October 27th, 2017

European Commission Reports on the First Year of EU-US Privacy Shield


Sharelines

  • Privacy Shield is a framework for transfer of personal data from the EU to companies in the US for commercial purposes.
  • Privacy Shield is based on a certification system by which US companies commit to adhere to a set of privacy principles.
  • Privacy Shield certification is voluntary, but companies that have been certified must comply with the principles.

The European Commission published its report on the first annual review of the EU-US Privacy Shield last week. The report reflects the commission’s findings on the implementation and enforcement of the EU-US Privacy Shield framework in its first year of operation.

The Privacy Shield is a framework for the transfer of personal data from the EU to companies in the US for commercial purposes. It is based on a certification system by which US companies commit to adhere to a set of privacy principles – the EU-US Privacy Shield framework principles. Certification is voluntary, but companies that have been certified must comply with the principles, as they become enforceable under US law.

The Privacy Shield framework is administered and monitored by the US Department of Commerce and compliance with the principles is enforced by the Federal Trade Commission or the Department of Transportation, depending on which authority has jurisdiction over the Privacy Shield-certified company.

On the whole, the report shows that the Privacy Shield continues to ensure an adequate level of data protection. However, there is room for improvement. The commission has drawn up a list of recommendations for the US authorities on aspects of the shield's functioning that need to be improved.

Among the issues identified in the report is that US companies can make public representations about their Privacy Shield certification while the certification process is not yet completed. “Consequently,” the report noted, “there may be a discrepancy between information that is publicly available, e.g. a company’s privacy policy, and the Department of Commerce’s Privacy Shield list which includes a company only once the certification is finalized. It is important that companies are not allowed to publicly refer to their adherence to the framework before the Department of Commerce has finalized the certification and included the company in the Privacy Shield list.”

US Secretary of Commerce Wilbur Ross welcomed the release of the report.

“We have worked closely with our partners across the EU during the past year as we implemented the Privacy Shield program,” said Ross. “That cooperative approach led to a stronger program and a successful first annual review held in late September. We look forward to continuing to work together with our colleagues on the European Commission and across all of the EU Member States as we continually strive to ensure that the Privacy Shield program serves all stakeholders well.”

The report will be sent to the European Parliament and other EU bodies and to US authorities. The Commission will work with the US authorities on the follow-up of its recommendations in the coming months.

More than 2,500 organizations participate in the Privacy Shield program to transfer personal data from the EU to the United States in compliance with EU data protection laws.