He made a list

He checked it twice

He was gonna find out who was naughty or nice

The EU Commission is not putting the Privacy Shield down

For certifying companies, Santa Claus has come to town

On December 19, the EU Commission ("Commission") published its report to the European Parliament and the Council on the second review of the functioning of the EU-US Privacy Shield (the "Report"). 

To the relief of the 3,850 US companies who have certified to the Privacy Shield, and those entities transferring personal data to them, the Commission concluded that the Privacy Shield framework ensures an adequate level of protection for personal data and, therefore, can still be used as one of the available transfer mechanisms under the General Data Protection Regulation ("GDPR"). Nonetheless, the review identified some immediate actions for the US government to take in order to continue to keep the Privacy Shield framework on secure footing.  

This Legal Update focuses on the findings of the Report, its support of the Privacy Shield as a valid mechanism to transfer data and the improvements that the Commission is expecting for the mechanism to be sustained going forward. 

Background: The Privacy Shield and Annual Reviews

On July 12, 2016, the Commission adopted an adequacy decision in which it found that the EU-US Privacy Shield provides an adequate level of protection for personal data that has been transferred from the EU to organizations in the United States that certified to the framework. The Privacy Shield replaced the Safe Harbor framework, which was struck down by the Court of Justice of the European Union in the Schrems case. (See our Legal Update on the adoption of the Privacy Shield framework.) 

One component of the adequacy decision was an annual evaluation of the functioning of the framework by the Commission. The first annual review, which concluded in October 2017, recognized that the Privacy Shield framework offered adequate protection for personal data transferred to the United States. However, the Commission also recognized that the practical implementation of the Privacy Shield framework could be further improved, and it made 10 recommendations in that respect, mainly focused on suggestions for the US government. (See our Legal Update covering the first annual report.) 

Outcome of the Second Annual Review 

The second annual review took place in Brussels in October 2018. It focused on an assessment of the implementation of the recommendations from the first annual review. In its Report, the Commission noted the following areas of progress under the Privacy Shield framework (in addition to developments within the US legal system in the area of privacy):

  • The US Department of Commerce has strengthened the certification process and introduced new oversight procedures;
  • The US Department of Commerce has begun spot-checking and monitoring public reports about the privacy practices of Privacy Shield-certified companies in an effort to detect compliance issues; 
  • Enforcement activities have been launched by US authorities to monitor compliance with the Privacy Shield principles (e.g., issuance of administrative subpoenas requesting information from Privacy Shield participants); and
  • Members of the Privacy and Civil Liberties Oversight Board were appointed.

Although the Commission concluded that the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield, the Commission called out the need for the US government to appoint a permanent Privacy Shield ombudsperson and expects such an appointment to be made by February 28, 2019.

What's Next?  

It is now up to the US government to appoint a permanent Privacy Shield ombudsperson, a position which is currently filled by someone in an acting capacity.

The findings of the second annual review will not end the Privacy Shield debate in the European Union. The EU Parliament has voiced concerns on the Privacy Shield framework; in July 2018, it adopted a resolution that called on the Commission to suspend the agreement unless the United States was fully compliant by September 1, 2018.

Even though it is non-binding, the EU Parliament's resolution indicated a level of discomfort with the mechanism that the EU put in place with the US, especially when compared to other frameworks (e.g., the upcoming adequacy decision with Japan).

The question of available transfer mechanisms under the GDPR will, like a Ghost of Christmas Past, come back to haunt those organizations that cannot rely on the Privacy Shield framework; the Standard Contractual Clauses, common mechanisms for personal data transfers, are being challenged before the Court of Justice of the European Union, and the upcoming Brexit will also require organizations to revisit the way they transfer personal data from and to the United Kingdom. Christmas may have passed, but there remain personal data privacy concerns for which many companies still have to "better watch out."



© Copyright 2018. The Mayer Brown Practices. All rights reserved.
