorization and reform of Section 702 of the Foreign Intelligence Surveillance Act
  • A permanent Privacy Shield Ombudsperson should be appointed and the vacant posts on the Privacy and Civil Liberties Oversight Board should be filled
  • Reporting of relevant developments by U.S. authorities should be more timely and comprehensive.

Finally, the EU will commission a study to collect factual evidence and further assess the relevance of automated decision-making for transfers carried out on the basis of the Privacy Shield.

Acting FTC Chairman Maureen Ohlhausen issued a statement welcoming the positive outcome of the first EU-U.S. annual review and looking forward to continuing to work with the EU “to ensure that the Privacy Shield remains a robust mechanism for protecting privacy and enabling transatlantic data flows.”

October 24, 2017
Written by: Discerning Data Editorial Board
Category: EU, FTC, Privacy
Tags: International, Privacy Shield
