Results from the first EU-U.S. Privacy Shield review: Positive, but there is room for improvement

When we talk to customers and prospects about enterprise software in the cloud – such as Google G Suite – we often encounter reservations about privacy and data security. Do US companies such as Google, Microsoft & Co. really maintain the high standards that are legally binding in Germany and the EU? Attorney Wikey Chada takes a look at the facts.


In my previous blog post titled Google joins the EU-U.S. Privacy Shield, I outlined the background of the EU-U.S. Privacy Shield Agreement (hereinafter referred to as the EU-U.S. Privacy Shield), which entered into force on August 1, 2016. In this post, I’ll take a look at the outcomes from the European Commission’s first annual review of the implementation of the EU-US Privacy Shield.

The title of the the European Commission’s press release on 18 October 20171 states “… it works but implementation can be improved” – summarizing the result of the review of how the Privacy Shield currently functions in reality.

Prior to this report, the European Commission met with independent data protection authorities from the various EU countries and the U.S. authorities in mid-September 2017 in Washington to check and finalize the review.

In the report on which this press release is based2 the Commission concludes that the US authorities have put in place the necessary structures and procedures to ensure the privacy shield can function correctly.

On the other hand, the Commission has made recommendations to the U.S. authorities to ensure that the intended guarantees and safeguards contained within the EU-U.S. Privacy Shield agreement exist in practice 3. The following recommendations are noteworthy:

  • Companies should not be able to listed as certified by the U. S. Department of Commerce (DoC) prior to obtaining their Privacy Shield certification. The DoC should proactively check companies for false certification claims.
  • Compliance reviews of data protection obligations by certified companies should be performed by the DoC.
  • More effort must be made to improve information available to EU citizens on their data protection rights and complaints procedures.
  • The U.S. authorities and EU data protection authorities need to cooperate more closely, in particular, to develop guidelines for companies that explain the concepts behind the Privacy Shield.
  • Protection for non-Americans arising from the Presidential Policy Directive 28 (PPD-28) issued by President Barack Obama on January 17, 20144 should be ensured in the course of the ongoing debate on the reauthorization and reform of the previous legislation in the U.S. (§ 702 of the Foreign Intelligence Surveillance Act (FISA)).
  • A permanent ombudsperson needs to be appointed quickly.

The European Commission has planned to check on the implementation of these recommendations in the coming months and to monitor the functioning of the Privacy Shield and compliance with it5. This is likely to be of particular interest with the approaching EU-wide application of EU General Data Protection Regulation on 25 May 20186.

Nevertheless, the Commission’s overall conclusion is that the EU-U.S. Privacy Shield continues to provide an adequate level of data protection when transferring personal data from the EU to companies certified under the Privacy Shield7.

Among other things, legal protection measures have been put in place for individuals, complaint and redress procedures have been set up and cooperation with EU data protection authorities has been strengthened. The safeguards against the collection and use of personal data by U.S. authorities for reasons of national security are also still in place.

As things stand at present, this provides legal certainty for companies that rely on exchanging data with US companies, if those companies are certified.

Over 2,500 certified companies are listed at the moment, including some of the largest U.S. companies like Amazon, Facebook, Google and others. This is the complete list of certified companies.

If you have any concerns about transmitting personal data to U.S. companies, check the list of certified companies first. As the European Commission’s report indicates, not all companies that proudly state they are certified in the media are actually certified.

Wikey Chada (Xing, LinkedIn) is a lawyer (www.chada-law.de) based in Wiesbaden. His current practice focuses on German and international commercial law, in particular in the areas of IT law, data protection law, copyright law, other areas of industrial property law as well as tax law and corporate law.

If you are considering using Google technology within your company, //SEIBERT/MEDIA and lawyer Wikey Chada will be happy to help you: Contact us!


[1] Pressemitteilung der Europäischen Kommission vom 18. Oktober 2017.

[2] Siehe den Bericht der Europäischen Kommission “Report on the Privacy Shield Annual Review” vom 18. Oktober 2017.

[3] Seite 4 f. des Berichts aus Fn. 2.

[4] “Presidential Policy Directive 28” vom 17. Januar 2014.

[5] Siehe Pressemitteilung der Europäischen Kommission, Fn. 1.

[6] Datenschutz-Grundverordnung (DSGVO).

[7] Seite 4 des Berichts aus Fn. 2.


Featured image on the main blog pages: Ying und Yang 335/365 by Dennis Skley  (CC by ND 2.0)

Lesen Sie diese Seite auf Deutsch

Share article:Share on FacebookTweet about this on TwitterShare on Google+Share on LinkedInEmail this to someonePrint this page