Photo of Laura van der Meer

+(32)(2) 899-2931

On January 16, 2017, the Article 29 Working Party (“Working Party”)—the EU’s central data protection advisory board—published a press release regarding its Action Plan for 2017, which was adopted as part of its wider implementation strategy for the General Data Protection Regulation (“GDPR”).  The Action Plan follows up on the actions initiated in 2016 and outlines the priorities and objectives for the year to come in anticipation of the entry into force of the GDPR in May 2018.

In 2017, the Working Party commits to continue and/or finalize work on several key issues:

  • Guidelines on certification and processing likely to result in a high risk and Data Protection Impact Assessments (“DPIA”);
  • Administrative fines;
  • Setting up the administration of the European Data Protection Board (“EDPB”) structure; and
  • Preparation of the one-stop shop and the EDPB consistency mechanism.

New work priorities and objectives for 2017 include:

  • Guidelines on the topics of consent and profiling;
  • Guidelines on the issue of transparency; and
  • Update of existing opinions and guidance documents on data transfers to third countries and data breach notifications.

Moreover, the Working Party commits to continue consultation rounds and will invite relevant stakeholders to provide input on topics of interest.  During a “Fablab” workshop announced for April 5 and 6, stakeholders will have the opportunity to comment on the Working Party’s Action Plan. Non-EU counterparts will have an opportunity to exchange views on the Working Party’s GDPR implementation and the GDPR generally during an interactive workshop scheduled for May 18 -19, 2017.

*           *           *

In other data protection news, on January 11, 2017 the U.S. and Switzerland signed a Privacy Shield Agreement recognizing the adequacy of U.S. data protection legislation in light of Swiss requirements.  Months earlier, on October 7, 2015, the Swiss Data Protection Commission stated that it would follow the Court of Justice of the European Union’s invalidation of the U.S. – EU Safe Harbor framework, and hence, a new framework was required.  Resembling the EU – U.S. Privacy Shield, the new Swiss – U.S. agreement enables certified companies to export data from Switzerland to the U.S. in compliance with Swiss data protection laws.  There are three notable differences between the EU –U.S. and Swiss – U.S. Privacy Shield frameworks:

EU – U.S. Privacy Shield Swiss – U.S. Privacy Shield
EU Data Protection Authority is cooperation and compliance authority Swiss Federal Data Protection and Information Commissioner is cooperation and compliance authority
Sensitive data definition under Choice Principle Modified sensitive data definition under Choice Principle includes ideological or trade union-related views or activities, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings
Binding arbitration option in place Commerce to work with Swiss Government to put in place binding arbitration option at first annual review

The new agreement replaces the existing U.S. – Swiss Safe Harbor Framework with immediate effect. The Department of Commence will begin accepting self-certification applications on April 12, 2017.

On July 12, 2016, the European Commission (“Commission”) formally adopted and released the Privacy Shield Adequacy decision, which will allow certified U.S. companies to transfer EU personal data to the United States.  The EU-U.S. Privacy Shield (“Privacy Shield”) replaces the U.S.-EU Safe Harbor framework (“Safe Harbor”), which was invalidated in October 2015 by the European Court of Justice (“ECJ”) in Maximillian Schrems v Data Protection Commissioner. The decision will immediately go into effect upon notification to the EU Member States.

The more than 4,400 U.S. companies that previously relied on the Safe Harbor and have been waiting for an alternative mechanism for data transfers can choose to self-certify to the Department of Commerce (“Commerce”) under the new Privacy Shield framework. Commerce will begin accepting Privacy Shield applications on August 1, 2016. This client advisory provides an overview of Privacy Shield, highlights key differences between Privacy Shield and Safe Harbor, and offers some key considerations given the forthcoming Global Data Protection Regulation and other data privacy developments.

Continue Reading What You Need to Know About Privacy Shield: An Overview of the New Transatlantic Framework

An exchange of views between the European Parliament and Mrs. Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality, revealed ongoing negotiations between the Commission and the U.S. Department of Commerce for a revised Safe Harbour agreement to allow data from the European Union to be processed in the U.S.  The exchange took place at a meeting of the European Parliament’s Committee for Civil Liberties, Justice and Home Affairs Committee in Strasbourg on Monday, 26 October.

Mrs. Jourová informed the Parliament that a Working Party comprising the European Data Protection Authorities (DPAs), convened to discuss the ECJ ruling and a revised Safe Harbour, had confirmed the continuing availability of other tools allowing for data transfer and processing, including standard contractual clauses and binding corporate rules. She noted, however, that the DPAs were in the process of evaluating the potential impact of the Schrems judgement on those other tools.  The Commission will publish an explanatory communication concerning the Schrems judgement shortly.   The Commissioner asked for the Parliament’s support in convincing Washington to provide greater security under a revised Safe Harbour that would move from a self-regulated approach to more oversight through regulatory controls, back up by enforcement and sanctions provisions.

In response to questions by European Parliamentarians, Mrs. Jourová stressed that the ongoing discussions with Washington were unrelated to and did not impact the position of the Commission on TTIP, as data protection is not part of that negotiation. When asked whether a revised Safe Harbour would require changes in U.S. legislation, timeframes, and how the Commission intended to deal with the transitional period, the Commissioner responded that better controls would include more precise descriptions of the limitations under which intelligence agencies would have access to data and, among other things, annual reviews conducted by state authorities.    Mrs. Jourová also indicated that the Commission was continuing to work on an urgent basis on a data protection reform package that would safeguard fundamental rights while creating greater legal certainty by replacing the differing approaches of the 28 Member States.

The European Commission will meet with U.S. authorities in mid-November and will report back to the European Parliament on 10 December. Mrs. Jourová stated that if a solution is not found for a revised Safe Harbour with U.S. authorities by the end of January 2016, the DPAs of the EU Member States would take all necessary steps, including bringing enforcement actions.



In the first public debate in the European Parliament to take place to date, Members of the European Parliament have expressed their support for the 6 October 2015 judgement of the European Court of Justice (ECJ) invalidating the Safe Harbour Decision that had allowed companies to process personal data from the European Union (EU) in the United States since 2000.   In Maximillian Schrems v. Data Protection Commissioner, the ECJ concluded that the general access to the content of electronic communications by U.S. intelligence authorities violates the fundamental right to respect of private life guaranteed to EU citizens and that the U.S. system therefore failed to meet the required level of data protection under EU law. Parliamentarians expressed their initial views in a meeting of the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) Committee on Monday, 12 October, at which the European Commission Legal Services presented the Schrems judgement.

While the basis of the ECJ’s judgement has been criticized as “weak” by numerous legal practitioners, Members of the European Parliament who offered comments unanimously supported the ruling. Members from the European United Left, Liberal Democrats, and Greens parties underlined their views that the Safe Harbour Decision was not in line with the EU Charter of Fundamental Rights and criticized the European Commission for not taking responsibility and action earlier.

Members of the Green party rejected the notion of a quickly renegotiated “Safe Harbour Plus” and left-wing Members insisted that the United States be held to the same standards as any other third country.   Members claimed that negotiations between the European Commission and U.S. authorities are too secretive and called on the Commission to fully inform the European Parliament concerning these discussions. A Member from the Liberal Democrats party also suggested that national authorities are better equipped to evaluate the adequacy of third country data protection systems than the European Commission.   A further exchange of views between Parliamentarians and Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality, is scheduled for the LIBE Committee meeting on Monday, 26 October 2015.