EDPS goes to Washington

Giovanni Buttarelli

The United States has always been a vital strategic partner for the EU. Our relationship extends to cooperation in multiple areas, as well as representing the largest trade and investment relationship in the world, with around €500bn of goods and services flowing in each direction. These exchanges rely on the regular flow of information and much of that information is personal data, relating to people – citizens, children, clients, partners and employees – and this therefore triggers the fundamental rights and freedoms of individuals under the Charter for Fundamental Rights, part of the primary law of the Union.

A major priority in the strategy for the current EDPS mandate has been to forge global partnerships on privacy and data protection, to provide a stronger basis for consensus on data processing practices and technologies. This is hard work, even in the case of countries and regions, such as the Americas, that have so much in common with the EU in terms of culture, history and legal systems.

Like a number of good colleagues from data protection and privacy commissioners inside and outside the EU, I have just returned from a week of meetings in Washington DC, my first visit to the capital since the inauguration of the new President.  I met NGOs and civil society, the Federal Trade Commission and various legal experts to talk about recent EU developments on migration, border management and security, as well as our project on digital ethics.  I reminded my interlocutors that like the US, the EU is also in a year of transition with major elections in France, Germany and UK, the opening of Brexit negotiations and continued pressures on the Euro and on the Union’s external borders.

I was asked many times last week for my perspective on how our strategic relationship will develop in the next few years. It is true that we continue to await positive signals, whether it is about the permanent replacement for the Privacy Shield Ombudsman, the functioning of the Privacy and Civil Liberties Oversight Board, or the previous Administration’s Presidential Policy Directive 28 which provides that ‘all persons should be treated with dignity and respect regardless of their nationality or wherever they might reside, and all persons have legitimate privacy interests in the handling of their personal information.

On the other hand, I learned about the billions of dollars being invested by the Federal government across about 20 agencies into research into privacy and privacy enhancing technologies. So, to borrow the words of Pope Francis, these are early days and we need to give the new Administration a chance, and we stand ready to provide any support or advice they might need.

Thousands of experts converged on the city last week for the Global Privacy Summit organised by the IAPP. The Privacy Shield was of course a recurring theme. But more importantly it was clear that businesses and legal practitioners were now fully engaged with the General Data Protection Regulation, which in just over a year will become fully applicable to all organisations who target services at or who monitor individuals in the EU. In that respect, the Privacy Shield, which is based on the outgoing Directive 95/46 and which concerns only one aspect of data processing- transfers of data outside the EU, is likely to be at best a medium term solution. To that end, the review scheduled for later this year, and for which the European Commission is adopting a commendably proactive approach, must be a serious, sincere and thorough. In the longer term, as the CJEU has made clear, all third country transfers under secondary legislation of the EU must now be interpreted on the basis of the higher protections provided for by the Lisbon Treaty.

Daniel Solove recently reported one Chief Privacy Officer of a large multinational company telling him that 75% of her time was being spent on GDPR alone.  Controllers are particularly grappling with the updated rules on consent, profiling and administrative fines. Meanwhile those providing communications services are slowly beginning to focus on the reform of the rules on confidentiality of communications or ‘ePrivacy’, on which I issued an Opinion this week.

Businesses and government agencies are also concerned with the preparations for and future operation of the European Data Protection Board, for which EDPS will provide the secretariat. All in all, DPAs are getting ready, as demonstrated by the ambitious work programme of the Article 29 Working Party. As the countdown continues, I announced my hope that, on Thursday 24 May 2018, DPAs might meet for the last time under the old dispensation to finalise rules of procedure before at midnight raising a toast to the GDPR. Then on the morning of Friday 25 May, we may collectively, in the spirit of collegiality which I expect to define the work of the new entity, announce to the world that the EDPB is open, accessible and ready for business.