EU Commission: EU-US Privacy Shield works but implementation can be improved

The European Commission yesterday confirmed that the EU-US Privacy Shield survives as a method for international data transfers. In its First Annual Review, the Commission states that the arrangement provides an adequate level of protection. The US authorities have put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield, such as new redress possibilities for EU individuals. Complaint-handling and enforcement procedures have been set up, and cooperation with the European Data Protection Authorities has been stepped up.

Věra Jourová, Commissioner for Justice, Consumers and Gender Equality said: "Transatlantic data transfers are essential for our economy, but the fundamental right to data protection must be ensured also when personal data leaves the EU. Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation. The Privacy Shield is not a document lying in a drawer. It's a living arrangement that both the EU and US must actively monitor to ensure we keep guard over our high data protection standards."

Over 2,400 companies have now been certified to the programme by the US Department of Commerce. To go forward, the Commission proposes more proactive and regular monitoring of companies' compliance with their Privacy Shield obligations by the US Department of Commerce including proactively identifying and investigating companies making false claims about their participation in the Privacy Shield. The Commission also recommends that companies should not be allowed to publicly announce that they are Privacy Shield-certified until the Department of Commerce has finalised their certification. In addition, the US should appoint, as soon as possible, a permanent Privacy Shield Ombudsperson, as well as fill the remaining posts on the Privacy and Civil Liberties Oversight Board.

Both EU DPAs and the US Department of Commerce need to raise individuals’ awareness about how to exercise their rights under the Privacy Shield, the Commission says.

The Commission will soon launch a study to collect factual evidence and further assess the relevance of automated decision-making for transfers carried out on the basis of the Privacy Shield.

The Annual Review is based on meetings with all relevant US authorities, which took place in Washington mid-September 2017, as well as input from companies and NGOs. In addition, eight EU DPAs took part in the discussions. The report will now be sent to the European Parliament, the Council of Ministers, the EU Article 29 DP Working Party and US authorities.

The report is at

Read an analysis of the first year of the Privacy Shield in the October edition of PL&B International Report.