Friday, 25 May 2018

I-CO I-CO! - a GDPR song

My data and your data? Oh don't you take a flyer!
Heed the GDPR now, or you could draw the I-CO's ire!
Talkin' bout fines now (fines now!), fines now (fines now!)
I-CO I-CO one day! (woah!)
Personal data, keep it safe, personal data, hey!

Check out the data, why and how? I-CO has more power!
So make sure your processing's all allowed, personal data, ow!
Talkin' bout data (data!), data (data!)
I-CO I-CO one day! (woah!)
Personal data, keep it safe, personal data, hey!

Think accountability, document it all
Keep your compliance evidence, in case the I-CO comes to call!
Talkin' bout dawn raid (dawn raid!), dawn raid (dawn raid!)
I-CO I-CO one day! (woah!)
Personal data, keep it safe, personal data, hey!

[Chorus to repeat and fade as I couldn't face doing more verses]
Talkin' bout data (data!), data (data!)
I-CO I-CO one day! (woah!)
Data protection's here to stay, data protection, hey!

Lyrics © Kuan Hon licensed under Creative Commons CC-BY

Sunday, 22 April 2018

Cloud - tight UK incident notification deadline; use by critical infrastructure


  • Not much time left for cloud providers/critical infrastructure operators to respond - 29 April deadline!
  • UK cloud providers face mandatory registration, 72-hour incident notification period and up to £17m fines, etc - see further below.
  • Critical infrastructure operators relying on cloud services may be in an impossible position, and should update their contracts before 9 May 2018.

You have till 29 April 2018 to respond to the UK's proposed implementation of the NIS Directive (Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union - supplemented so far by one implementing Regulation).

It has to be implemented nationally by 9 May 2018. That's right, even earlier than the GDPR (General Data Protection Regulation, which from 25 May 2018 applies directly in all EU Member States including the UK, and has nabbed most of the attention in the media and tech community).

The UK conducted a consultation in Aug 2017 (with impact assessment), and in Jan 2018 published an analysis of consultation responses and its own policy response.

But in March 2018 it then launched a separate targeted consultation just on digital service providers (DSPs), or "relevant DSPs" (RDSPs) as the UK calls them - with a closing date for responses 29 April 2018.

Cloud providers with EU HQs in the UK may want to respond - whether IaaS, PaaS or SaaS. So may other RDSPs (basically, online marketplaces and search engines). This is because under the UK proposals, among other things:


RDSPs may have to register with the UK Information Commissioner (ICO), and possibly pay an annual fee.
  • UK proposal: "We are considering making registration mandatory" (p.5)... "it is expected that the ICO... will levy an annual fee on DSPs, in addition to recovering direct costs involved in any regulatory investigations" (p.12)


RDSPs have obligations under the NISD regarding the "security of network and information systems" and their physical environment
  • This means the ability of "network and information systems" to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems
  • "Network & information systems" means electronic communications networks; any device or group of interconnected or related devices, if one or more "pursuant to a program" perform automatic processing of digital data; or digital data stored, processed, retrieved or transmitted by the above for their operation, use, protection and maintenance.
    • Note: this means any digital data and systems - even if not personal data (unlike under the GDPR)
  • See the implementing Regulation for mandatory security elements (including security of supplies, not just access controls etc.); and ENISA's technical guidelines for DSPs' implementation of minimum security measures.

Incident notification

RDSPs must notify the ICO "as soon as possible and in any event no later than 72 hours after the service provider is aware that a security incident has occurred", in cases where the incident has a "substantial impact" on the provision of any of its "digital services" (cloud, online marketplace etc.).
  • This absolute 72-hour max. deadline for security breach notification is:
    • tougher than under the GDPR, which only requires "without undue delay and, where feasible, not later than 72 hours after having become aware of it" for controllers to report personal data breaches to regulators
    • tougher than the deadline for operators of essential services (basically, critical infrastructure providers), where the UK government said (p.12-13) that it would follow the GDPR's deadline.
  • An "incident" is any event having an actual adverse effect on the "security of network and information systems" (see above)
    • This includes incidents affecting non-personal data
  • "Substantial" impact (see implementing Regulation) - factors include: no. of users affected (RDSPs need to implement a way to work that out - contracts or past traffic data), duration, geographical area, extent of service disruption, extent of impact on economic and societal activities, including:
    • service unavailable for more than 5m user-hours (no. of affected EU users for 60mins)
    • loss of integrity, authenticity or confidentiality of stored, transmitted or processed data or the related services offered by or accessible via a network and information system of the DSP, affecting more than 100k EU users
    • incident created risk to public safety, public security or of loss of life, or
    • incident caused material damage of over €1m to at least one EU user
  • See further ENISA guidelines on incident notification for DSPs.

