Greetings from Brussels!
It’s the week after our IAPP Data Protection Congress here in Brussels, and if you missed it, there are a couple of articles (here and here) penned by our content director, Sam Pfeifle, that are worth a gander to give you a sense of how the event unfolded. A hearty thanks to all of you who attended, and we hope to see you all back again next year; I have a sense that DPC18 might be an even bigger draw as it will be our first European Congress following the GDPR going into force in May.
On the news front, one particular item recently caught my attention that I have referred to in previous editorials: the question of the ongoing validity of existing international adequacy agreements against the backdrop of changes to EU data protection legislation such as with the GDPR. The European Commission recently announced that it was stepping up its review of the 12 adequacy agreements it has in place with countries outside the EU as part of a scrutiny process that may bring into question the workings of those agreements. The EU executive has been intensely analyzing all 12 of the deals by asking foreign governments for written clarification on their privacy safeguards and by sending experts to visit those countries.
Clearly, the much-publicized failings of Safe Harbor gave much pause for thought for authorities and governments across the globe, and no doubt served as a reminder that it should not be discounted that other equivalent agreements should probably be reviewed to reflect future legislative provisions. At our DPC conference last week, Bruno Gencarelli of the European Commission remained positive, citing intense dialogue with international counterparts. The EC is currently running the adequacy decisions through stress-test reviews with the aim of keeping them from failing potential challenges in courts. For everybody’s sanity, it would be best to avoid another Safe Harbor debacle.
Just for the record, if you were unaware of the 12 countries that have adequacy decisions in place with the EU for international data transfers, they are Switzerland, Andorra, the Faroe Islands, Guernsey, Jersey, the Isle of Man, Argentina, Canada, Israel, New Zealand, the United States and Uruguay. It stands to reason that with sweeping new reforms coming into force via GDPR (with extraterritorial application for EU personal data) the EU executive is working hard to ensure that international standards and agreements continue to meet the traditions and levels of privacy we have in the EU.
In her opening keynote last Wednesday at DPC, EU Justice Commissioner Vera Jourová noted that more and more countries outside the EU are passing their own privacy and data protection laws. Jourová also noted that the European Commission is working hard on developing international data flows. In addition to the EU-U.S. Privacy Shield agreement replacing the flawed Safe Harbor, and having analyzed more than 100 laws globally, the Commission is seeing non-EU countries start to adapt their regulations to align with GDPR standards. Jourová gave particular mention to the Commission’s efforts in its advanced talks with Japan to seal an adequacy decision for trans-border data flows. Similar talks will commence with South Korea before the end of the year.
It is clear here in Europe, with privacy being a fundamental right for consumers and citizens, that the EU sees itself as a leader in supporting the agenda of privacy rights beyond its borders. As Jourová attested, one should not be surprised that Europe is the first to propose more stringent privacy rights. And while one may not agree with the evolution, the EU is not mincing its words: Europe will continue to protect privacy in the mainstream, and companies will be expected to cooperate.