Greetings from Brussels!
This week saw the much anticipated IAPP KnowledgeNet meeting here in Brussels hosted by Linklaters. The subject of the panel discussion was the state of play of the long-awaited General Data Protection Regulation (GDPR) and related trilogue. Clearly a hot topic, the auditorium was packed with more than 100 participants, all eager to know where we are heading. This large turnout did not come as a surprise, considering the quality of the panellists, who kindly agreed to participate: the Luxembourg Presidency of the EU was represented by Laure Wagener and Joelle Jouret, both leading the negotiations under the trilogue; the Belgian Privacy Commission was represented by Isabelle Vereecken, who provided insight from the national but also international perspective; and Inge Janssen, senior manager public policy at Liberty Global addressed the private sector angle. Tanguy Van Overstraeten, Linklaters Global head of privacy and data protection, had the pleasure as host to introduce the topic and moderate the discussion.
The debate kicked off immediately with interesting highlights on the adoption process of the GDPR. A process that officially started almost four years ago, the intention remains to finalise the text by the end of 2015. Once formally adopted by the EU Institutions, there will be a vetting and polishing of the text with the assistance of the legal services of the institutions, as well as its translation into all the required languages of the European Union.
Chapters II to VIII have already been discussed during the trilogue to date, with approximately 70 percent of the text agreed upon. The remaining 30 percent, however, contain a number of issues for which the institutions’ opinions are still widely divided. They are likely to be more difficult to resolve, although there is a semblance of optimism. The momentum is clearly palpable, and the willingness to come to a conclusion by year end is further stressed by the reasoned approach of the European institutions.
Regarding international data transfers (Chapter V), the panellists looked at the impact of the recent decision of the European Court of Justice in the Schrems case (Case C‑362/14). Its consequences can indeed not be underestimated. Concern was expressed over the lack of harmonised approach to date, stressing some divergences among national data protection authorities (DPAs). A prompt solution is required, but the question is whether the GDPR’s adoption should be part of it. The point was made that re-opening discussions on adequacy in the draft GDPR should be avoided since, according to the court ruling, adequacy may continue to be used as a transfer mechanism. The key question is also which authorities should be involved in identifying a solution, and it was felt that the European Commission and the DPAs were best placed to address the matter. Another question is also what should be the role of the European Parliament in this context.
The panel also discussed the one-stop shop mechanism and the question of applicable law. There is a concern that the current debate may lead to more autonomy of decision at the level of national authorities, which would result in a patchwork of applications of the rules. Whereas the initial goal was to have one decision made by one DPA applicable and valid in all member states. A balance should be found between efficiency on the one hand and proximity of data subjects on the other hand. The matter however depends on the structure of each group of companies and the level of independence of controllers belonging to a same group. Regarding the issue of applicable law, it should largely be resolved given that the new instrument is due to be a regulation, directly applicable in all Member States.
The panellists also touched upon how some existing as well as upcoming rules should be reconciled with the GDPR. Data breach notifications were debated together with the overall e-privacy Directive (2002/58/EC) and the upcoming NIS (Network and Information Security) Directive. The risk of overlap and contradiction was underlined. It was agreed that all these texts will need to be revised and aligned in due course. For the e-privacy Directive, this could already start in 2016. The need for more clarity, consistency and ultimately legal certainty was emphasized not only by the panellists but also by the participants.
The panel ended with a lively Q&A followed by a reception where participants were able to continue the discussion with the panellists in a more relaxed manner. Well attended, with some excellent debate, this was a KnowledgeNet that lived up to its expectation.
If you want to comment on this post, you need to login.