EU DPAs: EU-US Privacy Shield improved but not perfect

The European Data Protection Board (EDPB) says that while it welcomes the appointment of a “permanent” Ombudsperson in the US to deal with complaints, it is not certain that the Ombudsperson has sufficient powers to access information and to remedy non-compliance. Also, there remains a certain lack of oversight in substance.

“The Department of Commerce (DoC) as well as the Federal Trade Commission (FTC) also undertook new ex officio oversight and enforcement actions as regards the compliance of Privacy Shield certified organizations with the requirements under the Privacy Shield. The EDPB particularly welcomes that the DoC has increased the number of ‘random spot checks’ to 30 organisations per month.”

However, compliance with the substance of the Privacy Shield’s principles remains unchecked for the majority of companies, the DPAs say. For example, more substantive checks are needed on onward transfers. The DoC could make use of its right to ask organisations to produce the contracts they have put in place with partners in third countries in order to assess whether they provide the necessary safeguards and to discover if any further guidance or other action by the DoC or the FTC is needed, they say.

Eight representatives of the EDPB participated in the third joint review conducted by the European Commission in the autumn of 2019. See the EDPB report.