EU US PRIVACY SHIELD FRAMEWORK 6. Periodic Review of Adequacy Finding

  1. In the light of the fact that the level of protection afforded by the U.S. legal order may be liable to change, the Commission, following adoption of this decision, will check periodically whether the findings relating to the adequacy of the level of protection ensured by the United States under the EU-U.S. Privacy Shield are still factually and legally justified. Such a check is required, in any event, when the Commission acquires any information giving rise to a justified doubt in that regard[1].
  2. Therefore, the Commission will continuously monitor the overall framework for the transfer of personal data created by the EU-U.S. Privacy Shield as well as compliance by U.S. authorities with the representations and commitments contained in the documents attached to this decision. To facilitate this process, the U.S. has committed to inform the Commission of material developments in U.S. law when relevant to the Privacy Shield in the field of data protection and the limitations and safeguards applicable to access to personal data by public authorities. Moreover, this decision will be subject to an Annual Joint Review which will cover all aspects of the functioning of the EU-U.S. Privacy Shield, including the operation of the national security and law enforcement exceptions to the Principles. In addition, since the adequacy finding may also be influenced by legal developments in Union law, the Commission will assess the level of protection provided by the Privacy Shield following the entry into application of the GDPR.
  3. To perform the Annual Joint Review referred to in Annexes I, II and VI, the Commission will meet with the Department of Commerce and FTC, accompanied, if appropriate, by other departments and agencies involved in the implementation of the Privacy Shield arrangements, as well as, for matters pertaining to national security, representatives of the ODNI, other Intelligence Community elements and the Ombudsperson. The participation in this meeting will be open for EU DPAs and representatives of the Article 29 Working Party.
  4. In the framework of the Annual Joint Review, the Commission will request that the Department of Commerce provides comprehensive information on all relevant aspects of the functioning of the EU-U.S. Privacy Shield, including referrals received by the Department of Commerce from DPAs and the results of ex officio compliance reviews. The Commission will also seek explanations concerning any questions or matters concerning the EU-U.S. Privacy Shield and its operation arising from any information available, including transparency reports allowed under the USA FREEDOM Act, public reports by U.S. national intelligence authorities, the DPAs, privacy groups, media reports, or any other possible source. Moreover, in order to facilitate the Commission’s task in this regard, the Member States should inform the Commission of cases where the actions of bodies responsible for ensuring compliance with the Principles in the United States fail to secure compliance and of any indications that the actions of U.S. public authorities responsible for national security or the prevention, investigation, detection or prosecution of criminal offences do not ensure the required level of protection.
  5. On the basis of the annual joint review, the Commission will prepare a public report to be submitted to the European Parliament and the Council.

[1] Schrems, paragraph 76.