EU Commission Sets Deadline for the U.S. to Cure Privacy Shield Deficiency

The EU Commission published its second annual review of the EU-US Privacy Shield program which is designed to allow personal data flows from the EU to organizations in the U.S. that are certified under the Privacy Shield program.

The review found that the U.S. Department of Commerce, which administers the Privacy Shield program, has further strengthened the Privacy Shield certification process and introduced new oversight procedures, such as random spot-checks for certified organizations.

The report also found that the U.S. Federal Trade Commission (FTC), which is primarily responsible for regulatory enforcement of the Privacy Shield program, has been taking more a proactive approach to compliance monitoring.
On the basis of the annual review, the EU Commission concluded that the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield, but that there are a number of gaps that the EU Commission will closely monitor.

The highest priority gap that the EU Commission has highlighted in the report is the appointment of a permanent U.S. Privacy Shield Ombudsperson, which is tasked with investigating complaints by EU data subjects on alleged privacy violations by U.S. law enforcement, security and intelligence agencies. One such complaint from a Croatian data subject is pending and the Commission’s report states that it expects the U.S. government to identify a nominee to permanently fill the Ombudsperson position by February 28, 2019. The report threatens that if the U.S. does not comply, “the Commission will then consider taking appropriate measures”, although it did not explain what those measure might entail.

CLICK HERE to read the EU Commission’s Report.