EU Regulators Set Data Transfers to U.S. Complaint Plan

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

European Union privacy regulators have issued EU-U.S. Privacy Shield data transfer framework complaint forms and process rules for individuals who are unable to resolve personal data use issues with companies.

Under the Privacy Shield, an informal panel of EU privacy regulators would be able to step in if individuals are unable to resolve privacy complaints directly with Privacy Shield-certified organizations that have transferred their personal data to the U.S. The informal panel would be able to act in cases involving the personal data of employees, or where Privacy Shield-certified organizations have agreed to submit to oversight by EU regulators.

“U.S. organizations have to respond to inquiries and comply with the advice given by the panel,” Carlo Piltz, a data protection lawyer with Reuschlaw Legal Consultants in Berlin, told Bloomberg BNA Feb. 21.

Peter Van Dyck, an information technology and data protection senior associate with Allen & Overy LLP in Brussels, told Bloomberg BNA Feb. 21 that the documents give clear instructions for making complaints and are “certainly to be welcomed.”

The publication of the documents shows that EU privacy regulators “are serious about acting” on Privacy Shield complaints. Despite some criticism of the Privacy Shield voiced by the Article 29 Working Party of data protection officials from the 28 EU countries, their issuance of the complaint process rules and forms shows that the regulators “haven’t written off the Privacy Shield,” Van Dyck said.

Referral to U.S. Authorities

The informal panel may refer unresolved cases to the U.S. Federal Trade Commission for enforcement action. Alternatively, the panel might inform the U.S. Department of Commerce, which could rescind the Privacy Shield certification of noncompliant organizations.

The Privacy Shield allows U.S. companies that self-certify with the Commerce Department their compliance with EU-approved privacy and security principles to legally transfer personal data from the EU to the U.S. The Privacy Shield is relied upon by over 1,000 U.S. companies, including Alphabet Inc.'s Google, Microsoft Corp. and Facebook Inc., as well as thousands more EU companies that send data to those U.S. companies.

The Privacy Shield arrangement is backed up by an amended U.S. Privacy Act that allows EU citizens to seek to file a court action in the U.S. over allegations of government misuse of personal data sent to the U.S. under the Shield program. EU citizens may also file complaints with an ombudsman established in the U.S. State Department. EU privacy regulators and other officials are seeking assurances from President Donald Trump of the continuing commitment of the U.S. to the Privacy Shield.

Lead Regulator

The regulators said that the informal panel would consist of a lead regulatory office, which would be the agency that received a complaint from an EU citizen against a Privacy Shield certified organization. In most instances, the lead regulator would be assisted by two “co-reviewer” regulatory offices chosen by the lead regulatory office.

In selecting the co-reviewers, the lead regulator would take into account “in whose jurisdiction the EU headquarter or significant subsidiaries of the U.S. company’s group are situated, if any,” the rules of procedure said.

The complaint form published with the rules of procedure is an optional form that EU individuals could use to submit Privacy Shield complaints to their EU country’s privacy regulator.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald G. Aplin at

For More Information

Full text of the Privacy Shield complaints form is available at

Full text of the Privacy Shield complaints rules of procedure is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security