The European Commission released its first annual review of the current EU-US Privacy Shield in order to determine what may or may not need changes as a matter of policy. As it currently stands, the Privacy Shield creates enforceable protections for European Union residents regarding the use of their personal data. The US-based entities that wish to participate will have to conform to greater transparency standards in how the data is used, submit to strong oversight to ensure adherence, and increase their cooperation with Data Protection Authorities (“DPAs”). So, what changes are suggested in this new report? How might this affect businesses in the United States? What consequences, if any, may be added to the new changes?
What is the review?
It was conducted by the Commission to the European Parliament, which in essence reviewed the function of the Privacy Shield and gathered input from publicly available sources. These sources combined press releases as well as legal cases that were available to the Commission, although neither source was cited specifically within the seven-page report. The Commission is composed of both European and American representatives, such as the European Data Protection Supervisor and Federal Trade Commission.
What are the suggested changes to the Privacy Shield framework?
Ultimately, the suggested changes to the Privacy Shield framework can be summarized as follows: the Department of Commerce should be doing more to promote privacy protection. This ranges from more education to more active roles in monitoring and acting against false claims of certification. Indeed, the first change mentioned was a prohibition against companies referring to being certified until the process had been finalized by the Department of Commerce.
Naturally, this may result in some snags. As we know, sometimes government filings can be slow, and even though an entity may believe it is completely compliant, some technicality or other misstep may lead to a claim that the entity misled the European Union resident.
However, this pressure on the Department of Commerce is not the only snag, as the Commission believes the Department of Commerce will have to work more closely with the Data Protection Authorities and the Federal Trade Commission.
Most surprising is the request that there be a permanent Ombudsperson appointed, as was initially requested in the Privacy Shield framework. As this is a central feature of the Privacy Shield, allowing an alternative dispute resolution system, it is remarkable that no Ombudsperson has been named or appointed to fill the position on a permanent basis. It is worth noting there is still an acting Ombudsperson for the purposes of the framework and the process still continues.
Finally, the report does nothing to comment on further penalties or enforcement mechanisms for non-compliance. This discrepancy may have more to do with the current release of the GDPR, rather than a review of the Privacy Shield, as the GDPR likely provides enough or better enforcement for similar issues.