On February 12, 2018, the Article 29 Working Party (WP29) published guidance regarding Article 49 of the General Data Protection Regulation (GDPR) for public comment.  The deadline for submitting comments on the draft is March 26, 2018, and responses should be emailed to JUST-ARTICLE29WP-SEC@ec.europa.eu.

Like the current EU Data Protection Directive, the GDPR prohibits the onward transfer of Personal Data to: (1) a country that has not been deemed to provide an adequate level of protection (e.g. the U.S.); and (2) where the entity therein has committed to handle the Personal Data of European data subjects applying appropriate safeguards in accordance with Article 46 of the GDPR.  For example, organizations comply with Article 46 by implementing Binding Corporate Rules (BCRs) or Standard Contractual Clauses or by participating in a recognized certification mechanism such as the EU-US Privacy Shield Framework.  However, Article 49 of the GDPR provides for transfers to entities in a country without an adequate level of protection under a series of narrowly tailored exceptions called derogations.

It is being reported that the European Union and the United States are nearing an agreement on the revised US-EU/US-Swiss Safe Harbor framework. Thousands of US companies that have certified compliance with the Safe Harbor should be encouraged that the framework – which has been the subject of sustained criticism by European data protection regulators – will live another day. At the same time, certified organizations should prepare for enhanced requirements and a more robust enforcement climate that might come with the revised framework.