The European Data Protection Board's Second Report On The EU-U.S. Privacy Shield

Author:Dr. Martin Braun, Frédéric Louis, D. Reed Freeman, Jr. and Itsiq Benizri

The European Data protection Board ("EDPB"), which is composed of representatives of the national data protection authorities, and the European Data Protection Supervisor, adopted its report on the second annual review of the EU-U.S. Privacy Shield on January 22, 2019. This article provides an overview of the main progress and concerns registered by the EDPB both on the commercial aspects of the Privacy Shield and access by U.S. public authorities to personal data transferred from the EU to the U.S.


In July 2016, the so-called "Privacy Shield" decision by the European Commission ("EC") replaced the EC's 2000 "Safe Harbor" decision, which had been struck down by the Court of Justice of the EU because of concerns relating to national security agencies' processing operations following Edward Snowden's allegations. The EU and the U.S. committed to jointly review the Privacy Shield to assess, on an annual basis, its continued adequacy for the protection of personal data. If the EC considers that the Privacy Shield does not continue to provide such adequacy, it may suspend or even repeal the decision. The EC issued its report on the second annual review of the Privacy Shield on December 19, 2018. The EC's report concludes that the Privacy Shield still ensures an adequate level of protection of personal data, highlighting several improvements and raising less concerns than the EDPB. The EDPB's report follows the second joint annual review and complements the EC's report.

EDPB Views regarding Commercial Aspects of the Privacy Shield: Work in Progress

Progress. The EDPB's report highlights three main areas of progress on the commercial aspects of the Privacy Shield, noting that U.S. authorities took into account many of its findings made in the context of the EDPB's first annual review.

  1. Improved Certification Process. The DoC has adapted the certification process to avoid inconsistencies between the Privacy Shield List and the representations made by organizations regarding their participation in this program. The DoC now prohibits a first-time applicant from making public representations and premature references about its participation until the DoC approves its certification. The DoC has not finalized 100 first-time certifications and 30 re-certifications because the formal requirements set out by the Privacy Shield were not fulfilled. The report notes that there is still room for improvement, though, as there are instances where the due date for renewal shown on the Privacy Shield List has already passed, while the organization is still listed as an active participant.

  2. Increased Oversight and Enforcement. The DoC and the U.S. Federal Trade Commission...

To continue reading