On Oct. 18, the European Commission (EC) released its report on the first annual review of the EU-U.S. Privacy Shield framework, the agreement that ensures privacy protections for cross-border transfers of European data, or data concerning European individuals, to the United States. The Privacy Shield replaced the Safe Harbor agreement after the European Court of Justice invalidated that accord in Schrems v. Data Protection Commissioner in 2015. The report certifies that the U.S. is implementing the privacy protection mechanisms enumerated in the Privacy Shield framework. This post summarizes the EC’s report and the staff working document that detailed the commission’s findings and review process.
Introduction and Background on Review Process
In Sept. 2017, the commission and U.S. officials conducted the first annual review of the Privacy Shield. The Department of Commerce committed to the review process in its agreement to the Privacy Shield principles. The review process allows the commission to certify, on a periodic basis, that the U.S. is protecting European personal data in manner determined to be adequate under EU law—what is called the “adequacy determination.” This first review process involved the solicitation of feedback from trade organizations and privacy group-focused NGOs, alongside a survey of political and legal developments in the United States.
The commission begins its report by providing background information on the Privacy Shield. It details the standards that the European Court of Justice (ECJ) established in Schrems—the standards that formed the basis of the current agreement. The Privacy Shield placed stricter obligations on U.S. companies that retain EU citizen data and mandated more rigorous monitoring from the Department of Commerce,which implements the agreement. When the U.S. and EU agreed on the Privacy Shield framework, the EU received assurances from U.S. law enforcement and national security authorities that they had put safeguards in place that limited their access to EU citizen data in conformity with the Privacy Shield principles.
The commission finds that the U.S. has implemented the necessary mechanisms and safeguards in accordance with the Privacy Shield.
In its analysis of commercial operations, the commission flags an issue with the certification phase for companies—the phase in which companies attest to the Department of Commerce that they comply with the Privacy Shield standards. Companies were able to publicly refer to their Privacy Shield certification before the Department of Commerce finished its certification. The staff working document notes that the Commerce Department referred to the Federal Trade Commission (FTC) eleven cases of companies that falsely listed themselves as compliant. The FTC is the main enforcement mechanism against companies carrying out unfair or deceptive trade practices. Of the eleven cases referred, the FTC brought enforcement actions against three.
In its analysis of U.S. law enforcement and intelligence access to EU citizen data, the commission notes a potential issue with a key oversight mechanism: the Privacy Shield Ombudsperson. The presidential transition left the Ombudsperson position in the State Department vacant. However, the new administration quickly designated an acting ombudsperson, who has been able to fill the role on a temporary basis. The ombudsperson allows European citizens to bring complaints about intelligence collection issues to a neutral U.S. government official. It is an important oversight mechanism because it is independent from the intelligence agencies it oversees. The commission notes that the creation of the Ombudsperson position helped assure Europeans that the U.S. intelligence community would be limited in accessing the data of European citizens.
The commission also positively notes that the new administration has not made any changes to Presidential Policy Directive 28 (PPD-28), the order that limited the use of non-U.S. persons’ data by national security authorities. The commission emphasizes that this order’s protections provided key assurances that enabled the adequacy determination. The staff working document contains a detailed review of the intelligence community’s use of personal information, including statutory restrictions enacted by the Foreign Intelligence Surveillance Act (FISA) and by PPD-28.
Finally, the commission issues a set of recommendations for the U.S. government to ensure that the U.S. continues to uphold its obligations under the Privacy Shield:
- Congress should take the reauthorization process for the FISA Amendments Act of 2008 this year as an opportunity to make into law PPD-28’s protections for the personal data of non-U.S. persons. The commission explained that enshrining the PPD-28 protections in statute would ensure their continuity.
- The Trump administration should nominate a permanent ombudsperson.
- The administration should complete the nominations of the chairman and remaining members of the Privacy and Civil Liberties Oversight Board (PCLOB). These appointments will allow the PCLOB to address new matters and expand current efforts. The PCLOB should release its report on the implementation of PPD-28 to the public.
- The Department of Commerce should more effectively monitor compliance from listed companies and take further measures to prevent companies from falsely claiming compliance with Privacy Shield .
- The commission agrees to undertake a study on the use of automated decision-making and its compliance with the Privacy Shield. As noted in the staff working document, with the upcoming implementation of the EU’s Global Data Protection Regulation, new requirements will apply to data processing by American companies on European citizens’ data. The commission said it would have to determine how companies using automated decision-making—such as credit monitoring firms—should comply with the new regulation.