Commission Publishes Report on the Second Annual Review of the Functioning of the EU-U.S. Privacy Shield

On December 19, 2018, the European Commission (the “Commission”) issued a press release regarding the publication of the Commission’s second annual review of the functioning of the EU-U.S. Privacy Shield (the “Report”).

Background

On July 12, 2016, the Commission adopted an adequacy decision on the basis that the EU-U.S. Privacy Shield ensured an adequate level of protection to personal data transferred from the European Economic Area (“EEA”) to the participating companies in the U.S. The Commission also concluded that the EU-U.S. Privacy Shield framework could be improved. On that basis, the Commission annually reviews the framework and issues recommendations.

Findings after This Second Year

This year’s Report concludes that the U.S. still ensures an adequate level of protection to the personal data transferred from the EEA to U.S. companies under the EU-U.S. Privacy Shield. The U.S. authorities have taken measures to implement the Commission’s recommendations from last year and several aspects of the functioning of the framework have improved. Some of these measures have been recently adopted and further developments need to be monitored.

The Report highlights the following concerns:

  • New tools to ensure compliance with the Privacy Shield principles and to identify false claims of participation in the Privacy Shield framework: On the basis of last year’s recommendation, the Department of Commerce (“Department”) implemented new tools to proactively monitor certified companies’ compliance with the Privacy Shield Principles and to detect potential compliance issues. The Department also has proactively searched for false claims of participation in the Privacy Shield framework. To date, 56 companies have been referred to the Federal Trade Commission for issues of non-compliance with the Privacy Shield Principles or false claims of participation. The third review of the EU-U.S. Privacy Shield will assess the effectiveness of these methods.
  • Privacy Shield enforcement measures: The FTC has committed to proactive monitoring of the certified companies’ compliance with the Privacy Shield principles. Accordingly, the FTC has issued administrative subpoenas to request information from a number of Privacy Shield participants. The Commission concluded that developments in this area should be closely monitored.
  • Cooperation between authorities: The Department of Commerce and the European Data Protection Authorities have cooperated to develop guidance on Privacy Shield principles. The Commission welcomes and encourages this cooperation, including, when appropriate, the participation of the Federal Trade Commission, as clarification of various concepts is still needed. (The notion of Human Resources data, for example, is understood differently by different authorities.)
  • The appointment of a Privacy Shield ombudsman on a permanent basis: Despite last year’s recommendation, a permanent Privacy Shield ombudsman has yet to be appointed. The Commission reiterates its call and expects that the U.S. government will fill the position by February 28, 2019. If this is not done, the Commission will adopt the necessary measures in accordance with the GDPR.
  • Effectiveness of how the ombudsman deals with complaints: The ombudsman has not yet received any requests. The Commission intends to monitor how complaints will be handled and resolved.

The Commission’s Next Steps

The Commission will monitor the developments and expects to receive information with regard to the concerns noted above in order to verify the effectiveness of the measures adopted. The Commission also intends to follow the ongoing developments in the U.S. legal framework. In this respect, the Commission encourages the U.S. to adopt a comprehensive legal framework with regard to privacy and data protection and to ratify the Council of Europe’s Convention 108.

A detailed analysis of each aspect of the Privacy Shield framework reviewed after this second year can be found in the Commission Staff Working Document from the Commission to the European Parliament and the Council On The Second Annual Review Of The Functioning Of The EU-U.S. Privacy Shield.
