Privacy Law Update: December 6, 2021
With the recent adoption of guidelines on the interplay between Article 3 and Chapter V of the EU General Data Protection Regulation relating to international data transfers, the European Data Protection Board sought to answer a question that has been debated going back five years to the GDPR’s original drafting. But as is usually the case when addressing the complex topic of transfers, answering one question has spawned so many others. EDPB Secretariat Head Isabelle Vereecken said during a LinkedIn Live conversation with IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP, the EDPB’s decision to act had less to do with answering or creating questions than it did with providing consistency, clarity and legal certainty.
The European Data Protection Board’s new guidelines on the interplay between Article 3 and Chapter V of the EU General Data Protection Regulation answer the threshold question that underpins GDPR’s data transfer regime — what is a transfer? The answer comes across as straightforward, but the debate behind it and the implications of it are anything but. IAPP Vice President & Chief Knowledge Officer Caitlin Fennessy, CIPP/US, dives into the practical impacts and policy considerations stemming from the new guidance.
A new Commissioner’s Opinion issued by the UK’s Information Commissioner’s Office (ICO) reiterates the country’s data protection standards and lays out its vision of future regulation plans for ad tech companies, calling for solutions that are more privacy-focused and worthy of user trust. The actual impact of this opinion on the country’s data protection standards is questionable given that it does not clearly indicate any new regulations for adtech; it simply implies that previously lax enforcement by ICO may be stepped up. This could depend greatly on the organization’s leadership, however, which is presently in flux. The opinion was issued by Elizabeth Denham, whose term as Information Commissioner comes to an end November 30 and whose replacement does not step in until January 2022.
The Joint Parliamentary Committee (JPC) on November 22 adopted the draft report on the Personal Data Protection (PDP) Bill 2019, after almost two years of deliberations. According to sources, the report will now be presented in the Winter Session of Parliament along with the PDP Bill 2019, for discussion. The final meeting of the JPC included several MPs, including three Congress leaders, Jairam Ramesh, Gaurav Gogoi and Manish Tewari raising dissent.
While universally desired by individuals and enterprises alike, true privacy is nearly unobtainable. On a conceptual level, adhering to privacy may appear straightforward, but the logistical and technological challenges getting there are daunting. To holistically incorporate privacy into an organization, one has to take stock of the challenges that have historically impeded compliance efforts and continuously re-evaluate privacy strategies.