Greetings from Brussels!
Earlier this week I was in my hometown for a Dublin IAPP KNet event in cooperation with the Institute of Banking, which was well attended, with more than 175 interested parties keen to hear thoughts and views on the current issues of the day, namely Brexit, Privacy Shield, and their impact on international data transfers. Hosted by our IAPP co-chairs, Denis Kelleher and Gonzalo Caro, of the Central Bank of Ireland and Microsoft respectively, we had a solid line up of speakers for the half-day event: Maureen Kehoe, assistant commissioner at the Office of Data Protection Commissioner; John O'Connor, partner at William Fry Solicitors; Marie Charlotte Roques, director, EMEA Privacy Policy at Microsoft; and TJ McIntyre, lecturer in law at University College Dublin and chairman of Digital Rights Ireland.
On the heels of the recently passed motion by European MEPs for resolution on the adequacy of the protection afforded by the EU-U.S. Privacy Shield, this was indeed a timely IAPP event. Point 26 of the motion “calls on the European Commission to take all the necessary measures to ensure that the Privacy Shield will fully comply with the GDPR, to be applied as from May 2018, and with the EU Charter.” What will this mean for third countries in their quest for adequacy status? This resolution will not only apply to the EU-U.S. Shield as a transfer mechanism, but invariably to a U.K. accord once they exit the EU, as they too will technically take on third-country status following the Brexit conclusion. What of the existing adequacy agreements in place? Will their statuses now be reviewed in function of GDPR stress tests? There are certainly challenges for such an alignment as several of the key changes in the GDPR — for example, the right to data portability — are not covered by the Privacy Shield. In respect to Brexit, McIntyre was of the view that the Investigatory Powers Act 2016 means that a U.K. agreement like that of Privacy Shield may not survive a “Schrems” type challenge. O’Connor had this to say: “The U.K. is likely to be severely constrained in relation to any amendments it is considering in relation to GDPR when it converts it into U.K. domestic law. This is because the more the U.K. moves away from GDPR the less likely an adequacy decision will be made in its favor.”
As we are broadly aware, the European Parliament resolution only goes to highlight concerns already raised by the WP29 in relation to the Privacy Shield, which I covered in an earlier commentary. In relation to the EP resolution, Emma Butler of Yoti, one of the IAPP London co-chairs, offered up an interesting observation on the matter, stating recently that the EP seem to be looking to fix the issue of government surveillance through prescribing "equivalency" for attaining adequacy. It makes one wonder if international business will become victim to "collateral damage." Conversely, though, the reality supported by the majority of European citizens is that security is a real concern; member states and the European institutions will need to address this more broadly going forward. The powers available to the security agencies within the EU as well as in other adequate and non-adequate countries remains high, in ways that are probably incompatible with the provisions of the GDPR and EU Charter.
As confirmed last week, the first review of the EU-U.S. Privacy Shield agreement will take place September 2017. Speaking in Washington, European Union Justice Commissioner Věra Jourová confirmed she and U.S. Commerce Secretary Wilbur Ross agreed upon the September review date. "This will be an important milestone where we need to check that everything is in place and working well," Jourová said. "If we want to further consolidate this new transatlantic bridge, we need the active engagement and contribution of all interested parties to the review."
We can probably expect a hive of activity in preparation for the review.
Comments
If you want to comment on this post, you need to login.