The European Commission has published its first annual review of the EU–US Privacy Shield, following October’s announcement that the framework had been approved.
The Privacy Shield is the legal basis for transferring data between the EU and US for commercial purposes. It replaced Safe Harbor in 2016, and is subject to an annual review from representatives of the EU and US.
Despite heavy criticism of the Privacy Shield, the report found that the framework “continues to ensure an adequate level of protection for the personal data transferred from the EU to participating companies in the US”.
It attributes this to three factors: the US has put in place the structures and procedures needed to make sure the Privacy Shield is working properly; complaint-handling and enforcement procedures have been set up; and US companies and the EU’s data protection authorities have become more cooperative.
Commenting on the report, the EU justice commissioner, Věra Jourová, said: “Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation.
“The Privacy Shield is not a document lying in a drawer. It’s a living arrangement that both the EU and US must actively monitor to ensure we keep guard over our high data protection standards.”
As such, the report suggests several ways in which the Privacy Shield can be improved, including:
- Monitoring companies’ compliance with the Privacy Shield more proactively;
- Making sure the US Department of Commerce conducts regular searches for companies making false claims about their participation in the Privacy Shield;
- Raising EU citizens’ awareness of their rights under the Privacy Shield and how to exercise them;
- Closer cooperation between privacy enforcers (i.e. the US Department of Commerce, the Federal Trade Commission and the EU data protection authorities);
- Enshrining the protection for non-Americans offered by Presidential Policy Directive 28; and
- Appointing a permanent Privacy Shield ombudsman, and filling other empty posts.
How will this affect the GDPR?
The Privacy Shield’s scope differs significantly from the EU General Data Protection Regulation (GDPR), the forthcoming law to strengthen EU residents’ rights and freedoms concerning personal data. Signing up for the Privacy Shield won’t satisfy the GDPR’s processing clauses, as the framework only concerns the protection of personal data under the Data Protection Directive in transatlantic data flows.
Any organisation that transfers data between the EU and US should proceed on the basis that it will have to comply fully with the requirements of the GDPR. Because of the complexity of the Regulation, many organisations are in desperate need of qualified professionals to help them become compliant.
If you want to gain the required skills to oversee a GDPR compliance project, you should enrol on our Certified EU General Data Protection Regulation (GDPR) Foundation and Practitioner Combination Course.
This course explains the GDPR in clear language, and gives you practical advice on planning, implementing and maintaining a GDPR compliance programme. It also enables you to fulfil the data protection officer role.
The course is delivered by an experienced data protection practitioner, and is ideal for both managers who are already involved in data protection and individuals who want to get started in the field.