On December 20, 2018, the Department of Commerce updated its frequently asked questions (“FAQs”) on the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (collectively, the “Privacy Shield”) to clarify the effect of the UK’s planned withdrawal from the EU on March 29, 2019. The FAQs provide information on the steps Privacy Shield participants must take to receive personal data from the UK in reliance on the Privacy Shield after Brexit.
On December 19, 2018, the European Commission (the “Commission”) issued a press release regarding the publication of the Commission’s second annual review of the functioning of the EU-U.S. Privacy Shield (the “Report”).
The European Commission (“Commission”), the European Parliament (“Parliament”) and the Council of the European Union reached an agreement earlier this month regarding changes to the Proposal for a Regulation on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology Cybersecurity Certification (the “Cybersecurity Act”). The agreement empowers the EU Cybersecurity Agency (known as European Union Agency for Network and Information and Security, or “ENISA”) and introduce an EU-wide cybersecurity certification for services and devices.
On November 9, 2018, the European Commission (“the Commission”) submitted comments to the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) in response to its request for public comments on developing the administration’s approach to consumer privacy. Continue Reading EU Commission Responds to NTIA Request for Comment on Developing the Administration’s Approach to Consumer Privacy
On October 19, 2018, European Commissioner for Justice, Consumers and Gender Equality Věra Jourová and U.S. Secretary of Commerce Wilbur Ross issued a joint statement regarding the second annual review of the EU-U.S. Privacy Shield framework, taking place in Brussels beginning October 18. The statement highlights the following: Continue Reading EU and U.S. Regulators Issue Joint Statement on the Status of the Second Annual EU-U.S. Privacy Shield Review
On September 5, 2018, the European Commission (the “Commission”) announced in a press release the launch of the procedure to formally adopt the Commission’s adequacy decision with respect to Japan. Continue Reading EU Begins Formal Approval for Japan Adequacy Decision
Recently, the Department of Commerce updated its frequently asked questions (“FAQs”) on the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (collectively, the “Privacy Shield”) to provide additional clarification on a wide range of topics, including transfers of personal information to third parties, the application of the Privacy Shield Principles to data processors, and the relation of the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) to the Privacy Shield. Certain key insights from the updated FAQs are outlined below:
- Data processors. When responding to individuals seeking to exercise their rights under the Privacy Shield Principles, the FAQs state that a processor should respond pursuant to the instructions of the EU data controller. For example, in order to comply with the Choice Principle, a Privacy Shield-certified organization acting as a processor could, pursuant to the EU controller’s instructions, put individuals in contact with the controller that provides a choice mechanism or offer a choice mechanism directly.
- Onward transfers. The FAQs also provide additional guidance for organizations preparing to come into compliance with the Accountability for Onward Transfer Principle. For example, the FAQs state that organizations may use contracts that fully reflect the requirements of the relevant standard contractual clauses adopted by the European Commission to fulfill the Accountability for Onward Transfer Principle’s contractual requirements.
- CLOUD Act. The FAQs state that the CLOUD Act, which involves data transfers for law enforcement purposes, does not conflict with the Privacy Shield, which is unaffected by the enactment of the law.
View the full Privacy Shield FAQs.
On July 10, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the European Data Protection Board (the “EDPB”) on its draft guidelines on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR (the “Guidelines”). The Guidelines were adopted by the EDPB on May 25, 2018, for public consultation. Continue Reading CIPL Submits Comments to EDPB’s Draft Guidelines on Certification and Identifying Certification Criteria in Accordance with Articles 42 and 43 GDPR
On July 12, 2018, British Prime Minister Theresa May presented her Brexit White Paper, “The Future Relationship Between the United Kingdom and the European Union,” (the “White Paper”) to Parliament. The White Paper outlines the UK’s desired future relationship with the EU post-Brexit, and includes within its scope important data protection-related issues, including digital trade, data flows, cooperation for the development of Artificial Intelligence (“AI”), and the role of the Information Commissioner’s Office (“ICO”), as further discussed below: Continue Reading Brexit White Paper Addresses Data Protection-Related Issues
On July 17, 2018, the European Union and Japan successfully concluded negotiations on a reciprocal finding of an adequate level of data protection, thereby agreeing to recognize each other’s data protection systems as “equivalent.” This will allow personal data to flow safely between the EU and Japan, without being subject to any further safeguards or authorizations. Continue Reading EU and Japan Agree on Reciprocal Adequacy