Greetings from Brussels!
This week was a significant milestone from an IAPP perspective. After a long hiatus, we re-launched our in-person events with our Data Protection Intensive Deutschland 2021 conference. Owing to challenges faced with the pandemic when planning the event, we opted to hold the event in German language only. It was deemed that potential restriction on travel into Germany may pose an issue for pan-European and international travelers. We were simply unable to assess how the environment would look in September. We will of course revisit our usual dual-track setup for 2022 all things permitting. Let’s hope the world will be in a better shape long before then.
All said, I spoke with several of our privacy pros, and the general consensus was one of relief to be able to attend an actual event and meet with peers to discuss the present challenges in data protection and privacy. For a number of our delegates, this was their first time traveling since January or February 2020. Attendees were grateful for the opportunity to discuss, learn and meet in real time. There was a good representation from both Austrian and Swiss members, in addition to German pros, at the event.
The conference itself was hosted by IAPP Country Leader for the DACH Ulrich Baumgartner, CIPP/E. I had a chance to get his take on the proceedings. Overall, the general sense from delegates is that the business of privacy is getting back to normal, and activity is ramping back up after the COVID-19 slowdown. Regulatory enforcement activities in Germany have reached a record high, with the different state authorities starting to show their teeth. A recent EDPB report puts Germany in pole position as the lead regulatory enforcer in the EU, with Ireland and the Netherlands a distant second and third, respectively. Ulrich stated that he had never witnessed so many investigations or formal proceedings as he sees today, much of which is impacting companies and their general compliance efforts.
In terms of conference discussions, the main concern for many remains "Schrems II" compliance, a theme repeatedly debated in almost every session. Transfer impact assessments were truly the buzzword for the conference spilling over into the coffee breaks. There is a good deal of uncertainty as to what regulators expect in terms of TIAs and how to technically carry out these controls. There was an important message from Bavarian Commissioner Michael Will on the opening panel: “TIAs must be watertight!” Companies need to have a thorough knowledge of their transfers, including sufficient analysis of how they have grappled with ‘problematic’ third country legislation, including any possible supplementary measures to remedy. The DPA did acknowledge that regulators themselves may also struggle to challenge said analysis; there seems to be shared uncertainty to a degree. An important aspect to the debate was also around the new standard contractual clause. For example, there was much discussion regarding to what extent controllers can shift the responsibility for "Schrems II" compliance to their vendors.
In discussions specific to Germany, the new Telecommunications & Telemedia Data Protection Act, adopted in May, will have a significant impact on companies, not only in online advertising, but also far beyond as it impacts Internet of Things, machine-to-machine communications and connected cars. It was clear from the panel discussion there is concern the consequences on businesses are still severely underestimated in practice, despite the new law coming into effect 1 Dec., with no grace period. Not to mention the parallel application of the proposed ePrivacy Regulation once it is adopted. The key message from Carolin Loy of the Bavarian State was that the German regulators, via the Datenschutzkonferenz umbrella, will publish guidance on the scope of the legislation’s consent requirements in the coming weeks. In Ulrich’s view, the guidance will define the scope very broadly, which will have considerable practical implications.
All in all, there was much to discuss and clearly data protection remains central to compliance and business issues at large.
If you want to comment on this post, you need to login.