On February 21, 2017, the Article 29 Working Party (“WP29”) published a “Rules of Procedure for the ‘Informal Panel of EU DPAs’ According to the EU-US Privacy Shield” and a “Complaint Form for Submitting Commercial Related Complaints to EU DPAs.” Both documents also reference the not-yet-effective General Data Protection Regulation (“GDPR”). The publication of these documents indicates that EU regulators are preparing for enforcement. For those organizations that certified by September 30, 2016 to take advantage of the nine-month grace period, this serves as a reminder that enforcement of the Privacy Shield’s Onward Transfer Principle is just a couple of months away. Thus, if you have not yet made the necessary changes to your agreements involving EU data transfers, you should make sure to address this issue now, before the grace period ends on June 30, 2017.
Rules of Procedure
Under Supplemental Principle III.5 “Operation of DPA Panels” of Privacy Shield, individuals or U.S. organizations with unresolved complaints are able to bring such complaints before an informal EU DPA panel. The Rules of Procedure describe how the informal EU DPA panel will operate. Some key points include:
- The Data Protection Authority (“DPA”) that receives the complaint will assess whether the DPA panel is competent to handle the complaint and, if not, may refer the complaint to the U.S. Department of Commerce, the U.S. Federal Trade Commission or the Department of Transportation.
- A competent panel is comprised of a lead DPA and typically two co-reviewer
- The lead DPA should be the DPA that receives the complaint or is the first to receive the complaint if the complaint has been lodged with multiple DPAs.
- When selecting co-reviewer DPAs, the lead DPA will consider certain criteria, such as:
  - where the EU headquarters of the U.S. company’s group are;
  - where the company’s relevant data processing is facilitated in the EU;
  - the place in the EU from which most data transfers take place;
  - the place where a large number of EU individuals are likely to be affected by the alleged violation;
  - particular expertise of certain DPAs; and,
  - available resources.
- To be a co-reviewer DPA, a DPA must either show an interest in the complaint or be selected by the lead DPA.
- The panel will provide advice within 60 days of receiving a complaint.
- A U.S. company will have 25 days to comply once the panel delivers its advice.
Individuals can choose to use the Complaint Form, which requests answers to several questions about their complaint, to submit their Privacy Shield complaints to their country’s DPA. At the end of the document, the form explains who will be handling the data provided in the form, how the data will be protected, and whether the data will be transferred to the U.S.