EC Report for Second Annual Privacy Shield Review Finds Adequate Protection of Privacy - Clarip Privacy Blog

EC Report for Second Annual Privacy Shield Review Finds Adequate Protection of Privacy

The European Commission released its report on the functioning of the EU-US Privacy Shield to the European Parliament and Council at the end of December. The report concludes that the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield to organizations in the United States.

The European Commission performs an annual review of how the Privacy Shield functions in protecting data transferred from the EU to the US under its terms. The Privacy Shield was adopted in 2016 as a replacement for the Safe Harbor framework for data flows between the EU and the US, which was invalidated by the Court of Justice of the European Union in October 2015.

The second annual review of the Privacy Shield has been a subject of some contention throughout the year. Over the summer, members of the European Parliament adopted a resolution calling for the suspension of the Privacy Shield if the US was not in full compliance by September 1st. For protection to be considered adequate, the non-EU country must offer a level of protection that is essentially equivalent to the guarantees offered by the EU.

The report issued as part of the second annual review indicates that:

– The Department of Commerce strengthened the certification process and launched additional oversight procedures. This has resulted in the referral of more than 50 cases to the Federal Trade Commission for enforcement since last year. The changes include:

First-time applicants must now delay public representations regarding participation until after the Commerce Department completes the certification review.

There are new mechanisms, such as random spot checks, to detect potential compliance issues. These mechanisms include a system of internet searches to detect false claims of participation.

– The Federal Trade Commission has taken a more proactive approach to compliance monitoring, issuing administrative subpoenas to some participants and investigating Facebook / Cambridge Analytica.

– The EC also observed that the Commerce Department and the FTC are considering new approaches to offer additional privacy protections.

– The Senate confirmed the nominations of three members of the Privacy and Civil Liberties Oversight Board, restoring it to a full quorum of five. At the time of the first annual review, there was only one Board member.

– The US has confirmed that the process is “well underway” to make the Privacy Shield Ombudsperson a permanent appointment as an Under-Secretary in the State Department.

The concerns identified by the EC in the report include:

– Whether the new mechanisms of the Commerce Department to monitor compliance will be effective.

– Whether the tools to detect false claims of participation will be effective.

– Whether efforts to detect substantive violations through sweeps will be satisfactory.

– The effectiveness of the Ombudsperson in handling and resolving complaints.

The report sets up a third annual review of the EU-US Privacy Shield this fall. We will be closely following it again given the importance of the adequacy decision to transatlantic data flows. 2019 will be a big year as Japan and the UK are also on the radar for adequacy decisions.

