On December 19, 2018, the European Commission (the “Commission”) issued a press release regarding the publication of the Commission’s second annual review of the functioning of the EU-U.S. Privacy Shield (the “Report”).
Background
On July 12, 2016, the Commission adopted an adequacy decision on the basis that the EU-U.S. Privacy Shield ensured an adequate level of protection to personal data transferred from the European Economic Area (“EEA”) to the participating companies in the U.S. The Commission also concluded that the EU-U.S. Privacy Shield framework could be improved. On that basis, the Commission annually reviews the framework and issue recommendations.
Findings after This Second Year
This year’s Report concludes that the U.S. still ensures an adequate level of protection to the personal data transferred from the EEA to U.S. companies under the EU-U.S. Privacy Shield. The U.S. authorities have taken measures to implement the Commission’s recommendations from last year and several aspects of the functioning of the framework have improved. Some of these measures have been recently adopted and further developments need to be monitored.
The Report highlights the following concerns:
- New tools to ensure compliance with the Privacy Shield principles and to identify false claims of participation to the Privacy Shield framework: On the basis of last year’s recommendation, the Department of Commerce (“Department”) implemented new tools to proactively monitor certified companies’ compliance with the Privacy Shield Principles and to detect potential compliance issues. The Department also has proactively searched for false claims of participation in the Privacy Shield framework. To date, 56 companies were referred to the Federal Trade Commission for issues of non-compliance with the Privacy Shield Principles or false claims of participation. The third review of the EU-U.S. Privacy Shield will assess the effectiveness of these methods.
- Privacy Shield enforcement measures: The FTC has committed to proactive monitoring of the certified companies’ compliance with the Privacy Shield principles. Accordingly, the FTC has issued administrative subpoenas to request information from a number of Privacy Shield participants. The Commission concluded that developments in this area should be closely monitored.
- Cooperation between authorities: The Department of Commerce and the European Data Protection Authorities have cooperated to develop guidance on Privacy Shield principles. The Commission welcomes and encourages this cooperation, including, when appropriate, the participation of the Federal Trade Commission, as clarification of various concepts is still needed. (The notion of Human Resources data, for example, is understood differently by different authorities).
- The appointment of a Privacy Shield ombudsman on a permanent basis: Despite last year’s recommendation, a permanent Privacy Shield ombudsman has yet to be appointed. The Commission reiterates its call and expects that the U.S. government will fill the position by February 28, 2019. If this is not done, the Commission will adopt the necessary measures in accordance with the GDPR.
- Effectiveness of how the ombudsman deals with complaints: The ombudsman has not yet received any requests. The Commission intends to monitor how complaints will be handled and resolved.
The Commission’s Next Steps
The Commission will monitor the developments and expects to receive information with regard to concerns noted above in order to control the effectiveness of the measures adopted. The Commission also intends to follow the ongoing developments in the U.S. legal framework. In this respect, the Commission encourages the U.S. to adopt a comprehensive legal framework with regard to privacy and data protection and to ratify the Council of Europe’s Convention 108.
A detailed analysis of each aspects of the Privacy Shield framework reviewed after this second year can be found in the Commission Staff Working Document from the Commission to the European Parliament and the Council On The Second Annual Review Of The Functioning Of The EU-U.S. Privacy Shield.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code