
The end of 2018 saw heightened activity surrounding the EU-U.S. Privacy Shield Framework. This blog post provides a news roundup on the following developments:

• The European Commission’s (the “Commission”) December 19th report (the “Report”) summarizing the second annual joint review that was held in October 2018.

• The Report’s February 28, 2019 deadline for the U.S. to identify a nominee to permanently fill the Ombudsperson position required by the EU-U.S. Privacy Shield Framework.

• The UK Information Commissioner’s Office’s guidance providing deadlines for Privacy Shield-certified companies to update their privacy policies depending on whether the UK ends up with a Deal or a No-Deal Brexit.

As we previously reported, senior officials from the United States government, the Commission, and European Data Protection Authorities met in Brussels in October 2018 for the second annual joint review of the EU-U.S. Privacy Shield Framework. Although the outcome was generally positive for the future of the Framework, a couple of key points of concern remain.

Further to the October 19th joint statement issued by European Commissioner for Justice, Consumers and Gender Equality Věra Jourová and U.S. Secretary of Commerce Wilbur Ross, on December 19, 2018, the Commission published the Report (and accompanying Staff Working Document) summarizing the joint review. Concluding that the Privacy Shield “continues to ensure an adequate level of protection” for personal data transferred from the EU to the U.S., a central element of the Report is an assessment of how recommendations from the first annual review have been implemented. The Report found that the U.S. has indeed put in place many of the recommendations; for example, the Department of Commerce has strengthened both the certification process and its proactive oversight. In addition, the Report noted that the Department of Commerce has established procedures to analyze Privacy Shield participants’ websites and set up a system to identify false compliance claims. Currently, more than 3,500 companies are self-certified to the Privacy Shield, and it was reported that the Department of Commerce received around 1,000 certification applications leading up to the May 25, 2018 effective date for the EU’s General Data Protection Regulation.

With respect to national security, the Commission praised the U.S. for appointing three individuals to fill vacancies on the Privacy and Civil Liberties Oversight Board (PCLOB), which is an independent U.S. government agency that oversees certain data protection concerns. Just days before the second annual review, nominations of Ed Felten, Jane Nitze, and Adam Klein (appointed as chairman) were approved by the U.S. Senate. Concern over the PCLOB vacancies was expressed in both the first annual report and the European Parliament’s July 2018 non-binding resolution calling for the Shield’s suspension, and voiced in January 2018 by Commissioner Jourová’s head of cabinet, Renate Nikolay, who stated that it is “unfortunate that some of [the PCLOB] nominations are still not done,” and expressed displeasure that “this U.S. administration that has been in power now for over a year [has not filled] these important positions because they are one of the key important novelties of this regime of the Privacy Shield.” These appointments fill two of the three vacancies on the five-member board, which is crucial because a three-member quorum is required for any formal action to be taken. The prior chairman of the PCLOB resigned in 2016, which effectively rendered the board inoperative.

The Commission’s Report also highlighted several aspects of the Privacy Shield that “need to be closely monitored . . . as they affect elements that are essential for the continuity of the adequacy finding.” These include continued review of the effectiveness of mechanisms and tools for the Department of Commerce to monitor compliance with the Privacy Shield and the appointment of a permanent Privacy Shield Ombudsperson. Just weeks before the second annual review, on September 28, 2018, Acting Under Secretary of State for Economic Growth, Energy, and the Environment Manisha Singh was appointed Privacy Shield Ombudsperson, a position “dedicated to facilitating the processing of requests from EU and Swiss individuals relating to national security access to data transmitted from the European Union or Switzerland to the United States.” This appointment was particularly important because the report released October 18, 2017, following the first annual joint review, recommended that the United States “appoint as soon as possible a permanent Privacy Shield Ombudsperson.”

Notably, the Report states that the Commission “expects the U.S. government to identify a nominee to fill the Ombudsperson position on a permanent basis” by February 28, 2019. The Commission’s press release further emphasizes that the Ombudsperson is “an important mechanism that ensures complaints concerning access to personal data by U.S. authorities are addressed,” and Commissioner Jourová stated that her “patience is coming to an end” after almost two years of discussions.

Also under discussion for years has been the UK’s forthcoming exit from the European Union. While many details remain unknown, the UK Information Commissioner’s Office (ICO) has offered some clarity relating to the treatment of UK personal data. In particular, the ICO issued guidance on the applicability of the Privacy Shield to transfers of personal data from the UK to the U.S. The guidance makes clear that the UK government intends the Privacy Shield to apply to companies receiving personal data from the UK.

U.S. companies importing UK personal data under the Privacy Shield Framework will need to update their privacy policies to expressly state that their Privacy Shield commitments apply to transfers of personal data from the UK. The deadline for a company to update its privacy policy depends on whether the UK and the EU reach a final agreement for the UK to leave the EU. If a final agreement (Deal) is made, no special mention of the UK in a privacy policy will be required until December 31, 2020. If no final agreement is made (No Deal), companies will need to update their privacy policies by December 31, 2019.

Further to the ICO’s guidance, the U.S. Department of Commerce added a Brexit-related page to its Privacy Shield FAQs. The updated FAQs echo the ICO’s statements that Shield-certified companies will need to publicly affirm in their privacy policies (both public-facing and internal (HR)) that their commitment to the Privacy Shield extends to personal data received from the UK, and highlight the same timelines discussed above as dependent on whether the UK ends up with a Deal or a No-Deal Brexit.

The guidance from both sides of the pond makes clear that Privacy Shield-certified companies that have employees or otherwise do business in the UK should pay close attention to Brexit developments and update their privacy policies according to the advice and subject to the timelines provided.