Tag archives: EU

EU Article 29 Working Party prepares for General Data Protection Regulation and responsibilities as European Data Protection Board

Data Protection Report - Norton Rose Fulbright

On February 11, 2016, the Article 29 Working Party (WP29) issued a statement setting out its 2016 action plan for implementation of the General Data Protection Regulation (GDPR) and its work programme for 2016-2018. WP29 will have 8 working groups leading the implementation of the 2016-2018 work programme.

The statement highlights the following points:

  • WP29 will develop guidelines, tools and procedures for the GDPR framework to be effective for the first semester of 2018.
  • The GDPR will have a distributed governance model with three key pillars (i) “a higher role” for national data protection authorities (
Continue Reading

Political agreement on EU Data protection reforms: the real count-down to compliance has started

Data Protection Report - Norton Rose Fulbright

On December 15, the Civil Liberties Committee (LIBE) of the European Parliament issued a press release announcing a provisional political agreement between the European Parliament and Council negotiators on the texts of both the General Data Protection Regulation and the Police & Judicial Cooperation Data Protection Directive.  Formal approval by the Council is expected shortly and by the European Parliament in early 2016, after which the legislation will be published in the Official Journal.  The new provisions will apply two years later, in the first quarter of 2018.… Continue Reading

Council and European Parliament reach agreement on NIS Directive

Data Protection Report - Norton Rose Fulbright

On December 7, 2015, the Council of the European Union (the Council) reached an informal agreement with the European Parliament on a new EU directive on network and information security (NISD).

The agreement marks the conclusion of two years of work, since the European Commission (the Commission) and the High Representative of the European Union for Foreign Affairs and Security Policy published a strategy for ‘An Open, Safe and Secure Cyberspace’ and proposed a directive in 2013. Once adopted, likely in early 2016, EU Member States will have 21 months to adopt the necessary national provisions to comply with the … Continue Reading

Day-after-Safe Harbor action plan: anticipating ECJ Schrems decision

Data Protection Report - Norton Rose Fulbright

As we have written extensively, the European Court of Justice’s (ECJ’s) ruling in the Schrems case on October 6, 2015 may effectively invalidate the US-EU Safe Harbor framework. While we believe that the Advocate General’s rationale for the proposal is weak, organizations that rely on the Safe Harbor are anxious about the consequences such a decision could have on their operations, and want to make appropriate mitigation plans.… Continue Reading

Schrems Counterpoint: ECJ has good reasons to reject Safe Harbor invalidation

Data Protection Report - Norton Rose Fulbright

The European Court of Justice (ECJ) is expected to rule on Case C-362/14 (the “Schrems” case) on October 6, 2015.  In deciding whether to reject or adopt its Advocate General’s recommendation to invalidate the US-EU Safe Harbor, the ECJ finds itself between the proverbial rock and a hard place. Rejecting the Safe Harbor would lead to uncertainty in the ongoing negotiations to update the Safe Harbor framework, and raise questions about the interpretation of the proposed General Data Protection Regulation, which is currently being finalized in trialogue negotiations among the EU’s Council, Parliament and Commission.  If the … Continue Reading

Europe and US slated to agree on revised US-EU/US-Swiss Safe Harbor framework

Data Protection Report - Norton Rose Fulbright

It is being reported that the European Union and the United States are nearing an agreement on the revised US-EU/US-Swiss Safe Harbor framework. Thousands of US companies that have certified compliance with the Safe Harbor should be encouraged that the framework – which has been the subject of sustained criticism by European data protection regulators – will live another day. At the same time, certified organizations should prepare for enhanced requirements and a more robust enforcement climate that might come with the revised framework.… Continue Reading

Dispute resolution mechanisms for SAs and individuals are key part of proposed EU regulation

Data Protection Report - Norton Rose Fulbright

This is Part 5 — the final part — of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In Part 2 we examined the concept of main establishment and the position of entities without an EU establishment. In Part 3 we considered the competency of supervisory authorities (SAs), the cooperation obligations in relation to SAs and the functions of the European Data Protection Board (EDPB). In Part 4 we discussed the consistency Continue Reading

EU regulation proposal seeks to encourage consistency in data protection enforcement

Data Protection Report - Norton Rose Fulbright

This is Part 4 of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In Part 2 we examined the concept of main establishment and the position of entities without an EU establishment. In Part 3 we considered the competency of supervisory authorities (SAs), the cooperation obligations in relation to SAs and the functions of the European Data Protection Board (EDPB). In this Part we consider the consistency mechanism applicable to SAs.

Consistency Continue Reading

EU focuses on authority of SAs to enforce “One Stop Shop,” proposes a replacement for WP29

Data Protection Report - Norton Rose Fulbright

This is Part 3 of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In Part 2 we examined the concept of main establishment and the position of entities without an EU establishment. In this Part we consider the scope of authority (i.e., “competency”) of supervisory authorities (SAs), the cooperation obligations in relation to SAs and the functions of the European Data Protection Board (EDPB).

Competency of supervisory authorities

Please note that the Continue Reading

EU’s “One Stop Shop” Proposal Focuses on “Main Establishment” as Nexus of DPA Enforcement Authority

Data Protection Report - Norton Rose Fulbright

This is Part 2 of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In this Part we examine the concept of main establishment and the position of entities without an EU establishment.

Main Establishment

The operation of the One Stop Shop depends on being able to determine the ‘main establishment’ of a business. This dictates which supervisory authority (SA) will be the lead SA where the controller or processor processes … Continue Reading

EU Proposes “One Stop Shop” for Data Protection Supervision and Enforcement

Data Protection Report - Norton Rose Fulbright

This is Part 1 of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation.

The Council of the European Union (the Council) has recently published a partial general agreement on its version of the so-called ‘One Stop Shop’ mechanism. The Council’s internal deliberations are expressly caveated to the effect that ‘nothing is agreed until everything is agreed’, and a required ‘trilogue’ between the three EU institutions involved in policy and law making cannot commence until the Council has agreed a complete version of the draft General Data Protection Regulation COM (2012) … Continue Reading

LexBlog