Penalty for breach

Up to £17m under the UK policy response (p.16) - risk of being fined under separate laws
  • "The Government does not believe that ‘double jeopardy’ can be completely removed, without undermining either the NIS Regulations or other UK legislation" - including the GDPR
  • A breach includes "failure to cooperate with the competent authority, failure to report a reportable incident, failure to comply with an instruction from the competent authority, failure to implement appropriate and proportionate security measures".

Critical infrastructure services, and contracts

The UK proposes that, if an operator of essential services relies on any RDSP for providing an essential service (which is critical for economic and societal functions - utilities, healthcare, transport, IXPs, DNS service providers, TLD name registries), the operator must notify its competent authority (the authority varies with sector) of any significant impact to the provision of that service caused by a security incident [presumably, at the RDSP] "as soon as the incident occurs".
  • This is on top of the requirement for RDSPs to notify the ICO.
  • Much headscratching. How can an operator notify "as soon as" an incident at its RDSP occurs, when any "significant impact" may take a while to materialise? Cart and horse problem - surely an incident pre-dates its impact, not vice versa? Operators may wish to invest in time machines...
  • Also, how will an operator know about incidents at an RDSP that it relies on  for providing its essential service?
    • There's no statutory obligation on RDSPs to notify their customers such as operators - a gap I pointed out some time ago.
  • So, operators will have to, by 9 May (!):
    • Work out if their essential services rely on any RDSP services
    • Update their contracts with the "relied on" RDSPs to require RDSPs to notify operators of security incidents at the RDSP "as soon as the incident occurs". (Yes, many false positives are possible)
    • Implement mechanisms (which many operators may already have in place) to work how how "significant" an incident's impact is. (Note: the factors for operators to determine impact are similar but not the same as those for DSPs)
    If you're a UK cloud services provider or UK critical infrastructure provider that relies on a cloud service, you may want to respond online or by email before 21 April.

    Monday, 25 December 2017

    A GDPR Carol

    They've wished us a GDPR, they've wished us a GDPR
    They've wished us a GDPR – and a very long year
    Good guidance we need, but what will we see?
    They've wished us a GDPR – and a very long year!
    And we won't sleep until we've got some, we won't sleep until we've got some -
    We're weeping because we've got some (!) – and a very long year
    [Repeat ad nauseam:]
    They've wished us a GDPR, they've wished us a GDPR
    They've wished us a GDPR – and a very long year…

    © Kuan Hon licensed under Creative Commons CC BY 2.0 so share if you wish!

    Friday, 6 October 2017

    GDPR - processor to "immediately inform" - indentation matters!

    The diagram below encapsulates a brief history of the legislative progress of GDPR Art.28(3)(h) and the final subparagraph of Art.28(3), and a processor's obligation to "immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions". Click on the image to enlarge it.

    From a separate sub-paragraph, to same level indented, joined in the same paragraph, separated out again... but that can change the meaning!

    For the links to these travaux preparatoires documents, and discussion of this and other controller/processor contract and liability issues in response to the UK ICO's recent consultation, please see my SCL article.

    Monday, 19 September 2016

    Privacy Shield – history, key links

    This blog contains a chronology and key official links regarding the EU-US Privacy Shield, which replaced the EU-US Safe Harbor scheme, as a resource for ease of historical reference. As I’m UK-based, this inevitably has a UK slant, so any suggestions of further links would be welcome. (I aim to record official links only, not links to news stories, unless they provide useful information not available officially)

    Snowden’s revelations of mass surveillance by US and other countries’ intelligence or security authorities kickstarted Safe Harbor’s demise and its replacement by the Privacy Shield. With a few exceptions, the chronology below starts with the Schrems ruling by the Court of Justice of the European Union (CJEU) on 6 October 2015, where the CJEU invalidated the EU-US Safe Harbour framework.

    The links in this blog are up to date as of 6 August 2017.

