On 26 July, the Article 29 Data Protection Working Party (WP29)
released a statement outlining its opinion on
the EU-U.S. Privacy Shield, which was adopted by the European
Commission earlier this month. After praising the
improvements implemented by the Commission and U.S. authorities
since its last critical opinion, the WP29 outlined some
remaining concerns, including the lack of:
specific rules on automated decisions
and a general right to object;
clarity regarding how the Privacy
Shield applies to processors;
strong guarantees regarding the
independence and powers of the Ombudsperson mechanism; and
concrete assurances that the bulk,
indiscriminate collection of EU citizens' personal data will
not take place.
The first annual review of the functioning of the Privacy Shield
program in 2017, to be conducted by the U.S. Department of Commerce
and the European Commission, is clearly seen as important by the
WP29, which calls for a more defined role in that process and hints
that an adverse review could impact negatively on other data
transfer methods, including Binding Corporate Rules.
In the meantime, the EU data protection authorities (DPAs)
within the WP29 "commit themselves to proactively and
independently assist the data subjects with exercising their rights
under the Privacy Shield mechanism, in particular when dealing with
complaints". The WP29 has announced it will be producing
guidance for data controllers about their obligations under the
Shield, and commenting on the citizens' guide produced by the
Department of Commerce.
1 August 2016 marks the start of a new chapter for transatlantic
data transfers. U.S. companies will be able to self-certify that
they abide by the privacy principles set out in the Privacy Shield,
providing them with a legal basis to receive personal data from the
EU. It is too early to offer predictions on the success of this
replacement to Safe Harbor; however, in the short term, the EU DPAs
look set to uphold individuals' considerably enhanced rights
under the program – and Privacy Shield joiners should prepare
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The fourth and final part of our mini-series on the draft ICO guidance on Consent, published on 2 March 2017, focuses on the practical impact the GDPR (General Data Protection Regulation) will have on how your organisation records and manages consent.
In light of the much anticipated ICO draft GDPR (the General Data Protection Regulation) Consent Guidance being published yesterday, 2 March 2017, we will be running a mini-series on the guidelines under consultation and the impact the GDPR will have on the much vexed position of consent and the impact on your business.
The first of our four discussions on the ICO guidelines for Consent will focus on the meaning of consent under the GDPR (General Data Protection Regulation) and how this change enhances the previous law on consent to data processing.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).