After many months of negotiation and review the EU-US Privacy Shield was formally adopted by the European Commission on July 12, 2016. This came just a few days after the Article 31 Committee approved the updated text of the EU-US Privacy Shield on July 8, 2016.
The final text of the much anticipated EU-US Privacy Shield has been sent by the European Commission for review and approval to the Article 31 Committee, which includes representatives from all 28 Member States. Approval by the Article 31 Committee will pave the way for a final decision by the Commission adopting the Privacy Shield, expected on 11 July, 2016. If approved, the Privacy Shield will take effect as soon as the US Department of Commerce establishes a new process for US companies that wish to use the Privacy Shield as a legal basis for data transfers of personal data from the EU to certify in accordance with the new framework. Businesses should examine the final Privacy Shield documents and requirements and determine whether to proceed with certification once the Privacy Shield is approved.
On 6 June 2016, the Hamburg Data Protection Commissioner issued fines against three international companies for failing to implement alternative data transfer mechanisms following the invalidation of Safe Harbor in October 2015.
On May 17, 2016, the European Council formally adopted the Network and Information Security Directive (the “NIS Directive“) at first reading. According to the Council press release, the NIS Directive is meant to increase cooperation among EU Member States on the vital issues of cybersecurity.
The NIS Directive was first proposed by the European Commission in 2013 as part of the EU’s Cyber Security Strategy. The formal adoption of the NIS Directive by the Council follows on from the political agreement reached in December 2015. It must now be approved by the Parliament at second reading. The NIS Directive is expected to enter into force in August 2016, after which Member States will have 21 months to implement it into their national laws.
On Thursday, April 14, 2016, the European Parliament voted to adopt the long-awaited EU General Data Protection Regulation (the GDPR). During the plenary session Jan Philipp Albrecht, rapporteur of the European Parliament for the GDPR, welcomed the adoption following what he described as years of “democratic debate and legislative process.” Albrecht further described the adoption as “a huge step forward towards creating a single legal environment for the digital world of tomorrow.” Today’s parliamentary vote completes the legislative process for adoption of the GDPR. The final step will be for the GDPR to be published in the Official Journal of the EU which will likely take place in May 2016. Companies and regulators will then have two years from the date of publication in which to implement the requirements under the GDPR. Businesses should now seriously consider the impact of the GDPR and start planning for implementation.
The past several days, the GDPR (the EU General Data Protection Regulation) took two significant steps towards adoption. On Friday, April 8, 2016, the European Council adopted the GDPR at first reading. Then today, Tuesday, April 12, 2016, the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (the LIBE Committee) approved the GDPR by a 54-3 vote with one abstention. The European Parliament is due to vote on the GDPR in a second reading at a plenary session this coming Thursday. That will complete the legislative process for adoption of the GDPR. The final step will be for the GDPR to be published in the Official Journal of the EU which will likely take place in May 2016. After publication, the GDPR will apply two years after the date of publication, allowing companies and regulators a grace period to prepare. The interpretation of the GDPR will be shaped by guidance from the new European Data Protection Board.
Today, alleged extracts from the impending Article 29 Working Party Opinion on the adequacy of the Privacy Shield were leaked. These extracts indicate that a number of clarifications on the Privacy Shield documents will be required before the Working Party can confirm that the Privacy Shield, in its view, ensures a level of protection that is essentially equivalent to that in the EU. The full opinion is due to be published on Wednesday 13 April, and will form part of the package for consideration by the European Commission.
The much-anticipated documentation for the EU-U.S. Privacy Shield, a new framework on transatlantic data flows, was published by the European Commission on February 29, 2016. The framework now will undergo a process of review and approval, including by the EU’s Article 29 Working Party, which is due to finish its review by the end of March 2016. If approved, it will take effect after an implementation period, during which all companies that wish to use the Privacy Shield as a basis for data transfers will have to certify in accordance with the new framework.
The Article 29 Working Party has confirmed in a statement that EU Standard Contractual Clauses and Binding Corporate Rules are still valid data transfer mechanisms for the time being. The announcement was made following a meeting held to discuss the consequences of the Court of Justice of the European Union’s (“CJEU“) decision invalidating the US-EU Safe Harbor Framework and just one day after the European Commission announced that a political agreement had been reached on a new framework, the “EU-US Privacy Shield”.