The Privacy Shield – a mechanism by which U.S. companies can legally transfer data to the European Union, continues to draw the attention of regulators and policymakers. On December 19, 2018, the European Commission (the Commission) announced the publication of its report on the second annual review of the EU-U.S. Privacy Shield. The report offers companies insight into what aspects of the Privacy Shield officials find most important and what steps are planned to strengthen enforcement and oversee compliance.


The EU-U.S. Privacy Shield is a framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. Companies must self-certify that they meet the requirements of the Privacy Shield and that they transfer data in accordance with requirements. The Privacy Shield provides for annual joint review by the EU and the U.S. to monitor its effectiveness.

Report Findings

Overall, the report finds that the U.S. continues to ensure an adequate level of protection for personal data transferred from the EU to U.S. companies under the Privacy Shield. It notes that U.S. authorities have taken steps to respond to the Commission’s recommendations from last year’s review.

  • New measures to ensure compliance – In response to Commission recommendations, the Department of Commerce implemented new tools to monitor whether companies’ certified to Privacy Shield compliance are in fact meeting requirements. The Department also identified false claims of participation in the Privacy Shield framework. To date, 56 companies were referred to the Federal Trade Commission (FTC) for non-compliance with the Privacy Shield principles or false claims of participation. The next annual review of the Privacy Shield will evaluate the effectiveness of these monitoring measures.
  • Enforcement measures – The FTC has committed to monitoring certified companies’ compliance with Privacy Shield requirements and has issued subpoenas to a number of Privacy Shield participants. The Commission report concluded that developments in this area should be closely monitored.
  • Cooperation between authorities –The Department of Commerce and the European data protection authorities have cooperated to develop guidance on Privacy Shield principles.
  • Appointment of a permanent Privacy Shield ombudsman – The Commission reiterates its call for a Privacy Shield ombudsman and expects that the U.S. government will fill the position by February 28, 2019.
  • Effectiveness of how the ombudsman deals with complaints – The Commission plans to monitor how the ombudsman manages and resolves complaints.

Commission’s Next Steps

The Commission will monitor how the concerns noted here are addressed. It will also watch developments in the U.S. legal framework. In this respect, the Commission encourages U.S. enactment of a comprehensive legal privacy and data protection framework.

Achieved Compliance – helping you navigate the complex world of data compliance.

Through its software guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.

For more information as to how we can help your organization be GDPR compliant please contact