Delphotostock - Fotolia
Brexit may cause a certain amount of disruption and is already creating a widespread feeling of disorientation, says Giovanni Buttarelli, European data protection supervisor.
“There is uncertainty over the legal repercussions of this unprecedented process, but the one certainty is that the European Union will continue to advance in the pursuit of maintaining the highest standards of protection for the personal data of people in the EU,” he told a Westminster eForum seminar in London via a video link from Brussels.
In any event, Buttarelli said “substantial dialogue” will continue with the UK, which he said is an important member state today, and will be a “potential strategic partner” to the EU in future, particularly regarding privacy and data protection.
“For decades we have had common values and we have been building policies the UK influentially contributed to,” he said. “We have a tradition of collaboration, and when it comes to rights such as the one to privacy and data protection, we will continue to pursue the same European-wide strategy.”
According to Buttarelli, there is not much sense talking about “regaining sovereignty” where fundamental rights are at stake. “On the contrary, we shall aim to [work to] a common strategy and a common approach as much as possible,” he said.
In a recent Notice to Stakeholders, the European Commission’s consumer directorate warned the UK government and businesses of the obvious consequences of not reaching a Brexit deal that covers data protection.
The second phase of the Brexit negotiations, said Buttarelli, “should possibly shed light into the substantial terms of this strategic partnership, and also with regard to the fundamental right of people to have personal data respected”.
Buttarelli described as a “landmark moment” the compliance deadline for the EU’s General Data Protection Regulation (GDPR) on 25 May 2018. “This represents the culmination of decades of analysis, consultation and negotiations,” he said.
The GDPR will apply to the UK, not only until Brexit at the end of March 2019, but will affect any UK businesses that offer goods and services to data subjects in the EU, due to the extra-territorial provisions contained in the regulation, said Buttarelli.
“Such UK businesses will also be impacted by the interpretation that the European Data Protection Board (EDPB) and the European Court of Justice will give of the GDPR,” he said.
Read more about the GDPR
- Almost a quarter of London businesses unaware of GDPR.
- There is a growing anxiety in many parts of the regulated community that their GDPR plans may not be fit for purpose.
- The GDPR is widely expected to spark privacy claims after its compliance deadline of 25 May 2018, but Austrian lawyer Max Schrems is doubtful.
- Computer Weekly looks at options for tools to help organisations comply with the EU’s General Data Protection Regulation.
- The General Data Protection Regulation comes into force in May 2018. We explore common myths surrounding GDPR.
Buttarelli said the EU will work to strengthen the spirit of unity among data protection authorities, including the UK’s [Information Commissioner’s Office], in the new EDPB. “The consistency mechanisms and the one-stop-shop are there to work on the basis of trust and co-operation, which, of course, will be the prerogative of EU countries only,” he said.
Implementing the GDPR effectively would imply enhancing the enforcement phase, said Buttarelli. “But the GDPR evolution will not be merely about transposing provisions. It will be about enrooting a deep cultural change, and DPAs should guarantee that companies comply with the rules across a range of sectors.”
He added that no single company should become so powerful that it is able to to threaten democracy and rules.
Buttarelli’s statement coincides with news that the German competition authority is considering putting restrictions on Facebook’s collection of data from millions of users. The authority is looking at the connection between data and market dominance, data and market power, and the possible abuse of data collection, according to the Financial Times.
Buttarelli said the interest around GDPR implementation should be complemented by debate around ethics and business models that do not encompass unethical processing of personal data. “There is an urgent need to deepen the understanding around what ethics actually mean, and we [the office of the EU data protection supervisor] are committed to facilitating this understanding,” he said.
To this end, Buttarelli said his office would host a “Privacy and Data Protection Olympic Games” in Brussels in October 2018. “Privacy and data protection commissions from around the globe will meet to discuss current and future challenges for individuals’ rights to privacy and data protection,” he said. “We see ethics at the centre of any possible investigations into the future role of privacy and data protection rules.”
There is interest around the world in what the new UK data transfer regime with the EU will look like, said Buttarelli. “The GDPR allows several alternatives, and different scenarios will be possible,” he said, adding that many questions will be answered once the EU and UK negotiators clarify the kind of relationship they want.
“I stay confident in the strong and convergent relationship, and we acknowledge the importance of the work done by the ICO and continue to ensure consistency with other DPAs,” he said. “Take my address today as a message of hope and trust in what the future of this strategic relationship will be – a relationship that is subject to review and assessment, but that will, hopefully, build on common ground.”