Important health check of the functioning of the EU-U.S. Privacy Shield




Earlier this month, on November 12th 2019, the European Data Protection Board (“EDPB”) adopted a report (“Report”) on the third annual joint review of the EU-U.S. Privacy Shield adequacy decision, its robustness and its practical implementation in the U.S. (the “Review”). The Review was carried out by eight members of the EDPB in September 2019 in Washington, USA. One of the EDPB members actively involved in the review was Mr. Ventsislav Karadzhov, Chairperson of the Bulgarian Commission for Personal Data Protection.
The EU-U.S. Privacy Shield (“Privacy Shield”) is the legal framework regulating the transfer of personal data for commercial purposes between the European Union and the United States under EU law. One of its purposes is to guarantee that companies and other organizations listed in the program ensure an adequate level of data protection. On this basis, a transfer of personal data from an EU data controller or processor to such U.S.-established companies and other organizations is permissible without requiring any specific authorization pursuant to Article 45 of the General Data Protection Regulation. The Commission Implementing Decision (EU) 2016/1250 on the adequacy of the protection provided by the Privacy Shield was adopted on 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council. Pursuant to that decision, the Privacy Shield adequacy is subject to annual review and confirmation.
An effective and up-to-date list of the U.S. companies and other organizations certified under the Privacy Shield framework can be found at https://www.privacyshield.gov/list. Checking for a potential U.S. data importer in the list at the website is easy and free.  
The European Commission published its report on the Review in October. In it, the Commission confirms that the Privacy Shield continues to ensure an adequate level of protection of the personal data processed by the companies and other organizations certified under the framework. It is, however, the Report of the EDPB that provides details on the findings from the Review and addresses, from a legal perspective, the data protection issues of the Privacy Shield that are still outstanding and have to be remedied. The Report also indicates the legal matters that the EDPB will continue to actively monitor, and on which it will encourage the undertaking and implementation of further substantive measures, so that the required consistency with GDPR principles is achieved prior to the next annual review.
According to the Report, the EDPB recognizes the efforts of the U.S. competent authorities, including the U.S. Federal Trade Commission and Department of Commerce, and of the Commission to implement the Privacy Shield, especially the ex officio oversight and enforcement actions with respect to Privacy Shield certified organizations. However, the EDPB continues to have a number of significant concerns regarding both commercial aspects of data processing and collection of personal data by public authorities in the U.S. 
With respect to commercial aspects, the absence of substantial checks remains a serious concern of the EDPB. Other areas that require further attention are the application of the Privacy Shield requirements to onward transfers, HR data and the application of the principles when it comes to processors, as well as the recertification process. As regards the collection of data by public authorities, the EDPB encourages the Privacy and Civil Liberties Oversight Board in the U.S. to issue and publish further reports and increase transparency. 
On the newly introduced Ombudsperson mechanism, the EDPB is still not in a position to conclude that the Ombudsperson is vested with sufficient powers to access information and to remedy non-compliance. Therefore, the EDPB still cannot state that the Ombudsperson can be considered an “effective remedy before a tribunal” within the meaning of Article 47 of the EU Charter of Fundamental Rights.
Last but not least, the EDPB recalls that the concerns it expresses in the Report will be addressed by the Court of Justice of the European Union in cases that are still pending before it.
You may find and read the full text of the report at https://edpb.europa.eu/our-work-tools/our-documents/eu-us-privacy-shield-third-annual-joint-review-report-12112019_en.