Key Takeaways From Sidley’s Privacy and Cybersecurity Monitor-Side Chat Featuring Bruno Gencarelli, Head of International Data Flows and Protection at the European Commission

On June 25, 2020, Sidley partner, Alan Raul, founder and co-head of Sidley’s privacy and cybersecurity practice, hosted Bruno Gencarelli, head of International Data Flows and Protection at the European Commission, for a Monitor-Side Chat.

The discussion focused largely on the Commission’s report on two years of the GDPR which was issued on 24 June 2020. Key themes of the report include:

  • EU data protection authorities (“DPAs”) should increase their efforts towards the adoption of a harmonised approach to responding to cross-border investigations;
  • a call for greater resources to be given to DPAs by EU Member States to ensure the GDPR is sufficiently enforced;
  • a need for greater consistency among EU Member States on interpretations of the GDPR in national laws in order to avoid unnecessary burdens on companies; and
  • greater utilisation of the data portability right under the GDPR to ensure individuals have greater involvement in the digital economy by enabling them to switch between different service providers and make use of other innovative services.

Key takeaways from the Sidley Monitor-Side Chat include:

COVID-19 – “stress test” and a “test case” for the GDPR, DPAs and the European Data Protection Board (“EDPB”)

  • Mr Gencarelli noted at the beginning of the COVID-19 pandemic, due to its unprecedented nature, there was a tendency for DPAs to adopt different approaches to dealing with COVID-19.
  • In April/May 2020, there was an increased realisation by EU institutions that a “pan-European” approach was needed to respond to COVID-19.
  • COVID-19 led to a transformation of the working methods of the EDPB, with virtual plenary sessions every week to promote consistency and the adoption of an EU-wide response and sub-groups and staff meeting more frequently. This enabled the development of EU-wide COVID-19 guidance and at a national level, an increased alignment.
  • In the Commission’s view, the response of EU data protection stakeholders to COVID-19 has been “quite positive”.

International Transfer Mechanisms Update

  • The Commission is seeing an increasing number of countries outside of the EEA adopt data protection legislation, which tends to share a number of common elements with the GDPR (e.g., overarching rather than sector-specific, a common set of safeguards and rights and enforcement by an independent body). In the view of the Commission, this offers “incredible opportunities” in terms of better protecting the transfer of personal data.
  • The Commission believes the increasing convergence enables the full international transfer toolkit of the GDPR to be utilised. It is currently reviewing standard contractual clauses (“SCCs”) to make sure they are in line with the GDPR and are modernised to cover new developments in today’s digital economy (e.g., the frequent transfers of personal data from processor to processor and enabling more than two parties to adhere to the SCCs during the lifecycle of certain business operations or transactions). The Commission will present its ideas at an upcoming stakeholder event.
  • The Commission’s work on reforming the SCC’s is dependent on the Court of Justice of the European Union (“CJEU”)’s ruling on the challenge to the validity of the SCC’s scheduled for 16 July, however, regardless of the outcome, the Commission will work on a solution to ensure SCC’s are in line with the CJEU’s ruling.
  • The Commission would like the EDPB to intensify work on certification and codes of conduct.
  • Adequacy findings with South Korea are currently being finalised.
  • The Commission would like to develop synergies between data protection instruments and other instruments (e.g., trade instruments).
  • The GDPR report notes the Commission’s opposition to “unjustified restrictions such as forced data localisation requirements” on data flows and trade instruments, advocating in favour of data protection and against data protectionism, viewing data localisation as unnecessary to protect personal data.
  • The Commission has in place a new trade policy for all of its trade negotiations that prohibits forced data localisation and storage. In its view, using trade instruments and data flows can facilitate free and safe data flows.

International expert working group to harmonise data standards between the EU and third countries (e.g., the US)

  • The Commission considers there are sufficient international forums discussing data protection convergence between the EU and third countries.
  • The G7 and G20 are frequently discussing privacy standards. In addition, the OECD is currently reviewing guidelines on privacy and data flows. The Convention 108, which was created as an EU instrument, is now a universal instrument with members and observers from Latin America, Asia, Africa and the US.
  • Greater convergence on data protection, often based on the EU model, appears to be taking place around the world.

GDPR requirement to balance fundamental privacy and data protection with other fundamental rights (e.g., freedom of expression)

  • The Commission considers the fundamental rights of privacy and data protection should be balanced against other fundamental rights such as freedom of expression, the right to private property and other rights such as intellectual property rights, security and competition.
  • This balance already exists in the GDPR. For example, individuals’ data portability rights involve the balancing of competition rights (e.g., lowering entrance barriers to concentrated markets) and the GDPR recitals discuss the importance of open flows and trade.
  • However, DPAs, the Commission and EU courts also need to take this balance into account when applying data protection rights in practice, recognising other international data protection systems may strike the balance in a different way (e.g., in favour of freedom of information and expression).
  • DPA’s play an “essential role” in striking this balance. Whilst this is a work in progress, important steps have been taken in light of new challenges faced by DPAs (e.g., the EDPB has acknowledged a balance needs to be struck between data protection and public health, noting the GDPR does not “hinder” measures adopted in the fight against COVID-19).

Brexit – Adequacy review

  • The UK has confirmed it will not request an extension to the Brexit transition period, scheduled to end on December 31, 2020. As such, from January 1, 2021, an international transfer mechanism will be needed for data flows between the EU and the UK.
  • UK adequacy discussions are ongoing between the Commission and the UK.
  • The UK’s data protection standards as a former member of the EU, are based on EU data protection standards. However, as the UK has stated it wants its own independent data protection standards, the Commission has to ensure any adequacy decision granted is sustainable, not just with respect to UK data protection standards applicable today but in order to ensure comity exists from January 1, 2021 and onwards.

Upcoming Monitor-Side Chats include speakers Adam Klein, Chairman and Member, Privacy and Civil Liberties Oversight Board (July 2, 2020) and Dr. Andrea Jelinek, EDPB Chairwoman, (July 8, 2020) – register for the July 2nd Chat here.