On 23 October 2019, the European Commission published its report on the third annual review of the functioning of the EU-US Privacy Shield (the “Shield”).
The European Commission’s report confirms that the US continues to guarantee an adequate level of protection for personal data transferred from the EU under the agreement to participating US companies.
In 2019, the review focused on lessons learned from the Shield’s practical implementation and day-to-day operation. The report notes that one of the positive developments is the US Department of Commerce’s more systematic oversight, for example, through monthly checks of a sample of companies to verify whether they comply with the principles of the Privacy Shield.
However, the Commission recommends that some concrete steps be taken to better ensure the effective functioning of the Privacy Shield in practice. These include further improving the (re)certification process for companies wishing to participate by shortening its duration; expanding eligibility checks, including with regard to false claims of participation in the framework; and developing additional guidance for companies related to human resources data. The Commission also expects the Federal Trade Commission to step up its investigations into compliance with the substantive requirements of the Shield for personal data and to provide the Commission and the EU data protection authorities with information on ongoing investigations.