Several significant figures in the privacy landscape shared their thoughts on the keynote stage at the IAPP Data Protection Intensive: U.K. here in London Thursday. The state of play and future of EU enforcement and international data transfers were the focus of a keynote panel moderated by IAPP Research and Insights Director Joe Jones and featuring former U.K. Information Commissioner and current Baker McKenzie International Advisor Elizabeth Denham and NOYB Honorary Chair Max Schrems.
Separately, a day after introducing a new U.K. data protection reform bill to Parliament, U.K. Secretary of State for the Department of Science, Innovation and Technology Michelle Donelan shared her thoughts on the reforms.
Enforcement and the one-stop shop
Earlier this year, the European Data Protection Board and Ireland's Data Protection Commission handed down a trio of enforcement actions against Meta’s Facebook, Instagram and WhatsApp related to transparency and legal bases for data processing. The decisions, which showed the EU General Data Protection Regulation’s one-stop shop in action, stemmed from complaints filed by NOYB in 2018 and have called the mechanism, as well as appropriate legal basis for data processing, into question.
“It’s interesting because you see how on the one hand, the one-stop-shop system kind of works, but it also shows how it’s very messy, very slow, that the regulator has the ability to delay this procedure for four and a half years,” Schrems said, noting there will be at least 18 pieces of litigation that will come out of the three decisions. “The GDPR just says you guys work together but it doesn’t say how.”
Schrems cited issues around different procedural laws among member states and a lack of cooperation, while Denham pointed to “natural tensions” and a need for enhanced transparency and timelines.
“For complainants, for controllers, for all the regulators that sit in the one-stop shop, there needs to be more transparency and not just the white smoke that comes out at the end of the process,” Denham said.
The data transfer conundrum
On the data transfer landscape, Denham said the environment — with a growth of privacy laws and proliferation of data transfer restrictions around the world — is “chaos,” and what Schrems said is a “logical consequence,” of privacy laws.
Denham previously called for a “Bretton Woods agreement for data,” a multilateral solution for data flows. On Thursday, she said she made that call “back when I was optimistic,” noting high hopes for G-7 discussions, the Organisation for Economic Co-operation and Development’s work on government access to private sector data, and other efforts.
“But with the geopolitical situation with Ukraine, with Brexit and China, I do think we have a fractured environment right now … So instead of a multilateral agreement, I could see a plurilateral agreement among the rule-of-law democracies. It’s not going to happen in 2023,” she said.
“This is a nation-to-nation political issue that we really have to solve because, in the meantime, people have real harms going on. We’re not spending enough time on new technologies. As a profession, don’t take your eyes off the ball.”
UK data protection reforms and the question of adequacy
Donelan, who also spoke on the IAPP's keynote stage Thursday, introduced draft data protection reform of the U.K. General Data Protection Regulation to Parliament, the Data Protection and Digital Information (No. 2) Bill.
Donelan said the reform is estimated to create 4 billion GBP in savings over the next 10 years, was crafted alongside "industry and leading experts," and is "a massive step forward in the international landscape."
"Five years since the GDPR was first introduced, we have an opportunity to learn the lessons of data protection around the world and correct the elements that are not working for us as a nation," Donelan said. "This is a bill which does exactly that because we co-designed it with people that deal day in and day out with data. The bill will make it clearer, easier and cheaper for small companies, who account for 99 percent of our country's businesses, whilst maintaining the high standards that British people rightly deserve and expect."
Denham said the move to reform shows “creativity” on behalf of the U.K. in looking at ways to make the law “more pragmatic and fitting for the economy.” But the changes are not substantive, she said, and among hopes the U.K. will retain adequacy with the European Union, she would rather see the U.K. “join other countries outside the EU with full-throated support for a new way,” such as, for example, the Asia-Pacific Economic Cooperation's Cross-Border Privacy Rules.
“I don’t think adequacy is sustainable,” Denham said. “There’s a whole line of countries waiting for refreshment of their adequacy decisions that have been made under the directive,” she said. “What is needed is a sustainable, plurilateral way forward.”
From Schrems perspective, the U.K. law reform “is not relevant.”
“If we go after a U.K. company, we’ll go after a U.K. company in Europe. It’s not really relevant from a litigation perspective as long as you have European customers,” he said. “The more striking problem, is is it relevant? On a global level right now, no.”
Top photo: NOYB Honorary Chair Max Schrems, former U.K. Information Commissioner and current Baker McKenzie International Advisor Elizabeth Denham and IAPP Research and Insights Director Joe Jones.
