What is the Privacy Shield?
The Privacy Shield is an arrangement for protecting the personal data of anyone in the EU when it is transferred to the U.S. for commercial purposes.
It includes obligations for U.S. companies receiving personal data from the EU, as well as obligations for the U.S. government if they subsequently request access to this personal data for national security or law enforcement reasons.
The arrangement also gives EU individuals the right to make a complaint if they think that their personal data is not being properly protected.
The Privacy Shield is also reviewed on an annual basis to make sure that it still ensures an adequate level of protection for personal data, and to check that it is being implemented correctly.
How did the Commission prepare the report of the first Privacy Shield annual review?
To prepare the annual review, the Commission services gathered information and feedback on the implementation and functioning of the Privacy Shield framework from all relevant stakeholders:
- from Privacy Shield-certified companies through their respective trade associations, and
- from non-governmental organisations (NGOs) active in the field of fundamental rights and in particular digital rights and privacy.
It also obtained information from the U.S. authorities involved in the implementation of the framework.
The first Annual Joint Review took place on 18 and 19 September 2017 in Washington, DC. It was opened by Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, and U.S. Secretary of Commerce Wilbur Ross. The annual review was conducted for the EU by representatives of the European Commission's Directorate General for Justice and Consumers. The EU delegation also included eight representatives designated by the Article 29 Working Party, the advisory body bringing together the national data protection authorities of the Member States (DPAs) as well as the European Data Protection Supervisor.
On the U.S. side, representatives of the Department of Commerce (DoC), the Federal Trade Commission (FTC), the Department of Transportation, the Department of State, the Office of the Director of National Intelligence and the Department of Justice participated in the review, as well as the acting Ombudsperson, a Member of the Privacy and Civil Liberties Oversight Board (PCLOB) and the Office of the Inspector General of the Intelligence Community. Moreover, representatives of organisations that offer independent dispute resolution under the Privacy Shield, the American Arbitration Association as administrator of the Privacy Shield Arbitration Panel and some Privacy Shield-certified companies provided input during the annual review.
The annual review has further been informed by publicly available material, such as court decisions, implementing rules and procedures of relevant U.S. authorities, reports and studies from NGOs, transparency reports issued by Privacy Shield-certified companies, press articles and other media reports.
What are the new elements introduced to the functioning of the Privacy Shield by the U.S. since its launch?
Among the new elements introduced by the U.S. since last year:
- the Department of Commerce has set up and fine-tuned its process for receiving and reviewing applications from companies that wish to certify under the Privacy Shield;
- the Department of Commerce has developed questionnaires as a tool to monitor on an ongoing basis companies' effective compliance with their obligations under the Privacy Shield (companies have to respond within 30 days);
- the Department of Commerce and the Federal Trade Commission, in cooperation with EU data protection authorities (DPAs), have put in place tools and instruments to ensure smooth cooperation between the enforcement authorities on both sides of the Atlantic. For example, they have developed a Standard Referral form which facilitates the referral of a company to the Department of Commerce for further compliance review if a Data Protection Authority believes that the company is not complying with the Privacy Shield, and they have identified points of contact for Data Protection Authorities;
- the U.S. Department of State has taken measures to ensure that the Ombudsperson mechanism (the special instrument created by the Privacy Shield to address complaints concerning access to personal data by U.S. authorities for national security purposes) is fully functional and ready to receive and address complaints. In particular, it has established an online platform for the Ombudsperson and developed an electronic form through which complaints from the EU can be channelled to the Ombudsperson. It has also drawn up the rules of procedure which govern how the Ombudsperson deals with complaints.
What are the key recommendations of the Commission to the U.S. authorities?
