In early 2017, the EU Commission published a communication about Exchanging and Protecting Personal Data in a Globalized World in which the EU Commission prioritizes discussions on possible adequacy decision with key trading partners, starting from Japan and South Korea in 2017.  More particularly, on July 3, 2017, the EU Commission and a representative of the Japanese Personal Information Protection Commission met in Brussels to move forward on a possible adequacy decision.

With the recent reform of the Japanese Act on the Protection of Personal Information on May 30, 2017 and with the new EU General Data Protection Regulation (the “GDPR”, which will apply from May 25, 2018), Japan and the EU have strengthened their respective data protection regimes. As a result, both countries have a very similar regime and ensure a very high level of protection for personal data. This convergence offers new opportunities to pursue a dialogue on adequacy decision.

The EU Commission considers that, in particular, the following criteria should be taken into account to assess with which countries a dialogue on adequacy should be pursued:

  • The extent of the EU’s (actual or potential) commercial relation with a given third country;
  • The extent of personal data flows from the EU, reflecting geographical and/or cultural ties;
  • The pioneering role that the third country plays in the field of privacy and data protection that could serve a model for other countries in its region; and
  • The overall political relationship with the third country in question.

An adequacy decision is an implementing decision taken by the EU Commission to make a determination that a third country ensures an adequate level of protection of personal data. Once an adequate level of protection is recognized by the EU Commission, transfers can be made without specific authorizations. For now, the Commission has adopted 12 adequacy decisions, including the EU-US Privacy Shield.

The EU Commission, when determining whether a third country has an adequate level of protection, must take into account among others (GDPR, art. 45.2):

  • the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;”
  • “the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States”; and
  • “the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.”

The overall evaluation does not require a level of protection identical to that offered within the EU, but requires a level of protection that is “essentially equivalent”.

Under the GDPR, an adequacy decision is not a definitive decision but a decision that once adopted needs close monitoring by the EU Commission and review, at least every four years, to take into account all relevant developments affecting the level of protection ensured by the third country.

This two-way dialogue with Japan will include exploring ways to increase convergence of Japan’s laws and practice with the EU data protection rules. The EU Commission and Japan have reaffirmed their commitment to intensify their efforts and to conclude this dialogue by early 2018.

The UK Government will introduce a new Data Protection Bill (the “Bill”) this year. As highlighted in the Queen’s speech back in June, the Government has committed to introduce the new law and, on Monday, published a Statement of Intent.

The Bill will not change the position that the EU’s new data protection legislation – the General Data Protection Regulation (GDPR) – will bring when it comes into force on 25 May 2018. The UK will still be in the EU at that time and so the GDPR will be automatically transposed into English law and replace the UK’s current Data Protection Act. However, when the UK leaves the EU and is no longer subject to the GDPR, the Bill when then implement the GDPR into English law. The importance of this is two-fold; it will support the UK’s position with regard to preserving personal data flows between the UK, EU and other countries around the world, and gives UK businesses clarity about their data protection obligations following Brexit.

The Bill will also introduce the national member state derogations that are permitted under the GDPR. The Government asked for feedback (Call for Views) on how the UK should deal with these exemptions earlier this year. The Statement of Intent provides some detail on the Government’s proposed approach, which include:

  • Enabling children aged 13 year or older to consent to their personal data being processed (under the GDPR the age for valid consent is 16 unless member states reduce this through national law);
  • Maintaining the UK’s position on processing personal data relating to criminal convictions and other sensitive personal data (enabling employers to carry out criminal background checks in certain circumstances);
  • Enabling organisations to carry out automated decision making for certain legitimate functions (e.g. credit reference checks);
  • Maintaining the UK’s current position with regard to the processing of personal data in relation to freedom of expression in the media, research and archiving.

Two new criminal offences will also be created. An offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, and an offence of altering records with intent to prevent disclosure following a subject access request. Both offences will be subject to an unlimited fine.

The Bill will also implement the EU’s new Data Protection Law Enforcement Directive (DPLED) in English law. The DPLED sits alongside the GDPR and deals with processing of personal data by the police, prosecutors and other agencies involved in law enforcement. However, unlike the GDPR, the DPLED is an EU Directive (not a Regulation) and so must be implemented into member state law through national legislation by 6 May 2018.

