Personal data protection

1990/0287(COD)

This Commission staff working document accompanies the report from the Commission on the third annual review of the functioning of the EU-U.S. Privacy Shield.

It presents the findings of the Commission services on the implementation and enforcement of the EU-U.S. Privacy Shield framework in its third year of operation.

Commercial aspects

The Commission assessed the concrete functioning of the administration, oversight and enforcement of the Privacy Shield process. The third annual review focused notably on the recertification process, compliance monitoring and enforcement.

The (re)-certification process

At the time of the review meetings, just over 5000 companies were certified under the Privacy Shield. After three years of operation, the Privacy Shield therefore has more participating companies than its predecessor, the Safe Harbor arrangement. The majority (more than 70%) of Privacy Shield certified companies are Small and Medium-sized enterprises (SMEs). The success of the Privacy Shield is also reflected in the current re-certification rate of 89%.

The Commission services welcome that the Department of Commerce (DoC) continuously reviews the (re-)certification process and amends it to address issues as they arise.

Monitoring and supervision by the Department of Commerce

The Commission services welcome that the DoC is carrying out proactive compliance spot-checks on a regular basis and in a systematic manner, which is important for improving overall compliance with the framework. The spot-checks should continue to be carried out regularly and systematically; compliance with these requirements is crucial for the continuity of the Privacy Shield and should be subject to strict monitoring and enforcement by the U.S. authorities.

False claims

The DoC detected 669 cases of false claims of participation since the last review in October 2018. In all these cases, the DoC sent certified warning letters to the companies concerned. In most cases, companies completed their (re-)certification further to these warning letters.

The Commission services regret that the DoC does not currently have appropriate tools at its disposal to more effectively identify false claims of participation in the framework by companies that have never applied for certification.

Enforcement by the Federal Trade Commission (FTC)

Seven enforcement actions related to Privacy Shield violations were concluded. All seven cases concerned false claims of participation in the framework. The Commission services would have expected a more vigorous approach regarding enforcement action on substantive violations of the Privacy Shield Principles.

More generally, the Commission services note that it has been an important year for the FTC’s enforcement actions in the area of privacy. In particular, two major settlements were reached for alleged violations of the Children's Online Privacy Protection Rule (“COPPA”). The first case resolved charges that YouTube had illegally collected personal information from children without their parents’ consent. As a result of this settlement, YouTube (and its parent company Google) agreed to a $170 million penalty.

The second case, settled with a penalty of $5.7 million, concerned the FTC’s allegations against the Video Social Networking App Musical.ly (known as TikTok) for having illegally collected personal information from children without parental consent.

Access and use of personal data

The Commission services welcome clarifications which confirm the Commission’s findings in the adequacy decision that the collection of foreign intelligence information under Section 702 of the Foreign Intelligence Surveillance Act (FISA) is targeted through the use of selectors, and that the choice of selectors is governed by law and subject to independent judicial and legislative oversight.