On September 5, 2018, the European Commission (the “Commission”) announced in a press release the launch of the procedure to formally adopt the Commission’s adequacy decision with respect to Japan. Continue Reading EU Begins Formal Approval for Japan Adequacy Decision
Recently, the Department of Commerce updated its frequently asked questions (“FAQs”) on the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (collectively, the “Privacy Shield”) to provide additional clarification on a wide range of topics, including transfers of personal information to third parties, the application of the Privacy Shield Principles to data processors, and the relation of the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) to the Privacy Shield. Certain key insights from the updated FAQs are outlined below:
- Data processors. When responding to individuals seeking to exercise their rights under the Privacy Shield Principles, the FAQs state that a processor should respond pursuant to the instructions of the EU data controller. For example, in order to comply with the Choice Principle, a Privacy Shield-certified organization acting as a processor could, pursuant to the EU controller’s instructions, put individuals in contact with the controller that provides a choice mechanism or offer a choice mechanism directly.
- Onward transfers. The FAQs also provide additional guidance for organizations preparing to come into compliance with the Accountability for Onward Transfer Principle. For example, the FAQs state that organizations may use contracts that fully reflect the requirements of the relevant standard contractual clauses adopted by the European Commission to fulfill the Accountability for Onward Transfer Principle’s contractual requirements.
- CLOUD Act. The FAQs state that the CLOUD Act, which involves data transfers for law enforcement purposes, does not conflict with the Privacy Shield, which is unaffected by the enactment of the law.
View the full Privacy Shield FAQs.
On July 10, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the European Data Protection Board (the “EDPB”) on its draft guidelines on certification and identifying certification criteria in accordance with Articles 42 and 43 of the GDPR (the “Guidelines”). The Guidelines were adopted by the EDPB on May 25, 2018, for public consultation. Continue Reading CIPL Submits Comments to EDPB’s Draft Guidelines on Certification and Identifying Certification Criteria in Accordance with Articles 42 and 43 GDPR
On July 12, 2018, British Prime Minister Theresa May presented her Brexit White Paper, “The Future Relationship Between the United Kingdom and the European Union,” (the “White Paper”) to Parliament. The White Paper outlines the UK’s desired future relationship with the EU post-Brexit, and includes within its scope important data protection-related issues, including digital trade, data flows, cooperation for the development of Artificial Intelligence (“AI”), and the role of the Information Commissioner’s Office (“ICO”), as further discussed below: Continue Reading Brexit White Paper Addresses Data Protection-Related Issues
On July 17, 2018, the European Union and Japan successfully concluded negotiations on a reciprocal finding of an adequate level of data protection, thereby agreeing to recognize each other’s data protection systems as “equivalent.” This will allow personal data to flow safely between the EU and Japan, without being subject to any further safeguards or authorizations. Continue Reading EU and Japan Agree on Reciprocal Adequacy
On July 5, 2018, the European Parliament issued a nonbinding resolution (“the Resolution”) that calls on the European Commission to suspend the EU-U.S. Privacy Shield unless U.S. authorities can “fully comply” with the framework by September 1, 2018. The Resolution states that the data transfer mechanism does not provide the adequate level of protection for personal data as required by EU data protection law. The Resolution takes particular aim at potential access to EU residents’ personal data by U.S. national security agencies and law enforcement, citing the passage of the CLOUD Act as having “serious implications for the EU, as it is far-reaching and creates a potential conflict with the EU data protection laws.” Continue Reading European Parliament Calls for Suspension of EU-U.S. Privacy Shield Unless U.S. Can “Fully Comply”
On March 29, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the Article 29 Working Party (the “Working Party”) on its draft guidelines on the accreditation of certification bodies under the GDPR (the “Guidelines”). The Guidelines were adopted by the Working Party on February 6, 2018, for public consultation. Continue Reading CIPL Submits Comments to Article 29 Working Party’s Draft Guidelines on the Accreditation of Certification Bodies under the GDPR
On March 26, 2018, the U.S. Department of Commerce posted an update on the actions it has taken between January 2017 and March 2018 to support the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (collectively, the “Privacy Shield”). The update details measures taken in support of commercial and national security issues relating to the Privacy Shield. Continue Reading U.S. Department of Commerce Posts Update of Actions to Support the Privacy Shield Frameworks
On January 24, 2018, the European Commission issued a communication to the European Parliament and the Council (the “Communication”) on the direct application of the EU General Data Protection Regulation (“GDPR”). The Communication (1) recounts novel elements of the GDPR that create stronger protections for individuals and new opportunities for organizations, (2) reviews preparatory work undertaken to date for GDPR implementation, (3) outlines remaining steps for successful preparation and (4) outlines measures the European Commission intends to take up until May 25, 2018. Continue Reading EU Commission Releases Communication on Remaining Issues for GDPR Preparation
As we previously reported, this October, the EU Commission released its report and accompanying working document on the first annual review of the EU-U.S. Privacy Shield framework. On November 28, 2017, the Article 29 Data Protection Working Party (the “Working Party”) adopted an opinion on the review (the “Opinion”). While the Opinion notes that the Working Party “welcomes the various efforts made by US authorities to set up a comprehensive procedural framework to support the operation of the Privacy Shield,” the Opinion also identifies some remaining concerns and recommendations with respect to both the commercial and national security aspects of the Privacy Shield framework. The Opinion also indicates that, if the EU and U.S. do not, within specified time frames, adequately address the Working Party’s concerns about the Privacy Shield, the Working Party may bring legal action to challenge the Privacy Shield’s validity.