EU Data Protection Authority Issues GDPR Action Plan, Swiss Sign Privacy Deal with U.S.

On January 16, 2017, the Article 29 Working Party (“Working Party”)—the EU’s central data protection advisory board—published a press release regarding its Action Plan for 2017, which was adopted as part of its wider implementation strategy for the General Data Protection Regulation (“GDPR”). The Action Plan follows up on the actions initiated in 2016 and outlines the priorities and objectives for the year to come in anticipation of the entry into force of the GDPR in May 2018.

In 2017, the Working Party commits to continue and/or finalize work on several key issues:

  • Guidelines on certification and processing likely to result in a high risk and Data Protection Impact Assessments (“DPIA”);
  • Administrative fines;
  • Setting up the administration of the European Data Protection Board (“EDPB”) structure; and
  • Preparation of the one-stop shop and the EDPB consistency mechanism.

New work priorities and objectives for 2017 include:

  • Guidelines on the topics of consent and profiling;
  • Guidelines on the issue of transparency; and
  • Update of existing opinions and guidance documents on data transfers to third countries and data breach notifications.

Moreover, the Working Party commits to continue consultation rounds and will invite relevant stakeholders to provide input on topics of interest. During a “Fablab” workshop announced for April 5 and 6, stakeholders will have the opportunity to comment on the Working Party’s Action Plan. Non-EU counterparts will have an opportunity to exchange views on the Working Party’s GDPR implementation and the GDPR generally during an interactive workshop scheduled for May 18-19, 2017.

* * *

In other data protection news, on January 11, 2017 the U.S. and Switzerland signed a Privacy Shield Agreement recognizing the adequacy of U.S. data protection legislation in light of Swiss requirements. Months earlier, on October 7, 2015, the Swiss Data Protection Commission stated that it would follow the Court of Justice of the European Union's invalidation of the U.S. – EU Safe Harbor framework, and hence, a new framework was required. Resembling the EU – U.S. Privacy Shield, the new Swiss – U.S. agreement enables certified companies to export data from Switzerland to the U.S. in compliance with Swiss data protection laws. There are three notable differences between the EU – U.S. and Swiss – U.S. Privacy Shield frameworks:

| EU – U.S. Privacy Shield | Swiss – U.S. Privacy Shield |
| --- | --- |
| EU Data Protection Authority is cooperation and compliance authority | Swiss Federal Data Protection and Information Commissioner is cooperation and compliance authority |
| Sensitive data definition under Choice Principle | Modified sensitive data definition under Choice Principle includes ideological or trade union-related views or activities, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings |
| Binding arbitration option in place | Commerce to work with Swiss Government to put in place binding arbitration option at first annual review |

The new agreement replaces the existing U.S. – Swiss Safe Harbor Framework with immediate effect. The Department of Commerce will begin accepting self-certification applications on April 12, 2017.