November 12, 2019

November 11, 2019


European Commission Releases Privacy Shield Annual Report

In a positive development for companies relying on transatlantic data transfers, the European Commission (the Commission) recently announced that one year into the program, the EU-US Privacy Shield framework is functioning as intended.


The Privacy Shield is a framework between the United States and the European Union (and the United States and Switzerland) that arranges for the protection of personal data that is transferred from the European Union to the United States for commercial purposes. The Privacy Shield was born out of the Schrems case, in which the European Court of Justice invalidated the prior Safe Harbor framework designed to protect personal data transferred from the European Union to the United States.

For companies that are Privacy Shield certified, the framework imposes obligations on the protection of personal data transferred from the European Union, including strict obligations regarding the retention and sharing of such personal data. As part of the program, the Commission committed to conducting an annual review of its original decision that the Privacy Shield ensures an adequate level of protection for personal data that is transferred from the European Union to the United States.

The Commission’s Annual Review

On October 18, the Commission released its first annual report on the functioning of the EU-US Privacy Shield framework. The Commission stated that it focused on verifying that Privacy Shield mechanisms have been implemented as planned and confirming that US authorities met their commitments regarding the administration and supervision of the Privacy Shield.

Overall, the Commission found that “U.S. authorities have put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield” and that the United States “continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield” from the European Union to companies in the United States. The Commission did, however, provide ten recommendations on how to further improve the practical implementation of the Privacy Shield. Most notably for the commercial aspects of the Privacy Shield, the Commission recommended that the US Department of Commerce conduct compliance checks on a regular basis, which may include questionnaires or annual compliance reports from certified companies. The Commission also recommended that the US Department of Commerce and EU Data Protection Authorities collaborate to develop legal interpretation guidance on Privacy Shield concepts.


Although the Privacy Shield is still in the early stages of implementation and further reports or opinions may be issued, the positive annual report from the Commission provides a couple of key takeaways for commercial contracts involving transatlantic data transfers. First, when engaging a service provider that will be managing or processing transatlantic data flows, Privacy Shield certification should remain an important consideration during the selection process. Second, if engaging a service provider that is not Privacy Shield certified, customer-side companies should consider adding a provision into their contracts obligating the service provider to provide at least the same level of data protection that is required by the principles of the Privacy Shield framework. For example, “Service Provider shall provide at least the same level of privacy and security protection for personal data as is required by the relevant principles of the Privacy Shield framework, which, as of the effective date, are available at”

Copyright © 2019 by Morgan, Lewis & Bockius LLP. All Rights Reserved.


About this Author

Peter Watt-Morse, Morgan Lewis, Intellectual property lawyer

Peter M. Watt-Morse, one of the founding partners of the firm’s Pittsburgh office, has worked on all forms of commercial and technology transactions for more than 30 years. Peter works on business and intellectual property (IP) matters for a broad range of clients, including software, hardware, networking, and other technology clients, pharmaceutical companies, healthcare providers and payors, and other clients in the life science industry. He also represents banks, investment advisers, and other financial services institutions.

Christopher Archer, Corporate Transactions Attorney, Morgan Lewis

Christopher C. Archer focuses his practice on outsourcing, strategic technology, and commercial transactions. He regularly assists clients with global outsourcing deals that span a wide range of business processes, including information technology, finance and accounting, procurement, and other core and non-core functions. His work includes advising and supporting clients through each phase of an outsourcing transaction, from the RFP process through contract negotiations. He also drafts and negotiates licensing agreements, including cloud-based software license agreements, commercial contracts, technology and data-related agreements, and other services transactions.