The EU Commission noted that while the Privacy Shield “continues to ensure an adequate level of protection for the personal data transferred from the EU to participating companies in the U.S.”, only around 2,400 companies (of tens of thousands doing business in the EU) have now been certified by the U.S. Department of Commerce.
To improve the Privacy Shield, a number of concrete changes need to take place:
- More proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce. The U.S. Department of Commerce should also conduct regular searches for companies making false claims about their participation in the Privacy Shield.
- More awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield, notably on how to lodge complaints.
- Closer cooperation between privacy enforcers, i.e. the U.S. Department of Commerce, the Federal Trade Commission, and the EU Data Protection Authorities (DPAs), notably to develop guidance for companies and enforcers.
- Enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the ongoing debate in the U.S. on the reauthorisation and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA).
- Appointing a permanent Privacy Shield Ombudsperson as soon as possible, as well as ensuring the empty posts on the Privacy and Civil Liberties Oversight Board (PCLOB) are filled.