EU seeks Privacy Shield changes in its first annual review
Proposals include tougher rules around non-compliance and greater cooperation between US and EU authorities

The European Commission has given the green light to the EU-US Privacy Shield agreement following the deal's first annual review, but has urged improvements including a more aggressive approach to tackling non-compliance.
Today's report compiles the findings of a review conducted last month into the effectiveness of the year-old data-sharing agreement, which was designed to guarantee equivalent levels of privacy for EU citizens' personal data when it is transferred to the US, which has weaker privacy laws than the EU's forthcoming General Data Protection Regulation (GDPR).
However, the report found that improvements are needed to ensure the deal functions effectively in the coming years. It calls on the US Department of Commerce to monitor companies' compliance more proactively and regularly, and to be more aggressive in pursuing companies that falsely claim to be signed up to the agreement.
It also recommended closer cooperation between the Department of Commerce, the Federal Trade Commission, and EU data protection authorities, which act as Privacy Shield's main compliance enforcers, including the joint development of official guidance for companies.
Commissioner Věra Jourová said in a press conference today: "Transatlantic data transfers are essential for our economy, but the fundamental right to data protection must be ensured also when personal data leaves the EU. Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation.
"The Privacy Shield is not a document lying in a drawer," added Jourová. "It's a living arrangement that both the EU and US must actively monitor to ensure we keep guard over our high data protection standards."
Privacy Shield was first launched in August 2016 after the previous data sharing agreement, Safe Harbour, was struck down by the European Court of Justice in 2015. In light of the Edward Snowden revelations of widespread US surveillance, the previous agreement was deemed inadequate at protecting the data of EU citizens.
The new rules aim to enshrine legal rights for EU citizens in the event that their personal data is transferred to a US company, such as a US branch of a social media company collecting profile data, although Jourová acknowledged that more needs to be done to raise awareness of the rights citizens are afforded.
Since its launch, more than 2,400 companies have been certified compliant under Privacy Shield obligations. New elements have also been added over the year, including new tools that allow for greater cooperation between law enforcement agencies on both sides of the Atlantic, as well as the creation of an online platform that is able to handle complaints from the EU.
Today's report has also called for Congress to enshrine the protections offered by former president Obama's Presidential Policy Directive 28 (PPD-28) into the Foreign Intelligence Surveillance Act (FISA), an act which forms the main legal basis for US authorities seeking to access personal data of non-US citizens.
These would limit the scope of FISA, including a clause that limits US surveillance of non-Americans by ensuring it is as tailored and targeted as feasibly possible. The EU is currently working with lobby groups to push this proposal through Congress, but Jourová explained a decision is unlikely to be addressed until the end of the year.
The report will be delivered to the European Parliament, the European Council, and the Article 29 Working Party - a collection of EU member states' data protection regulators. A copy will also be sent to authorities in the US, where the recommendations will be considered over the coming months.
Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.