EU-US Privacy Shield – Third Annual Review
Despite efforts by the United States authorities and the European Commission to implement the EU-US Privacy Shield, e.g., ex officio oversight and enforcement actions, the European Data Protection Board (EDPB) still voiced concerns about the adequacy of data protection that both the Commission and the USA must address. The EDPB adopted its third annual review on 12 November 2019.
The EU-US Privacy Shield is a legal framework that protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. In operation since 1 August 2016, it allows the free transfer of data to companies that are certified in the USA under the Privacy Shield. By now, more than 5000 companies are already certified under the Privacy Shield, having committed to complying with EU data protection standards. The Shield is reviewed each year. The Privacy Shield must be distinguished from the EU-US Data Protection Umbrella Agreement, which contains a set of data protection rules that apply to all transatlantic exchanges between criminal law enforcement authorities.
According to the EDPB report, the lack of substantial checks remains a particular concern with regard to the commercial aspects of the Privacy Shield. Onward transfers, which lead to transfers of data outside the jurisdictions of the American and EU authorities, require more substantial oversight.
As regards access by public authorities to data transferred to the United States under the Privacy Shield, the EDPB regrets the insufficient information basis, which makes it difficult to assess to what extent data are collected for national security purposes. In particular, there have been no follow-up reports by the US Privacy and Civil Liberties Oversight Board (PCLOB). Such reports would be helpful, for instance, to evaluate whether the collection of data under Section 702 FISA is indiscriminate or not and whether or not access is conducted on a generalized basis under the UPSTREAM program. Furthermore, the EDPB has the impression that the Ombudsperson is not vested with sufficient power to access information and to remedy non-compliance. Thus, the EDPB still cannot state that the Ombudsperson can be considered an “effective remedy before a tribunal” within the meaning of Art. 47 of the EU Charter of Fundamental Rights.
The Commission already concluded its assessment report (third annual review of the functioning of the EU-US Privacy Shield, COM(2018) 495 final) in September 2019. After taking the opportunity to better examine daily experience and practical implementation of the framework, the Commission came to the conclusion that a number of concrete steps should be taken so that the Privacy Shield functions more effectively. Several recommendations have been addressed to the U.S. Department of Commerce and the Federal Trade Commission.
In a joint statement of 13 September 2019, U.S. Secretary of Commerce, Wilbur Ross, and Věra Jourová, at the time EU Commissioner for Justice, Consumers, and Gender Equality, defended the EU-US Privacy Shield. They underlined that the Privacy Shield plays a vital role in protecting personal data and contributing to the $7.1 trillion economic relationship between the United States and Europe.
The third annual review of the Privacy Shield was debated in the EP’s LIBE Committee on 9 January 2020. MEPs voiced severe criticism and pointed to shortcomings in the data protection of EU citizens.