The draft text of the Bill is due to be published and put before Parliament in early September. The Bill will be largely identical in effect to the GDPR. In light of the increased fines imposed by the GDPR (up to €20,000,000 (£17,000,000) or 4 per cent of an organisation’s global annual turnover, whichever is higher), companies should still be continuing with their GDPR compliance efforts to ensure adherence to the new law by 25 May 2018.

The Article 29 Data Protection Working Party (comprising representatives from the data protection regulators in each EU Member State, the European Data Protection Supervisor and the European Commission) has issued an opinion on data processing at work (2/2017) (the Opinion).  The Opinion is not legally binding but it does provide an indication as to how EU data protection regulators will consider and interpret EU data protection law.  The new EU data protection law (the General Data Protection Regulation – or the GDPR) comes into force on 25 May 2018 and will impose significant fines on non-compliant organizations (up to 4% of annual worldwide turnover or €20 million, whichever is higher) in addition to giving individuals more rights with regard to their personal data.  The GDPR does not only apply to EU companies, but can also apply to non-EU based organizations processing EU citizens’ personal data.

The Opinion notes that in light of the increasing amount of personal data that is being processed in the context of an employment relationship, the balance between the legitimate interests of the employer and the privacy rights of the employee becomes ever more important. It provides guidance on a number of specific scenarios including the use of social media during recruitment. Nowadays, employers may be tempted to view job applicants’ social media profiles as part of the recruitments process. However, according to the Opinion, employers may only use social media to find out information about a job applicant where: (a) they have a “legal ground” for doing so; (b) doing so is necessary and relevant for the performance of the position being applied for; (c) the applicant has been informed that their social media profiles will be reviewed; and (d) the employer complies with all of the data protection principles set out in the law.

What steps should your organization take if it wishes to review social media profiles as part of the recruitment process while also complying with the Opinion and EU data protection law? Continue Reading New Guidance Issued by EU Data Protection Regulators – Does Your Organization Use Social Media During Recruitment?

In June the ICO updated its Subject Access Code of Practice, which gives guidance to data controllers on how to respond to subject access requests from data subjects. The Code itself is not legally binding, but provides advice on good practice to promote compliance with the Data Protection Act 1998 (DPA). With less than a year to go before the introduction of the GDPR, it seems a shame that this revised Code does not address the forthcoming amendments to the law, such as the reduced time limits to respond to a subject access request (which will decrease from the current 40 days to a mere 30) but it does make recommendations for more streamlined and user-friendly options for responding and, in addition to helpful notes on how to handle requests and deal with tricky issues, serves as a reminder of the basic entitlements, which are to:

  • Be told whether any personal data is being processed;
  • Receive a description of the personal data, the reasons it is being processed and whether it will be given to any other organizations or people;
  • Receive a copy of the personal data; and
  • Receive details of the source of the data (where available).

For many businesses, subject access requests can be a time-consuming and frustrating aspect of data protection compliance. There is an understandable urge to ignore them, or provide a minimal response, particularly if the request is made in the context of an existing dispute, or preempting litigation and disclosure/discovery of documents. However, the law states that data controllers must be prepared to make extensive efforts to find and retrieve the information requested in a subject access request, unless it would be unreasonable or would involve disproportionate effort to do so. There is an exemption in the DPA accordingly. This issue has been tentatively raised in the past but the recent cases of Dawson-Damer[1] and Ittiadieh/Deer and Oxford University[2] (both decisions of the Court of Appeal) have given the ICO the opportunity to provide more clarification on these points:

  1. Disproportionate effort is not defined in the DPA, but there may be cases where the work/expense involved in complying with a request by providing a copy of the information in permanent form exceeds the individual’s right of access to their personal data;
  2. Data controllers can take into account any difficulties in finding the information and complying with the request. (This approach is consistent with the EU concept of proportionality, but the ICO expects data controllers to balance any difficulties with the benefits the information might bring to the data subject);
  3. Data controllers have the burden of proof to show that they have taken all reasonable steps to comply with a subject access request and it would be disproportionate in all the circumstances to take further steps; and
  4. It is good practice to engage with the person making the request, to help reduce the costs and effort involved in searching for the information requested. (If there is a complaint, the data controller’s willingness to engage with the requestor will be considered).

