The European Commission has published its Report and Staff Working Document on the second annual review of the Privacy Shield. The Report concludes that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to the 3850 participating companies in the U.S. It notes that the steps taken by the U.S. authorities to implement the recommendations made by the Commission in last year have improved the functioning of the framework.

However, the Commission expects the US authorities to nominate a permanent Ombudsperson by 28 February 2019 to replace the one that is currently acting. The Ombudsperson is an important mechanism that ensures complaints concerning access to personal data by U.S. authorities are addressed. If the Ombudsperson is not appointed by that date, the Commission will consider taking appropriate measures, in accordance with the GDPR.


Improvements reported to have been made over the past year include the strengthening by the US Department of Commerce of the certification process and of its proactive oversight over the framework. The Department has set up new mechanisms to detect compliance issues, such as random spot checks, and carried out an analysis of Privacy Shield participants’ websites to ensure that links to privacy policies are correct. The US Federal Trade Commission has also been taking a more proactive approach to enforcement, including by issuing subpoenas to request information from Privacy Shield participants.

New members of the Privacy and Civil Liberties Oversight Board have been appointed which restores the Board’s full quorum. In addition, the Presidential Policy-Directive No. 28, which provides privacy protections for non-Americans, has been implemented across the US intelligence community. The Department of Commerce has also launched a consultation on a federal approach to data privacy.

The Commission notes concerns among NGOs about the adoption of the US CLOUD Act in March 2018, which requires US service providers to comply with US orders to disclose content and other data, regardless of where such data is stored. The Act also establishes a framework for the conclusion of executive agreements with foreign governments, on the basis of which US service providers would be allowed to disclose content data directly to law enforcement authorities of those third countries in investigation of serious crime, subject to civil liberties and privacy safeguards. The Commission states that it will closely monitor whether any executive agreements under the CLOUD Act are being concluded, and carefully assess their impact on the Privacy Shield.

The Commission also highlights two important developments in regard to access to personal data for law enforcement purposes, which have strengthened the protections of individuals. Firstly, in the case of Carpenter v United States (2018), the US Supreme Court held that a search warrant is in principle required for law enforcement authorities to access cell site location records. Secondly, the Deputy Attorney General issued a memorandum on a more restrictive policy on applications for non-disclosure orders under the US Stored Communications Act (SCA). The SCA permits US law enforcement authorities to obtain records (on the basis of a warrant, subpoena or court order) relating to customers or subscribers of providers of electronic communications services or remote computing services for both content and non-content data. Providers are able to voluntarily notify a customer or subscriber whose information is sought by law enforcement authorities, except when such authorities obtain a non-disclosure order prohibiting voluntary notification. The memorandum requires prosecutors to make a detailed determination regarding the need for a non-disclosure order and puts a ceiling on how long a notification can be withheld. The Commission states that the new policy contributes to stronger protections where law enforcement authorities seek to obtain access to personal data transferred under the Shield.

The Report will now be sent to the European Parliament, the Council, the European Data Protection Board and to the US authorities.