GDPR as The Guiding Light but not necessarily The Road Ahead

It is widely (universally?) acknowledged that the European Union’s GDPR has not only the purpose but also the effect to have a positive impact for good on the wider world. So even if we recognise the GDPR as the Guiding Light, does it necessarily represent the Road Ahead? This appetite for building on the GDPR and diverging from it in certain ways is reflected in this October edition of PL&B International Report.

The GDPR was discussed for several years before final adoption in April 2016 and inevitably the detailed provisions were the result of compromises among the 28 Member States. But after several years of working with the GDPR, some non-European Economic Area countries are drafting laws which take a different tack in some areas of the law.

Merging controller and processor concepts

The case for merging the data controller and data processor concepts is made powerfully in the book by Brendan Van Alsenoy, Legal Advisor, Data Protection Authority, Belgium – see a video clip of his presentation at PL&B’s 32nd Annual International Conference, in July 2019. Dr. Oliver Butler’s review summarises his argument: “Van Alsenoy recommends that reform be achieved through the abolition of the concepts of controller and processor, ensuring that instead the parties who benefit from processing bear the burden of ensuring compliance with the data protection principles.” The issue of allocating responsibility between a controller, processor and joint controllers is also covered in a video clip at the same conference session by Wojciech Wiewiórowski, now European Data Protection Supervisor.

Some countries have followed this path. Russia’s data protection law has replaced data controller and data processer with one concept “data operator” (PL&B International Report October 2016 pp. 27-28).

Now Egypt’s new law has diverged from the GDPR without following Russia’s model. Whereas GDPR Art 33.1. requires the controller to notify a personal data breach to the DPA, in Egypt’s new DP law both controllers and processors are responsible for notifying the DPA. This reduces arguments on who should take on this responsibility.

Reflection of national culture

It is clear that Switzerland’s new data protection law is influenced by the GDPR and is designed to achieve renewal of Switzerland’s EU “adequacy” status but diverges from it to match Switzerland’s business culture. For example:

  1. Contrary to the GDPR, data processing in the private sector is in principle permissible and a justification (or “legal grounds”) is required only in certain situations.
  2. Conceptually, the information obligation under the new DP Act is very similar to the information obligation under the GDPR, but does not require as much detailed mandatory content as the GDPR.
  3. The fines are primarily to be paid by the decision-makers in offending organisations but only if they act intentionally. They can be found liable up to the amount of 250,000 Swiss francs (€230,000). Although these fines pale in comparison with the amounts under the GDPR, they will likely be even more effective given that they are of a personal nature, even with criminal liability in some cases, and cannot be covered by insurance.
  4. The revised DP Act introduces a general professional secrecy for all professions with fines of up to 250,000 Swiss francs and a new provision against identity theft.

The UK’s Brexit negotiators with the European Commission, with their instinctive drive for political self-determination, will certainly be following the development of Switzerland’s slightly divergent data protection law with great interest.

For sure, the GDPR-influenced laws in the region are subject to the risk of weakening in the course of negotiations on Asia-Pacific trade deals as Professor Graham Greenleaf explains. But his article with Professor Katharine Kemp on vigorous activity from the Australian Competition and Consumer Commission to support privacy principles shows that Germany (PL&B International Report December 2019) is not alone in having its competition authorities supporting the work of the Data Protection Authorities.

We are pleased to publish the article by Camilla Tabarrini, the winner of the 2020 Stefano Rodotà prize for her essay on “Understanding the Big Mind - Does the GDPR Bridge the Human-Machine Intelligibility Gap?” In this shorter version, she explains the concept of algorithmic accountability.

PL&B’s Germany online conference

Many of the provisions in the GDPR are based on German law, and the Hesse law in 1970 was the world’s first, adopted 50 years ago this month. I invite you to take the opportunity to register for our conference, Germany’s Data Protection Law: Trends, opportunities and conflicts, now in the form of five weekly online sessions, starting on 28 October.

But the Road Ahead leads in several directions.


Stewart Dresner, Publisher

International Report 167

Lead stories:

Switzerland’s DP Act revised

David Rosenthal of Vischer reports from Zurich on new aspects of the law which is expected to enter into force in 2022.

Egypt’s Data Protection Law enters into force in October

It is likely that the law will not be fully enforced until 2022, but businesses should start preparing now. By Dino Wilkinson and Masha Ooijevaar of Clyde & Co.

Click for full contents list