Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Official guidance on the international reach of the European Union’s new privacy regime won’t be issued before the General Data Protection Regulation takes effect May 25, Andrea Jelinek, the new leader of a group of EU privacy chiefs, told Bloomberg Law Feb. 7.
Jelinek, director of the Austrian Data Protection Authority, replaces Isabelle Falque-Pierrotin, president of the French Data Protection Authority, as head of the group of EU privacy officials known as the Article 29 Working Party. Falque-Pierrotin had chaired the group since February 2014.
The group, which announced the change Feb. 7, will become the European Data Protection Board, with new powers to resolve cross-border data disputes, when the GDPR takes effect.
Guidance on GDPR enforcement is particularly important to U.S.-based multinationals because the new regime will apply to any company that uses the personal data of EU citizens in commercial contexts, regardless of where they are located.
“The one million dollar question is to what extent does the GDPR apply directly” to companies outside the EU with establishments in the EU, Jorg Hladjk, privacy of counsel with Jones Day in Brussels, told Bloomberg Law. That is creating a lot of uncertainty, Hladjk said.
Bojana Bellamy, president of the Hunton & Williams LLP Centre for Information Policy Leadership, agreed, telling Bloomberg Law that the Art. 29 party should at least issue short, FAQ-style guidance on the law’s territorial scope, “covering various scenarios and permutations of controllers and processors established in the EU and outside the EU, and how the law applies to them.”
Jelinek, however, said the guidance issued by the party so far is “enough for everybody to start with.” Companies should have been preparing to comply with the GDPR, not waiting for guidelines, she said.
The group has already finalized guidance on data portability, data protection officers, data protection impact assessments, identifying lead privacy regulators when companies operate in more than one EU country, and fines. Principles on internal binding corporate rules used by companies to transfer data out of the EU, and for deciding on the adequacy of privacy protections in non-EU countries in the context of the GDPR, have been updated in draft form.
The group has released draft guidance on data breach notice, automated decision-making and profiling, consent, and transparency of privacy practices. Those drafts will be finalized after the close of a public comment period.
Outgoing chairman Falque-Pierrotin said at the Feb. 7 briefing that already-released guidance has addressed “most of the concerns and the questions” asked by privacy professionals.
But Hladjk said that the late finalization of guidance creates challenges for companies, which have already acted to put compliance programs in place.
Draft guidance on privacy certification programs, and on other legal means for companies to justify their transfer of data outside the EU, will be released before May 25, the group announced at its briefing.
To contact the reporter on this story: Stephen Gardner in Brussels at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com
Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)