    Key current links


    • Challenges to the Privacy Shield are in progress before the Court of Justice of the EU: by Digital Rights Ireland (Case T-670/16) and La Quadrature du Net & others (Case T-738/16)


    European Commission:

    • Privacy Shield webpage
    • See also the 12 July 2016 entry (in red) in the Chronology below, for Commission and US links on the finalised Privacy Shield framework.

    European Parliament:


    • Privacy Shield Joint Review, WP29 letter to Commissioner Jourová, 15 June 2017
    • Preparation of the Privacy Shield annual Joint Review, WP29 press release 13 June 2017 - lists WP29's key concerns: legal guarantees regarding automated decision making, any DoC guidance on the application of the Privacy Shield principles to organisations acting as agents/processors, definition of human resources data; evidence that bulk collection, when it exists, is “as tailored as feasible”, limited and proportionate, information on the nomination of the four missing members  of the PCLOB, the appointment of the Ombudsperson and procedures governing the Ombudsperson mechanism
    • Feedback from the visit of Working Party 29 Chair, Isabelle Falque-Pierrotin to Washington, WP29 press release, 5 April 2017 - emphasis added:
      • "...The FTC and the Ombudsperson reiterated their general support to the Privacy Shield and their willingness to help the European Commission and the WP29 in their annual review. However, some of the key functions in the Privacy Shield architecture still need to be definitely appointed following the US election (Ombudsperson, FTC commissioners and PCLOB members). In addition, the organization of the annual review must be discussed in depth and in detail with the US authorities especially regarding access to documents. In that regard, Isabelle Falque-Pierrotin recalls that the objective of this annual review exercise is to verify through concrete evidences if US commitments under the Privacy Shield are fulfilled. It is essential that US authorities provide substance and demonstrate to EU stakeholders that the system is in place and works effectively so that this instrument ensures real and effective protection to EU data according to EU standards. The civil society expressed its concerns on the current context at national level especially on the renewal of Section 702 and on the overturn of FCC ebroadband privacy rules. The US Business industry supports the Privacy Shield as a solution bringing legal certainty to their transfers of data from the EU. In this context, the WP29 engaged at this plenary the discussions with the Commission as regard the organization of the joint review."
      • Visit of Working Party 29 Chair, Isabelle Falque-Pierrotin, in Washington, WP29 press release, 31 March 2017
    • Form for submission of requests to the US Ombudsperson
    • Rules of procedure for the submission of requests to the Ombudsperson via the “EU Centralised Body” under Rec.119 Shield Decision and Annex III on Privacy Shield Ombudsperson mechanism
    • Rules of procedure for the informal panel of DPAs under Rec.49 Shield Decision & supplemental principle III.5 ( Operation of DPA Panels), Annex II
    • Complaint form for submitting commercial related complaints (i.e. complaints about US organisations under the Privacy Shield) to EU DPAs
    • EU-US Privacy Shield - F A Q for European Individuals - wp246
    • EU-US Privacy Shield - F A Q for European Businesses - wp245

    Pinsent Masons note on the final Privacy Shield (full disclosure – I was involved in this).

    Chronology (reverse order)

    For abbreviations, see the end.

    31 March 2017

    EU-U.S. data flows and data protection: opportunities and challenges in the digital era: speech by Commissioner Jourová in Washington D.C., announcing the first joint annual review of the Privacy Shield for September 2017.

    29 March 2017

    Announcement of Commissioner Jourová's visit to Washington D.C. to discuss, inter alia, the Privacy Shield.

    27 January 2017

    Taking data protection into a digital and globalised era: Joint Statement by Vice-President Ansip and Commissioner Jourová ahead of the 2017 Data Protection day, including: "Now, over 1700 companies have signed up to the Privacy Shield, with 700 further applications in the pipeline. We will continue to promote our data protection values at international level. This is why we will actively engage with key partners, such as Japan and South Korea, to reach adequacy decisions."

    31 Oct 2016

    Re-certifications under Safe Harbor will no longer be accepted (see US Department of Commerce Safe Harbor webpage).

    19 Sept 2016

    Subscribers to Privacy Shield as at this date (see the list) include, among cloud providers, Amazon, Google, Microsoft, Salesforce and Workday, but not yet Dropbox, Facebook, IBM or Twitter.

    2 Aug 2016


    1 Aug 2016

    Privacy Shield Framework in force.


