The US has been told once again to appoint a permanent ombudsperson to oversee the deal governing transatlantic data flows, but this time has been given a deadline.
The European Commission's second annual review of the Privacy Shield agreement, published today, made similar noises to last year's, concluding the deal does the trick but could be better.
It said the US ensures an adequate level of protection for personal data transferred under the deal, and has made some improvements, but progress is slow and there is more work to do.
The Privacy Shield agreement was rushed through in the summer of 2016 after its predecessor Safe Harbor was scrapped, and although widely thought to be better, privacy bods still derive pleasure from poking holes in it.
The commission, though, is in a tough spot: ditching Privacy Shield would damage businesses on both sides of the pond and mean starting negotiations all over again, which makes plugging away at the existing agreement more palatable.
The result is that the review has to strike a broadly positive tone, while making nudges it hopes the US will take notice of – although many of the recommendations in the 2017 review were only implemented in the back end of this year.
The delays have frustrated data protection experts and raised questions about how seriously the US is taking the terms of the agreement.
This argument is exemplified by the fact the main issue identified in this year's review is the same as last year: the lack of a permanent ombudsperson (the current role-holder is only acting).
In 2017's review, the commission didn't set a deadline; this time it said an appointee must be identified by 28 February 2019. If it hasn't happened by then, the commission will "consider taking appropriate measures". Stern words.
However, the ombudsperson has yet to receive any requests – something the commission has acknowledged, though it revealed a complaint has been submitted to the Croatian data protection agency and is currently under review.
Beyond the ombudsperson, the review praised the US for the improvements based on previous recommendations, despite the fact these will need further evaluation as they have only been implemented recently.
The improvements include that the US Department of Commerce has "strengthened" the certification process, introduced new oversight procedures and is trying to spot dodgy claims proactively.
This includes requiring that first-time applicants don't publicise their certification until the review is finalised, and random spot checks on companies to detect possible compliance issues.
The US government is also praised for "actively using a variety of tools" to seek out companies that are falsely claiming to be certified, such as online text and image searches.
The government is also carrying out a quarterly review of companies identified as more likely to make such claims, which has led to 50 cases being referred to the Federal Trade Commission.
However, the FTC has only recently begun to proactively monitor compliance, and the commission said it "regrets that at this stage it was not possible to provide further information on its recent investigations".
Issues around legislative changes in the US and developments on surveillance activities also received a broad thumbs-up.
The commission had asked that the Presidential Policy Directive 28 – which states surveillance activities need to safeguard personal information regardless of where the person resides – be incorporated into section 702 of the Foreign Intelligence Surveillance Act when it was reauthorised earlier this year.
This didn't happen, but the commission's positive spin was that at least the reauthorised Act didn't restrict any safeguards that were in place when Privacy Shield was adopted.
It also noted that the directive had been confirmed as being in place across US spy activities by the Privacy and Civil Liberties Oversight Board, which now has enough members to function.
The commission emphasised that recent efforts to implement previous recommendations would need to be "closely monitored" since they relate to elements "that are essential for the continuity of the adequacy finding".
These are: the effectiveness of the handling and resolution of complaints by the ombudsperson; the effectiveness of tools used to detect false claims of participation; the progress of FTC investigations to detect violations of the deal; the effectiveness of the ombudsperson in handling complaints; and of course the appointment of a permanent person.
"The EU and the US are facing growing common challenges, when it comes to the protection of personal data," said justice commissioner Věra Jourová.
"The Privacy Shield is also a dialogue that in the long term should contribute to convergence of our systems, based on strong horizontal rights and independent, vigorous enforcement.
"Such convergence would ultimately strengthen the foundation on which the Privacy Shield is based. In the meantime, all elements of the Shield must be working at full speed, including the Ombudsperson." ®