EU Data Protection Authority Issues GDPR Action Plan, Swiss Sign Privacy Deal with U.S.
On January 16, 2017, the Article 29 Working Party (“Working Party”)—the EU’s central data protection advisory board—published a press release regarding its Action Plan for 2017, which was adopted as part of its wider implementation strategy for the General Data Protection Regulation (“GDPR”). The Action Plan follows up on the actions initiated in 2016 and outlines the priorities and objectives for the year to come in anticipation of the entry into force of the GDPR in May 2018.
In 2017, the Working Party commits to continue and/or finalize work on several key issues:
- Guidelines on certification and processing likely to result in a high risk and Data Protection Impact Assessments (“DPIA”);
- Administrative fines;
- Setting up the administration of the European Data Protection Board (“EDPB”) structure; and
- Preparation of the one-stop shop and the EDPB consistency mechanism.
- Guidelines on the topics of consent and profiling;
- Guidelines on the issue of transparency; and
- Update of existing opinions and guidance documents on data transfers to third countries and data breach notifications.
* * *
In other data protection news, on January 11, 2017 the U.S. and Switzerland signed a Privacy Shield Agreement recognizing the adequacy of U.S. data protection legislation in light of Swiss requirements. Months earlier, on October 7, 2015, the Swiss Data Protection Commission stated that it would follow the Court of Justice of the European Union's invalidation of the U.S. – EU Safe Harbor framework, and hence, a new framework was required. Resembling the EU – U.S. Privacy Shield, the new Swiss – U.S. agreement enables certified companies to export data from Switzerland to the U.S. in compliance with Swiss data protection laws. There are three notable differences between the EU – U.S. and Swiss – U.S. Privacy Shield frameworks:
|EU – U.S. Privacy Shield|Swiss – U.S. Privacy Shield|
|---|---|
|EU Data Protection Authority is cooperation and compliance authority|Swiss Federal Data Protection and Information Commissioner is cooperation and compliance authority|
|Sensitive data definition under Choice Principle|Modified sensitive data definition under Choice Principle includes ideological or trade union-related views or activities, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings|
|Binding arbitration option in place|Commerce to work with Swiss Government to put in place binding arbitration option at first annual review|