From August 1, 2016, US companies will be able to certify their compliance with the new EU-US Privacy Shield agreement.
The EU-US Privacy Shield is designed to protect the privacy rights of citizens of the European Economic Area (EEA) when their personal data is transferred to the USA. This new framework is the replacement for the invalidated Safe Harbor Framework. The Privacy Shield places stronger obligations on US organisations to protect the personal data of EEA citizens. It requires greater transparency about transfers of personal data to the US, and it offers more accessible redress options in case of complaints.
The General Data Protection Regulation (GDPR) has now been agreed by the European Council, Parliament and Commission. The final text was published in the Official Journal on 24 May 2016 and came into force on the 24th of May 2016, which means it will apply from 25 May 2018, giving us a two-year window to prepare. The GDPR updates and replaces the current data protection rules based on the 1995 Data Protection Directive.
The Regulation will establish a single, pan-European law for data protection, meaning that organisations deal with one law, not many. However, there will be some country variations, as Member States still have discretion on specific provisions. Over 50 articles have been left to Member States to implement in their own national law, including provisions governing the processing of personal data for research purposes.
The new rules mean we must build in data protection by design and by default, carry out privacy impact assessments for riskier or larger-scale projects, and implement privacy-friendly techniques such as pseudonymisation, data minimisation and encryption. They are designed to be future-proof, technologically neutral, and fit for innovation and big data analytics.
The GDPR updates and replaces the current data protection rules based on the 1995 Data Protection Directive. The final stage of the legislative process will be publication of the GDPR in the Official Journal, which is expected by June this year. Based on publication by June of this year, it will come into force in mid-2018, so members will have approximately two years to prepare.
The Regulation will establish a single, pan-European law for data protection, meaning that organisations deal with one law, not 28. However, there will be some country variations, as Member States still have discretion on specific provisions. The new rules encourage privacy-friendly techniques such as pseudonymisation, anonymisation, encryption, and data protection by design and by default; they are designed to be future-proof: technologically neutral and fit for innovation and big data analytics.
The GDPR will also mean that any company, regardless of whether it is established in the EU or not, will have to apply EU data protection law if it wishes to offer its services in the EU.
EphMRA is currently working on providing you with more detailed guidance on the implications of the GDPR and will be in touch again soon.
European data regulators (the Article 29 Working Party) have recently reviewed the EU-US 'Privacy Shield' (the successor to the now invalid Safe Harbour Agreement), which is designed to cover the transfer of data between the EU and the USA, and have expressed concerns about it. The regulators said the latest version needs further amendments and clarification.
The European Commission has indicated that it is hoping to seek approval for the Privacy Shield in May, with adoption in June 2016. When we have further news, we will be in touch again.
March 2016: Country Differences Grid, a handy guide showing the country differences in the Code, brought together for easy reference. Available via Members Login.