The European Commission published its second annual review of the Privacy Shield agreement yesterday, largely repeating what it said last year, that the regime is “ok” but could be better. It confirmed that it was happy the US ensures an adequate level of protection for personal data transferred under the arrangement, and has made some improvements, but progress is slow and there is more work to do. As a result, the European authorities have imposed a deadline on the US government to appoint an ombudsman to oversee the implementation of the arrangement and compliance with its provisions.
The EU-US privacy shield mechanism has been facing legal challenges on a number of fronts for some time and the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) were pushing for a suspension as soon as possible after the review if there could not be shown to be any progress on reforms. A series of questions regarding its adequacy have been referred to the CJEU by Ireland’s High Court as a result of a separate privacy challenge to a different EU data transfer mechanism (the EU Model Clauses, sometimes referred to as the Standard Contractual Clauses) also used by a number of organizations to authorize data flows. The EU authorities seem to have given the US a grace period of sorts here, allowing it another chance to appoint the ombudsman (stated as a requirement under the first review in 2017) and indirectly, to strengthen the regime by way of this key official appointment. Nevertheless, the Shield remains under pressure and international businesses are well-minded to be considering alternative means of legitimizing their data flows.