2016

On June 30, 2016, a joint committee composed of representatives from both chambers of the French Parliament (Joint Committee) reached a common position on the French 'Digital Republic ' Bill that rejects the data localization amendment previously approved by the French Senate, but significantly amends other aspects of the French Data Protection Act. One of the issues discussed by the Joint Committee was the amendment (corrigendum No. 473) adopted by the French Senate on April 27, 2016. This amendment added a data localization provision to the French Data Protection Act, requiring that personal data be stored in a data center located in the EU and not transferred outside of the EU. The French Government was against this amendment which ignored current and future cross-border data transfer restrictions. Unsurprisingly, the amendment was deleted by the Joint Committee. The French Digital Republic Bill now needs to be formally adopted by both chambers of the French Parliament.

On June 22, 2016, the Bavarian Data Protection Authority (DPA) issued a short paper on certifications under Article 42 of the General Data Protection Regulation (GDPR). The GDPR will become effective on May 25, 2018. This paper is part of a series of papers that the Bavarian DPA will be issuing periodically on specific topics of the GDPR to inform the public about what topics are being discussed within the DPA. The DPA emphasizes that these papers are non-binding. The GDPR allows DPAs to issue data protection certifications to companies. According to the Bavarian DPA, such certifications would allow companies to demonstrate that their data processing activities comply with the requirements of the GDPR, however, certified companies must still comply with the law and can be subject to supervision by DPAs. The Bavarian DPA believes that certification under the GDPR has great potential and can provide clarity as to whether data processing operations comply with legal requirements under data protection law.

"The EU-U.S. Privacy Shield register may now be open for business, and Europe's privacy regulators may have collectively (though grudgingly) agreed to assess its progress in a year rather than kick and scream about its flaws now, but at least one regulator is still itching for a fight.

Johannes Caspar, the Hamburg data protection authority, is keen to ask the Court of Justice of the European Union whether it thinks the Commission's decision to strike the data-transfer deal was valid. The ECJ, of course, was the court that declared Privacy Shield's predecessor, Safe Harbor, to have been an invalid ""adequacy decision."" Caspar is hoping that upcoming legal changes in Germany will make it possible for the country's DPAs to challenge adequacy decisions as soon as next year. It is by no means certain that the changes will make this possible, though."