The European Union has given a thumbs up to the EU-U.S. Privacy Shield in its first annual review of the framework for protecting cross-border data flows.
The first annual report concluded the shield works, but could use some bolstering, including by the U.S. Department of Commerce.
"Overall the report shows that the Privacy Shield continues to ensure an adequate level of protection for the personal data transferred from the EU to participating companies in the U.S. The U.S. authorities have put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield, such as new redress possibilities for EU individuals," the report concluded. "Complaint-handling and enforcement procedures have been set up, and cooperation with the European Data protection authorities has been stepped up," it said. "The certification process is functioning well - over 2,400 companies have now been certified by the U.S. Department of Commerce. As regards access to personal data by U.S. public authorities for national security purposes, relevant safeguards on the U.S. side remain in place."
Recommendations for bolstering the shield include "more proactive and regular monitoring of companies' compliance with their Privacy Shield obligations by the U.S. Department of Commerce," appointing an ombudsperson and filling vacancies on the Privacy and Civil Liberties Oversight Board.
The report will be distributed to the European Parliament and U.S. authorities for follow-up on the recommendations.
The White House had predicted the positive review. Last month, press secretary Sarah Sanders said: "We firmly believe that the upcoming review will demonstrate the strength of the American promise to protect the personal data of citizens on both sides of the Atlantic."
The Privacy Shield replaces the Safe Harbor agreement that a European Union court invalidated in October 2015 over concerns about the U.S. being able to hold up its end of the agreement given the government surveillance revealed by the Edward Snowden leaks. The voluntary framework requires companies to provide notice of what personal information is being collected and stored, the purposes it is used for, and an "opt out" mechanism.
"We welcome the positive outcome of the first EU-U.S. Privacy Shield Annual Review," said Federal Trade Commission Chairman Maureen Ohlhausen. "Enforcing international privacy frameworks such as Privacy Shield is an integral part of our Privacy and Data Security program, as highlighted in three recently announced Privacy Shield enforcement actions. We look forward to continuing to work with our European counterparts to ensure that the Privacy Shield remains a robust mechanism for protecting privacy and enabling transatlantic data flows."
"We applaud, and are relieved by, the positive review of the EU-U.S. Privacy Shield," said ACT | The App Association President Morgan Reed. "We support the EU-U.S. Privacy Shield as a model framework to foster cross-border data flows and secure privacy protections. Our small business members are among the 2,400 businesses that depend on Privacy Shield certification to engage with and access customers throughout the EU. Their growth and success hinges on the ability to protect consumer privacy, and maintain consumer trust. We will continue to work with U.S. government entities to ensure the Privacy Shield and its commitments are upheld."