During this session, we started with a look at the Belgian status, with an update from the Belgian DPA chairman. Then we dove into the international aspects, as Deloitte talked us through Schrems II and the recent VTC recommendation to avoid US-based clouds for the long-term storage of public data.
Presentations and a recording of the event are available for our members (after login).
Two years of the DPA: where are we now, plus a look ahead
David Stevens, Chairman of the Belgian Data Protection Authority, opened the afternoon. He started by showing the Gartner hype cycle of innovations, explaining the same cycle is applicable to the GDPR (slide 3). David immediately added that data protection is obviously a fundamental right, yet it always needs to be balanced with other fundamental rights: we don't want to over- or under-protect.
David shared a one-page overview of the plan of the Belgian DPA. This menu for achieving the optimal level of data protection in Belgium includes awareness-creation, monitoring, collaboration, enforcement, and more (slide 5).
While David is the chairman, he is not the only one to make decisions: there is a 5-person Board of Directors.
The DPA’s three types of activity include:
The Belgian DPA achieved quite a lot in the past 2 years, David is proud to say (slide 9). He took us through a number of recent cases where the DPA intervened, for instance within the framework of COVID-19 measures - asking critical questions, sometimes advising against a suggested measure, offering guidance, etc. At the EU level, the Belgian DPA has also been actively involved in providing advice on privacy issues related to pandemic measures.
Some other interesting initiatives include ‘Boost!' and ‘DPO Connect’: take a look at the slides to find out more!
David closed his talk with a look ahead for the Data Protection Authority. In the short term, they will work on Codes of Conduct: an instrument that hasn't been used enough at this point, so the DPA will guide organisations on how to initiate such a Code (in FR and NL). And keep in mind: a Code of Conduct doesn't have to apply to an entire sector - it can also cover a subset.
Data Protection Impact Assessments (DPIA) and the creation of certificates are other upcoming initiatives, while in the longer term, the DPA is looking into sandboxing (creation of a 'safe playground' to experiment with innovations) (slide 18).
Schrems II in practice: The need for a risk-based approach
Erik Luysterborg, Partner and Leader Data & Privacy Team at Deloitte, opened his talk with a comparison of the times before Schrems II and now (slide 4).
The immediate effect of Schrems II was that the Privacy Shield is now invalid and supplemental measures to the standard contractual clauses are needed for an international transfer of data. Erik shared the guidance from the EDPB and from the Baden-Württemberg DPA, and explained what to do in practice to comply with Schrems II (slides 8-10, minute 45:05 in the recording).
Erik believes that you don't need (expensive) external consultancy to prioritise: you can take many criteria into account, such as volume of data, type of data, type of transfer, type of organisation, the country of export, etc.
Then he turned to the recent VTC-AWS recommendations. Keep in mind that these are related to a specific case of four public bodies putting student data into US clouds. Erik shared the basic requirements and the matrix created by VTC-AWS (slides 13-14).
Fundamentally, Erik insists, transfers outside the EU are not automatically high-risk!
Access to more information about this topic and/or to download the paper is easy and fast, but exclusively for Beltug members (just log in to get access).