BBB National Programs Insights

EU Privacy Shield Year In Review: 2017

May 20, 2020, 09:00 AM by Bryant Fry
The first full year of the new Privacy Shield Frameworks was a success for the BBB EU Privacy Shield (BBB EUPS) program, its participants, and EU consumers alike. Reflecting on the progress we have made, and looking forward to the future, we have collected some of the significant developments and accomplishments in this year-in-review blog post.

Major growth. The ranks of BBB EUPS participants swelled during 2017. By January 2018, there were more than 750 participants in the program, out of a total of nearly 2,600 companies self-certified to the EU Privacy Shield Framework. April 2017 also marked the launch of self-certification under the Swiss-US Privacy Shield. By the end of the year, BBB EUPS had also assisted more than 400 of the 1,130 companies self-certified to this new Framework.

Last resort mechanism established. In the second half of 2017, the US Commerce Department worked to effectuate the “last resort” binding arbitration for EU individuals, described in Annex 1 to the Privacy Shield Framework. The option for binding arbitration is in place for those who have exhausted multiple redress options under Privacy Shield without satisfactorily resolving a privacy complaint. Formalizing this mechanism involved the selection of a panel of fifteen arbitrators, the establishment of an arbitral fund paid for by a one-time assessment on Privacy Shield participants, and the appointment of an administrator (ICDR-AAA) to manage the fund and arbitration process.

Successful annual review. In September 2017, the United States government, the European Commission, and several EU data protection authorities conducted a two-day review of Privacy Shield. Among the handful of invited private sector participants was BBB EUPS Director Frances Henderson, who discussed program operations and answered questions about the BBB EUPS 2016-2017 Procedure Report. In October, the European Commission released a positive report on the Annual Review, stating that Privacy Shield ensures an adequate level of protection for personal data transferred from the EU to the US. A separate report was published by the EU Data Protection Authorities’ Article 29 Working Party in late November.

Ongoing refinements. The reports from the European Commission and Article 29 Working Party each offered recommendations to improve Privacy Shield in advance of the next Annual Review in 2018. These included suggestions to improve Privacy Shield oversight of commercial activities, notably in the areas of compliance monitoring and false self-certification claims. In addition, they noted the need to raise awareness among EU individuals about how to enforce their rights and submit complaints. BBB EUPS continues to work closely with the US Commerce Department, engaging directly with these concerns and striving for an ideal implementation of the Frameworks.

Preparing for evolving legal requirements. As 2017 drew to a close, many new and existing participants in BBB EUPS were busy refining their data privacy practices in anticipation of complying with the EU General Data Protection Regulation (Regulation (EU) 2016/679). This has driven a surge in program growth as companies in the EU and the United States seek to align Privacy Shield and GDPR compliance in preparation for the May 25th, 2018 launch date. Many companies will rely on Privacy Shield as an adequate transfer mechanism that meets the GDPR requirement for transfers of personal data from the EU to the United States. Privacy Shield participants should also be aware that some other aspects of the new Regulation are already engineered into the Privacy Shield, which many companies think of as an “on-ramp” to full GDPR compliance. Companies that could be affected by this regulation may also want to focus on priorities such as building a comprehensive framework of internal policies, developing a workable system of data protection impact assessments, appointing a DPO, preparing for cybersecurity breaches, tightening vendor agreements, and legitimizing international data flows.

Overall, 2017 was a productive year for Privacy Shield, laying a strong foundation for many years to come. But the BBB EUPS program will keep a weather eye on the horizon as EU data privacy law continues to develop. The proposed ePrivacy Regulation, Brexit negotiations, and pending CJEU decisions may all bring changes that impact Privacy Shield, either directly or indirectly. Stay tuned to this blog to keep track of these developments.