EU-US Privacy Shield Second Review: Improvements Shown, but More to be Done
The EU Commission published its second annual review of the functioning of the EU-US Privacy Shield, which focused on commercial issues, human resources data and automated individual decision-making, and developments in the U.S. legal framework. This report follows the same general structure as the report on the first annual EU-US Privacy Shield review that we reported on last year.
A central component of the second report was an assessment of the implementation of the recommendations from last year. The report is based on information gathered from relevant stakeholders and U.S. authorities both in preparation and during the Annual Joint Review meeting held in Brussels on October 18 and 19, 2018.
The second review report focused on three main topics: commercial aspects, which include recent developments in the administration and supervision of the Privacy Shield framework, including its day-to-day functioning; two substantive topics, human resources data and automated individual decision-making; and developments in the U.S. legal framework. The report concludes that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to organizations in the U.S. However, the Commission was extremely critical that the post of Privacy Shield Ombudsperson (the Under-Secretary position in the State Department to which the office of the Ombudsperson has been assigned) has not yet been filled by a permanent appointment.
The report identified developments in the certification and re-certification process, oversight and enforcement, complaint handling and awareness raising, finding that the Department of Commerce (DoC) had further strengthened the certification process and introduced new oversight procedures. Specifically, the report noted that the DoC had developed and issued internal guidelines, introduced new elements in the certification procedure, and improved the procedure for first-time certification applicants. One of the new elements in the certification process is a check that verifies whether a company's privacy policy contains a hyperlink to the correct complaint form on the website of the relevant complaint handling body. With respect to the first-time certification process, the DoC improved the procedure by prohibiting any public representations about a company's Privacy Shield certification before the DoC has finalized the process.
The report also highlighted other mechanisms implemented by the DoC to detect potential compliance issues, including random spot-checks and other monitoring efforts such as reviewing Privacy Shield participants' websites to identify broken links and the use of compliance questionnaires. In addition, the DoC has developed a prioritization plan and a system for text and other Internet searches to identify false claims of participation.
The DoC referred 56 companies to the Federal Trade Commission (FTC) during the last year, five of which were the subject of enforcement actions, with other investigations underway. The report also highlighted the new composition of the FTC, with five new commissioners this past year. The FTC confirmed that it continues to systematically look for potential Privacy Shield violations as part of its privacy and security investigations.
Human Resources Data
At the first annual review, it emerged that the EU and the U.S. interpret differently what data is considered HR data: the EU has a much more expansive reading, while the U.S. reading is narrower. During the second review, the parties continued the discussion about the difference in interpretation. The report recommends continued constructive dialogue with a view to issuing common guidance.
Automated Decision Making
After the first annual review, the Commission commissioned a study to determine the extent to which Privacy Shield-certified companies in the U.S. make decisions affecting individuals based on automated processing of personal data transferred from companies in the EU under the Privacy Shield, and the safeguards for individuals that U.S. federal law provides. The study concluded that automated decision-making is still an emerging technology and that there is currently no evidence suggesting that it is normally being carried out by Privacy Shield-certified companies on the basis of data transferred under the Privacy Shield. In addition, there is no overarching federal law that applies to automated decision-making, though several sectoral laws may apply, such as the Fair Credit Reporting Act, the Equal Credit Opportunity Act, and Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. The report concludes that automated decision-making is rapidly evolving and requires close monitoring.
U.S. Legal Framework
Finally, the report reviewed recent developments in the U.S. legal framework relating to access to and use of personal data by U.S. public authorities, noting the important legal development of the reauthorization of Section 702 of the Foreign Intelligence Surveillance Act. The report noted that although the reauthorization did not incorporate certain recommended protections, it did not restrict any of the safeguards contained in the Act that were in place when the Privacy Shield decision was adopted. The report also noted that during the past year the U.S. Senate confirmed the nominations of the Chairman and two other members of the Privacy and Civil Liberties Oversight Board.
The report was critical that the post of Privacy Shield Ombudsperson has not yet been filled by a permanent appointment. The Commission stated that it expects the U.S. government to identify a nominee to fill the Ombudsperson position on a permanent basis by February 28, 2019, and that if such an appointment has not taken place by then, it will consider taking appropriate measures pursuant to the GDPR.