Personal data protection

1990/0287(COD)

The Commission presents its second annual review of the functioning of the EU-U.S. Privacy Shield.

The EU-U.S. Privacy Shield Decision was adopted on 12 July 2016. It ensures an adequate level of protection for personal data that has been transferred from the EU to organisations in the U.S. The Decision provides for an annual evaluation of all aspects of the functioning of the framework. The first annual review took place in 2017, with the Commission concluding that the U.S. continued to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the Union to organisations in the U.S. At the same time, the Commission made ten recommendations to improve the Privacy Shield framework in order to ensure that the guarantees and safeguards provided therein continued to function as intended.

This report concludes the second annual review of the functioning of the Privacy Shield and is based on information gathered from relevant stakeholders (in particular Privacy Shield-certified companies, and non-governmental organisations active in the field of digital rights and privacy), as well as from the relevant U.S. authorities involved in the implementation of the framework. The review took place in the context of the challenges to data privacy that are increasingly global in nature, as exemplified by the Facebook / Cambridge Analytica case. The report states that both sides stressed the need for vigorous enforcement actions by the EU’s Data Protection Authority and the U.S. Federal Trade Commission.

Findings

Commercial aspects: this relates to questions concerning the administration, oversight and enforcement of the obligations applying to certified companies. The Commission notes that in line with its recommendations from the first annual review, the Department of Commerce has further strengthened the certification process and introduced new oversight procedures, including: (i) a new process that requires first-time applicants to delay public representations regarding their Privacy Shield participation until their certification review is finalised by the Department of Commerce; (ii) new mechanisms to detect potential compliance issues, such as random spot-checks (at the time of the annual review, such spot checks had been performed on about 100 organisations) and the monitoring of public reports about the privacy practices of Privacy Shield participants; (iii) a quarterly review of companies that have been identified as more likely to make false claims and a system for image and text searches on the internet.

Since the first annual review, the Department of Commerce has referred more than 50 cases to the Federal Trade Commission, which in turn took enforcement action in those cases where the referral as such was not sufficient in order to make the company concerned come into compliance.

With respect to enforcement, the Commission noted that the Federal Trade Commission recently issued administrative subpoenas to request information from a number of Privacy Shield participants. Although the Commission considers that the Federal Trade Commission's more proactive approach to compliance monitoring is an important development, it regrets that at this stage it was not possible for the Federal Trade Commission to provide further information on its recent investigations and will closely monitor any further developments in this regard.

Access and use of personal data by U.S. public authorities

The reauthorisation of Section 702 of the Foreign Intelligence Surveillance Act at the beginning of 2018: while the reauthorisation did not lead to the incorporation of the protections of Presidential Policy Directive 28 into the Act, as the Commission wanted, neither did it restrict any of the safeguards contained in the Act which were in place when the Privacy Shield decision was adopted. Moreover, the amendments did not expand the powers of the U.S. Intelligence Community to acquire foreign intelligence information by targeting non-U.S. persons under Section 702. Instead, the Amendments Reauthorization Act of 2017 introduced some limited additional privacy safeguards, for instance in the area of transparency.

The Privacy and Civil Liberties Oversight Board: new members of the Board have been appointed, which restores the Board's quorum. The Board’s report of 16 October 2018 confirms that Presidential Policy Directive 28 is fully applied across the intelligence community, which has adopted detailed rules on the implementation of that Directive and has changed its practices in order to bring them in line with the requirements of Presidential Policy Directive 28.

Conclusions

On the basis of the findings, the Commission concludes that the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the Union to organisations in the United States. In particular, the steps taken to implement the Commission's recommendations following the first annual review have improved several aspects of the practical functioning of the framework in order to ensure that the level of protection of natural persons guaranteed by the adequacy decision is not undermined.

However, the report notes that although the Commission had recommended the swift appointment of the Privacy Shield Ombudsperson, the position of Under-Secretary in the State Department to whom the office of the Ombudsperson has been assigned had not yet been filled by a permanent appointment at the time of the report.

Accordingly, the Commission reiterates its call on the U.S. administration to confirm its political commitment to the Ombudsperson mechanism by appointing a permanent Privacy Shield Ombudsperson as a matter of priority. The Ombudsperson mechanism is an important element of the Privacy Shield framework and, while the acting Ombudsperson continues to carry out the relevant functions, the absence of a permanent appointee is highly unsatisfactory. The Commission expects the U.S. government to identify a nominee to fill the Ombudsperson position on a permanent basis by 28 February 2019.