EU – U.S. Privacy Shield – Second Annual Joint Review
On 22 January 2019, the members of the European Data Protection Board (EDPB) adopted at the plenary meeting a report on the Second Annual Joint Review of the EU – U.S. Privacy Shield.
The EDPB welcomed the efforts made by the U.S. authorities and the Commission to implement the Privacy Shield, especially actions undertaken to adapt the initial certification process, start ex officio oversight and enforcement actions, as well as the efforts to publish a number of important documents, in part by declassification (such as decisions by the FISA Court), the appointment of a new Chair as well as of three new members of the Privacy and Civil Liberties Oversight Board (PCLOB) and the recently announced appointment of a permanent Ombudsperson.
In view of the findings of the second joint review, the following concerns about the implementation of the Privacy Shield still remain. This includes concerns already expressed by the EDPB’s predecessor WP29 on the lack of concrete assurances that indiscriminate collection and access of personal data for national security purposes are excluded. Also, based on the information provided so far, the EDPB cannot currently consider that the Ombudsperson is vested with sufficient powers to remedy non-compliance. In addition, the Board points out that checks regarding compliance with the substance of the Privacy Shield’s principles are not sufficiently strong.
Moreover, the EDPB has some additional concerns with regard to the necessary checks to comply with the onward transfer requirements, the scope of meaning of HR Data and the recertification process, as well as to a list of remaining issues raised after the first joint review which are still pending.