The nomination by the US of a permanent ombudsperson to address complaints raised about US authorities' access to EU citizens' data is a requirement of the EU-US Privacy Shield, an important framework that facilitates the free flow of personal data across the Atlantic for businesses. The Privacy Shield enables US businesses to self-certify to a number of privacy principles and is underpinned by a framework of privacy safeguards and of enforcement.
Despite the lack of a permanent ombudsperson, the European Commission confirmed on Wednesday that the Privacy Shield had passed its second annual review.
The Privacy Shield was found in the review to "ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to participating companies in the US", the Commission said. This level of protection is required for transfers of personal data from the EU under EU data protection law.
The Commission said a number of improvements have been made to the Privacy Shield in the past year, including the strengthening of the certification process for US companies, the introduction of 'spot checks' for verifying companies' compliance with the privacy principles, and additional reviews of their privacy policies.
The Commission said the Federal Trade Commission (FTC) has also "demonstrated a more proactive approach to enforcement", and that the US had appointed new members of the US Privacy and Civil Liberties Oversight Board (PCLOB), which provides oversight of the Privacy Shield regime.
However, the Commission called on the US to act, by 28 February 2019, to appoint a permanent ombudsperson under the Privacy Shield. The US currently has an acting ombudsperson.
"The European Commission expects the US government to identify a nominee to fill the ombudsperson position on a permanent basis by 28 February 2019 at the latest," the Commission said. "If this does not take place by that date, the Commission will consider taking appropriate measures, in accordance with the General Data Protection Regulation."
More than 3,850 companies are certified under the Privacy Shield, which has been operational since August 2016. The Privacy Shield replaced the Safe Harbour scheme, which had helped facilitate EU-US data transfers until that framework was effectively invalidated by the Court of Justice of the EU (CJEU) in 2015.
EU justice commissioner Věra Jourová said: "The Privacy Shield is … a dialogue that in the long term should contribute to convergence of our systems, based on strong horizontal rights and independent, vigorous enforcement. Such convergence would ultimately strengthen the foundation on which the Privacy Shield is based. In the meantime, all elements of the Shield must be working at full speed, including the ombudsperson."