Greetings from London!

Like many privacy professionals, I had the privilege of attending the sold-out 2019 IAPP Data Protection Congress in Brussels two weeks ago, the last major privacy conference of the decade. Time has flown by since the draft General Data Protection Regulation first emerged eight years ago, but what can Europe offer for the 2020s?

Giovanni Buttarelli, the great visionary, was already thinking ahead. Christian D’Cuhna presented Buttarelli’s manifesto, "Privacy 2030: A New Vision for Europe," at the Congress. It is well worth a read. This presentation was followed by the inaugural Giovanni Buttarelli Memorial Lecture from Margrethe Vestager, the executive vice-president for a Europe fit for the digital age. The IAPP’s Angelique Carson filed an excellent report on Vestager’s speech, which again I recommend to readers.

A more immediate issue for the European Union is the stalled negotiations on the proposed ePrivacy Regulation. On only his second day in post, Thierry Breton, commissioner for internal market, addressed member state ministers and ambassadors at the meeting of the Transport, Telecommunications and Energy Council 3 Dec. Although 5G and ethical data use were on the agenda, it was ePrivacy that dominated the meeting and the subsequent news conference.

Despite the efforts of the Finnish Presidency of the Council of the European Union, it was not possible to gain a general approach (agreement) from member states on the proposed draft text. Outstanding issues included child imagery, data retention and setting a level playing field for over-the-top communications services providers.

The meeting was remarkable in that the prime minister of Luxembourg, Xavier Bettel, made a short intervention near the end of the discussion. He said, “We’ve been wasting three years so far on this.” He continued, “I do hope that with you as commissioner, Mr. Breton, that we’ll finally get some conclusions on this.”

Breton responded, “Well I think that the prime minister from Luxembourg said it all.”

Observing the divergence of opinion on ePrivacy, Breton made a commitment at the news conference to speak to each party in the negotiations to try to understand their concerns. He said that the commission and the incoming Croatian Presidency would need to consider all the options, including recasting the proposal.

At this meeting, the U.K. was represented by Katrina Williams, deputy permanent representative to the EU. This may have been the last time the U.K. contributes to ePrivacy discussions at the council. To recap, the U.K. will hold a general election 12 Dec. The U.K. is then due to leave the EU 31 Jan. 2020, although the result of the election will affect exactly what happens next.

In terms of data protection, if the U.K. leaves the EU 31 Jan., then in accordance with the political declaration on the future relationship between the EU and the U.K., adequacy negotiations will commence. If the proposed status quo transition period is not extended beyond the end of 2020, then there will be just 11 months available to conclude an adequacy decision.

Experts on Brexit panels at the 2019 Congress noted that this could be challenging, given the potentially short time frame, but achievable given that the U.K. has already implemented the GDPR and Law Enforcement Directive. Progress on adequacy negotiations will be tracked with interest in the coming year.

Finally, the warmest congratulations are due to Wojciech Wiewiórowski, the newly appointed European Data Protection Supervisor. Privacy professionals in Europe and around the world will undoubtedly want to wish him well in this prominent and influential role.