The E.U. – U.S. Privacy Shield Review is in

The E.U. Commission had their 3rd annual review of the E.U. – U.S. Privacy Shield this October, with the goal to evaluate the compliance of the agreement in place and the green light to continue.

In 2016, the Privacy Shield agreement was designed by the U.S. Department of Commerce and European Commission for companies to have a mechanism in place to comply with data protection requirements when transferring personal data. While entirely voluntary, this agreement encourages companies from either side to benefit from the Framework’s requirements. All companies that enroll benefit from an organization created to show a commitment to data security, and provides added security to potential clients that their data will be held to the highest of standards.

This year, the annual review focuses on the day-to-day functionality of the E.U. – U.S. Privacy Shield and to ensure an adequate level of protection for personal data transferred under the agreement. There are currently 5,000 companies currently participating under the agreement.

The Good News

The E.U. Commission maintained that the Privacy Shield agreement continued an adequate level of protection and that there were improvements from the previous year’s review, including appointing a permanent Privacy Shield Ombudsman, that completes the staff vacancy for the first time since the agreement’s inception.

The Uncertain News

During the review assessment, several recommendations were made that include:

  • Strengthening the re-certification process for companies that want to participate. The report shows that companies remained on the “active” list too long without being re-certified continuously.
  • “Spot” checks. The report asks to expand these spot checks to additional areas such as investigating false claims of being associated with the agreement.
  • The report also expects the FTC (Federal Trade Commission) to step up its investigations into compliance, and creating a joint guidance of additional data issued by the DOC, FTC, and EU Data Protection Authorities.

The Future of the Agreement

While the EU Commissioner’s report overall approved the framework of the program to proceed another year, the Court of Justice in the E.U. is reported to give a ruling next year whether E.U. citizens’ personal data can legally be shipped to the U.S. If the court rules the U.S. surveillance programs violate its citizens’ privacy, then companies will have to halt data moving oversees, such as payroll information. This poses quite a disruption to corporations should the ruling be denied, but will have to wait until spring of 2020 to know the final decision. Until then, the E.U. – U.S. Privacy Shield agreement remains in place.