Source: The Times
Interviewed on the anniversary of the General Data Protection Regulation (GDPR) coming into force, Rafi Azim-Khan, global co-head of Data Privacy at Pillsbury, warned that increasing aspects of daily life captured by advancing technology creates a risk of the “general public sleepwalking into a surveillance society.” This has spurred lawmakers and regulators into action, with this year bringing yet more enforcement and new rules, including new adequacy rules to cover Brexit EU-UK data transfers and new Standard Contractual Clauses (SCCs) governing EU-U.S. data transfers.
Europe was at the forefront of general data protection laws in the late 1990s, with the dot-com boom and rapid growth of tech giants then sparking concerns that new laws were needed, which resulted in the GDPR. Azim-Khan said that “there is no hype in saying the EU GDPR was a seismic shift in data law,” and the framework quickly became recognized “as a gold standard in data protection regulation.”
Given how GDPR can apply and also its ripple effect influencing new laws in states across the U.S. and around the world, many U.S. businesses are impacted by this (whether tech or not and even if they have no operations in Europe). For these reasons, many businesses are best advised to consider adopting GDPR level standards across their operations.
However, ensuring GDPR compliance, Azim-Khan said, is not an area where companies can do the work once, put it in a drawer and forget about it. Rather, he said, “this is an area of the law that has very fast-moving goalposts” and businesses need to stay on top of changes and act to reduce the risk of fines, given the regulators’ shifting areas of focus.
Two current examples of this involve the ever-changing rules around data transfers (following the invalidation of the Privacy Shield in the Schrems II European Court of Justice ruling), including new “measures” requirements from enforcers, and new SCCs being proposed to replace clauses used in current data transfer agreements (and many other agreements) which will require a lot of work this coming year.
Brexit has meant restrictions also now apply to EU-UK transfers and so, in yet another change, the UK has been assessed for and initially given the benefit of a draft adequacy finding to permit such data transfers, primarily as a result of the provisions of the GDPR being incorporated into UK data protection law post-Brexit as the UK GDPR at the end of the transition period.
However, again, although Brexit gives more latitude for UK divergence from the EU and GDPR rules, Azim-Khan makes the point that businesses and government should be wary of doing so for fear of jeopardizing the adequacy status.
The takeaway message for businesses in the U.S., UK and elsewhere is that the GDPR is here to stay with increasing enforcement, and advancing tech or novel data use will likely cause friction. To reduce headaches (and risk of fines), it will be important to comply with this increasingly international standard and stay on top of the many evolving new rules and requirements, such as the important need to now update agreements and clauses for data transfers and international data flows.
Read the full article in The Times.