Companies Must Wait for Reach of GDPR Guide: New EU Privacy Leader

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Official guidance on the international reach of the European Union’s new privacy regime won’t be issued before the General Data Protection Regulation takes effect May 25, Andrea Jelinek, the new leader of a group of EU privacy chiefs, told Bloomberg Law Feb. 7.

Jelinek, director of the Austrian Data Protection Authority, replaces Isabelle Falque-Pierrotin, president of the French Data Protection Authority, as head of the group of EU privacy officials known as the Article 29 Working Party. Falque-Pierrotin had chaired the group since February 2014.

The group, which announced the change Feb. 7, will become the European Data Protection Board, with new powers to resolve cross-border data disputes, when the GDPR takes effect.

Guidance on GDPR enforcement is particularly important to U.S.-based multinationals because the new regime will apply to any company that uses the personal data of EU citizens in commercial contexts, regardless of where they are located.

“The one million dollar question is to what extent does the GDPR apply directly” to companies outside the EU with establishments in the EU, Jorg Hladjk, privacy of counsel with Jones Day in Brussels, told Bloomberg Law. That is creating a lot of uncertainty, Hladjk said.

Bojana Bellamy, president of the Hunton & Williams LLP Centre for Information Policy Leadership, agreed, telling Bloomberg Law that the Art. 29 party should at least issue short, FAQ-style guidance on the law’s territorial scope, “covering various scenarios and permutations of controllers and processors established in the EU and outside the EU, and how the law applies to them.”

Sufficient Guidance?

Jelinek, however, said the guidance issued by the party so far is “enough for everybody to start with.” Companies should have been preparing to comply with the GDPR, not waiting for guidelines, she said.

The group has already finalized guidance on data portability, data protection officers, data protection impact assessments, identifying lead privacy regulators when companies operate in more than one EU country, and fines. Principles on internal binding corporate rules used by companies to transfer data out of the EU, and for deciding on the adequacy of privacy protections in non-EU countries in the context of the GDPR, have been updated in draft form.

The group has released draft guidance on data breach notice, automated decision-making and profiling, consent, and transparency of privacy practices. Those drafts will be finalized after the close of a public comment period.

Outgoing chairman Falque-Pierrotin said at the Feb. 7 briefing that already-released guidance has addressed “most of the concerns and the questions” asked by privacy professionals.

But Hladjk said that the late finalization of guidance creates challenges for companies, which have already acted to put compliance programs in place.

Draft guidance on privacy certification programs, and on other legal means for companies to justify their transfer of data outside the EU, will be released before May 25, the group announced at its briefing.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security