There have been a number of welcome updates, clarifications and new guidance notes since the General Data Protection Regulation (GDPR) came into force on May 25, 2018. We take a look at some of the key developments for organisations that control or process employee records or other personal data.
EU-US Privacy Shield Remains Adequate
The EU-US Privacy Shield is one of the mechanisms that organisations can rely on to demonstrate that they have adequate protection in place if they transfer personal data (which comprises any information about an identifiable individual and would include, for example, human resources records) from the EU to the U.S. The Privacy Shield replaced the self-certified safe harbour regime that had previously been found to be inadequate. On December 19, 2018, the European Commission (the EC) concluded its second annual review and confirmed that the Privacy Shield framework ensures an adequate level of protection for personal data under the GDPR. The EC noted that several practical aspects of the framework have improved since the first annual review, and the Privacy Shield can be relied on as one of the available transfer mechanisms for at least another year. This is welcome news to the over 4,000 companies that are Privacy Shield-certified.
The chief criticism levied against the U.S. government is its failure to appoint a permanent Privacy Shield ombudsman. Unless one is nominated by February 28, 2019, the EC has threatened to take “appropriate measures” in accordance with the GDPR.
Despite the notable improvements since its first annual review, the EC will continue to monitor the effectiveness of the U.S. Department of Commerce’s enforcement mechanisms and its ability to detect false claims of participation in the framework. The EC will also monitor the progress of the U.S. Federal Trade Commission’s sweeps to detect substantive violations of the Privacy Shield.
ICO Publishes New Guidance on GDPR and Data Protection Act 2018
The Information Commissioner’s Office (ICO) (the U.K.’s supervisory authority for data protection) has published new and more detailed guidance since the GDPR came into force, which has been amalgamated into the ICO’s “Guide to the General Data Protection Regulation.” The new guidance now refers to the European Data Protection Board (EDPB) (instead of the Article 29 Working Party, which the EDPB replaced) and provides comprehensive and user-friendly analysis of a number of key areas, including what constitutes personal data, the core data protection principles and international transfers.
New Guidance Clarifies Territorial Scope of GDPR
The EDPB recently released new guidance (subject to consultation) aimed at helping companies outside the EU determine whether they will be subject to the GDPR’s rules for processing data. Article 3 of the GDPR provides that the “regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not,” and that language had previously caused extensive uncertainty about the territorial scope of the GDPR.
The new guidance clarifies that the applicability of the GDPR to a non-EU data controller requires a fact-based analysis and is not automatic. For example, if a U.S.-based company makes one-off use of an EU-based processor, the processor can comply with its GDPR obligations without those obligations necessarily attaching to the U.S. company. In addition, the guidance clarifies that the GDPR will apply to an establishment outside the EU where the establishment intends to target a data subject in the EU.