Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Adopted 2 July, the European Data Protection Board's Helsinki Statement may not have received a lot of press. Yet, it signals European data protection authorities' ambition to adopt a more actionable and practical approach to some of their work.
We should expect more dialogue with stakeholders, more timely and concise guidance that is "accessible, easy to understand, and practical" for small and medium-sized enterprises and "in line with the risk-based approach," with more templates and tools. And indeed, the EDPB has developed tools over recent months to helps SMEs navigate the data protection landscape.
What if this was indicative of current times, in which the practical realities of the data protection theoretical constructs are finally catching up with the realities on the ground. The recent Court of Justice of the European Union decision in the EDPS v. the EU Single Resolution Board appeared to many as a signal of pragmatism from the Luxembourg court.
The court's affirmation that context matters to consider pseudonymization and anonymization was seen by many as, perhaps, allowing organizations more flexibility in leveraging data in their daily operations, being able to push the boundaries of what was until now only possible under the purview of data protection rules.
After all, a big criticism often voiced about regulators' interpretation of the EU General Data Protection Regulation has been the tendency to stretch the definition of personal data, enough to drastically reduce relevance of other laws, like the Data Act or the Free Flow of Data Regulation — both focused on nonpersonal data on paper.
Perhaps the SRB decision will be one revealer of how much impact the Helsinki Statement will have in practice. The EDPB released draft pseudonymization guidelines in January, which have yet to be finalized. The SRB decision builds on prior jurisprudence, yet it imparts on the EDPB the need to update its draft guidelines to capture the essence of the court's position.
The SRB ruling could have bearings well beyond the mere layer of pseudonymization. From a GDPR angle alone, it raises questions on contractual requirements under Article 28, on safeguards requirements in a data transfers context, on liability in case of re-identification, and on risk analysis by the business in use of data.
At this moment, the impact of the SRB ruling in practice rests as much with organizations' appetite for risk — or prudence, rather — as it does with DPAs and their ability to translate the court's thinking in a harmonized and pragmatic way across Europe.
Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.