The GDPR and the future of data transfer – by Ben Seretny, Head of DPOs, The DPO Centre
Wind the clock back five years to May 2018, when the General Data Protection Regulation (GDPR) was enforced across Europe and the UK. At that time, the UK was still in seemingly endless negotiations with EU neighbours, Facebook was busy appealing a legal judgement about international data transfers, and businesses were bracing themselves for a period of uncertainty as a new, and some might argue unwanted, data protection regime was imposed.
Five years on, many things have changed but, equally, it appears some things have stayed the same. We are left wondering if the principles of the GDPR have survived the stress test. Essentially, what worked, what didn’t, and what might be in store for the next five years?
GDPR efficacy
One of the purposes of the GDPR was to harmonise data protection laws across Europe and give individuals greater control over their personal data. Following Brexit, the UK retained the GDPR by way of the UK GDPR, which is sufficiently similar to the EU GDPR.
For UK and EU organisations, the GDPR legislation seeks to provide a route for transparent data management frameworks and robust data governance.
Back in 2018, the most hyped-up concern for businesses was undoubtedly the fines. Organisations braced themselves for massive penalties when, in reality, most of the enforcements at EU level were reprimands. This was partly intentional, to give businesses the benefit of the doubt and offer them time to get their house in order. However, as the years have ticked by, this has led to conjecture over whether the GDPR was merely a paper tiger, with few teeth behind the initial big roar.
Despite the recent Meta case, the biggest privacy concern for businesses isn’t the fines. Many companies see data protection as a matter of reputation and business integrity. There are financial implications for having to fix problems after the fact, and organisations have a vested interest in making sure robust data processes are implemented. They don’t want to deal with the mess of an embedded problem – far easier to get it right from the start.
Privacy by design is the way forward.
Some organisations are still struggling to understand data flow and data supply chain management, even now, five years later.
International data transfers
International data transfer is currently a hot topic among privacy professionals, neatly coinciding with the GDPR’s fifth birthday. Meta’s record €1.2bn fine for illegally transferring EU data to the US serves to highlight the challenges of international data flow for organisations. In addition to the subsequent fallout from the Schrems II ruling back in 2020 (which invalidated the EU-US Privacy Shield), people are querying whether the GDPR’s chapter 5 needs to be ripped up and re-written.
This is one of the big questions we put to a panel of five Data Protection Officers (DPOs) in our recent webinar. And they had some surprising, or maybe not so surprising, answers.
The problem with chapter 5
When GDPR first drew breath, organisations could rely upon the Privacy Shield mechanism to legitimise data transfers to the US. Then came the Schrems II ruling in 2020.
Schrems II is the common term for the case against Facebook Ireland, brought forward by Maximilian Schrems, an Austrian lawyer and privacy activist.
In short, Schrems II invalidated the EU-US Privacy Shield – possibly the most important alteration to the EU privacy landscape since the GDPR. Since that ruling, the subsequent associated rulings have led to many pivots and required additional items such as transfer impact assessments (TIAs) and other supplementary measures. International data transfers have become a paperwork minefield.
Herr Schrems might argue these additional measures are not enough. They are merely papering over the cracks. So, what is the answer? There is a risk with leaving chapter 5 issues to the courts and not addressing them with hard and fast legislative change. Continuing piecemeal adjustments to the accepted international transfer framework in never-ending legal cases would also create further uncertainty. In turn, that would inevitably lead to additional expenses for organisations, as well as reduced protections for data subjects. Neither outcome is desirable.
Chapter 5 is one of the most rule-based parts of the GDPR. It states exactly what is needed for an international data transfer, in contrast to the rest of the GDPR, which is principle-based. There is a situation now where silos of data are being created in different countries with major challenges for data flow. The risk is economic isolation.
Chapter 5 seems to be moving away from one of the main principles of the GDPR, which was to enable the harmonisation of data protection laws.
The conclusion is an evolving one, much like privacy legislation in general. If the past five years have taught us anything, we can only prepare for what we currently know. Businesses are best advised to create a culture with in-built data protection from the start. And be ready and adaptable to change.