Overall, the ICO expects data controllers to act positively towards those making a subject access request and to have readily accessible systems in place to respond to requests. Those receiving a request should deal with them promptly and fairly from the start. Subject access is a fundamental right and (as noted in the Code) an opportunity to improve customer service and delivery, by increasing levels of trust and confidence, streamlining processes and providing better customer care. These aims are consistent with the GDPR and so even though this Code is not specifically targeted at compliance with the new laws, companies should benefit from its up to date guidance.


[1] Dawson-Damer & Ors v Taylor Wessing LLP [2017] EWCA Civ 74

[2] Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors

The UK government launched its 5-year National Cyber Security Strategy in November 2016, investing a reported £1.9 billion to protect UK businesses from cyber-attacks and make the country the safest place to live and do business online. This strategy has included the opening of the National Cyber Security Centre (part of GCHQ) and the creation of campaigns to support businesses with expert guidance on cyber security, such as Cyber Aware and Cyber Essentials.

More recently, on 19 April, the government produced its report into cyber security breaches, based on a survey of over 1500 UK businesses. According  to the government report, just under half of all UK businesses suffered at least one cyber security breach or attack in the last 12 months, yet only 1 in 10 businesses have a cyber security incident management plan in place and only a third have a formal policy that covers cyber security risks. The average cost of a breach is said to be around £20,000, but this is a conservative estimate and for many larger companies the cost is much more, not least in monetary terms. The risk of negative publicity and damage to reputation remains high, even when security measures are adopted and insurance cover is in place, so it is no wonder that businesses are confused about what to do to protect themselves and the data they hold. The danger is that companies do not sufficiently address the problems, perhaps because it seems impossible to eliminate the threat completely, or they are put off by scaremongering tactics by InfoSec consultants or cyber insurance brokers.

Cybersecurity should be a priority for company directors. Under the Companies Act 2006, they have a duty to promote the success of the company and to exercise reasonable care, skill and diligence in the performance of their role. Failing to adopt and maintain appropriate security measures to protect personal data and confidential information against cyber-attacks could be considered a breach of these duties and expose the company and individual directors to legal liabilities, including fines and claims for compensation, under data protection legislation and potential action from regulators, such as the ICO or FCA, for businesses in the financial sector. Continue Reading UK Cyber- Security Breaches Survey

On May 18, 2017, the European Commission imposed a “proportionate and deterrent” fine of €110 million on Facebook for providing misleading information during the Commission’s investigation under the EU merger control rules of Facebook’s acquisition of WhatsApp. This decision – which it is understood Facebook will not appeal – is an example of the importance that the Commission puts on complying with all aspects of the EU merger rules.  The information at issue concerned how Facebook would be able to use its and WhatsApp’s data.  Although the case did not directly concern the processing or use of data as such, its factual background raises data protection issues and it is notable that similarly high fines will soon be possible under the EU’s General Data Protection Regulation (GDPR) for data protection infringements.

During the acquisition notification procedure in 2014, the Commission had some concerns about Facebook’s ability to establish automated matching between users’ accounts in the two services. Such matching could be a way for Facebook to introduce advertising on WhatsApp and/or to use personal data sourced from WhatsApp to improve its targeting of advertisements. From a competition perspective, this could strengthen Facebook’s position in the online advertising market and hamper competition in such market. From the data protection side, data subjects and data protection authorities should be informed of any such data sharing between Facebook and WhatsApp, as well as possible new processing resulting from that matching.

Facebook informed the Commission that it would be technically impossible to achieve reliable automated matching between Facebook users’ accounts and WhatsApp users’ account.  However, WhatsApp updated its Terms of Service and Privacy Policy in August 2016, which update included the possibility of linking WhatsApp user’ phone numbers with Facebook users’ identities.  The Commission investigated and found that the technical possibility of this automatic matching of identities existed in 2014, that Facebook staff were aware of this and that Facebook was aware of the relevance of the issue for the Commission’s investigation. Facebook’s answers in 2014 had been incorrect or misleading and a fine was justified.

Separately, in a letter of October 2016, the Article 29 Working Party (WP29, gathering all EU data protection authorities) called into question the validity of the existing WhatsApp users’ consent to this change under data protection rules.  This is because, at the time they signed up, users were not informed that their data was to be shared among the “Facebook family of companies” for marketing and advertising purposes.  The WP29 announced an investigation, urged WhatsApp to communicate all available information on this new data processing and required the company not to proceed with the sharing of users’ data until appropriate legal protections could be assured.

