On February 20, 2017, the Article 29 Working Party released procedures and a template complaint form for implementing the EU-US Privacy Shield. The procedures govern the functioning of the informal data protection authority (DPA) panel described in the section 5 (c) of the Supplemental Principles to the Privacy Shield:
- Authority of the Panel: The DPA panel has authority when an organization has agreed to subject itself to the authority of the DPAs for the purpose of resolving complaints under the Privacy Shield, or when an organization has certified to the Privacy Shield for the purpose of transferring data about its employees. Under section 9 (d)(ii) of the Supplemental Principles to the Privacy Shield, US organizations that wish to transfer data about their employees from the EU to the US must “commit to cooperate in investigations by and to comply with the advice of competent EU authorities in such cases.” Accordingly, organizations that use the Privacy Shield for moving human resources data should take note of these procedures, as they will apply in data protection disputes with EU employees. If the issue arises outside of the DPA panel’s authority, the DPA panel will refer the compliant to the “most appropriate body”—which may include the FTC.
- Receiving the Complaint or Referral: If a DPA receives a complaint or referral, it should notify the other Article 29 Working Party members and determine whether the complaint or referral should be brought to the DPA Panel. Even if the DPA does not become a lead or co-reviewer on the case, the DPA will remain as a point of contact for the complainant and coordinate communications between the complainant and the panel.
- Composition of Reviewers: For each case, the panel will designate one “Lead-DPA” and at least two “co-reviewer DPAs.” In general, the Lead-DPA will be the DPA that received the complaint or referral that is the subject of the case. However, if the complaint relates to a cross-border data transfer, then the data exporter’s “lead supervisory authority” under Article 56 of the GDPR (the supervisory authority with responsibility for the EU member state where the data exporter maintains its “main establishment” for data processing activities and decisions) may choose to be the Lead-DPA for the panel. The co-reviewer DPAs should be “concerned” DPAs (under Article 4 (22), a DPA becomes “concerned” if a data controller or processor is established within its territory, the data subjects reside in its territory, or it has received a complaint). If less than two DPAs volunteer to be co-reviewer DPAs, then the Lead-DPA may designate up two co-reviewers.
- Role of the “Lead-DPA”: The Lead-DPA will be responsible for communicating with the US organization that is the subject of the complaint, a role that includes informing the US organization of the substance of the complaint. The Lead-DPA is also generally responsible for keeping the proceedings moving along and keeping the rest of the Article 29 Working Party informed.
- Hearing Evidence and Arguments: The procedures do not establish a formal process for receiving evidence or hearing arguments. Instead, the Lead-DPA is instructed to “offer all sides (complainant, company) reasonable opportunity to comment and provide any evidence they wish on the matter within a reasonable time-limit.”
- Reaching a Decision: The Lead-DPA is charged with preparing a draft of “an advice including remedies (where appropriate)” and working with the co-reviewers to obtain a “consensus” around the advice. The co-reviewers are expected to offer comments and feedback on the advice within two weeks of its receipt. If no consensus can be reached, the reviewing DPAs will vote, with the Lead-DPA’s vote breaking any tie. Once a decision is reached, the Lead-DPA communicates the advice to the US company and may also make the results public, “if appropriate and by respecting confidentiality duties.”
- Enforcing the Decision: If the Lead-DPA determines that the US company has not complied with its advice “within 25 days of the delivery of the advice” and has not offered a “satisfactory explanation for the delay,” the Lead-DPA may refer the matter to the FTC or another appropriate US agency for further proceedings. The Lead-DPA may also determine that failure to follow its advice is a serious breach of the US company’s Privacy Shield promises, and may inform the Department of Commerce that the US company should be removed from the Privacy Shield list.
In addition to these procedures, the Article 29 Working Party also adopted a complaint form for use in “commercial related complaints to EU DPAs.” This complaint form asks for basic information about the data subject making the complaint, and the companies involved in transferring the data from the EU to the US. The form then asks for a description of the “reasons why you believe that your personal data have been transferred from the EU to a Privacy Shield US organisation,” and “the alleged violation of the Privacy Shield Framework by the US organisation.” The complainant is asked to describe the relief sought and any efforts made to resolve the issue with the US company. The form concludes by providing information about the DPA panel process and how complaints will be referred to US authorities.
In addition to these forms, the Article 29 Working Party confirmed dates (5 and 6 April 2017) for its FabLab workshop—an event that brings together DPAs and data privacy stakeholders—to continue discussions about the GDPR’s implementation. The Working Party also announced its intention to publish GDPR-related guidance on “Data Protection Impact Assessments (DPIAs),” in April and guidance on “certification and other internal topics (e.g. administrative fines, EDPB internal rules)” in June. The guidelines on DPOs, lead authorities, and data portability, which were previously released for comment, will be revised and reissued in April. The Article 29 Working Party’s previously released 2017 GDPR Action Plan indicates that the Working Party will next take up guidelines on consent and profiling, transparency, data transfers to third countries, and data breach notifications.