No doubt these are busy times for privacy practitioners, but they're not the only ones who've been immersed in work since May 25. That was clear Wednesday when two EU-based data protection regulators shared insight with IAPP Europe Managing Director Paul Jordan and a packed room here at the IAPP Data Protection Intensive: Deutschland, in Munich, Germany.
With this new EU-wide regulatory body taking shape by the day, Isabelle Vereecken, head of the EDPB Secretariat at the European Data Protection Board, enumerated several initiatives underway ahead of next week's third plenary session, happening Sept. 25 and 26. Notably, she said the EDPB expects to adopt 22 opinions on data protection impact assessment lists prepared by member state supervisory authorities. These lists detail the kind of processing operations that are subject to the GDPR requirement to conduct a DPIA prior to implementation.
Vereecken also said the European Commission has asked the EDPB to provide an opinion on the recently published draft adequacy decision on Japan.
Depending on next week's plenary meeting, Vereecken noted, the EDPB may also release guidance on the territorial scope of the GDPR — a topic where many have sought clarity since the law's introduction — and will likely provide guidance on the eEvidence Regulation.
Bas van Bockel, head of Department of International, Policy and Strategy at the Dutch DPA, said he is content with how the EDPB is working so far: "We're very much in the beginning. The system of European governance is now completely different from before. It won't be for another six-to-12 months before we'll really feel the impact of the whole system." He said so much right now is "complaint-driven in the EU and that is difficult."
According to both Vereecken and van Bockel, complaints and data breach notifications are way up at this point, but the national authorities are working diligently to address them. With regard to cross-border cases, the regulators are working together and exchanging information through an IT system developed by the Commission's DG Grow. This system has been adapted to facilitate GDPR-cooperation needs.
Top of mind for many privacy pros, too, is the issue of joint controllers. "There should be further work on joint-controller relationships and the capacity of leading supervisory authorities," Vereecken said. Significantly, she added, "For the identification of the lead supervisory authority, it's more about the identification of the processing and less about the companies."
Two of the biggest uncertainties that lie ahead, van Bockel said, include how European case law will align with the GDPR and, of course, what will happen with Brexit. On the potential for the U.K. to leave the EU, van Bockel said, "It's easy to say how we feel about it: The ICO is an appreciated DPA, and we'd hate to see them go. We hope something is possible for the future. To the best of my knowledge, nothing has been discussed [in the EDPB] about possible solutions that I'm aware of."
Vereecken said the future relationship between the board and the ICO will depend on the Brexit deal. "We would be bound by the international agreement," she explained.
In other areas, however, Vereecken was optimistic about the growth of the EDPB. She said Iceland, Norway, and Liechtenstein became members in July, though they cannot vote or be selected as chair of the organization.
The future of the EU-U.S. Privacy Shield agreement was also brought up during the session. Van Bockel said the board has identified the questions it has, which were released earlier in the year, but he also highlighted that there have not been any complaints lodged thus far. Vereecken said they are "waiting for some clarifications," but added she "can't anticipate anything until the meeting takes place."
The annual review of Shield is due to take place in October, and the U.S. government was given until September to address EU concerns.
Though there are several uncertainties ahead, both regulators were optimistic. "We're in a challenging time," van Bockel said, "but I'm confident that we'll make this into a success."
Vereecken echoed the sentiment, saying she feels positive about how the EDPB is coming together. "As we see the law moving from theory to the practice, it's a good time to be in data protection law," she said. "We're a data-driven society, so it's a pleasure to be here at the moment."