top of page

EU Commission Releases Annual Report on EU-US Privacy Shield

Updated: May 14, 2019


On 1 August 2016 the US-EU Privacy Shield became operational. Put in place to protect the fundamental rights of EU citizens whose personal data is transferred to the US for commercial purposes, the framework was created to bring legal clarity to business relying on transatlantic data transfers. The arrangement includes strong data protection obligations, safeguards on US government access to data, effective protection for individuals, and an annual joint review by the EU and US to monitor the application of the arrangement.

2018 Annual Review

This year’s review, released on the 19 December, showed improvements overall. The US continues to uphold an adequate level of security for EU personal data being transferred into the US for commercial use by participating companies under the Privacy Shield. The US has taken steps towards implementing the recommendations given by the EU Commission in the previous year’s report, however the Commission is expecting that the US authorities will nominate a permanent Ombudsperson by 28 February 2019 to replace the current acting one. The Ombudsperson is an essential piece to the Privacy Shield as it designed to ensure complaints issued on the access to personal data by the US authorities is addressed.

The US improvements based on the Commission’s recommendations already made over the past year focused on the steps the Department of Commerce should take in upholding the Privacy Shield. In accordance to the first issued annual review, the Commission recommended for the Department of Commerce to set up several mechanisms, i.e. spot checking, that will randomly select and verify companies in terms of compliance with the Privacy Shield principles. The US has thus strengthened the certification process for the Privacy Shield by the Department of Commerce as well as spot checked 100 companies. 21 of these companies had issues but these have since been resolved. Additionally, these spot checks also cover an analysis of the participating company’s website to ensure that all links to privacy policies are correct. Finally, the Department of Commerce put in place a system that will identify the companies that are falsely claiming Privacy Shield compliance without certification.

In addition to improvements made by the Department of Commerce, the Federal Trade Commission also exhibited a more proactive approach to enforcement monitoring of the Privacy Shield. This was done through the issuing of subpoenas to request information from the participating companies.

In regard to the personal data accessed by the US public authorities for national security purpose, the Privacy and Civil Liberties Oversight Board (PCLOB) has appointed new members to restore the Board’s quorum.

What next?

The Commission issued report will now be sent to the European Parliament, the Council, the EU Data Protection Board, and the US authorities. The Commission expects that the US government will nominate someone to fill the Ombudsperson position on a permanent basis by 28 February 2019. If this does not occur, the Commission will take appropriate measures in accordance to the General Data Protection Regulation.

For more information on the EU-US Privacy Shield click here.



bottom of page