REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL on the second annual review of the functioning of the EU-U.S. Privacy Shield Add 1: Commission Staff Working document accompanying the report
1. The EU-US Privacy Shield became operational on 1 August 2016, after the European Commission issued its formal decision that the US Privacy Shield framework provides adequate protection to allow personal data to be transferred to the United States. The Privacy Shield imposes stronger obligations on US companies to protect Europeans’ personal data by requiring the US to monitor and enforce more robustly, and cooperate more with European Data Protection Authorities. It also includes written commitments and assurance regarding access to data by public authorities. The framework reflects the principles and requirements laid down by the CJEU in its judgment in the Schrems case, which invalidated the previous EU-US partial adequacy decision which was based on the Safe Harbour framework.
2. On 19 December 2018, the European Commission published its report and staff working document on the second annual review of the EU-US Privacy Shield. The Report, generally positive, concludes that the US continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to the participating companies in the US. It notes that the steps taken by the US authorities to implement the recommendations made by the Commission in its 2017 report have improved the functioning of the framework.
3. The Commission report highlights the improvements made over the past year including the strengthening by the US Department of Commerce of the certification process and of its proactive oversight of the framework. The Department has set up new mechanisms to detect compliance issues, such as random spot checks, and carried out an analysis of Privacy Shield participants’ websites to ensure that links to privacy policies are correct.