Dec 222016

EU’s Article 29 Working Party publishes Privacy Shield FAQs

William RM Long and Francesca Blythe
, , ,

On December 13, 2016 at its plenary meeting, the EU’s Article 29 Working Party (“WP29”) adopted guidance on the EU-US Privacy Shield Framework for businesses and individuals in Europe. Since the U.S. Department of Commerce began accepting certifications to the Privacy Shield in August 2016, almost 1,300 companies have self-certified to the Privacy Shield and we understand many more are awaiting approval from the Department of Commerce.

During the meeting the WP29 confirmed that it will take on the role of the “EU centralized body” – the EU individual complaint handling body set up under the Privacy Shield to address complaints in respect of data transferred to the US for commercial purposes and further accessed for national security purposes. This is distinct from the “EU informal panel of DPAs” for which the WP29 will also be assuming the role.  The new guidance has been adopted in the form of separate FAQs for European businesses and European individuals.

FAQs for European businesses

The FAQs set out explanatory notes as to the nature of the Privacy Shield, and explains to European businesses which US companies are eligible to self-certify to the Privacy Shield. The FAQs also set out steps that European businesses must take with regard to their US-based counterparts (whether controllers or processors) prior to transferring personal data under the Privacy Shield.  These steps include, for example: (i) ascertaining the scope of the relevant Privacy Shield certification and confirming that this certification is active; (ii) identifying a legal basis for the transfer under EU data protection laws where the recipient is a controller; and (iii) entering into a data processing agreement with the recipient where the recipient is a processor. The EU–US privacy shield FAQ for European businesses can be found here.

FAQs for European Individuals

The FAQs for European Individuals contain explanatory notes as to the nature of the Privacy Shield and how this arrangement is beneficial to individuals in Europe. It also sets out the procedure by which a European individual may make a complaint against a business for breach of the Privacy Shield Principles. The EU–US privacy shield FAQs for European individuals can be found here.

William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

It Is Now More Difficult For International Pharma To Transfer Data Out Of China

China’s new Measures for the Security Assessment of Outbound Data Transfers (the “Measures”) came into force on September 1, 2022. Pharma companies now have until February 28 to work out whether their activities mean they are affected, and to apply for the new type of data security assessment if they need it.