Article 29 Working Party

Industry eagerly awaits further guidance from data protection authorities (“DPAs”) relating to the EU-U.S. Privacy Shield as well as on the validity (or otherwise) of other mechanisms for transfers to the U.S. such as standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”).  As we explained in recent posts (here and here), publication of an opinion by the Article 29 Working Party, representing, among other things, the EU’s data protection authorities, is a key next step that will shape enforcement and data transfer options for companies in the post-Schrems environment.  Until then, here is a summary of the approach that some of the national DPAs are taking:
Continue Reading EU DPA Enforcement Guidance Post-Schrems

On February 3rd, the Article 29 Working Party, representing Europe’s data protection authorities, published its reaction to the announcement of a new “Privacy Shield” political agreement between the European Commission and the U.S. Government.  The Privacy Shield agreement, announced on February 2nd (and further described in our blog post here), is intended to replace the now-defunct Safe Harbor Framework, and may form a future legal basis for transatlantic data flows between Europe and the United States.
Continue Reading Article 29 Working Party Reacts to the U.S.-EU Privacy Shield Agreement

Today (February 2nd, 2016), the European Commission and U.S. Government reached political agreement on the new framework for transatlantic data flows.  The new framework – the EU-U.S. Privacy Shield – succeeds the EU-U.S. Safe Harbor framework (for more on the Court of Justice of the European Union decision in the Schrems case declaring the Safe Harbor invalid, see our earlier post here).  The EU’s College of Commissioners has also mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement.
Continue Reading Agreement Reached on New EU-U.S. Safe Harbor: the EU-U.S. Privacy Shield

By Monika Kuschewsky and Vera Coughlan

Following the judgment of the Court of Justice of the EU of October 6 in the Schrems case (Case C-362/14) (see our previous blog post here), today, the European Commission issued guidance on transfers of personal data from the EU to the U.S. post Schrems. For the press release see here, Q&As here and the Commission Communication here.

In large, the guidance confirms the status quo and summarizes existing guidance of the Article 29 Data Protection Working Party (“WP29”), the EU advisory body on privacy comprised of representatives of the national data protection authorities (“DPAs”), the European Data Protection Supervisor and the Commission, and the WP29’s statement of October 16 (see our previous blog post here). Most notably, the Commission joins the WP29 in the position that alternative tools authorizing data flows can still be used by companies for lawful data transfers to third countries, including to the U.S. The Commission then further explains each of these alternative tools in more detail:
Continue Reading European Commission issues guidance on the impact of the Schrems (Safe Harbor) ruling of the EU’s Highest Court

Today, the German supervisory authorities (“German DPAs”) responsible for data protection at federal and state (Länder) level published a position paper on the EU-U.S. Safe Harbor (available in German – see here).  This 14-point position paper follows a meeting that these authorities held last week.  Key points include:

  • following the Safe Harbor

The Article 29 Data Protection Working Party (“Article 29 WP”), an EU advisory body on data protection composed of representatives of the national data protection authorities (“DPAs”), the European Data Protection Supervisor and the European Commission, met in plenary on Thursday, October 15, to discuss the first consequences of the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems case (see our previous blog post here). In a press release (see here) on October 16, they emphasize that “it is absolutely essential to have a robust, collective and common position on the implementation of the judgment.” They will closely observe the pending procedures before the Irish High Court, which is expected to issue a judgment in November, now that the case has been referred back to it by the CJEU.

The key take-aways from the Article 29 WP’s press release are that:

  • data transfers under the European Commission’s Safe Harbor decision after the CJEU judgment are unlawful;
  • the Article 29 WP will analyze the impact of the CJEU judgment on other transfer tools − during this period standard contractual clauses and Binding Corporate Rules (“BCRs”) can still be used;
  • grace period: DPAs will take action, including coordinated enforcement action, if by the end of January 2016 no appropriate solution with the U.S. authorities is found (depending on the assessment of the other transfer tools); and
  • in the meantime, DPAs can investigate in particular cases and exercise their powers to protect individuals, for instance, in case of a complaint.


Continue Reading Article 29 WP On the Schrems Ruling (Safe Harbor) − Latest Developments and Next Steps

On June 2, 2015, the Article 29 Working Party updated its published guidance on the topic of Processor BCRs.  In their latest guidance document, the Working Party focus specifically on the sensitive topic of disclosures to  law enforcement agencies (LEAs).

By means of Processor BCRs, data processors are able to share EU-originating personal data within their group globally.  This increases the risk that foreign LEAs will either request or compel production of the data by group affiliates established outside the EU.  European concerns over the broad scope of U.S. government surveillance programs, and similar programs in other countries, undoubtedly provided the impetus for the guidance.  The Working Party recognizes this risk and appears to appreciate the difficult situation processors can find themselves in when asked to produce information to LEAs. In line with previous guidance relating to e-discovery, the Working Party proposes a “best-efforts” model.

Continue Reading Article 29 Working Party Updates BCR Guidance

The Article 29 Data Protection Working Party (Working Party), an independent EU advisory body on data protection and privacy, responded to a request from the European Commission made in the framework of the Commission’s  mHealth initiative to clarify the definition of data concerning health in relation to lifestyle and wellbeing apps.  (See more here, and here for our blog post on the European Commission’s Summary Report of the mHealth consultation.)

In its latest paper on health data in apps and devices, the Working Party supports a broad definition of health data, distinguishing the following three categories of health data:

  1. The data are inherently/clearly medical data, especially those generated in a professional, medical context.
  2. The data are raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person.
  3. Conclusions are drawn about a person’s health status or health risk (irrespective of whether these conclusions are accurate, legitimate or otherwise adequate or not).
    Continue Reading Article 29 Working Party Clarifies Scope of Health Data in Apps and Devices

By Tom Jackson

On November 26, 2014, the Article 29 Working Party adopted a working document setting out a cooperation procedure for issuing common opinions on contractual clauses considered as compliant with the EC Model Clauses (the “Working Document”).  The Working Document sets out the framework for a procedure designed to streamline the process of obtaining the necessary approvals to transfer data outside the EEA.  It introduces the concept of a “Lead DPA,” through whom an applicant company would be able to deal with a range of competent national authorities in order to gain a common opinion on the adequacy of its contractual clauses.

The publication of this Working Document serves as an indication that European data protection authorities recognize that the current system is burdensome and often time-consuming for companies seeking to transfer data outside the EEA.  However, it remains to be seen when, or even if, the procedure proposed by the Working Party will be put into practice.
Continue Reading Article 29 Working Party Publishes Working Document Setting Out Cooperation Procedure for Issuing Common Opinions on Contractual Clauses

By Tom Jackson

On November 26, 2014, the Article 29 Working Party released a short joint statement containing a series of declarations on:  (i) “European values”; (ii) “surveillance for security purposes”; and (iii) the “European influence.”  The joint statement emphasizes the balance to be struck between protecting data protection rights and allowing national intelligence agencies to perform their duties, and the fundamental importance of European data protection rights more generally. These affirmations are particularly significant in the context of both the Snowden revelations and the ongoing Transatlantic Trade and Investment Partnership (TTIP) negotiations.

Continue Reading European Data Protection Regulators Release Joint Statement on European Values