Privacy & Information Security Law Blog

Recently, the EU’s Article 29 Working Party (”Working Party”) held a plenary meeting to discuss, among other things, the implementation of the EU General Data Protection Regulation (“GDPR”) and the EU-U.S. Privacy Shield. As well as adopting its first Joint Annual Review Report on the Privacy Shield, the Working Party has been working on a number of documents that offer review and/or guidance on the GDPR, including:

• guidelines on (1) consent and transparency, (2) data protection certifications, and (3) derogations for personal data transfers under the GDPR;
• updated “referentials” on adequacy and binding corporate rules for data controllers and processors; and
• tools for cooperation between data protection authorities on data breach notifications.

Future work includes:

• developing a position on Article 3 of the GDPR, which pertains to the GDPR’s territorial scope;
• a new opinion on the proposal of the ePrivacy Regulation, which the European Commission aims to introduce alongside the GDPR.

In addition to these documents, the Working Party has made progress on defining the organization and structure of the European Data Protection Board (“EDPB”), which will be ready by May 2018. The EDPB will replace the Working Party and will have a more active role in the regulation of data protection practices across the EU in comparison to its predecessor. The Working Party also has established a taskforce to focus on harmonization with respect to the calculation of fines imposed under the GDPR, having recognized that there exists a range of approaches to sanctioning across EU Member States.