Today, the Atlantic Council hosted an interesting panel discussion entitled: “Protectionism, Data Privacy, and the Transatlantic Partnership.” European Commission Digital Affairs Counselor Peter Fatelnig, Atlantic Counsel Distinguished Fellow Fran Burwell, and the U.S. Chamber’s Senior Manager for Digital Affairs Kara Sutton provided a lot of substance and perspective on what is happening in the run-up to the GDPR’s May 25, 2018 entry-into-force.
Appropriately, although the event name started with “protectionism,” nobody discussed the GDPR in those terms. That is because whatever one’s views are on whether the Regulation really will promote digital innovation in Europe, the GDPR per se is not a protectionist Regulation. Besides, the train has left the station. Companies around the world, including SIIA and its member companies, are racing to comply with the GDPR. Currently, I spend about a quarter of my time advising members on the GDPR.
What did become clear from the conversation is that the game is now all about implementation. The role of the DPAs, data breach, and data portability are just three examples of this reality that came up during the Atlantic Council session.
Peter Fatelnig emphasized the role of the Data Protection Authorities (DPAs) and the “one continent one law” advantages to business in his opening remarks. And indeed there are advantages. SIIA and other U.S. business associations and companies have always appreciated this aspect of the GDPR. However, when the EU originally proposed the GDPR, it very much touted the advantages of a “one-stop-shop” for business. That phrase was subsequently dropped from the lexicon of Commission communication on the GDPR because while the GDPR perhaps streamlines DPA authority, it is no longer appropriate to talk about a “one-stop-shop.” All this to say that it is vital to try to work to accomplish as much as possible what was originally intended through proposing a “one-stop-shop” for business.
The GDPR has a 72 hour data breach notification requirement. However, there is language in the GDPR’s Article 33 that provides some flexibility (“undue delay” and “where feasible”). SIIA sent comments to the Article 29 Working Party with suggestions for areas that need clarification. They included: “First, the desirability of clarifying the requirement for providing notice. Second, the importance of incentivizing resolution of the data breach. Third, the need to clarify that controller-processor arrangements means contractual arrangements. Fourth, the need for guidance that better reflects the realities of the processor-controller relationship.” I mention this simply to illustrate that there is a tremendous amount of work that still needs to be done to ensure that the GDPR is implemented well.
This is also the case with the GDPR’s data portability requirement, which the European Commission considers could stimulate digital innovation. Again in this area SIIA submitted comments to the Article 29 Working Party. Data portability can stimulate competition, but it is important not to mandate standardized data formats in all instances lest such requirements make it unnecessarily difficult to provide upon business or consumer demand, tailored solutions for different problems.
So, well considered implementation is absolutely key now. And we hope that in coming years that the Commission reviews empirical evidence as to whether the GDPR does, in fact, stimulate digital innovation in Europe, particularly from European SME start-ups. Moreover, during this time of heightened debate in the United States about whether aspects of European privacy rules may or may not be appropriate in the United States, we think it is crucial for both the United States and the European Union to recognize that there is much more that unites, rather than separates, the two systems. This is crucial as we seek common ground in addressing the challenge stemming from non-democratic and non-rule-of-law based visions for Internet-based trade, data, and information flows. This will be the subject for a separate blog.