More than 2,400 companies are signed up to the voluntary agreement that safeguards the privacy rights of Europeans when their data is transferred to the US. The deal was drawn up after the European Court of Justice did away with the previous Safe Harbour agreement following the Edward Snowden revelations about security services’ data gathering.
According to the EU executive, Privacy Shield “has ensured adequate protection and safeguards” for personal data transferred from the EU to the US and all the “necessary administrative structures and procedures have been put in place”. Nonetheless, it found eight specific points where improvement is needed.
Many of the protections were put in place by means of Presidential Policy Directive 28, signed by former US president Barack Obama. EU justice commissioner Vera Jourová said: “The change of administration in the US made this first annual review especially relevant.”
Section 702 of the US Foreign Intelligence Surveillance Act (FISA), which expires at the end of this year, still allows US authorities to snoop on EU citizens under certain conditions.
“For us, the best-case scenario would be if the Congress considered enshrining the protections of data for non-US citizens into this law,” said Jourová.
The EC also wants the US to appoint a permanent Privacy Shield ombudsperson – at the moment there is only an interim appointee – as well as the missing members of the Privacy and Civil Liberties Oversight Board.
Another recommendation is that the US Department of Commerce and the EU data protection authorities should get better at informing citizens about how to exercise their Privacy Shield rights.
As Jourová pointed out, the mechanism covers the data of “tens, maybe hundreds, of millions of people”, and yet there has not been a single complaint.
Despite saying that she believed US secretary of commerce Wilbur Ross understands the concerns of Europeans when transferring their data abroad, Jourová put forward a list of measures for the Department of Commerce that she wants to see enacted “swiftly”.
Areas for improvement include: not allowing companies to publicly announce that they are Privacy Shield-certified until the Department of Commerce has finalised the certification; regular Department of Commerce searches for companies falsely claiming participation in Privacy Shield; more compliance checks on a regular basis; and the EU and US authorities working together to develop guidance on the legal interpretation of certain concepts in Privacy Shield.
“Transatlantic data transfers are essential for our economy, but the fundamental right to data protection must be ensured also when personal data leaves the EU,” said Jourová. “The Privacy Shield is not a document lying in a drawer. It is a living arrangement that both the EU and US must actively monitor to ensure we keep guard over our high data protection standards.”