European Commission Releases Privacy Shield Annual Report

The Privacy Shield celebrates its first birthday – and the European Commission is quite happy with it so far. This shows the first annual report which has just been released by the Commission.

Data protection for data transfers

How can a company transfer personal data from the EU/EEA abroad? There are several ways, inter alia the Standard Contractual Clauses (which are challenged at the moment at court). However, data transfers to the US have always been a special case. Therefore, the Safe Harbor framework has been – for a long time – a legitimate measure to transfer data to the US.

The Privacy Shield

But Safe Harbor ‘died’ in October 2015 when it has been declared invalid by the European Court of Justice. Thus, there has been a need for a new framework – the Privacy Shield was born! The Privacy Shield is a framework between the United States and the European Union that arranges for the protection of personal data that is transferred from the European Union to the United States for commercial purposes. For companies that are Privacy Shield certified, the framework imposes obligations on the protection of personal data transferred from the European Union, including strict obligations regarding the retention and sharing of such personal data, the National Law Review reports.

More than 2,500 organizations participate in the Privacy Shield to transfer personal data from the EU to the United States in compliance with EU data protection laws, GlobalTrade reports.

One year later…

On October 18, the Commission released its first annual report on the functioning of the EU-US Privacy Shield framework. Since the beginning of the Privacy Shield, it has been – like Safe Harbor – criticized for a number of reasons. One of them is the fact that it is a ‘self-certification’. However, the first annual report reports a positive development. The Privacy Shield framework is functioning as intended, the EU Commission states. The focus of the report was on the implementation of the Privacy Shield mechanisms and the administration and supervision of the Privacy Shield by the authorities.

Overall, the Commission found that

“U.S. authorities have put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield” and that the United States “continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield” from the European Union to companies in the United States.

Acting FTC Chairman Maureen K. Ohlhausen commented on the Commission’s review, according to lexology:

“Enforcing international privacy frameworks such as Privacy Shield is an integral part of our Privacy and Data Security program, as highlighted in three recently announced Privacy Shield enforcement actions. We look forward to continuing to work with our European counterparts to ensure that the Privacy Shield remains a robust mechanism for protecting privacy and enabling transatlantic data flows.”


The Commission did, however, provide ten recommendations on how to further improve the practical implementation of the Privacy Shield, the National Law Review reports. Most notably for the commercial aspects of the Privacy Shield, the Commission recommended that the US Department of Commerce conduct compliance checks on a regular basis, which may include questionnaires or annual compliance reports from certified companies. The Commission also recommended that the US Department of Commerce and EU Data Protection Authorities collaborate to develop legal interpretation guidance on Privacy Shield concepts.

Misleading of consumers

Recently, the FTC brought actions against three companies which misled consumers about their participation in the Privacy Shield. The report states in this regard:

“There may be a discrepancy between information that is publicly available, e.g. a company’s privacy policy, and the Department of Commerce’s Privacy Shield list which includes a company only once the certification is finalized. It is important that companies are not allowed to publicly refer to their adherence to the framework before the Department of Commerce has finalized the certification and included the company in the Privacy Shield list.”

The report will be sent to the European Parliament and other EU bodies and to US authorities. The Commission will work with the US authorities on the follow-up of its recommendations in the coming months…

Please note that your comments will be published after review and approval by our administrator and not immediately after they have been posted. Please also see our Terms of Service and our Privacy Police.