A little more than a year after the EU-US Privacy Shield went into effect, the European Commission (EC) says the multi-national pact is doing an "adequate" job protecting Europeans' personal data after it's transferred to companies in the US.
At the same time, the US could do more to protect non-Americans, the EC says, such as adding certain rules to the Foreign Intelligence Surveillance Act (FISA).
The recommendations came from the EC's first annual report assessing whether the Privacy Shield -- a pact between the EU and the US that sets the terms for trans-Atlantic transfers of personal data -- is functioning as intended.
"The U.S. authorities have put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield, such as new redress possibilities for EU individuals," the EC said in a release.
The US Commerce Department has certified more than 2,400 companies to confirm their compliance with the pact, the report says. Additionally, "relevant safeguards on the U.S. side remain in place."
Those safeguards include Presidential Policy Directive 28 (PPD-28), a directive that President Obama signed in 2014 to protect the privacy of non-Americans. During the EC's review of the Privacy Shield, "U.S. authorities expressly confirmed that the current U.S. Administration is not making any change to PPD-28," the EC noted in a fact sheet.
However, presidential policy directives -- used to promulgate presidential decisions on national security matters -- are not statutes: they are opaque rules that a later administration can revise or rescind without congressional action, and they are subject to little outside oversight.
In its review, the EC suggested "enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the ongoing debate in the U.S. on the reauthorisation and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA)."
Section 702 of FISA allows the NSA to gather intelligence on non-US persons reasonably believed to be located outside the US by compelling US communications providers to hand over their communications, including through "upstream" collection at the chokepoints where fiber optic cables owned by telecom giants enter the US. It's set to expire at the end of the year, and Congress is currently debating ways to reform and extend the provision.
In addition to including PPD-28 in FISA, the EC gave the US other suggestions, such as more proactive monitoring on the part of the Commerce Department to ensure companies are in compliance with the Privacy Shield. It also called on the US to appoint a permanent Privacy Shield Ombudsperson and to fill the empty posts on the Privacy and Civil Liberties Oversight Board (PCLOB). The Commission is also asking the PCLOB to publicly release its report on the implementation of PPD-28.
"Transatlantic data transfers are essential for our economy, but the fundamental right to data protection must be ensured also when personal data leaves the EU," Commissioner Věra Jourová said in a statement. "Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation. The Privacy Shield is not a document lying in a drawer. It's a living arrangement that both the EU and U.S. must actively monitor to ensure we keep guard over our high data protection standards."