Privacy Shield’s Second Annual Review: A Good Report Card

May 20, 2020, 09:00 AM by BBB National Programs

On December 19, 2018, the European Commission released a positive report on the second Annual Review of the EU-U.S. Privacy Shield. The report concludes that “the United States continues to ensure an adequate level of protection for personal data that is transferred under the Privacy Shield from the Union to individual organizations in the United States.”

The report is a result of the Annual Review that was conducted by the United States government, the European Commission, and the EU data protection authorities in Brussels on October 18 and 19, 2018. The primary objectives of the joint review were to monitor the current U.S. administration’s work on, and industry’s compliance with, the Privacy Shield, and to influence the privacy discussion in the United States. The report’s findings were also influenced by surveys that the Commission sent to U.S. trade associations and advocacy groups.

In the report, the Commission expressed its approval for the efforts of the United States to fine-tune processes and procedures after the first Annual Review. Specifically, the report mentions:

  • The U.S. Department of Commerce’s requirement that first-time applicants delay public representations regarding Privacy Shield participation until their certification review is finalized.
  • Additional monitoring and oversight efforts that the Department of Commerce has instituted to detect compliance issues, including random spot-checks and the monitoring of public reports about the privacy practices of Privacy Shield participants.
  • The proactive efforts of the Federal Trade Commission to monitor and enforce compliance with the Privacy Shield Principles, including its recent issuance of administrative subpoenas to Privacy Shield participants and its enforcement actions against false claims of Privacy Shield certification based on Department of Commerce referrals (the report notes that there have been 56 such referrals since the first annual review).
  • The appointment of three new members to the independent Privacy and Civil Liberties Oversight Board (PCLOB) to restore a chair and a quorum to this oversight mechanism.

In addition, the report puts forward a list of processes and outcomes that will be “closely monitored,” which likely indicate the focus of the third annual review. These include:

  • The appointment of a permanent Privacy Shield Ombudsperson by February 28, 2019 and the effectiveness of the handling and resolution of complaints by the Ombudsperson (so far no complaints have been received through this mechanism). Note: on January 18th, the Trump administration nominated Keith Krach to serve as Undersecretary of State for Economic Growth, Energy, and the Environment—a role that has historically included the duties of the Privacy Shield Ombudsperson.
  • The effectiveness of the Department of Commerce’s efforts to monitor compliance with substantive requirements and obligations and to detect false claims of certification.
  • The progress and outcomes of ex officio sweeps by the Federal Trade Commission through the use of administrative subpoenas.

The report will now be sent to the European Parliament, the Council, the European Data Protection Board and U.S. authorities. The Commission will then work with U.S. authorities to implement its recommendations.

Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, stated: “The EU and the U.S. are facing growing common challenges, when it comes to the protection of personal data, as shown by the Facebook / Cambridge Analytica scandal. The Privacy Shield is also a dialogue that in the long term should contribute to convergence of our systems, based on strong horizontal rights and independent, vigorous enforcement. Such convergence would ultimately strengthen the foundation on which the Privacy Shield is based. In the meantime, all elements of the Shield must be working at full speed, including the Ombudsperson.”

U.S. Secretary of Commerce Wilbur Ross stated: “I am very proud of our work together to support Privacy Shield and advance the transatlantic economic relationship. Data flows between the United States and Europe are the highest in the world, and it is in both our interests to adopt policies that strengthen data protection and enable transatlantic commerce. Privacy Shield enables the information flows that allow our citizens and businesses to connect and play such a critical role in our society and economy today.”

You will find the full report from the European Commission attached to this email. For further details, consult the accompanying Commission Staff Working Document.
