2016 proved to be a pretty intense year for privacy pros. It saw the emergence of the trans-Atlantic data-transfer mechanism that would replace Safe Harbor, unveiled innumerable insights on what to expect under the GDPR and how to comply, and cast some doubt on the future of other data-transfer mechanisms like binding corporate rules or standard contractual clauses. One thing proved true: our readers were hungry for knowledge about all of those things. Below are the top 10 stories from 2016, according to number of reads. Catch up on what you missed, brush up on what you know, or use this list as a way to look back and think: "Wow. 2016 was a turning point for the careers of privacy professionals globally."
After intense talks between senior EU and U.S. officials in Brussels early this year, EU Justice, Consumers, and Gender Equality Commissioner Vera Jourová, alongside Commission VP Andrus Ansip, unveiled a new trans-Atlantic data-transfer agreement to replace Safe Harbor, called the EU-U.S. Privacy Shield. Though they could not provide too many specifics, as the actual adequacy agreement still needed to be written up and approved, Jourová and Ansip did offer up a broad sketch of the new agreement, which was confirmed in a conference call by U.S. Commerce Secretary Penny Pritzker.
The European Commission and U.S. Department of Commerce released details about the highly anticipated EU-U.S. Privacy Shield arrangement in February. “On behalf of the United States, I am pleased to transmit herewith a package of EU-U.S. Privacy Shield materials that is the product of two years of productive discussions among our teams,” wrote Department of Commerce Secretary Penny Pritzker in a letter to the European Commission’s Vera Jourová. The 132-page Privacy Shield Package includes a set of “Privacy Shield Principles,” two annexes, and letters from the International Trade Administration, U.S. Federal Trade Commission, U.S. Department of Transportation, the U.S. Director of National Intelligence, U.S. Department of State, and the U.S. Department of Justice.
The EU Commission and the U.S. government agreed on the EU-U.S. Privacy Shield at the beginning of February. That agreement will now form the basis of a proposal for an EU Commission adequacy decision pursuant to Article 25(6) of the Data Protection Directive. A complex process must be followed before this proposed decision can become law. So what does that process look like? In this exclusive for The Privacy Advisor, Denis Kelleher, CIPP/E, outlined the four legal hurdles the Privacy Shield faces now, including scrutiny from the Article 29 Working Party and Article 31 Working Party. In the end, though, the European Court of Justice is the sole entity that can declare the agreement invalid, as seen in Schrems.
Though the future of trans-Atlantic data transfers continues to hang in the balance, one more piece fell into place Wednesday afternoon in Brussels with official word from the EU’s collection of data protection authorities on their assessment of the newly proposed EU-U.S. Privacy Shield arrangement. The head of the Article 29 Working Party (WP29), Isabelle Falque-Pierrotin, said during a news conference that the group “welcomed” the agreement but expressed the need for documentation to assess its legality. Additionally, the U.S. Department of Commerce released a Fact Sheet Wednesday on the EU-U.S. Privacy Shield.
With the passage by the EU Parliament of the General Data Protection Regulation, a five-year process came to a close and organizations across the Continent have started preparing for a number of new requirements for data collection and processing. One requirement in particular relates to staffing, something not before seen in European law outside of Germany: Certain organizations will now have to hire, appoint, or contract a data protection officer. The IAPP undertook research to determine the number of DPOs that will be required under the GDPR and found it to be at least 28,000. This article for The Privacy Advisor by IAPP Research Director Rita Heimes, CIPP/US, and IAPP Publications Director Sam Pfeifle details the methodology.
In February, the Article 29 Working Party shared its preliminary assessment of the proposed EU-U.S. Privacy Shield agreement. Lost amid this anticipation, however, was an equally significant announcement from the regulatory collective's head, Isabelle Falque-Pierrotin, regarding the group's action plan for the implementation of the General Data Protection Regulation. This report shares commentary from Falque-Pierrotin and looks into the official release by the WP29 of its four action plan items, which included the establishment of a European Data Protection Board, preparation for a one-stop shop and consistency mechanism, guidance for controllers and processors, and the creation of an online communication tool around the EDPB and GDPR.
The passage of the General Data Protection Regulation in the EU will change the way any number of organizations operate, but for those engaging in research there is a particular impact, loosening some restrictions and implementing others. As the GDPR is a central piece of the Digital Single Market, it is geared toward stimulating innovation just as it is geared toward providing EU citizens with control over their data. Thus, “research occupies a privileged position within the Regulation,” writes IAPP Westin Fellow Gabriel Maldoff, CIPP/US. In this in-depth piece for The Privacy Advisor, he outlined what will be the new reality for those conducting research in the EU, a reality where “it is unclear exactly how far the GDPR’s research exemption will extend.”
International data flows between the U.S. and EU took yet another hit with news that the Irish Data Protection Commissioner was planning to refer a case to the Court of Justice of the European Union to determine whether Facebook can use standard contractual clauses to transfer data out of the EU. This exclusive for The Privacy Advisor reported and gathered together commentary from the Irish DPC, Facebook, Max Schrems, and Hogan Lovells Partner Eduardo Ustaran, CIPP/E.
Wyndham Hotels & Resorts’ long-running legal battle with the FTC finally ended in a settlement late in 2015. The settlement, interestingly, was heralded as a win by both sides: The FTC said it evidenced its unwavering commitment to protecting consumer data; Wyndham noted that it managed to wrestle key provisions from the FTC’s initial claim. Some say the FTC’s concessions are, and should be, significant for those charged with protecting an organization’s data — and tell a new story about how to stay out of the FTC’s crosshairs. Angelique Carson, CIPP/US, had this in-depth report for The Privacy Advisor.
As part of his 2017 budget proposal for the U.S., President Barack Obama included $19 billion for cybersecurity efforts, a 35 percent increase over fiscal year 2016. The funds will go toward a Cybersecurity National Action Plan, which includes the hiring of a chief information security officer, a $3.1 billion fund for IT modernization at the federal level, and, perhaps most importantly for privacy professionals, a new executive order establishing a permanent Federal Privacy Council, as announced by Office of Management and Budget Director Shaun Donovan in December 2015.