European Commission Affirms Privacy Shield Protects Personal Data Transferred to U.S.

The European Commission has just published its first annual report on the operation of the EU-U.S. Privacy Shield, and we’re pleased the report recognizes that the Privacy Shield is operating well. With this review complete, companies can continue to rely with confidence on the Privacy Shield and its effectiveness in facilitating the free flow of data, which is essential in unlocking the full potential of cloud computing.

The Privacy Shield provides an important means to enable the transfer of personal data from the EU to the U.S. Workday was among the first of more than 2,400 companies to certify to the Privacy Shield framework in August 2016 and we just completed our recertification in August 2017. As part of the operation of Privacy Shield, there is a requirement for annual reviews by the European Commission in order to ensure that it is operating effectively and protecting personal data transferred pursuant to its terms.

As the European Commission’s report notes, the U.S. has put in place the structures and procedures needed for the Privacy Shield to function effectively. At Workday, we can attest to the thoroughness of the requirements that must be met to attain certification to the framework. As part of our most recent recertification with the U.S. Department of Commerce, we had TrustArc conduct a third-party assessment of our Privacy Shield program to verify that we continue to adhere to its requirements. Also, the Federal Trade Commission has notably stepped up Privacy Shield enforcement, while other important protections for personal data in the national security context, such as Presidential Policy Directive 28, remain in place.

We were encouraged to see in the report that the European Commission concluded that “the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the Union to organisations in the United States.”

Looking Ahead

The European Commission’s report also notes several opportunities to improve the implementation of the Privacy Shield. We support many of these recommendations. In particular, companies should not be able to claim compliance prior to completing their certification, and the Department of Commerce should proactively search for false claims of compliance.

Likewise, we favor improved cooperation between EU and U.S. enforcement authorities. And, we have consistently called for vacant positions on the Privacy and Civil Liberties Oversight Board to be filled and for the appointment of a permanent Privacy Shield Ombudsperson.

These suggested improvements, important as they are, do not detract from the fact that the Privacy Shield currently provides adequate protection for European personal data transferred to the U.S. in line with the guidance provided by the European Court of Justice. Workday remains committed to adhering to the Privacy Shield as part of our commitment to providing strong privacy protections for customer data.