In the commercial area, the recommendations of the Commission are the following:
- the Commission recommends that companies should not be allowed to publicly announce that they are Privacy Shield-certified until the Department of Commerce has finalised the certification;
- the Commission also recommends that the Department of Commerce conducts regular searches for companies falsely claiming participation in the Privacy Shield;
- the Commission recommends that the Department of Commerce conducts compliance checks on a regular basis;
- the Commission encourages the Department of Commerce and the Data Protection Authorities to work together to develop guidance on the legal interpretation of certain concepts in the Privacy Shield (e.g. with regard to the principle of accountability for onward transfers and the definition of human resources data);
- the Commission recommends that the Department of Commerce and the EU Data Protection Authorities strengthen their awareness-raising efforts (e.g. to inform individuals about how to exercise their rights under the Privacy Shield).
In the area of national security, the recommendations of the Commission are the following:
- the Commission would welcome it if the U.S. Congress considered favourably enshrining in the Foreign Intelligence Surveillance Act the protections for non-Americans offered by Presidential Policy Directive 28 (PPD-28);
- the Commission calls on the U.S. administration to swiftly appoint a permanent Privacy Shield Ombudsperson, as well as the missing members of the Privacy and Civil Liberties Oversight Board (PCLOB);
- the Commission calls for the public release of the PCLOB's report on the implementation of PPD-28.
In both the commercial and national security areas, the Commission also calls on the U.S. authorities to proactively fulfil their commitment to provide timely and comprehensive information about any development that could raise questions about the functioning of the Privacy Shield.
What are the possibilities of complaints against a Privacy Shield company?
The Privacy Shield provides a number of ways to help you make a complaint about a U.S. company if you think that it is not using your personal data in the correct way or that it is not complying with the rules. You can choose to make a complaint to any one of the following:
- the U.S. company itself;
- an independent Alternative Dispute Resolution body;
- a National Data Protection Authority;
- the U.S. Department of Commerce;
- the U.S. Federal Trade Commission.
If your complaint is unresolved after using the other redress mechanisms, or if you are not satisfied with the way your complaint was handled, you have the right to seek redress by bringing your case to the Privacy Shield Arbitration Panel.
The European Commission's Guide to the EU-U.S. Privacy Shield has more detailed information about these different ways of making a complaint.
Which elements of U.S. legal rules are particularly relevant for the compliance with the Privacy Shield and why?
The Presidential Policy Directive 28 (PPD-28) and the Foreign Intelligence Surveillance Act (FISA) are elements of the U.S. legal system which are of particular relevance in the context of the Privacy Shield.
PPD-28 contains limitations and safeguards for the collection and use of personal data by U.S. public authorities for national security purposes. It was issued in 2014 by former U.S. President Obama and was specifically designed to also protect the privacy of non-Americans. Among other things, PPD-28 stipulates that U.S. surveillance activities must include appropriate safeguards for the personal information of all individuals, regardless of their nationality or where they might reside. It also provides that such activities must always be as tailored and as targeted as feasible. During the annual review, the U.S. authorities expressly confirmed that the current U.S. Administration is not making any change to PPD-28.
FISA provides one of the main legal authorities on the basis of which U.S. public authorities can access the personal data of Europeans that has been transferred from the EU to Privacy Shield-certified companies in the U.S.: Section 702 FISA authorises the acquisition of foreign intelligence information through the targeting of non-U.S. persons located outside the U.S. with the compelled assistance of U.S. electronic communication service providers. At the same time, Section 702 FISA imposes a number of conditions and limitations aimed at ensuring targeted collection.
How many access requests from surveillance authorities were received by companies under the Privacy Shield?
A number of Privacy Shield-certified companies publish transparency reports, which show (in bands of 500) the number of requests for disclosure of communications content a company has received during a given reporting period. Between January and June 2016, Microsoft, for example, received between 0 and 499 requests under FISA, which impacted between 12,000 and 12,499 user accounts. In the same period, Facebook received between 500 and 999 requests for access to content under FISA, affecting between 13,000 and 13,499 user accounts, while Google received between 500 and 999 such requests, affecting between 25,000 and 25,499 accounts. These figures illustrate that, as a percentage of total user accounts (for example, Facebook has two billion active accounts), the number of accounts affected by requests for government access to personal data remains limited.