Yesterday the European Commission published the third annual review on the functioning of the EU-U.S. Privacy Shield, as a result of the ongoing dialogue between both administrations and high-level meetings held in Washington D.C. on 12-13 September 2019. Although the report is generally positive about the implementation of the Privacy Shield in the U.S., it points out several issues that remain troublesome for the EU authorities.
First, the Commission is not convinced by the long period granted to companies for completing the re-certification process in the U.S. According to the Commission, a 30-day period should be enough for companies to complete re-certification, which would avoid the current long periods during which re-certification is uncertain.
Second, the Commission invites the U.S. Department of Commerce to develop tools for detecting false claims of participation in the Privacy Shield and use these tools in a regular and systematic manner. Searches have so far only been aimed at companies that had in some way already been certified or applied for certification under the Privacy Shield (but, for example, were not re-certified). The Commission wants the U.S. Department of Commerce to also target companies that have never applied for certification under the Privacy Shield.
Third, on the sensitive point of access and use of personal data by U.S. public authorities, the Commission’s report confirms that all the limitations and safeguards that the Privacy Shield relies on remain in place. The report goes into detail in explaining the functioning of the Ombudsman mechanism and how it would remedy violations by public authorities when accessing personal data of EU citizens. According to the report, the independent Inspector General of the Intelligence Community would be systematically informed of any complaint submitted to the Ombudsperson, and would carry out his own assessment. In addition, if a complaint before the Ombudsperson revealed a violation of the targeting procedures under section 702 of the Foreign Intelligence Surveillance Act, such a violation would be reported to the Foreign Intelligence Surveillance Court, which would carry out an independent review and, if necessary, order the relevant intelligence agency to take remedial action. This remedy may range from individual to structural measures, e.g. from the deletion of unlawfully obtained data to a change in the collection practice, including in terms of guidance and training of staff.
Finally, on the issue of available remedies for individuals, the report confirms that, if a violation of U.S. law (including a violation of Executive Orders, Presidential Policies and agency rules and procedures, such as the targeting and minimisation procedures approved by the Foreign Intelligence Surveillance Court) were identified in the course of the review of a complaint to the Ombudsperson, the unlawfully collected data would be purged from all government databases and any reference to that data would be removed from intelligence reports. Therefore, according to the report, the U.S. authorities confirm that an individual in the EU would be able to obtain the deletion of his or her personal data if it was unlawfully collected and processed by the U.S. Intelligence Community.
Despite the overall positive tone of the report, the Commission enumerates the areas in which it will closely monitor any upcoming developments for the purpose of the fourth annual review of 2020. The main prospective points highlighted by the Commission are the following: (i) the functioning of the Ombudsperson mechanism, in particular in case of a new complaint; (ii) the outcome of the ongoing oversight projects that have been initiated by the Privacy and Civil Liberties Oversight Board and that are particularly relevant for the Privacy Shield; (iii) the reauthorisation of Section 501 of the Foreign Intelligence Surveillance Act, in particular that the existing safeguards remain in place; and (iv) the evolving U.S. case law on judicial redress in the area of government surveillance, in particular with respect to the issue of standing before the courts.
Further information on the third annual review, including the final report and the Staff Working Document, is available here.