On May 1, 2019, WSGR convened a panel of regulators and experts to discuss recent developments in European data protection law. The panel, moderated by Cédric Burton, featured Bruno Gencarelli, head of the International Data Flows and Protection Unit of the European Commission, Isabelle Vereecken, head of the Secretariat of the European Data Protection Board (EDPB), and Dr. Christopher Kuner, senior privacy counsel at WSGR.
Here are some of the key takeaways from the discussion:
- Strong Cooperation Among Data Protection Authorities (DPAs): The General Data Protection Regulation (GDPR) has established a framework for common decision-making and cross-border cooperation among DPAs. A year after the GDPRs became effective, DPAs are collaborating efficiently, both to ensure consistent application of the law through guidance, and to facilitate more effective enforcement. Recent EDPB statistics show that there have been more than 650 cooperation and mutual assistance requests, over 350 cross-border investigations, and more than 100 requests for lead DPA determination.
- Increased Scrutiny on Data Transfers: Bruno Gencarelli expressed the view that the EU-U.S. Privacy Shield, with more than 4,500 participating companies, is a success. He mentioned, however, that the Privacy Shield commitments should be more than mere paper commitments; they must be applied in practice. He added that he expects the Federal Trade Commission to start focusing on investigating substantive violations of Privacy Shield. In addition, the panelists indicated that the EU Standard Contractual Clauses will soon be updated.
- Future Privacy Trends: Privacy awareness is increasing in the EU. Together, EU regulators have received more than 65,000 data breach notifications and 95,000 complaints since the GDPR’s effective data. The panelists suggested that in the near future, enforcement will increase, but that DPAs will also be looking at other options to promote GDPR compliance. For example, EU regulators are willing to obtain input from relevant stakeholders, which the EDPB achieved through public consultation on its guidance, and recently by organizing an event on the concepts of “controller” and “processor”.
- Upcoming EPDB Guidance: This year, the EDPB intends to publish guidance on the following topics: the notion of “controller” and “processor”, the concept of privacy-by-design, new technologies used for CCTV and video surveillance, the status of the standard contractual clauses, and data protection impact assessments (DPIAs).
The discussion provided insight on how the GDPR will be applied in practice, and what the future trends will be in the EU.