In its second annual review, the European Commission recently delivered a passing grade for the U.S.-EU Privacy Shield, the agreement allowing for trans-Atlantic data transfer, despite urging from the European Parliament this past summer to abrogate the deal.

The review covered both government access to data and “commercial aspects” (the private sector use of data that we care about).

The Commission reported that, “the Department of Commerce has further strengthened the certification process and introduced new oversight procedures. In particular, the Department of Commerce adopted a new process that requires first-time applicants to delay public representations regarding their Privacy Shield participation until their certification review is finalised by the Department of Commerce. Moreover, the Department of Commerce has introduced new mechanisms to detect potential compliance issues, such as random spot-checks (at the time of the annual review, such spot checks had been performed on about 100 organisations) and the monitoring of public reports about the privacy practices of Privacy Shield participants. In the search for false claims of participation in the framework, the Department of Commerce is now actively using a variety of tools, for instance a quarterly review of companies that have been identified as more likely to make false claims and a system for image and text searches on the internet.”

The Commission also commended improvements in the U.S. on enforcement of the Privacy Shield: “As a result of these newly introduced practices and procedures, the Department of Commerce since the first annual review has referred more than 50 cases to the Federal Trade Commission, which in turn took enforcement action in those cases where the referral as such was not sufficient in order to make the company concerned come into compliance.” The FTC further, “as part of its efforts to proactively monitor compliance with the Privacy Shield Principles, recently issued administrative subpoenas to request information from a number of Privacy Shield participants.” The Commission was pleased that the FTC continues to investigate the Facebook / Cambridge Analytica case.

The European Commission concluded its December 19, 2018 report by acknowledging “that the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the Union to organisations in the United States.”

The Insights Association offers our Privacy Shield Program as a benefit of company membership, since it serves as an Independent Recourse Mechanism (IRM), a required component of the program. The Privacy Shield agreement still faces long-term threats, but it remains a useful mechanism for data transfer and a good starting point for GDPR compliance.