The European Commission today published its EU-US Privacy Shield report, following the second annual review of the programme.
The EU-US Privacy Shield report found that the US has continued to provide adequate protection and security for data transferred from the EU to the US under the Privacy Shield, which aims to guarantee the fundamental rights of EU residents whose data is transferred from the EU to certified companies in the US for commercial reasons. The report noted that the framework of the Privacy Shield had been markedly improved by the US’s implementation of recommendations laid out in last year’s review.
The US Department of Commerce has strengthened its certification process and implemented random spot checks on certified businesses to ensure they remain compliant with the terms of the Privacy Shield, the EU-US Privacy Shield report found. Meanwhile the Federal Trade Commission is conducting an ongoing data privacy investigation with regard to the Cambridge Analytica scandal.
While the progress of the Privacy Shield was found to have been mostly positive, the EU-US Privacy Shield report highlighted the continued absence of a permanent Ombudsperson to oversee the arrangement. The Commission stated it expects a permanent Ombudsperson to be appointed by 28 February 2019; if this does not happen, the Commission will examine the possibility of taking further measures in line with the General Data Protection Regulation.
Andrus Ansip, Commission Vice-President for the Digital Single Market, said: “[The EU-US Privacy Shield report] shows that the Privacy Shield is generally a success. More than 3,850 companies have been certified, including companies like Google, Microsoft and IBM – along with many SMEs. This provides an operational ground to continuously improve and strengthen the way the Privacy Shield works. We now expect our American partners to nominate the Ombudsperson on a permanent basis, so we can make sure that our EU-US relations in data protection are fully trustworthy.”
The EU-US Privacy Shield report will be passed to the European Parliament, the Council of Europe, the European Data Protection Board; and the US authorities.