January 16, 2022

Volume XII, Number 16


EU Commission’s First Annual Review Confirms Adequacy of the EU-U.S. Privacy Shield

On October 18, 2017, the European Commission published its report and supporting documents regarding its first annual review of the EU-U.S. Privacy Shield (Privacy Shield), which sets forth procedures and safeguards for transferring personal data from the European Union (EU) to the United States. The report concludes that Privacy Shield “ensures an adequate level of protection for personal data” transferred from the EU to the United States.

The EU Commission met with U.S. authorities involved with Privacy Shield in Washington D.C. in September of 2017 as part of the mandatory Annual Joint Review meetings conducted to review the adequacy of Privacy Shield. The EU Commission also received input from Privacy Shield certified companies, nongovernmental organizations, U.S. authorities, and EU data protection authorities regarding the administration of Privacy Shield since it became operational in August 2016. 

In finding that Privacy Shield continues to provide adequate safeguards for personal data transferred to the United States from the EU, the Commission stated that the U.S. authorities had enacted several structures and procedures to ensure the correct functioning of Privacy Shield such as new redress possibilities for EU individuals, complaint-handling and enforcement procedures, increased cooperation with EU data protection authorities, a well-functioning self-certification process, and relevant safeguards regarding access to personal data by U.S. public authorities for national security purposes.

Significantly, the EU Commission also provided several recommendations for improving the functioning of Privacy Shield including:

  • more proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce;

  • increased enforcement against companies that falsely claim to participate in Privacy Shield;

  • providing more information to EU individuals about how to exercise their rights under Privacy Shield including how to lodge complaints;

  • closer cooperation between U.S. and EU regulators, notably to develop guidance for companies and regulators;

  • enacting the protections afforded to individuals who are not U.S. residents as set forth in the Presidential Policy Directive in the reauthorization and reform of the Foreign Intelligence Surveillance Act (FISA); and

  • the appointment of a permanent Privacy Shield ombudsman, who processes requests from EU individuals relating to national security access to EU-transferred data, and the appointment of additional members to the Privacy and Civil Liberties Oversight Board, which ensures that U.S. executive branch actions regarding terrorism are balanced against the need to protect privacy and civil liberties.

Key Takeaways for Employers

The EU Commission’s finding that Privacy Shield is an adequate method to transfer personal data from the EU to the United States provides some certainty to employers that have self-certified under Privacy Shield or that have waited to see if Privacy Shield would pass muster with the EU Commission before self-certifying. However, Privacy Shield employers should expect greater enforcement efforts from both U.S. and EU regulators.  

The EU Commission’s Privacy Shield report is especially relevant for employers that use standard contract clauses rather than Privacy Shield to transfer human resources data between their EU and U.S. operations. The validity of standard contract clauses is currently under legal review by the European Court of Justice, which, many predict, will hold that standard contract clauses are invalid for the same reasons the court invalidated the EU-U.S. Safe Harbor framework in 2015, i.e., improper access to EU data by U.S. surveillance agencies. Although the validity of Privacy Shield is also under legal challenge, the fact that the EU Commission has determined that the U.S. has enacted relevant safeguards under Privacy Shield regarding access to personal data by U.S. public authorities for national security purposes bolsters the validity of Privacy Shield and distinguishes Privacy Shield from standard contract clauses.

More importantly, the EU Commission’s Privacy Shield report is significant in light of the General Data Protection Regulation (GDPR), which is set to become effective on May 25, 2018. The GDPR will impose strict requirements upon employers regarding the collection, processing, and transfer of human resources data involving EU employees and applicants and will subject non-compliant employers to fines of up to 20 million euros or 4 percent of annual worldwide revenue, whichever is greater. Consequently, employers currently using standard contract clauses should consider self-certifying under Privacy Shield by May 2018 to ensure that they have a valid mechanism to transfer human resources data from the EU to the United States to avoid these hefty GDPR fines.

Finally, employers should note that both Privacy Shield and the GDPR impose different and often stricter requirements for human resources data than for commercial or consumer data. For example, the GDPR expressly provides that each EU member state can enact its own, stricter requirements for human resources data under national data privacy laws, labor laws, and collective agreements with labor unions. Thus, employers should implement Privacy Shield and GDPR compliance programs, in addition to their commercial and consumer data compliance programs, that are specific to human resources data.

© 2022, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.

National Law Review, Volume VII, Number 293

About this Author

Grant Petersen, Labor, Employment, Ogletree Deakins

Mr. Petersen represents and counsels employers regarding a broad range of U.S. and international labor and employment law issues, Foreign Corrupt Practices Act and other anti-corruption law issues, and data privacy and data protection law issues. He represents clients in a wide variety of industries, including manufacturing, service, healthcare, financial, retail, and food processing, as well as multinational companies and trade associations.

Simon McMenemy, Labor Employment, Managing Partner, New York, OgleTree Deakins law firm
Managing Partner

Simon is an experienced employment law practitioner. He was called to the Bar in 1995, and subsequently qualified as a solicitor while working in the employment and incentives team of a major global law firm. He has advised on the employment aspects of many major international and multi-jurisdictional mergers and acquisitions. He also has a wide range of experience in advising companies on change management, particularly in relation to acquired rights, pensions and benefits. Simon advises on the increasingly complex issues arising on data privacy and data protection in the workplace and is...

Hendrick Muschal, Ogletree Deakins, Employment Attorney, Germany
Managing Partner / Certified Specialist for Employment Law

Hendrik Muschal is a partner in Ogletree Deakins’ Berlin office.  He advises numerous German and international clients on all aspects of individual employment law, collective employment law in both the private and public sector, international employment law and criminal labor law.  Hendrik is strongly involved in international business activities, particularly in the field of international investments and cross-border transactions as well as global HR management.

One of the focal points of Hendrik’s work regarding global HR management is data protection and monitoring inside the EU...