This investigation by the Article 29 Working Party demonstrates once again, against the background of the increased sanctions soon to be introduced under the GDPR, the importance of compliance with data protection law in the EU.  For example, companies engaged in a merger or acquisition should integrate data protection compliance programs (in addition to those covering, at least, general corporate, competition and bribery/corruption matters). Such programs should include at least the following measures:

  • Map and assess the privacy risk involved in the new processing to be carried out in the context of the corporate operation (due diligence audits, international transfers, etc.), as well as the privacy risk involved in the new processing that will be carried after the operation.
  • To the extent required by law, inform the data subjects (employees, clients, stakeholders, etc.) about those new processing and purposes, taking into account confidentiality issues.
  • Take all steps necessary to make the new data processing, data transfers and processing purposes compliant with the various applicable data protection rules.

It has been less than three years since the Court of Justice of the European Union (CJEU) decided that people have the right to have incorrect information about them removed from online search engine results. However, this so-called “right to be forgotten” is not absolute, as confirmed by the CJEU’s most recent ruling last week.

This case concerned an Italian director, Mr. Salvatore Manni, who sought to have his personal details removed from company records in an official public register. He believed that his properties had failed to sell because the companies register showed that he had been an administrator of another company that went bankrupt.

The CJEU held that Mr. Manni could not demand the deletion of his personal data from the official register because the public nature of company registers is intended to ensure legal certainty and to protect the interests of third parties. It was held that this inference with an individual’s fundamental rights to a private life and to protect personal data was not disproportionate in the circumstances. This was because company registers only disclose a limited amount of personal data and company executives should be required to disclose data relating to their identity and functions within a company. The CJEU concluded by saying that in specific and exceptional situations, overriding and legitimate reasons may justify limiting the rights of third parties to access such data, and left it up to national courts to determine whether “legitimate and overriding reasons” exist on a case-by-case basis.

This decision echoes the ruling in the 2014 Google Spain Case; the right to be forgotten must be balanced against individuals’ fundamental rights, such as the right of freedom of expression and the public’s right to know information about persons holding key positions within a company. The General Data Protection Regulation (GDPR) which codifies the right to be forgotten also confirms this position. The right to be forgotten allows individuals to request the deletion of personal data in specific circumstances. However, the GDPR contains certain exemptions where companies can refuse to deal with a deletion request, such as where the processing is necessary to exercise the right of freedom of expression, and for archiving purposes in the public interest.

Companies who receive requests by individuals asking that their personal data be deleted will need to determine, on a case-by-case basis, whether or not such data should be erased. Organizations will be required to perform a balancing act against any competing rights when considering such erasure requests.

See also:

UK’s First Ever Right To Be Forgotten Enforcement: Google In the Firing Line Again

The French Data Protection Authority Puts Google On Notice To Delist Domain Names Beyond Site’s EU Extensions

The CJEU’s Google Spain Decision: A Right to be Forgotten Within the Limits of the Freedom of Expression

Costeja’s Revenge: Orders to Delete Accurate Data and the Right to be Forgotten in the EU

A study by the International Association of Privacy Professionals has found that 28,000 data protection officers (DPO) will be needed in the next two years for companies to comply with the EU’s new General Data Protection Regulation (GDPR).  By the time the GDPR comes into force in 2018, in-scope entities will have to have their DPO in place. Competition for DPOs will likely be strong in light of the ongoing shortage of privacy professionals. With this in mind, businesses should start thinking now about how best to recruit, train and resource a DPO and not wait for the GDPR to come into effect.

The GDPR requires data controllers and processors to appoint a DPO when processing is carried out by a public authority or when “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”. Even where not required, businesses may voluntarily appoint a DPO. This will not only include EU companies but also companies based in the U.S. and elsewhere who fall within the scope of the GDPR and the DPO requirements.

DPOs must possess “expert knowledge of data protection law and practices”, plus have an understanding of the company’s technical and organizational structure and its IT infrastructure and technology. Key tasks include ensuring regulatory compliance; training staff; coordinating with regulators and understanding applicable data processing risks.

