18 June 2017 Privacy Shield and Forthcoming Review


The Article 29 Working Party (WP29) recently held its 106th meeting on 07 and 08 June 2017. Item number 1 on the agenda was the EU - US Privacy Shield.

The EU - US Privacy Shield was adopted by the European Commission on 12 July 2016. This followed the October decision by the Court of Justice in the Schrems case in which the Commission decided the Safe Harbour arrangement was invalid.

The first annual Joint Review looms in September 2017, giving the Commission the opportunity to review the adequacy of the Privacy Shield.

WP29 has adopted a letter addressed to the Commission sharing its views and recommendations. WP29 has prepared a set of questions, in particular in relation to law enforcement, national security access and the commercial aspect of the Privacy Shield agreement. WP29 will address these questions to the US authorities in advance of the Joint Review fact-finding mission.

WP29 invited a number of persons to participate in the Joint Review, including representatives from commercial organisations as well as representatives from law enforcement and national security.

WP29 will set aside about 2-3 days of meetings and 1 day of fact-finding in order to collect evidence to assess the robustness of the Privacy Shield. A report will be produced by the Commission, and WP29 will have an opportunity to provide comments on the Commission's report before it is made public. Independently of the Joint Review and the Commission's report, WP29 may produce its own report.

Worryingly, during 2016 U.S. companies and government agencies suffered a record 1,093 data breaches, a 40% increase from 2015 (780 recorded) (source: Identity Theft Resource Center).

According to figures released by the Identity Theft Resource Center, less than 6 months into this year the number of US reported data breaches has, as of 14 June 2017, already reached 732, with nearly 11 million records reported as affected (the number of records actually affected is likely to be significantly higher, as a considerable number of those breach reports simply state it is unknown whether any records were affected).

If that trend continues, 2017 will likely again be a record year, with the 2016 record figures already likely to be exceeded by the time the first Joint Review takes place in mid-September, with still 3 and a half months left in the year.

According to Eva Casey Velasquez, Chief Executive Officer of the Identity Theft Unit, "We are extremely confident that breaches are undiscovered and under-reported, and we don't know the full scope,"

"This isn't the worst-case scenario we are looking at; this is the best-case scenario."

This suggests we are looking at the tip of the iceberg, and once GDPR comes into effect and reporting of all data breaches becomes compulsory, we are likely to see these figures smashed again in 2018.

These worrying trends may very well come to the forefront of WP29's mind when it undertakes its fact-finding mission.

June 2017 John Green - © 2018 GDPR Training Ltd
