Regulators Demand Stronger EU-U.S. Data Transfer Program Privacy

From Bloomberg Law: Privacy & Data Security

December 5, 2017

By Stephen Gardner

The EU-U.S. Privacy Shield data transfer program may face legal action by European Union regulators if the European Commission doesn’t work with U.S. officials to tighten the program’s privacy safeguards, a group of EU privacy officials announced today.

The Article 29 Working Party of EU privacy regulators from the 28 EU countries issued a report on the first annual review of the program and gave the commission, the EU’s executive arm, until the May 25 effective date of the EU’s new privacy regime to improve the Privacy Shield program. If the shortcomings aren’t addressed, the group said it would “take appropriate action, including bringing the Privacy Shield adequacy decision to national courts.”

The national courts could be asked to refer the Privacy Shield privacy adequacy issue to the EU Court of Justice, which invalidated the Privacy Shield’s predecessor, the U.S.-EU Safe Harbor data transfer plan, in October 2015.

Some EU officials and lawmakers have expressed continuing concerns that the program doesn’t adequately protect EU citizen data from U.S. government surveillance after the information is sent to U.S. companies.

Although the Privacy Shield represents “progress” compared to the Safe Harbor, the working party said it still has “significant concerns” about the framework, in particular its oversight arrangements in relation to U.S. government access for national security purposes for personal data of EU citizens transferred to the U.S.

“This is a very strong statement by the data protection authorities,” Jorg Hladjk, of counsel with Jones Day in Brussels, told Bloomberg Law. “It shows they won’t let this go easily.”

The Privacy Shield program is relied on by over 2,500 U.S. companies, including Raytheon Corp. and Oracle America Inc., that self-certify to the U.S. Commerce Department that they will abide by EU-approved privacy principles. Tens of thousands of EU companies rely on the program to send personal data of EU citizens to those U.S. companies. Eliminating the program would make it more difficult for U.S. companies to easily transfer personal data from the EU.

The report included a series of critiques and recommendations for how the Privacy Shield program should be strengthened before the EU General Data Protection Regulation takes effect, including:

The European Commission’s first review of Privacy Shield, which was published in October, found that the framework was largely in compliance with privacy requirements but could be improved. The commission report said the program hasn’t been tested in how it resolves complaints.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald Aplin at

For More Information

The Privacy Shield report is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.