The annual conference of the world’s data protection regulators is a three-day exercise, with half of the conference being “closed door” for the regulators only, and the other half being a series of side meetings and presentations, which report out to interested attendees the results of the closed-door meetings. This is a good meeting to gain insight into the next year’s trends in data protection regulation and enforcement across the globe. While this conference happens every year, the events in the European Court of Justice and the impending completion of the new General Data Protection Regulation (“GDPR”) made this year’s conference particularly interesting. Here are some of the insights which were developed during the conference:
Health Data is the Next “Big Thing”
In the past, DPAs have focused much of their efforts on looking at cross-border data transfers in the “business-to-consumer” space. Investigations and actions against large internet and social media companies have seemed to be de rigueur over the past few years. However, this year saw an interesting focus on the development of health and wellness businesses which use wearable devices, and populate big data platforms with large amounts of very personal data.
More specifically, the next “enforcement sweep” by the Global Privacy Enforcement Network (“GPEN”) will focus on health and fitness apps, websites, and wearables (which are often connected to a health and fitness app or site). It seems that the DPAs have finally discovered this latest trend in the use of personal devices. Consequently, app developers and device manufacturers who embed health-related functionality in their devices should expect the DPAs to take a close look at their privacy practices during 2016.
Along with health and fitness, there was much discussion around genetic data, and how its use could have potentially severe adverse consequences. While the research opportunities were extolled, one of the more interesting points of discussion was around the capabilities and limits of de-identification and anonymization in the medical and genetic research context.
Schrems, Safe Harbor, and the other ways to manage cross-border data transfers
One of the original intentions of this year’s conference was the discussion of the “Privacy Bridges” project, which was intended to explore how to better coordinate cross-border transfers of data while maintaining reasonable protections without the need for additional legislative action. While a laudable goal, the Schrems judgment may have mooted the project. In observing the discussions between the different DPAs, as well as the different representatives of the EU agencies, there were many differing opinions as to the scope and impact of Schrems.
Some DPAs understand Schrems as giving them power to reject transfers under any “adequacy mechanism” developed by a Commission Decision (as the Safe Harbor was). The Commission has taken a somewhat different position, pointing out that while DPAs may investigate sufficiency of a particular adequacy mechanism, they can’t unilaterally refuse to accept such a mechanism without a court invalidating the mechanism. Needless to say, the discussions on this point were contentious and do not provide much comfort for those hoping to revive a harmonious enforcement regime.
The General Data Protection Regulation
The GDPR has taken on a new level of urgency as a result of the Schrems judgment. Unfortunately, the two areas of complete agreement among all the regulators at the conference are 1) no one is ready to implement the GDPR, and 2) the resultant instrument will not be perfect (or even very good in some regulators’ eyes). Some of the more interesting components of the GDPR are the ability for one local DPA to sue another local DPA in court to enforce the regulation, and the reduction in activity (and budget) of the European Data Protection Board (“EDPB”).
These two particular components of the GDPR could operate to add more confusion to an already confusing and inconsistent regulatory environment. The limited resources of the entity that is supposed to resolve disputes between DPAs (the EDPB) will quite possibly push the various DPAs to resort to the courts to support their individual (and possibly political) motivations. While the Commission representative indicated that this type of infighting was unlikely due to the cooperation obligations built into the GDPR, it remains to be seen if this is the case.
In any event, both the Commission representative and the DPAs involved in the drafting of the GDPR recognize that “drafting fatigue” has set in and getting something done is better than nothing. While understandable, the accuracy of that position will be borne out over time.
The one consistent theme which can be taken away from this year’s conference is that the environment is still highly volatile; the ball (of compliance) will continue to be moved; and businesses that rely on the cross-border transfers of data will need to be highly agile in order to respond to the implementation of new rules and enforcement priorities over the coming years. Now, more than ever, privacy needs to be “front of mind” for businesses and their advisors.