Businesses can either assign this role to an existing or new employee provided that the employee’s other professional duties do not create a conflict with his or her new duties as DPO, or businesses can appoint an external candidate under a service contract. A corporate group may appoint a single DPO provided that the person is “easily accessible” for each entity. This means that the DPO must not only be able to speak the local language but also understand and address differences in data protection laws across the Member States in which the business operates.

DPOs must be independent in the performance of their tasks and are not only responsible for managing data privacy compliance, but also reporting any non-compliance to the relevant data protection authority. The role, therefore, is one of internal policeman and whistleblower at the same time, which businesses may, at first, find challenging. Breach of the DPO provisions may lead to huge administrative fines (up to the greater of EUR 10,000,000, or up to 2% of an organizations’ total worldwide annual turnover of the preceding financial year).

Companies should take steps now to determine whether they are subject to the GDPR and if so, whether a DPO must be appointed. Given the significance of privacy compliance today and the potential new administrative fines, even if a business is not required to appoint a DPO, larger companies that regularly process data may wish to consider appointing one in any event in order to assist with GDPR preparations and demonstrate compliance when the new law comes into effect.

While we wait to see what the BREXIT result will mean for the UK’s data protection regime, it is important to recognize that the result will not change anything immediately. The exact nature of the post-BREXIT UK-EU relationship will influence any UK data protection reform, and it is highly likely that the UK will continue to be heavily influenced by EU laws. Indeed, the UK’s data protection authority (the ICO) has emphasized that “international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens.”

So what should you be doing now?

Prepare for the GDPR and changes to UK data protection laws

Data controllers established in the UK processing personal data in the context of that establishment are currently subject to the UK’s Data Protection Act (DPA). Once the EU’s General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, the UK will still be a member of the EU and so the GDPR will automatically replace the DPA. UK companies will then need to comply with the new regime until BREXIT occurs. Following that, the GDPR will fall away but we do not yet know what form any replacement legislation will take.  If the UK wants to continue trading with other EU Member States, it will likely need to adopt legislation similar to the GDPR (see further below). With this in mind, businesses should continue with their GDPR compliance preparations.

In addition, the GDPR will not only apply to businesses established in the EU, but it will also apply to businesses outside the EU that processes personal data of EU citizens, either by offering services or goods or from monitoring behavior. Therefore, following BREXIT, the GDPR will still apply to UK based businesses trading with the EU or targeting EU citizens. Such businesses therefore should continue their GDPR compliance efforts.

Consider where personal data is processed and transferred

EU data protection laws prohibit transfers of personal data to countries outside the European Economic Area (EEA), unless they have been recognized as providing “adequate protection” to personal data. Companies need to consider whether they receive data in the UK from global regions which are currently compliant based on the UK being within the EU or EEA.  If the UK is not classified as “adequate” post BREXIT, UK companies receiving data from the EEA will need to re-think their data protection compliance strategy and put in place adequate safeguards, such as Model Clauses and Binding Corporate Rules.

In addition, the converse (transfers outside the UK) may also be an issue and so companies should consider whether they send personal data from the UK and what compliance measures they may need to put in place. The new EU/U.S. Privacy Shield is due to be adopted early next week. Following BREXIT, the Privacy Shield will not cover transfers from the UK to the U.S. However, the ICO could approve the Privacy Shield as an adequate means of data transfer from the UK to the U.S., or it could establish a similar framework (e.g. like the U.S.-Swiss Safe Harbor framework).

Determine where the organization’s main EU establishment will be

Some GDPR provisions are dependent on the “main establishment” of a business being in the EU. Once the UK leaves the EU, a company with UK based headquarters will no longer count as the main establishment under the GDPR following BREXIT. This will affect a company’s lead data protection supervisory authority under GDPR for the purpose of enforcement and other reasons such as approval of Binding Corporate Rules.

It is hard to predict at the moment precisely the timing and scope of legal changes to the UK’s data protection regime resulting from BREXIT. We will continue to monitor developments closely and keep you fully informed and the post-BREXIT process unfolds.

SAVE THE DATE McGuireWoods Annual European Data Protection and Security Conference September 27, 2016 London

Learn more about data protection laws in light of BREXIT. The conference is designed for in-house counsel, risk managers, security officers, regulatory and compliance officers, directors, financial officers, information officers, human resource officers and managers of corporations with cross-border operations. A full agenda is under development, but topics and speakers from last year’s event can be viewed here.

