The European Union Article 29 Working Party (Article 29) issued an opinion on the proposed EU-U.S. Privacy Shield framework agreement (Privacy Shield) earlier this week, stating that although the Privacy Shield was a "great step forward," the Article 29 group identified several areas in which it found the Privacy Shield to be unacceptable, including that it permits the U.S. to carry out "massive and indiscriminate" bulk surveillance of European Union citizens. Just a day later, on April 14, 2016, the European Parliament gave final approval to the new EU General Data Protection Regulation (GDPR), after four years of work among the member states. While many U.S. organizations will be disappointed to learn of the Article 29 group's rejection of the Privacy Shield on the ground that it does not provide "adequate protection" to EU residents, it should not come as a surprise. The Article 29 group continued to raise concerns over the possibility of "massive and indiscriminate" bulk collection of EU personal data by U.S. authorities. The Article 29 group raised other concerns as well, alluding to the risk that, unless these issues are addressed, the Privacy Shield could face a challenge in the European Court of Justice similar to the one brought against Safe Harbor, thus invalidating the Privacy Shield.
What You Should Start Doing Today to Prepare for GDPR and Privacy Shield
GDPR will apply to almost all organizations that monitor or process the personal data of European citizens, regardless of the physical location of the processor or controller. Although the penalties for non-compliance with GDPR will not be enforced until mid-2018, organizations that collect or process the personal data of EU citizens may have a lot of work to do to be ready. Likewise, although the Privacy Shield has encountered some roadblocks to its adoption, it seems likely that it will be adopted in some form, and companies considering the Privacy Shield have some preparation to do before they can adopt it. We recommend that companies consider the following to prepare for GDPR and Privacy Shield:
- Perform a data inventory to understand what personal data your organization collects, how it is processed, where it is stored, how it is protected, and who may have access to it.
- Put processes in place to conduct Privacy Impact Assessments if your organization may be engaging in high-risk processing (it is likely that you will need to perform such an assessment if your organization handles any of the particular special categories of personal data).
- Begin drafting or revising your written information security policies to ensure the appropriate technical, administrative, and physical measures to protect personal data, and provide proper training for all your employees.
- Ensure that procedures are in place to continually monitor compliance with these policies prior to, during, and after processing of personal data.
- Begin performing a gap assessment and consider participation in...