May

The Article 29 Working Party published its Opinion on the EU-U.S. Privacy Shield draft adequacy decision. The Privacy Shield was created to replace the previous Safe Harbor framework invalidated by the Court of Justice of the European Union in the Schrems decision. The Working Party also published a Working Document on the justification for interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data. The Working Party recognized that the Privacy Shield is a significant improvement to the Safe Harbor framework. However, the Working Party also stressed the overall complexity and lack of clarity regarding the new framework and expressed concerns with respect to both the commercial and national security aspects of the Privacy Shield. The Working Party urged the European Commission to resolve their concerns, identify appropriate solutions to improve its draft adequacy decision, and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that offered by European data protection laws.

The EU institutions have agreed on the text of the EU's successor privacy legislation: the General Data Protection Regulation (GDPR). The GDPR will replace the 'patchwork quilt' of 28 different EU Member States' laws with a single, unifying data protection law, which should lead to significantly greater data protection harmonization throughout the EU. In addition to harmonizing the EU data protection legal framework, its main objectives are threefold: First, the GDPR increases the rights for individuals. Secondly, it strengthens the obligations for companies. Thirdly, the GDPR dramatically increases sanctions in case of non-compliance. Employers will need to very carefully assess their current HR-related processing activities and identify the gaps with the GDPR. On the basis of this gap analysis, they will need to update their existing procedures and implement the required mechanisms to comply with the new obligations. Failure to do so may result in significant fines or other enforcement measures that could materially impede their business.

The Chair of the EU Data Protection Working Party, Isabelle Falque-Pierrotin (also President of France 's DPA, the CNIL), said that the concerns that remain on the Privacy Shield include US bulk surveillance of EU citizens, lack of recognition of the data retention principle in the Privacy Shield, and the independence and powers of the US Ombudsman who would deal with complaints. In addition, there are still questions about onward data transfers, even though progress has been made on this topic. Falque-Pierrotin said that the EU DPAs have raised several points with the EU Commission and the US administration. Some of these concerns have been met with informal unwritten assurances, but they cannot form an integral part of an adequacy decision. It is too early to come to a conclusion about Binding Corporate Rules and model contracts for EU-US transfers, but companies can continue to use them for now, Falque-Pierrotin said. The European Parliament 's final approval will clear the way for adoption of the EU General Data Protection Regulation.