The Article 29 Working Party, the collected data protection authorities in the EU, released more information today regarding work completed in its recent June plenary session. It includes extensive new information on records transferred to non-adequate third countries' financial authorities and details on when to expect further guidance on GDPR implementation.
While the information issued by the WP29 on financial transfers is in the form of a letter to Steven Maijoor, chair of the European Securities and Markets Authority, it reads as an opinion on how, in general, public bodies might continue to transfer data outside of the EU as needed for international cooperation efforts. First, the letter notes, Articles 45 through 49 only dictate how data should be transferred. Whether it should be transferred in the first place depends on an analysis of Article 6 and legitimate interest, which is likely fulfilled by financial authorities working in the public interest.
As to the appropriate method for transfer, WP29 refers to Recital 108 of the GDPR, which allows for the possible adoption of a memorandum of understanding. Financial authorities working together should create an administrative framework that includes an addendum, approved by a relevant data protection authority, that addresses the transfer of personal data and guarantees certain enforceable data subject rights. Such an addendum should ensure, according to the letter, that EU citizens have effective redress mechanisms in that third country, that the financial authorities involved post prominent information on the potential for transfer outside the EU, and that there is a clear specification of how the data will be used. Further, the transfer should only involve necessary information that couldn't otherwise be anonymized, there should be retention limits, and there should be assurances against onward transfer as well as assurances regarding security and confidentiality.
Essentially, WP29 would like to see a mini Privacy Shield agreement in place between EU-based public bodies and their equivalents in third countries that don't have adequacy findings.
Elsewhere in today's press release, the WP29 also sets out a timetable for much-anticipated guidance on GDPR implementation. The group hopes to finalize guidance on data protection impact assessments at its October plenary, and adopt guidelines for consent, profiling, transparency, data breach notifications, and data transfers in December.
Finally, be on the lookout in the next few days for a new opinion on employee monitoring in the workplace.