With the hustle and bustle of the holiday season, it was easy to overlook the issuance of the written report from the European Commission concerning its second annual review of the EU-U.S. Privacy Shield program. Dated December 19, 2018, the Commission’s report notes that while the review covered all aspects of the functioning of the Privacy Shield program, it was particularly focused on the ten recommendations from its first annual review.
Report Conclusion Favorable
To the great relief of the more than 4,200 organizations that self-certified to the Privacy Shield, the Commission concluded that the United States continues to ensure an adequate level of protection for personal data transferred to the U.S. under the Privacy Shield. It noted that the steps taken since the first annual review to implement the recommendations have in fact improved the practical functioning of the Privacy Shield. The report pointed out, however, that some of the steps were only recently undertaken, and that continued monitoring will be necessary to determine whether the relevant processes have the desired effect of buttressing the adequacy finding.
The steps under review concerned the “commercial aspects” of the Privacy Shield framework as well as government access to personal data. On the commercial side, the report pointed with approval to the following tools and mechanisms:
- Department of Commerce processes that proactively monitor compliance with the substantive Privacy Shield requirements and obligations;
- Department of Commerce checks that detect false claims of participation in the Privacy Shield; and
- ex officio sweeps by the Federal Trade Commission (FTC), using administrative subpoenas, to detect substantive violations of the Privacy Shield.
The Commission viewed favorably the Department’s new process requiring first-time applicants for certification to refrain from publicly representing their Privacy Shield participation until the Department has issued final approval of their certification. This process, combined with heightened monitoring and random spot-checking for false claims of participation in the Privacy Shield, has resulted in the Department referring more than 50 cases to the FTC for enforcement action. The report also expressed a desire for joint guidance to be issued by the Department, the FTC, and European Union (EU) data protection authorities on elements that require further clarification, such as Human Resources data.
Ombudsperson Appointment Remains a Road Bump
The report also noted that the U.S. Senate had confirmed the nominations of members of the Privacy and Civil Liberties Oversight Board, restoring it to a full quorum and allowing it to exercise its functions. Of continuing concern to the Commission, however, was the failure of the U.S. administration to appoint a permanent Privacy Shield Ombudsperson, as required by the Privacy Shield adequacy finding. The Privacy Shield Ombudsperson is charged with facilitating and responding to complaints from EU individuals concerning national security access to personal data transmitted from the EU to the U.S. The Commission called on the U.S. to renew its commitment to the Ombudsperson mechanism by replacing the acting appointee with a permanent one. It gave the U.S. government a Feb. 28, 2019 deadline to identify a nominee for the position and to inform the Commission of that nomination. Failure to meet this deadline, the report stated, would result in the Commission taking “appropriate measures” consistent with the General Data Protection Regulation (GDPR).
Federal Privacy Legislation of Interest to Commission
The Commission concluded its report by expressing interest in following the debate over the possible enactment of a federal data privacy law. In light of the extensive cross-border data flows from the EU to the U.S., it encouraged the U.S. to pursue a comprehensive system of privacy and data protection, noting that convergence between the U.S. and EU systems would strengthen the foundations upon which the Privacy Shield framework is based.
Organizations that have already self-certified to the Privacy Shield can breathe a sigh of relief that the Privacy Shield continues to satisfy the adequacy requirements under Article 45 of the GDPR. Organizations that held off on self-certifying until the Commission announced the results of the second annual review can safely commence the process, knowing that the Commission was favorably impressed with the strides the U.S. government has made since the first annual review.
However, there remains the looming deadline of Feb. 28, 2019 for nomination of a permanent Ombudsperson. Although it is unclear what measures the Commission might take if this requirement is not met, the Commission’s most consequential lever is the adequacy decision itself: Article 45 of the GDPR allows the Commission to amend, suspend, or repeal an adequacy decision, which would remove the Privacy Shield as a lawful basis for EU-U.S. data transfers.
For that reason, it is incumbent on the U.S. administration to put forward a permanent nominee expeditiously enough to meet this deadline. In addition, the Department and the FTC must make every effort to provide the Commission with the level of information it requires to be satisfied that the improvements to the commercial aspects of the Privacy Shield have indeed strengthened the program. With such a large number of U.S. organizations relying on the Privacy Shield to comply with the GDPR, it would be a great disservice to those organizations for the Department of Commerce and the FTC to fail to address the Commission’s requirements.
Listen to Jane Hils Shea discussing this topic on the Data Privacy Detective Podcast.