Cross-border GDPR probes in focus as EU prepares to review privacy rulebook

Problems that multinational companies have faced in EU privacy probes will be picked over at a closed-door meeting in Brussels next month as part of the runup to a review of the General Data Protection Regulation next May, MLex has learned.

A series of questions circulated today by the European Commission reveals that technology, direct-marketing and financial-services businesses, among others, will get a chance to tell EU officials on Dec. 18 how the bloc's strict new privacy rules have worked since coming into force in May 2018.

That will include difficulties they have encountered in "dealings with [national] data-protection authorities in the context of complaints investigated under the [GDPR's] one-stop shop mechanism," according to the list of 13 questions, seen by MLex.

Under the one-stop shop procedure, multinational investigations against a company are led by the regulator in the country where the company has its EU base. The idea is that those operating across multiple EU states shouldn’t have to face a number of distinct investigations and lawsuits, with potentially conflicting results, for a single business practice.

But the mechanism has already caused confusion among companies and even regulators, partly because of the bureaucratic difficulty faced by non-EU companies that do business in the bloc of setting up a single administrative headquarters in the bloc that’s responsible for decisions regarding data processing.

A high-profile case involving Google's collection of users' location data led to national enforcers agreeing in July on which regulator takes the lead on investigations in cases where companies choose to relocate their main EU establishment.

The EU executive also wants to know whether companies have been involved in the GDPR's dispute-resolution procedure, where the umbrella group of national regulators — the European Data Protection Board — issues binding decisions on enforcers in case of disagreements between lead investigators and regulators elsewhere in the EU on the outcome of probes.

In 2017, the commission set up an expert group with a broad representation to support the GDPR's application across the EU. Its members include business associations DigitalEurope, Federation of European Direct and Interactive Marketing, the European Banking Federation and SMEunited, as well as consumer and civil-society groups and academics.

Other questions on which the EU executive will seek feedback at next month's meeting include data-breach notifications, codes of conduct and international data-transfer tools.

New technologies

Artificial intelligence, blockchain and the Internet of Things could also come under the spotlight in the commission's review of the GDPR next year, judging from an extensive question about how the application of the regulation affects emerging technologies.

The EU executive wants to know how the GDPR affects companies' approach to innovation and the development of new technologies. In particular, the commission asked, does the law offer "sufficient protection for the trustworthy development of new technologies such as artificial intelligence?"

Also in relation to AI, "what could be the potential gaps with respect to the protection of individuals' personal data, for which further policy action may be necessary?"

Adequacy decisions

As part of the commission's evaluation of the GDPR, including the review of its 11 data-flow deals with non-EU states adopted under the 1995 data-protection directive, the commission is asking organizations with which other countries the bloc should negotiate such deals.

Formally known as data adequacy agreements, these ensure the protection of individuals' data by imposing stricter rules on companies shifting such information from the EU.

The commission has said that Brazil, Chile and other Latin American countries could be good candidates in the near future.

Business views

At next month's meeting, businesses will seek to underline where more work from enforcers is needed to help companies comply with the GDPR.

The Federation of European Direct and Interactive Marketing told MLex today that it would seek to stress the importance for European and national data-protection authorities to continuously support codes of conduct as a way to demonstrate accountability under the GDPR.

Small businesses, for their part, will seek to underline the continued lack of clarity around definitions of "data controller" and "data processor," which has consequences in terms of liability for GDPR violations, Luc Hendrickx, director for enterprise policy and external relations at SMEunited, told MLex today.

They will also emphasize the need for more clarity around the circumstances in which they must appoint a data-protection officer, as well as what exactly "large-scale" processing of data entails for them, he said.