    US Department of Commerce note about commencement date (on old Safe Harbor webpage)

    26 July 2016


    • Press release – statement on the decision of the European Commission on the EU-U.S. Privacy Shield, noting:
      • the continuing lack of ‘specific rules on automated decisions and of a general right to object’
      • lack of clarity regarding how the Privacy Shield’s principles apply to processors
      • guarantees regarding the Ombudsperson were less strict than ‘expected’
      • lack of ‘concrete assurances’ that US authorities do not engage in mass indiscriminate data collection (despite ODNI’s commitment not to do so)
      • the first joint annual review of the Privacy Shield will be a ‘key moment’ for assessing its robustness and efficiency, and the review’s results regarding US authorities’ access to data transferred under the Privacy Shield ‘may also impact’ Mechanisms such as SCCs and BCRs
        • Does this imply that most DPAs will hold off from taking action regarding SCCs or BCRs until the first annual review?

    12 July 2016

    Privacy Shield adequacy decision adopted by Commission.


    US Department of Commerce:


    • Criticism by Max Schrems and MEP Jan-Philipp Albrecht, Irish Times

    8 July 2016

    Art. 31 Committee meeting approving Privacy Shield.


    Art. 31 Committee:

    1 July 2016


    30 May 2016

    European Data Protection Supervisor (EDPS):

    26 May 2016

    European Parliament:

    25 May 2016


    • Irish Data Protection Commissioner announces it is to refer the validity of SCCs to the CJEU
      • Note: the model clauses Decisions suffer from the same flaw regarding DPA powers as the Safe Harbor Decision, see Schrems summary below, and the Commission has not corrected that defect despite its November 2015 Communication (see below), so the SCCs Decisions could well be invalidated on that basis alone, regardless of US surveillance issues

    13 April 2016

    WP29 issued its opinion on draft Privacy Shield documents and a document on essential guarantees regarding state surveillance.


    • Press release - statement on the opinion on the EU-US Privacy Shield
    • Opinion 01/2016 on the EU–U.S. Privacy Shield draft adequacy decision (WP238):
      • ‘Significant improvements’ over Safe Harbour, but 3 key concerns…
        • no obligation to delete personal data that had served its purpose
        • no full exclusion of massive and indiscriminate data collection; and
        • the sufficiency of the proposed Ombudsperson’s powers and independence.
      • Also:
        • key EU data protection law principles were not reflected in the draft Shield documents (notably purpose limitation, data retention/deletion and automated decision-making)
        • ‘onward transfers’ were ‘insufficiently framed’, especially their scope, purpose limitation and ‘guarantees’ applying to transfers to agents
        • the proposed new recourse mechanisms seemed difficult for individuals to use and needed further clarification; and
        • the draft decision contained only limited information regarding the complex issue of access to Privacy Shield data by US law enforcement authorities.
      • The Privacy Shield will need review after the GDPR becomes applicable in 2018.
    • Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees) (WP237) - 4 essential guarantees regarding intelligence activities, based on Schrems and other relevant EU and European Court of Human Rights case law:
      1. Clear, precise, accessible rules for processing, enabling individuals to have reasonable foreknowledge of what might happen to their personal data
      2. Demonstrating necessity and proportionality regarding the legitimate objectives pursued (generally national security)
      3. An independent, effective oversight mechanism; and
      4. Effective remedies for individuals before an independent body.

    18 Mar 2016

    European Parliament:

    29 Feb 2016

    Draft Privacy Shield documents released.




    11 Feb 2016


    3 Feb 2016


    2 Feb 2016

    Political agreement between EU and US on new Privacy Shield.




    6 Nov 2015

    Commission Communication on the Transfer of Personal Data from the EU to the United States of America under Directive 95/46/EC following the Judgment by the Court of Justice in Case C-362/14 (Schrems), COM(2015) 566 final

    • Model clauses (SCCs) and BCRs still usable for transfers to US; also derogations
    • The Commission is ‘shortly’ preparing a decision, to be adopted pursuant to the applicable comitology procedure, replacing the provision limiting DPAs’ powers (one of the bases on which the Schrems court invalidated the Safe Harbour Decision) in all existing adequacy decisions (pgs. 14-15)
      • No such decision has been issued as at 19 September 2016

    27 Oct 2015


    • The US Safe Harbor – breached but perhaps not destroyed!
      • There is still a measure of protection for personal data transferred under the scheme – the privacy principles that members sign up to are still positive, for instance. But the assurance that meant Safe Harbor was automatically considered to provide the adequate protection required under the 8th data protection principle is no longer there
      • Don’t panic, take stock, make your own mind up (self-assessment of adequacy)
      • We’re certainly not rushing to use our enforcement powers
      • We’ll consider complaints from affected individuals, whatever transfer mechanism you’re relying on, but we’ll be sticking to our published enforcement criteria

