EU reconfirms EU-US Privacy Shield adequacy in 3rd annual review

The EU Commission issued its report on 23 October on the 3rd annual review of the functioning of the EU-US Privacy Shield which currently has around 5,000 participating organisations. The report stated that the US continues to provide an adequate level of protection for personal data transfers. It says that since the second annual review, the US has made improvements such as appointing an Ombudsman. However, the EU calls for further strengthening of the framework, in particular, regarding enforcement.

So far, the US Federal Trade Commission (FTC) has overseen just seven enforcement cases on the Privacy Shield. The EU Commission points out that certain concrete steps should be taken, such as further strengthening the (re)certification process for companies who want to participate by shortening the time of the (re)certification process; expanding compliance checks, including concerning false claims of participation in the framework; and developing additional guidance for companies related to human resources data.

The EU Commission also expects the FTC to share information about ongoing investigations with the EU Data Protection Authorities and the Commission.

An FTC spokesperson said: “We welcome the positive result of the third annual review of the Privacy Shield. The FTC remains committed to robust Privacy Shield enforcement, and to working with the Department of Commerce and our European colleagues to protect privacy and facilitate data flows.”

Whilst the US is debating a federal privacy law, there is increasing legislative action at state level. Privacy Laws & Business has organised a conference New era for US privacy laws: California and more, in London on 14 November.

See the EU Commission's press release on the Third Annual Review.