Third review of EU-US Privacy Shield

On 23rd October 2019, the European Commission published its third annual review report on the functioning of the EU-US Privacy Shield framework, which became operational on 1st August 2016.

The Privacy Shield aims to protect the fundamental rights of anyone in the EU whose personal data is transferred for commercial purposes to certified companies in the United States. Today there are about 5,000 companies participating in this EU-US data protection framework.

Since the second annual review, there have been a number of improvements in the functioning of the framework, as well as appointments to key oversight and redress bodies, such as the Privacy Shield Ombudsperson. Among the improvements, the third review notes that the US Department of Commerce is ensuring the necessary oversight in a more systematic manner by, for example, carrying out monthly checks of a sample of companies to verify compliance with Privacy Shield principles. Enforcement action has improved with the Federal Trade Commission taking enforcement action related to the Privacy Shield in seven cases. An increasing number of EU individuals are making use of their rights under the Privacy Shield, and the relevant redress mechanisms are functioning well, according to the report.

In spite of the improvements, the Commission recommends concrete steps to better ensure the effective functioning of the Privacy Shield in practice. This includes further strengthening the certification process for companies who want to participate by shortening the time of the certification process; expanding compliance checks, including checks concerning false claims of participation in the framework; and developing additional guidance for companies related to human resources data. The Commission also expects the Federal Trade Commission to further step up its investigations into compliance with substantive requirements of the Privacy Shield and provide the Commission and the EU data protection authorities with information on ongoing investigations.

When the report was published, litigation was pending before the European Court of Justice on EU-US data transfers, which may also have an impact on the Privacy Shield.
