European Commission publishes report on the second review of the functioning of the EU-US Privacy Shield

The report shows that the US continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to participating companies in the US. The steps taken by the US authorities to implement the recommendations made by the Commission in last year’s report have improved the functioning of the framework.

However, the Commission expects the US authorities to nominate a permanent Ombudsperson by 28 February 2019 to replace the current incumbent. If this does not take place by that date, the Commission says that it will consider taking appropriate measures, in accordance with the General Data Protection Regulation.

Improvements already made include the strengthening by the Department of Commerce of the certification process and of its proactive oversight of the framework. As recommended by the Commission’s first annual review, the Department of Commerce has set up several mechanisms, including a system of spot checks, which randomly selects companies to verify that they comply with the Privacy Shield principles. 100 companies have been checked: 21 had issues that have now been resolved. Additional compliance review procedures also include the analysis of Privacy Shield participants’ websites to ensure that links to privacy policies are correct. The Department of Commerce has also put in place a system to identify false claims, which prevents companies from claiming compliance with the Privacy Shield when they have not been certified.

The Federal Trade Commission has demonstrated a more proactive approach to enforcement by monitoring the principles of the Privacy Shield, including by issuing subpoenas to request information from participating companies.

As for access to personal data by US public authorities for national security purposes, new members of the Privacy and Civil Liberties Oversight Board (PCLOB) have been appointed, which restores the Board’s quorum. The Board’s report on the implementation of Presidential Policy-Directive No. 28, which provides for privacy protections for non-Americans, has been made publicly available. It confirms that these privacy protections for non-Americans are implemented across the US intelligence community.

The second review took into account relevant developments in the US legal system in the area of privacy. The Department of Commerce launched a consultation on a federal approach to data privacy, to which the Commission contributed, and the US Federal Trade Commission is reflecting on its current powers in this area. In the context of the Facebook/Cambridge Analytica scandal, the Commission noted the Federal Trade Commission’s confirmation that its investigation of this case is ongoing.
