Meeting on GDPR, ePrivacy and Privacy Shield
Beltug/EuroCIO was invited to the Berlaymont building for a Roundtable with Vice President Andrus Ansip, responsible for Digital Agenda, and Commissioner Věra Jourová, on the GDPR, ePrivacy and Privacy Shield.
EuroCIO stated that companies continue to struggle with the GDPR, as their experience with the regulation and its requirements grows (for example, on the ‘Right to be Forgotten’ with cold backups). At the same time, guidelines are still being drafted.
EuroCIO believes there is a significant opportunity to help companies, small and large, by providing additional pragmatic tools and guidance so they do not need to continuously ‘reinvent the wheel’.
Following the meeting, EuroCIO put together a short position, which addressed EU-US relations, GDPR implementation and the ePrivacy Regulation. Some highlights:
- The legal status of the Privacy Shield needs to be confirmed. It’s not clear if the Privacy Shield will hold up in Court, making businesses wary of using it.
- Differences of approach between the US (nationality-based) and EU (territory-based) regulations on personal data protection and access to data for governments are imposing great difficulties on companies.
- There is still confusion about the need to remove data from cold backups upon request by the person whose data is stored. EuroCIO is pleading for an approved workaround, as it is technically impossible to erase a person from a cold backup.
- The laws on retention of data differ from country to country, and even sector to sector within a country.
- There is no standardisation of the compliance questionnaires being sent to suppliers by companies.
- The ePrivacy Regulation should not be a ‘redo’ of the GDPR. There are indications that the costs for implementing this regulation on top of the GDPR are becoming disproportionate. EuroCIO strongly recommends leaving all personal data protection under the GDPR only, with the Regulation on Privacy and Electronic Communications focussing on confidentiality and other aspects that are not already covered by GDPR.
At the Roundtable, Commissioner Jourová and Vice President Ansip both highlighted the importance of continued involvement from and dialogue with businesses.
You can read the full position by EuroCIO here.