On Wednesday 23 October, the European Commission presented the results of the third review of the transatlantic data protection mechanism, the 'Privacy Shield', which was launched in Washington on 12 September (see EUROPE 12327/24).
The evaluation report confirms that the United States continues to ensure an "adequate level of protection" for personal data transferred from the EU to US companies participating in the Privacy Shield framework.
The European Commissioner for Justice, Věra Jourová, said at a press conference that the system was a real "success story" and went even further. ""Privacy Shield turns out to be a good tool of digital diplomacy that incentivises the dialogue", she said.
When we were designing the Shield, 3 years ago, there was a lot of scepticism in the United States about our new data protection rules. Today, we have a privacy law in California and advanced discussions in some other states and even in the Congress in Washington, there is a real debate about horizontal federal legislation in the United States, she said. And to add:" I dare say that EU rules and the Privacy Shield has something to do with this".
Today, nearly 5,000 companies participate in this framework: this is more than its predecessor, the Safe Harbour, has achieved in its 13 years of existence, she was pleased to announce. The number of European citizens making use of their rights under the framework is also increasing and the redress mechanisms are functioning well, she added. Most importantly, the United States has finally filled all the vacancies, including Keith Krach’s appointment as Ombudsperson. This was in essence the main thorny issue in the Commission's last evaluation (see EUROPE 12120/11).
The report indicates that a first complaint was lodged with the Ombudsman through the Croatian Data Protection Authority. This complaint was finally considered inadmissible, as it concerned facts that took place before the adoption of the Privacy Shield. However, it provided an opportunity to test the procedure and demonstrated that it was working well, the Commission explains.
The Commission also notes an improvement in terms of repressive measures. The Federal Trade Commission has taken action under the Privacy Shield in seven cases, it said, citing in particular the $5 billion fine imposed on Facebook (see EUROPE 12296/27) and a number of investigations into possible violations of the framework are still ongoing.
Some practical improvements needed
"We would like to see the US do certain things better and faster", said Věra Jourová.
The Commission recommends that the US authorities further strengthen the (re)certification process for companies wishing to participate in the framework by shortening the time of the process. A maximum period of 30 days in total would seem reasonable, the Commission said.
It also asks them to expand compliance checks, in particular concerning false claims of participation in the Privacy Shield and to develop additional guidance for companies related to human resources data.
The Commission also expects the Federal Trade Commission (FTC) to further step up its investigations into compliance with the substantive requirements of the framework and to provide the European authorities with information on ongoing investigations.
The Commission also points out that this assessment has enabled it to obtain clarification from the US authorities on certain issues raised in the' Schrems II' case (C-311/18). Once the Court of Justice of the European Union has delivered its judgment - the Advocate General is due to deliver his Opinion on 12 December 2019 (see EUROPE 12292/15) - the Commission claims that it will assess the consequences for the Privacy Shield.
See the report: http://bit.ly/2ofdjTw (Original version in French by Marion Fontana)