The EU GDPR may be open to revision
For years, the EU GDPR has been regarded as the gold standard by which other privacy laws are compared.
GDPR principles: The European Commission policy makers have said firmly since it was fully applied in 2018 that the text is not open to revision. The Commission has opened a consultation on the working of the GDPR(1) to which it is committed every four years by the GDPR’s Article 97. This provision lists international transfers, cooperation between the supervisory authorities and consistency for particular attention. This review could, in due course lead to some changes of interpretation of the principles. Privacy advocates are likely to press for holding on to the now familiar privacy principles.
But some companies and industry groups are likely to press for changes to some of the principles, or even the text in this AI era, stating that it is no longer possible to uphold them. Some EU governments now seem ready for change. In October last year, the French and German governments called in a joint initiative for the GDPR to have a less bureaucratic impact on Small and Medium Enterprises. “The General Data Protection Regulation (GDPR) is to be revised to achieve greater legal certainty and more effective enforcement.”(2)
The principle of transparency is widely interpreted as a duty of explainability of AI systems. As soon as one realises that AI is machine learning from the material it has been trained on, rather than the gateway to a future dystopian monster, the mystique fades. People are, or should, remain in charge and are certainly legally responsible and accountable.
At the European Commission/Council of Europe Data Protection Day Conference which I attended on 25 January in Brussels, Sergei Lagodinsky (German Member of the European Parliament) was adamant that the GDPR would not be changed. He reminded everyone that the purpose of the GDPR is to strengthen individual rights. DPAs must look at relevant cases, even if there are no complaints.
There was a session on international transfers, reflecting the fact that the old adequacy decisions had been confirmed a few days earlier. On 15 January, the European Commission published its report providing evidence for declaring the original 11 countries to be able to retain their “adequacy” status. This work is long and detailed taking into account many factors, including recognising draft legislation, for example, in Canada, Israel and New Zealand, progressing through their national legislatures. The report states that the European Commission will continue to closely watch these national developments. It is the totality of factors which add up to the “essentially equivalent” status.
Next countries for adequacy: I asked Bruno Gencarelli (Head of the International Affairs and Data Flows Unit, DG Just, at the European Commission) which are the next countries likely to achieve this status? He replied that his team is reviewing developments all over the world and Brazil is high on his list. Another candidate for adequacy is Mauritius which has a mature data protection law, a large outsourcing sector and an experienced Data Protection Commissioner.(3) Gencarelli hinted that he expected that there would be more countries joining the desirable "essentially equivalent" list later this year.
Mexico’s DPA, the INAI wants EU adequacy status for Mexico. The INAI is having detailed discussions with the European Commission in the coming months, including on the timetable and any required legal or institutional changes.
Several organisations are taking initiatives on the interoperability of international transfer rules. The INAI has updated the Global Privacy Assembly (GPA) website to include a link to a detailed GPA member comparison of standard contractual clauses across several frameworks and jurisdictions.(4) EU-US transfers of personal data receive media attention but there is much work being done in other regions.
Council of Europe: Peter Kimpian (Member of the Data Protection Unit at the Council of Europe) explained at the conference that the aim of the free flow of data has not been realised, despite the 55 parties to Council of Europe Convention 108, 38 ratifications of the Convention and 40 observers. Kimpian said that the Council of Europe’s work programme covers many subjects, such as the AI draft Convention and “all of them have a data protection component.” He is realistic, declaring that “We cannot impose Convention 108 on everyone.”
OECD: Dr Clarisse Girot (Head of the Data Governance & Privacy Unit at the OECD) declared that Data Free Flow with Trust is a G7 priority but “there is a need to operationalise this concept.” Companies want legal certainty. Some countries’ data localisation rules are an obstacle to free flow of data. Her team is running a series of projects which do not include model clauses. A voluntary code could be drafted by the OECD. Girot asked whether non-member countries realise that if they sign up to an OECD document – a serious commitment - they will be assessed by the OECD secretariat and benchmarked.
To assist regional cooperation, Girot is on the drafting committee of the ASEAN Model Contractual Clauses for Cross Border Data Flows.(5)
ASEAN digital ministers met in Singapore starting on 1 February to discuss common issues including practical steps to help companies comply with the ASEAN model clauses.(6) They will launch the second half of a joint guide to the ASEAN Model Contractual Clauses and the EU Standard Contractual Clauses. This document aims to facilitate understanding between ASEAN and EU businesses, and streamline legal processes for cross-border data flows.
We are pleased to publish a proposal by Professor Graham Greenleaf, Asia-Pacific Editor, for default whitelists rather than one off assessments to resolve in stages the long running problem of international transfers of personal data between jurisdictions with different types of laws on international transfers.
PL&B’s 37th Anniversary: This month, we at Privacy Laws & Business are celebrating the 37th anniversary of the first PL&B publication. To show our appreciation to you, our PL&B Report subscribers, we are now offering you free places at our events, except for our International Conference.
We look forward to meeting you on 20 February in London and on 15 May in Dublin (details coming soon).
Publisher, Privacy Laws & Business