The first annual review of the Privacy Shield agreement that governs transatlantic data flows has come back with a solid, unsurprising mark of "adequate".
The agreement – which rose from the ashes of the Safe Harbour framework that was ruled invalid after being challenged by privacy activist Max Schrems – aims to protect personal data transferred from the EU to US companies.
And, despite various questions over the agreement, not to mention legal challenges, the European Commission has ruled that it provides an "adequate" level of protection for personal data.
The review clearly tries to strike a positive note, offering praise for the US government's efforts to date, no matter how small. For instance, there's a line on the fact it "has established an online platform for the [Privacy Shield] ombudsman". Translation: they made a webpage.
However, justice commissioner Věra Jourová acknowledged that there are a number of areas that need improvement.
These include – as expected – that the US needs to fill the vacant posts on the Privacy and Civil Liberties Oversight Board, and appoint a permanent ombudsman (currently there is only an acting one). Jourová said this should happen "as soon as possible" but that the Commission had not set a "concrete deadline".
There have also been concerns about the impact of Donald Trump's executive orders on immigration, and the administration's feeling towards security and privacy.
Addressing these concerns, the Commission said that US authorities "expressly confirmed that the current US administration is not making any change" to the Presidential Policy Directive 28, which says surveillance activities need to safeguard personal information regardless of where the person resides.
However, at a press briefing Jourová said it would be better if this directive was signed into US law, adding that the Commission was lobbying for it to be included in the Foreign Intelligence Surveillance Act, which will expire at the end of the year.
"To have it in the Act would give much stronger protection and a much more sustainable solution," she said. "We are lobbying for improvements, but we have to wait until the end of the year."
Elsewhere in the review, the Commission calls on the US Department of Commerce to increase its oversight of the framework, which allows companies to self-certify (2,400 have done so to date – more than in Safe Harbour's first 10 years).
The Commission said the DoC should carry out more "proactive and regular monitoring" of companies' compliance with the framework, as well as search for firms making false claims about their participation in the scheme.
It also called for closer cooperation between US and EU enforcers, and work to increase awareness of the agreement within the EU, so individuals knew how lodge complaints.
Jourová said that "so far there have been practically no complaints", but this might mean people lack information on how to raise one.
When asked later how a recent ruling from the High Court in Dublin that has referred transatlantic data transfers back to the European Court of Justice might affect Privacy Shield, Jourová said that she was "confident" the agreement "will withstand such court scrutiny".
Meanwhile, the Article 29 Working Party – made up of the EU's data protection authorities, and a vocal critic of the agreement when it was first drafted – has said that its own analysis of the framework and the review will be published in November. ®