EU Privacy Shield Report Gives U.S. Companies Compliance Insights

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

The European Commission’s first review of the EU-U.S. Privacy Shield data transfer program provides valuable guidance for U.S. companies if they begin facing formal complaints about their transfers of EU personal information to the U.S., privacy professionals told Bloomberg Law.

The commission, the EU’s executive arm, gave the green light to the continuation of the Privacy Shield in an Oct. 18 report. But the absence of complaints to EU privacy regulators leaves U.S. corporate compliance untested when it comes to significant issues, such as the use of algorithms and other computer-automated decision-making, commission staff said in their work report released alongside the commission report.

Some U.S. companies have been contacted by individuals in the EU with questions about what happens to their data transferred to the U.S., but none of these contacts have triggered any of the various Privacy Shield complaint mechanisms, an EU official who asked not to be identified citing official policy told Bloomberg Law. Companies have reassured individuals about the treatment of their data, the official said. The official declined to provide details number of individual queries or name of companies involved.

But queries could turn into complaints as EU data subjects become more aware of their rights under the Privacy Shield, Brian Hengesbaugh, data protection partner at Baker & McKenzie LLP in Chicago, told Bloomberg Law. In particular, the new EU privacy regime—the General Data Protection Regulation (GDPR)—may heighten privacy awareness when it takes effect in May 2018, Hengesbaugh, a former special counsel to the U.S. Department of Commerce, which overseas the Privacy Shield in the U.S., said.

The Privacy Shield replaced the U.S.-EU Safe Harbor program, which the EU’s top court invalidated in 2015, in part over concerns about how EU citizens could enforce their privacy rights in the U.S. McKesson Corp., Oracle America Inc., Eli Lilly Co., and more than 2,500 other U.S. companies rely on the program to send data from the EU to the U.S.

The commission’s report “works as guidance for companies to verify their processes and procedures as part of their Privacy Shield compliance program,” Jorg Hladjk, European data protection of counsel at Jones Day in Brussels, told Bloomberg Law.

Automated Decisions

Automated decision making employed in the processing of personal data—such as the use of artificial intelligence, algorithms or other mechanisms to make decisions on how to categorize, share, or evaluate data—gets special attention under EU law and is referenced in the Privacy Shield report.

Under the forthcoming GDPR, individuals will have the right to object to decisions taken about them based solely on automated decision-making, such as a decision not to grant a potential buyer a loan if that decision is taken only on the basis of automated credit scoring.

The GDPR requires that companies that control the collection and use of personal data provide “a simple way” for individuals to exercise the right to object to automated decision-making and contest the decision, according to recent draft guidance from the Article 29 Working Party of privacy officials from the 28 EU countries. “Human intervention is a key element” in any review of automated decisions, according to the guidance. The Working Party has said it will issue its own review of the Privacy Shield in November.

The focus on automated decision in the Privacy Shield report shows that the commission engaged in a “very granular review” of how U.S. companies are carrying out their privacy obligations when using EU personal data, Hengesbaugh said. Companies should be mindful of what is emphasized in the report as insight into what will likely be heightened future enforcement, he said. The attention of the commission to automated processing may also lead to it at some point proposing changes to the Privacy Shield pact, he said.

In addition to becoming a source of Privacy Shield complaints, automated decision-making law violations under the GDPR could attract a fine of up to 20 million euros ($23.5 million) or 4 percent of the company’s worldwide revenues from EU privacy regulators.

Public Awareness

The low level of Privacy Shield-related queries shows that most EU citizens “don’t even know their data is being processed outside Europe,” Agustin Reyna, senior legal officer with the European Consumer Organization, which represents 42 independent national consumer associations from 31 European countries, told Bloomberg BNA.

EU privacy regulators and commission officials are engaged in a GDPR educational push aimed at companies and individuals that includes details on cross-border data transfers.

Consumers in the EU “really ought to be aware that their data is flowing practically unimpeded across the Atlantic to the U.S.,” Simon Migliano, head of research at London-based, which reviews virtual private networks, told Bloomberg Law.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald G. Aplin at

For More Information

The European Commission's EU-U.S. Privacy Shield report is available at,The commission staff work report s available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security