Article 29 Working Party sheds light on Privacy Shield complaints procedure and issues upcoming GDPR dates for your diary

Greg Whitaker

As Max Schrems continues to do battle over Model Clauses in the Irish High Court, the Article 29 Working Party (WP29) has this week issued guidance surrounding EU-US Privacy Shield (Privacy Shield) related complaints. The guidance will be of note to any EU citizen wishing to complain about the handling of their personal data that has been transferred from the EU to one of the, as of 24 February, 1724 Privacy Shield registered organisations. It encompasses a template complaint form and Rules of Procedure and should provide parties concerned with all the information necessary to notify a breach under the 6 month old framework.

The Rules of Procedure provide guidance on how an “Informal Panel of EU DPAs” (Panel) will operate in advising US organisations following a complaint. The Panel will aim to provide guidance within 60 days after receiving a complaint form. The complaint form is optional to use (national DPAs can be contacted by other means) but the information requested in the form is needed in order to handle a complaint.

However this is not all that the WP29 has been up to recently. In the light of President Trump’s somewhat eventful start to his term in office, the WP29 is to send a letter to the US authorities covering a couple of areas of concern:

  • It will point out concerns and ask for clarification on the 45th President’s much discussed Executive Order, ‘Enhancing Public Safety in the Interior of the United States’. And,
  • The letter will request assurances on the way personal data will be dealt with by US authorities regarding complaints under the Privacy Shield.

Elsewhere, preparation for GDPR implementation in May 2018 is full steam ahead and in a press release following their February plenary meeting, the WP29 outlined its schedule for the coming months. Dates and deadlines to watch out for include:

In April 2017:

  • The Rapporteurs are due to review comments on the “pre-adopted” guidelines on: DPOs, lead authority and data portability (see Datonomy coverage here), before submitting amended guidelines for adoption at April’s plenary session.
  • The final version of the WP29’s guidelines on Data Protection Impact Assessments is due to be proposed for “pre-adoption”.
  • The WP29’s second Fablab will take place on April 5 and 6 – this interactive workshop will focus on the topics of consent, profiling and the notification of data breaches.
  • Opinions on (i) the proposed e-Privacy Regulation (discussed by Datonomy here) and (ii) the revised EU Regulation 45/2001 on the processing of personal data by European institutions and bodies should, according to the WP29’s Press Release, likely be submitted for adoption.

In June 2017:

  • Guidelines on GDPR certification schemes (certification will demonstrate GDPR compliance) are expected for “pre-adoption”.

Datonomy will continue to monitor these developments.

Leave a Reply

Your email address will not be published. Required fields are marked *