    26 October 2015


    • Rhineland-Pfalz’s DPA asked 122 large organizations how they were implementing their US transfers; 53% answered satisfactorily, with the DPA remarking, without mentioning SCCs, that their privacy-protective positions regarding ‘no-cloud policies’ or preference of EU providers had paid off

    21 October 2015


    • DSK Position Paper - Special meeting of the Conference of Data Protection Commissioners (DSK) (German DPAs) in Frankfurt
      • Transfers to the US based ‘exclusively’ on Safe Harbor are ‘inadmissible’
      • The admissibility of transfers to the US based on model clauses (standard contractual clauses) or binding corporate rules (BCR), is also questionable
      • For the time being, [German] data protection authorities will not issue any new permission for data transfers to the  US  based on binding corporate  rules  (BCR) or data  export contracts. 
        • Presumably “data export contracts” are ad hoc contracts not model clauses, which strictly under the DPD should not require authorisation
    • Numerous individual German DPA positions – not linked to here

    16 Oct 2015


    • Statement on implementing Schrems
      • transfers to the US relying on Safe Harbour are invalid
      • ‘massive and indiscriminate surveillance’ was a ‘key element’ of the CJEU’s analysis
      • urgent ‘legal and technical’ solutions needed to enable transfers to ‘the territory’ of the US ‘that respect fundamental rights’
      • SCCs and BCRs still usable (although DPAs could still investigate complaints)
      • if, by the end of January 2016, no appropriate solution was found with the US, and depending on its assessment of transfer tools, EU DPAs were ‘committed to take all necessary and appropriate actions, which may include coordinated enforcement actions’.

    6 Oct 2015

    C-362/14 Maximillian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650, CJEU

    • Commission’s 2000 Safe Harbour Decision was invalid:
      • Art. 1 was invalid – it did not comply with Art. 25(6) DPD or the Charter as it did not find, duly stating reasons, that that the US in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments. No need to consider content of Safe Harbour principles.
      • Art. 3 was invalid – it constrained national DPAs’ powers ‘under restrictive conditions establishing a high threshold for intervention’, which the Commission had no legislative competence to do because DPAs must have ‘complete independence’ to review data subject claims under Art. 28 DPD and the Charter
      • As Art. 1 and Art. 3 were inseparable from the rest of the Decision, the entire Decision was invalid
    • No Commission adequacy decision may prevent national DPAs from examining individuals’ claims regarding the inadequate protection of their personal data transferred to a third country; but neither national courts nor DPAs can declare Commission decisions invalid, only the CJEU can do so
    • When considering the ‘adequacy’ of protection in a third country for the purposes of a Commission Art.25(6) decision, the test is whether the country’s legal regime provides ‘essentially equivalent’ protection
    • Although strictly the court’s decision rested on the Safe Harbor Decision being invalid for the reasons stated above, but it also outlined requirements for EU legislation interfering with the Charter’s fundamental rights to private life and data protection to be valid (drawn on by WP29 in its April 2016 opinion)
    • Note: all other Commission adequacy decisions, eg on SCCs or ‘whitelisting’ certain countries for transfers, contain the same wording as the invalidated Art. 3 of the Safe Harbour Decision - so they are all also at risk of invalidation for that reason alone


    10 April 2014





    News breaks in June 2013 regarding NSA contractor Edward Snowden’s revelations, notably, from the Guardian:

    (for a detailed timeline of stories see


    Art. 31 Committee – a Committee of EU Member State representatives, under Art.31 DPD, that votes on Commission adequacy (or inadequacy) decisions proposed under Art. 25(6) or 25(4) DPD, and certain other decisions under the DPD (flowchart of Art. 31 Committee voting and decisions)
    CharterEU Charter of Fundamental Rights
    CJEU - Court of Justice of the European Union
    Commission – European Commission
    DPA – EU national data protection authority
    DPDEU Data Protection Directive 95/46/EC
    FTC – US Federal Trade Commission
    ICO – UK Information Commissioner
    Member State – EU Member State (see diagram on the differences between the EU, EEA, EFTA etc)
    Model clauses – see SCCs
    SCCs – standard contractual clauses, aka ‘model clauses’, for enabling transfers of personal data outside the EEA, under various Commission Decisions
    WP29 – Article 29 Working Party, comprising EU data protection regulators, with an advisory function under Art.29 DPD.

