If you are a risk manager of a multi-national company, and you haven’t heard of Article 29 Working Party (WP29), it’s time you become acquainted. It is an independent European advisory body on data protection and privacy. One of its core functions is to provide an opinion on the level of data protection in the EU and other countries. In this capacity, it will advise on the terms and ultimate implementation of the newly minted US-EU Data Privacy Shield. Recently, it issued guidance on how the current EU data protection program affects businesses located outside the EU.
As we wrote earlier here and here, the EU General Data Protection Regulation is expected to take effect in the next two years. Most importantly, the US-EU Data Privacy Shield framework will have to align with the Regulation to ensure that it offers sufficient protection of the privacy rights of EU data subjects for any US-EU data transfers. The Privacy Shield, as proposed, will allow EU data subjects who feel their privacy rights have been violated to complain to the U.S. Department of Commerce or to the Federal Trade Commission, which then have enforcement powers. As we have seen, the FTC has been very active in enforcement of cyber-related transgressions by U.S. companies.
WP29 is expected to review the US-EU Data Privacy Shield documentation in the next two months. If you transfer personal data between the U.S. and EU (or have a vendor who handles this function for you), stay tuned. Once the framework and the corresponding guidance for businesses are established, it will be time to start preparing your business for compliance with the new process.