The European Commission expects the U.S. Department of Commerce (DoC) to request from companies evidence of the privacy provisions of the relevant contracts with third parties to assess compliance with the onward transfer principle.
Additional commercial takeaways from the EC’s third annual report on EU-U.S. Privacy Shield include:
- The “grace period” for companies that missed their re-certification deadline should be no more than 30 days.
- Searching for false claims on a quarterly basis is commendable. However, these searches should include companies that have not applied for certification.
- An increasing number of EU data subjects are making use of their rights under the Privacy Shield, and the relevant redress mechanisms function well.
- Since last year, the Federal Trade Commission (FTC) has concluded seven enforcement actions, but the EC expects a more vigorous approach.
- The FTC should find ways to share meaningful information on ongoing investigations with the EC and EU Data Protection Authorities (DPAs).
- The EC, DoC and FTC should develop common guidance on the definition and treatment of human resources data in the coming months.