    Tuesday, 17 May 2016

    Article 93(2) GDPR comitology - flowchart

    Under the General Data Protection Regulation (Regulation (EU) 2016/679), the European Commission has the power to make decisions in certain areas by way of "implementing acts", subject to approval of the relevant act by a committee under Art. 93(2) of the GDPR - which will no doubt become known as the Article 93(2) Committee (or Article 93 Committee).

    When considering proposals by the European Commission, this Committee must use the "examination procedure" under the EU "comitology" process, governed by Regulation (EU) No 182/2011 - the same procedure that the Article 31 Committee under the current Data Protection Directive must use.


    Below is a flowchart I prepared showing the Article 93(2) procedure. Click on the small image below to download the full PDF flowchart (note: amended 2 June 2016 to expand on what "positive", "negative" and "no opinion" mean).

    Article 93(2) GDPR

    The areas where the Article 93(2) Committee procedure applies are as follows; some are quite significant so it's important to know how the procedure works.

    International transfers

    Most of these areas relate to "international transfers" of personal data to third countries outside the European Economic Area or to international organisations:

    • Making decisions on the adequacy of protection of third country, territory or one or more specified sectors within a third country, or an international organisation – Art. 45(3) – or conversely on inadequacy, and repealing, amending or suspending previous adequacy decisions – Art. 45(5)
    • Adopting standard data protection clauses for allowing international transfers (the successor to the current model clauses or standard contractual clauses)– Art. 46(2)(c)
    • Approving standard data protection clauses adopted by national data protection supervisory authorities (SAs) for allowing international transfers - Art. 46(2)(d)
    • Specifying the format and procedures for the exchange of information between controllers, processors and SAs for binding corporate rules (BCRs) – Art. 47(3).

    Other areas

    The Art. 93(2) procedure also applies to certain other areas:

    • Laying down standard contractual clauses for controller/processor and processor/sub-processor contracts - Art. 28(7)
    • Giving EU-wide validity to an approved code of conduct, amendment or extension submitted to it (following its approval by an SA and the European Data Protection Board) - Art. 40(9)
    • Laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks - Art. 43(9)

      (Note that the last two are relevant to international transfers also, in that transfers may be permitted to recipients who adhere to an approved code or obtain an approved certification, and who also make legally-binding commitments to apply the "appropriate safeguards" - Art. 46(2)(f).)
    • Specifying the format and procedures for mutual assistance betwee SAs and arrangements for the electronic exchange of information between SAs, and between SAs and the Board, in particular the standardised electronic format for SAs to supply information requested by other SAs – Art. 61(9)
    • Implementing acts of general scope to specify arrangements for exchange of information by electronic means between SAs and between SAs and the European Data Protection Board - Art. 67.

    Article 31 Committee flowchart - Privacy Shield

    The proposed EU-US Privacy Shield, intended to replace the Safe Harbour regime invalidated by the Court of Justice of the EU in Schrems, is currently being considered by a committee of representatives of EU Member States under Article 31 of the Data Protection Directive - known, of course, as the "Article 31 Committee".

    When considering proposals by the European Commission, such as its draft adequacy decision to approve the Privacy Shield, this Committee must use the "examination procedure" under the EU "comitology" process, governed by Regulation (EU) No 182/2011.

    Comitology is somewhat convoluted, so I've produced a flowchart explaining the different options, depending on what opinion the Article 31 Committee issues - expected to be in June 2016, but at this rate it may be later!

    Explanatory paragraph added 13 June 2016: Note that the Data Protection Directive was amended from November 2003 by Regulation (EC) No 1882/2003. That changed the Article 31 Committee procedure from the one in the original Data Protection Directive, that gave the Council the final say, to the procedure set out in Decision 1999/468/EC. The 1999 Decision was itself amended a couple of times, and eventually replaced by Regulation (EU) No 182/2011. My flowchart reflects the Regulation 182/2011 procedure, which is now the applicable procedure for comitology under Article 31 of the Data Protection Directive.

    There are other flowcharts on comitology, but mine just shows what's relevant to the Article 31 Committee and not other areas of law, and I believe it's clear but still informative.

    Click on the small image below to download the full PDF flowchart (note: amended 2 June 2016 to expand on what "positive", "negative" and "no opinion" mean).