EU DPAs: In the absence of the EU-US Privacy Shield, BCRs can be used for now / GDPR to be adopted tomorrow

EU DPAs: In the absence of the EU-US Privacy Shield, BCRs can be used for now

In a press conference today, the Chair of the EU Data Protection Working Party, Isabelle Falque-Pierrotin (also President of France’s DPA, the CNIL), said that the concerns that remain on the Privacy Shield include US bulk surveillance of EU citizens, lack of recognition of the data retention principle in the Privacy Shield, and the independence and powers of the US Ombudsman who would deal with complaints. In addition, there are still questions about onward data transfers, even though progress has been made on this topic. Falque-Pierrotin said that the EU DPAs have raised several points with the EU Commission and the US administration. Some of these concerns have been met with informal unwritten assurances, but they cannot form an integral part of an adequacy decision.

It is too early to come to a conclusion about Binding Corporate Rules and model contracts for EU-US transfers, but companies can continue to use them for now, Falque-Pierrotin said. The EU DPAs will take a decision on this point when the EU has finalised the Privacy Shield. The EU Commission has said it intends to complete this work by mid-June. While the EU DPAs’ common position, to be released later today, is not binding, the DPAs could challenge any deal put in place via supporting legal cases against the Privacy Shield in the Court of Justice of the European Union.

GDPR to be adopted tomorrow

The European Parliament’s final approval, expected tomorrow, will clear the way for adoption of the EU General Data Protection Regulation. The European Parliament’s civil liberties (LIBE) committee already approved, on 11 April, the revised text which had been subject to technical and linguistic checks and revisions. Many language versions of the GDPR were published last week.