The EU-US Privacy Shield is due for its first joint annual review in September 2017, which will be undertaken by the European Commission and the Article 29 Working Party (WP29) in the US.
The US Department of Commerce will be responsible for conducting the review while the US Department of State and the US Department of Justice are likely to participate (among others).
The annual review is expected to assess whether the EU-US Privacy Shield is functioning effectively and providing adequate safeguards for cross-border data flows, and is most likely to focus on law enforcement and national security issues.
The EU-US Privacy Shield was agreed in August 2016 and aims to provide robust protections for the personal data of EU citizens when processed in the US. It reflects the requirements of the Court of Justice of the European Union, which declared the previous Safe Harbour framework invalid. The EU-US Privacy Shield imposes strong obligations on US companies who are certified under the EU-US Privacy Shield to protect European individuals' personal data and requires US authorities to implement oversight mechanisms to ensure US companies abide by these obligations.
The review aims to ensure that the EU-US Privacy Shield keeps functioning effectively and maintains an adequate level of protection for EU citizens' personal data which is processed in the US. In a recent speech, the EU Commissioner for Justice stated that the review will focus on verifying that the key foundations of the EU-US Privacy Shield remain in place, in particular with respect to government access for national security reasons.
The relevant reviewing authorities will also monitor the compliance of US companies with the EU-US Privacy Shield principles in order to ensure the proper day-to-day implementation of the framework and identify any issues that may require a robust follow-up.
Some other areas of concern to be included in the review identified by the EU Parliament's LIBE Committee and the WP29 are as follows:
The first joint annual review will be critical to assessing the robustness and efficiency of the EU-US Privacy Shield framework. As the EU-US Privacy Shield seeks to put in place an efficient and robust data transfer mechanism, the results of the review will be of interest to organisations that deal with the transfer of data outside the European Economic Area on the basis of the EU-US Privacy Shield framework.
Following the completion of the annual joint review of the EU-US Privacy Shield, the European Commission will issue a report which may be followed by a separate public report issued by the WP29.
Contributor: Jenai Nissim
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at September 2017. Specific advice should be sought for specific cases. For more information see our terms and conditions.