Click here to ensure you receive an invitation to our 2016 conference.

Following twenty-seven EU and U.S. non-profit organizations in their letter of March 16, the Article 29 Working Party (WP29) in its opinion n° 01/2016 of April 13 and the EU Parliament in its resolution of May 26, it is now the turn of the European Data Protection Supervisor (EDPS) to express, in its opinion n° 4/2016 of May 30, its concerns about the compliance of the draft adequacy decision on the EU-U.S. Privacy Shield (available here) with the Schrems ruling. As a refresher, this ruling, issued on October 6, 2015 by the EU Court of Justice (CJEU) (C-362/14), invalidated the Safe Harbor framework, which allowed EU companies to transfer personal data to certain self-certified U.S. companies. Since the EDPS is one of the most influential voices on the CJEU regarding data protection matters, this opinion should be carefully considered.

The EU and U.S. negotiators are caught between competing sides. For obvious reasons, industry urges the negotiators to reach an agreement before the end of summer and the U.S. elections. On the other side, the WP29 and the EDPS outline the imperative to meet the requirements resulting from the Schrems ruling by reaching an agreement ensuring “a level of protection of fundamental rights and freedoms that is [not necessarily identical but] essentially equivalent to that guaranteed within the European Union“. The outcome of this negotiation relies on whether U.S. legislation will provide the guarantees of implementation and enforcement of the commitments made under the agreement.

In its opinion, the EDPS targets the lack of precision of certain provisions and recommends strengthening certain principles:

  • Purpose limitation: data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
  • Data retention: data must not be retained longer than is necessary for the purpose for which it is processed;
  • Automated processing: every person should have the right not to be subject to a decision based solely on automated processing which significantly affects him/her;
  • Onward transfers: those transfers should not enable third parties and foreign importers to circumvent the Privacy Shield framework; and
  • Data subjects’ right: the provisions addressing the right to access and the right to object should be improved.

The EDPS welcomes the efforts towards increased transparency in the information provided on access to data by U.S. authorities. However, according to the EDPS, the Privacy Shield should better specify the notion of “foreign intelligence” and the purposes for which derogations “necessary to meet national security, law enforcement or any public interest requirement” are possible.

The EDPS also recommends improving the redress mechanisms by providing specific commitments that (i) the proposed Ombudsperson will be able to act independently not only from the intelligence community but from any authority, (ii) the requests for information and cooperation from this Ombudsperson will be effectively implemented by all U.S. agencies, (iii) the level of protection of U.S. and non-U.S. data subjects will be identical. The EDPS encourages exploring the possibility of involving EU representatives in the assessment of the oversight system results.

One of the major merits of this opinion is to promote general and long-term objectives that can lead negotiations toward a stable agreement. According to the EDPS:

  • The final adequacy assessment should not only include regulations directly related to the U.S. commitments but all federal and state laws that could allow access for public interest purposes;
  • As required by the CJEU and the WP29, in order to check whether the finding relating to the adequacy decision is still factually justified, the annual joint review of the application of the Privacy Shield should not only include meetings with public and private entities but also “on-the-spot verifications“;
  • Last but not least, the new elements of the General Data Protection Regulation (GDPR), which will replace the current Directive in about two years, should be put on the negotiating table, including the privacy by design and by default principles, data portability and the criteria for future third countries adequacy decisions.

For more information on the Privacy Shield and the GDPR, please refer to the following prior Password Protected blog posts:

New Threat to Transatlantic Personal Data Transfers: Possible Invalidation of Standard Contractual Clauses

New Tough and Harmonized Framework for EU Data Protection

EU-U.S. Privacy Shield: Better or Worse?

Replacing Safe Harbor: EU-U.S. Privacy Shield Announced

U.S. Chamber of Commerce and Business Europe Request Quick, Perennial Safe Harbor Fix

Safe Harbor Invalidated by the CJEU; Are There Other Solutions for Transatlantic Transfers?

Means, Other Than Safe Harbor, of Transferring Personal Data to the U.S. Potentially Vitiated?

CJEU Declares the EU Commission Safe Harbor Decision Invalid