The European Commission's (EC) third review of Privacy Shield – the legal fig leaf through which EU citizens' data can be sent to US companies for storage and processing – has found some improvements since last year, but still deems the whole agreement resoundingly "adequate".
Things looking a bit brighter this time include the US Department of State's improved inspections of participating companies, with monthly checks now conducted to ensure compliance.
This past year has also seen the Federal Trade Commission, which oversees data protection in the US, take action in seven cases where standards were not being met. The European Commission also noted that EU citizens are becoming more aware of their rights under the legislation and several have used redress mechanisms successfully.
The last two posts on the oversight board have been filled, meaning it now has a full complement of members for the first time since it started sitting in 2016.
But the commission still sees plenty more room for improvement, such as speeding up the process of certification and re-certification to a maximum of 30 days. It also suggests more compliance checks, including for companies falsely claiming to be part of the scheme.
The EC called on the FTC to keep the commission and European data protection bodies better informed of ongoing investigations.
The commission also noted that there is ongoing litigation in Europe to test EU-US data transfers – notably Max Schrems' case, which was last in court in July. Once a verdict is released, the commission will examine it for possible implications on the Privacy Shield arrangements.
Baby-faced Schrems was also responsible for the legal action that ditched the Safe Harbour Agreement in the first place back in 2015.
The commission is also keeping an eye on possible reforms to state and federal data protection arrangements in the US, which could potentially strengthen Privacy Shield by further converging the two legal systems and data protection frameworks. ®