INTERNATIONAL
Privacy Shield will have to meet
more stringent obligations
regarding the processing of
personal data than under the now
invalid Safe Harbor Framework.
We understand that these
obligations will be in line with the
EU General Data Protection
Regulation, which is due to be
adopted in the coming months. In
practical terms, this is likely to
mean that US companies will need
to implement a data protection
programme that meets EU privacy
standards, document international
data flows, review and amend
existing notices, consents and
privacy policies, impose onward
transfer agreements on
subcontractors or other third party
recipients, and develop complaints
procedures. However, it is still
unclear how Safe Harbor self-certified companies will transition
to the new framework and how
companies new to the framework
will certify to the Privacy Shield,
although we understand that the
European Commission will be
working on a number of guidelines
to assist companies in
implementing the Privacy Shield.
Where does this leave us in
terms of next steps?
The European Commission is to
prepare a draft ‘adequacy decision’
in the coming weeks, which marks
the start of the comitology
procedure in the EU. This so-called
comitology procedure involves
review of the Privacy Shield by the
WP29 and the Article 31
Committee, which consists of
representatives from EU Member
States.
The European Parliament
will also be consulted and may
require a resolution to be passed.
The WP29 has imposed a
deadline of the end of February
2016 for it to receive the
documents on the Privacy Shield
from the European Commission.
Data Protection Law & Policy - February 2016
In its statement published on 3
February 2016, the WP29
indicated that its review would be
undertaken in line with the ‘four
essential guarantees for intelligence
activities’ established pursuant to
EU case law:
1. Processing should be based on
clear, precise and accessible rules;
2. Necessity and proportionality
should be demonstrated;
3. An independent oversight
mechanism should exist; and
4. Effective remedies should be
available for individuals.
Conclusion
Although the significant efforts by
US and EU authorities to achieve a
political agreement on the Privacy
Shield are very much welcomed by
businesses operating trans-Atlantic
data flows, there will continue to
be uncertainty until the WP29 has
concluded its review, not only of
the Privacy Shield but also of the
other data transfer mechanisms
(i.e. EU Standard Contractual
Clauses and Binding Corporate
Rules).
During this period of ambiguity
companies will need to closely
monitor the fast-moving
developments to determine the
best strategy for dealing with
international transfers.
William Long Partner
Francesca Blythe Associate
Sidley Austin LLP, London
wlong@sidley.com
fblythe@sidley.com