The European Commission on 18 October 2017 published its first annual report on the functioning of the EU-U.S. Privacy Shield, the aim of which is to protect the personal data of EU citizens when that data is transferred to the United States for commercial purposes.

The Privacy Shield includes obligations for U.S. companies receiving personal data from the EU, as well as obligations for the U.S. government if it subsequently requests access to this personal data for national security or law enforcement reasons. The arrangement also gives EU individuals the right to lodge a complaint if they think that their personal data is not being properly protected.

To prepare for the first annual review, the Commission gathered information and feedback on the implementation and functioning of the Privacy Shield framework from all relevant stakeholders, including from Privacy Shield-certified companies through their respective trade associations, and from non-governmental organisations (NGOs) active in the field of digital rights and privacy. The Commission also obtained information from the U.S. authorities involved in the implementation of the framework.

As part of its annual review, the Commission made several recommendations to U.S. authorities. In the commercial area, for example, the Commission recommended that:

Companies should not be allowed to publicly announce that they are Privacy Shield-certified until the U.S. Department of Commerce has finalised the certification;

The U.S. Department of Commerce conducts regular searches for companies falsely claiming participation in the Privacy Shield;

The U.S. Department of Commerce conducts compliance checks on a regular basis;

That the Department of Commerce and the Data Protection Authorities work together to develop guidance on the legal interpretation of certain concepts in the Privacy Shield (e.g. regarding the principle of accountability for onward transfers and the definition of human resources data); and

The Department of Commerce and the EU data protection authorities strengthen their awareness raising efforts (e.g. to inform individuals about how to exercise their rights under the Privacy Shield).

Concerning national security matters, the Commission said it would welcome if U.S. Congress would consider favourably enshrining in the Foreign Intelligence Surveillance Act the protections for non-Americans offered by Presidential Policy Directive 28 (PPD-28). It also called on the U.S. administration to swiftly appoint a permanent Privacy Shield Ombudsperson, as well as the missing members of the Privacy and Civil Liberties Oversight Board (PCLOB). Lastly, the Commission called for the public release of the PCLOB’s report on the implementation of PPD-28.

In both the commercial and national security areas, the Commission also called on U.S. authorities to proactively fulfil their commitment to provide timely and comprehensive information about any development that could raise questions about the functioning of the Privacy Shield.

Relevant U.S. legal rules

PPD-28 and the Foreign Intelligence Surveillance Act (FISA) are elements of the U.S. legal system that are particularly relevant in the context of the Privacy Shield.

PPD-28 contains limitations and safeguards for the collection and use of personal data by U.S. public authorities for national security purposes. It was issued in 2014 by former U.S. President Obama and has been specifically designed to also protect the privacy of non-Americans.

Among others, PPD-28 stipulates that U.S. surveillance activities must include appropriate safeguards for the personal information of all individuals, regardless of their nationality or where they might reside. It also provides that such activities must always be as tailored and as targeted as feasible. During the annual review, U.S. authorities expressly confirmed that the current U.S. Administration is not making any change to PPD-28.

Section 702 FISA authorises the acquisition of foreign intelligence information through the targeting of non-U.S. persons located outside the United States, with the compelled assistance of U.S. electronic communication service providers. At the same time, Section 702 FISA imposes several conditions and limitations aimed at ensuring targeted collection.

Access requests

Several Privacy Shield-certified companies publish transparency reports, which show (in bands of 500) the number of requests for disclosure of communications content a company has received during a given reporting period. Microsoft, for example, received up to 499 requests under FISA, which impacted between 12,000 and 12,499 user accounts, the Commission noted.

In the same period, Facebook received between 500 and 999 requests for access to content under FISA, affecting between 13,000 and 13,499 user accounts, while Google received between 500 and 999 such requests, affecting between 25,000 and 25,499 accounts.

The Commission stated that these figures illustrate that, as a percentage of total user accounts—for example, Facebook has two billion active accounts—the number of accounts affected by requests for government access to personal data remains limited.