The European Commission has published its third annual review of the EU-US Privacy Shield and said the system to regulate trans-Atlantic data exchange is performing better than a year ago, according to Telecompaper. The Commission said US oversight of the system has improved, as have the opportunities for redress by data subjects who feel their rights may have been violated.
About 5,000 companies participate in the Privacy Shield, agreeing to implement certain checks and processes to ensure personal data is protected when passing between the EU and US. The system was implemented three years ago after the EU Court of Justice found the US was not doing enough to meet EU data protection requirements, according to Telecompaper.
Among the improvements, the third review notes that the US Department of Commerce is ensuring the necessary oversight in a more systematic manner by, for example, carrying out monthly checks of a sample of companies to verify compliance with Privacy Shield principles. Enforcement action also has improved, with the Federal Trade Commission taking enforcement action related to the Privacy Shield in seven cases.
In addition, an increasing number of EU individuals are making use of their rights under the Privacy Shield, and the relevant redress mechanisms are functioning well, the Commission said. Alongside the appointment of the permanent Ombudsperson, the final two vacancies on the Privacy and Civil Liberties Oversight Board have been filled, ensuring that it is fully staffed for the first time, according to Telecompaper.
However, the Commission recommended additional steps for improvement. These include further strengthening the (re)certification process for companies that want to participate by shortening the time of the certification process; expanding compliance checks, including concerning false claims of participation in the framework; and developing additional guidance for companies related to human resources data. The Commission also expects the FTC to step up its investigations into compliance with substantive requirements of the Privacy Shield and provide the Commission and the EU data protection authorities with information on ongoing investigations.