On December 13, 2016 at its plenary meeting, the EU’s Article 29 Working Party (“WP29”) adopted guidance on the EU-US Privacy Shield Framework for businesses and individuals in Europe. Since the U.S. Department of Commerce began accepting certifications to the Privacy Shield in August 2016, almost 1,300 companies have self-certified to the Privacy Shield and we understand many more are awaiting approval from the Department of Commerce.
During the meeting the WP29 confirmed that it will take on the role of the “EU centralized body” – the EU individual complaint handling body set up under the Privacy Shield to address complaints in respect of data transferred to the US for commercial purposes and further accessed for national security purposes. This is distinct from the “EU informal panel of DPAs” for which the WP29 will also be assuming the role. The new guidance has been adopted in the form of separate FAQs for European businesses and European individuals.
FAQs for European businesses
The FAQs set out explanatory notes as to the nature of the Privacy Shield, and explain to European businesses which US companies are eligible to self-certify to the Privacy Shield. The FAQs also set out steps that European businesses must take with regard to their US-based counterparts (whether controllers or processors) prior to transferring personal data under the Privacy Shield. These steps include, for example: (i) ascertaining the scope of the relevant Privacy Shield certification and confirming that this certification is active; (ii) identifying a legal basis for the transfer under EU data protection laws where the recipient is a controller; and (iii) entering into a data processing agreement with the recipient where the recipient is a processor. The EU–US privacy shield FAQ for European businesses can be found here.
FAQs for European Individuals
The FAQs for European Individuals contain explanatory notes as to the nature of the Privacy Shield and how this arrangement is beneficial to individuals in Europe. They also set out the procedure by which a European individual may make a complaint against a business for breach of the Privacy Shield Principles. The EU–US privacy shield FAQs for European individuals can be found here.