GDPR: Race to the Top: “EU and international perspectives on the GDPR five months on” - a reflection on the first months of the Regulation together with members of the national Data Protection Authorities and the EDPB.
In the aftermath of the media flurry leading up to May 25th (with a crescendo of consent requests), mainstream reporting has turned to other topics, which has given the public the impression that the GDPR hype has faded and is no longer important. Nothing could be further from the truth: May 25th was not the finish line but the start of GDPR compliance and accountability.
While news about GDPR may have grown quiet, the actual case load across member states has decidedly increased, as several of the panelists attested at a conference held to evaluate the impact of the GDPR 5 months after its entry into force.
The panel, “Initiatives in the EU – a new quality of cooperation,” featured the heads of the data protection authorities (DPAs) of Ireland (Ms Helen Dixon) and Denmark (Ms Cristina Angela Gulisano), as well as the Head of the EDPB Secretariat (Ms Isabelle Vereecken).
From the DPAs' perspective, the new data protection rules mean a new and more integrated way of working. The one-stop shop mechanism (which allows multinationals operating in several EU member states to deal only with the supervisory authority in the country where they have their main establishment, as opposed to all countries where they are present) is seen as an advantage from a regulatory perspective as well, as greater cooperation translates into a more harmonized interpretation of the Regulation.
During the panel discussion, the representatives of the DPAs pointed out that the one-stop shop mechanism is also a valuable asset to their work, enhancing cooperation and transparency when dealing with cross-border cases (in the first five months of application of the GDPR, the EDPB reported the notification of more than 160 such cases). In these instances, the DPAs pointed out, working together under the guidance of a leading authority has been a way to exchange valuable knowledge and harmonize their application of the GDPR principles. The handling of cross-border cases is moreover facilitated by the Internal Market Information System (IMI), an EU IT platform for exchanges on cross-border issues. Thanks to the IMI, national DPAs can identify the Lead Supervisory Authority for a cross-border case, cooperate closely and coordinate decision-making. The European Data Protection Board will also issue opinions and binding decisions (via the IMI) to arbitrate in cross-border cases between different national data protection authorities.
At the national level, Ms Dixon informed us that the top three complaint types in Ireland concerned access requests, data erasure complaints and privacy policies. The industries that generated most of the complaints were social media, technology, internet services as well as engineering, aviation and gambling.
The highlight of the conference was the keynote address by the President of the European Court of Justice, Judge Koen Lenaerts, on “Accountability in a digitalized world: the Court’s role in enhancing data protection in the European Union.” The speech was an exposé of landmark cases that have influenced the data protection landscape in Europe. To mention a few, he covered the first Schrems case against Facebook, sparked by the Snowden revelations, with its claim that the company's data transfers to the US did not provide an adequate level of data protection for European data subjects. As most readers will know, the case led to the invalidation of the Safe Harbor mechanism. In addition, this case showed that EU law is dynamic (or “reactive”), and that the way to interpret the law depends on the landscape at the time of its analysis rather than just a sterile reading of the legal text.
Furthermore, Judge Lenaerts analyzed the Google Spain vs. Mario Costeja González case about the right to be forgotten, which taught us that the responsibility to remove content is not automatic. Indeed, it requires a balancing act by the operator between the individual's right to privacy and data protection and the legitimate interest of internet users in having access to the information.
Judge Lenaerts closed with two recent cases. First, he discussed the recent Facebook judgement concerning joint controllership between the administrators of a Facebook page and the social network: he highlighted in particular that this decision relied heavily on the fact that the administrators can define the parameters of data collection and are thus allowed to profile their users. Second, he examined a recent case, which ruled that a religious community, such as the Jehovah’s Witnesses, is a controller, jointly with its members who engage in preaching, of the processing of personal data carried out by the latter in the context of door-to-door preaching. Among other things, it established that the activity is not covered by the so-called household exception and that EU law on the protection of personal data does apply. Further insights are available via this link.
In summary, the conference served to remind us all that while GDPR may seem to be a fait accompli, we are only at the start of its implementation. As new complaints and queries land on the desks of the national supervisory authorities, the courts will have a new case load that will further set the course of the European privacy journey for decades to come.