Last week, I attended the 40th ICDPPC in Brussels, which is the global meeting of all privacy and data security regulators. The theme of the conference was “Debating Ethics,” and it was a deep dive into the interplay between digital commerce, regulation, and human dignity. There were representatives from around the globe, of course, but it was a fairly European-heavy event, attended by the entirety of the EU data privacy superstructure, the various Supervisory Authorities, and other important players in this space (like Giovanni Buttarelli, who organized it, or Joe Cannataci, who made hilarious and pointed comments about Russian hacking). There were keynotes about privacy by Apple’s Tim Cook and my personal internet hero Tim Berners-Lee, and a group of philosophers talking about ethics in the digital age. It was basically paradise.
No surprises, of course – it was extremely interesting and filled with a lot of big moments. You may have seen that Tim Cook expressed his personal (and, to some extent, professional) desire for a comprehensive, GDPR-style law for the United States and denounced the “data industrial complex.” Representatives from Google and Microsoft made similar, if less sweeping, pronouncements. The regulators themselves did a great deal of talking, expressing their views about the implementation of GDPR, what trends they see emerging in the data privacy sphere and, let’s be honest, doing a bit of lecturing to the United States about our approach to these topics (I mean, we were in Europe).
At any conference like this, there are going to be competing themes and a good deal of dispute. For instance, there was no shortage of disagreement about how to balance the rights of data subjects to privacy and the right to free speech and unconstrained communication in a free society. Even so, through the course of the panels and breakout sessions, I found that the two primary takeaways from the conference were as follows:
1. There is an Emerging Global Trend Towards Data Subject Rights
Although GDPR was a frequent topic, the most relevant legal framework under discussion was the recently revised Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”). Convention 108, drafted by the Council of Europe, is the only substantive international accord on data protection, and it has signatories from outside the EU, both on the periphery of the Union (Georgia, Russia, Turkey) and further afield (Argentina, Mexico, Uruguay). The modernized version is being called “Convention 108+”.
The framework, which predates GDPR by 37 years, includes many of the same concepts that we have seen emphasized lately, including:
- Purpose limitation for the processing of data;
- Protections for sensitive personal data;
- Transparency in uses and restriction of data use to lawful bases; and
- Rights of access, deletion, and rectification.
The Council of Europe made two additional, and very important, changes/clarifications: signatory states have an obligation to enact national legislation that ensures compliance through a supervisory authority, and cross-border transfers to non-signatory states must be accompanied by guarantees of security. That’s right: another GDPR-style restriction on data transfers to non-Convention signatory states, this time applicable around the world!
The goal, which has now been stated explicitly, is to create an internationally binding agreement governing the transfer and protection of data, and which will be a precursor to what I am calling “data free-trade zones.” EU adequacy decisions will continue to govern GDPR-based transfers of data, but it is for non-EU states (like Mexico, Ukraine, or Russia) where large amounts of data are processed that the changes will be most important. If you use an outsourced processor in one of these states, you now will need to enter into standard contractual clauses or implement approved, binding corporate rules.
That is, of course, a new and unfortunate operations cost, because it provides non-US companies with additional leverage in contractual negotiations, given that most states don’t have an existing set of approved contractual clauses.
A note of caution, though: ratification of Convention 108+ does not necessarily mean compliance. Plenty of current signatories don’t comply (Russia, for instance), and full adherence to all requirements will take time. In other words, this isn’t going to be an overnight change, but it will, we think, be a trend that will continue.
2. Everyone is Worried About the Same Things
In my discussions with regulators, practitioners, and representatives from industry, there was a clearly consistent theme: no one is quite sure what to make of GDPR yet, and we’re all attempting to figure out how to navigate between a rigid adherence to the text and reckless ignorance of it. Time and again, people (including some regulators themselves) expressed that:
- The EDPB and Supervisory Authorities have done a poor job explaining how they intend to proceed with enforcement, and what their enforcement priorities are;
- Drawing the line between anonymized data and pseudonymized data is, in effect, a game of best efforts;
- No one has any idea if/when/how the ePrivacy Regulation is going to happen;
- Breaches requiring notification v. incidents not requiring notification are hard to differentiate; and
- American data law is a total mess, and no one understands what CCPA means.
Of course, these are problems, and ones that we’ve talked about before. At the same time, given that seemingly everyone expressed these concerns, it’s a comfort to know that we are all attempting to figure out how to manage GDPR compliance through best efforts.
The lesson here is that, while there is still some time to figure out what we’re doing, it is essential to make an effort to do so. This liminal period of “what does GDPR really look like” won’t last forever, and so this time is perhaps even more crucial than the pre-May 25 days when we could still claim total ignorance, and hope that there would be guidance from authorities to give us insight into what they really wanted. At this point, the last of the pre-GDPR fines are being issued (ahem, Facebook), and whatever happens next is going to be under the more stringent rubrics of the Regulation. That means that a failure to make an effort towards substantial compliance at this late date is, well, not a great idea.
Instead, as everyone attempts to figure out what GDPR really means, and how to comply, this is the time for focus, diligence, and as Eduardo Ustaran noted, creativity. We have all tried some strategies over the last six months that have worked, and some that haven’t. The next six months should be about refining our efforts and finding ways to make business-savvy decisions that protect rights and afford dignity to data subjects. That, if nothing else, was the most important takeaway from the Conference, and one that should drive your approach to leveraging, and protecting, your data.