The Article 29 Working Party is preparing for enforcement as the nine-month grace period for US companies that self-certified before 30 September 2016 comes to an end on 30 June 2017.
As of today there are a total of 1,750 organizations signed up to the EU-US Privacy Shield List, which applies to the transfer of all personal data from the EU to the US by self-certified entities.
In late February the Article 29 Working Party published two important documents, the “Rules of Procedure for the ‘Informal Panel of EU DPAs’ According to the EU-US Privacy Shield” and “EU-US Privacy Shield Complaint Form for Submitting Commercial Related Complaints to EU DPAs.”
I. “Rules of Procedure for the ‘Informal Panel of EU DPAs’ According to the EU-US Privacy Shield”
The Informal Panel of EU DPAs is designed according to recital 49 ff. of Privacy Shield (Commission Implementing Decision C(2016) 4176 of 12 July 2016) and the supplemental principle III.5 (Operation of DPA Panels) of Annex II.
The Panel is made up of European Union member state Data Protection Authorities and has been assigned the task of handling complaints concerning data transferred from an EU entity to a US company that has signed up to Privacy Shield.
The panel provides binding advice to American organizations concerning complaints raised under Privacy Shield and will generally provide its response within 60 days from receipt of the complaint/referral. Both sides in the dispute will have the opportunity to provide evidence and comments.
In summary, the Procedure will go as follows:
i. The DPA that receives a complaint will assess the competency of the panel to handle the complaint/referral.
The panel is only competent in cases where the organization has demonstrated its commitment to cooperate with DPAs or for those which “process human resources data collected in the context of an employment relationship.”
In cases where the panel is not deemed competent, the DPA that received the complaint/referral will determine the most appropriate body to handle the request.
ii. A lead DPA and two (or in special cases more than two) co-reviewer DPAs will be designated. The lead DPA will, as a rule, be the local national DPA that received the complaint or referral from the US Privacy Shield certified company.
Where the same or a similar complaint is received by more than one DPA, the first DPA to receive it will be the lead DPA.
The lead DPA acts as a single contact point for the US company throughout the procedure and will inform the US company in writing of the substance of the complaint and all other relevant information.
iii. The co-reviewer DPAs are assigned by the lead DPA and should, where possible, be the DPAs of the countries where either the EU headquarters or important subsidiaries are located.
Other criteria for the selection include jurisdictions where: “1. relevant data processing is facilitated in the EU, 2. the place in the EU from which most data transfers take place, 3. the place where a large number of EU individuals are likely to be affected by the alleged violation, 4. particular expertise located with a certain DPA, and available resources.”
iv. US companies will have 25 days to comply with the advice of the panel. In case of non-compliance, enforcement action may be taken and the company may be removed from the Privacy Shield List by the US Department of Commerce.
II. “EU-US Privacy Shield Complaint Form for Submitting Commercial Related Complaints to EU DPAs.”
This is the form that will be used to facilitate complaints. Use of the form is optional and local DPAs can be contacted in other ways; however, the form is useful because it sets out all the information the local DPA needs in order to handle a request.