GDPR: where are we now and what can we expect?

In an interview with VitalBriefing, Renaud Le Squeren, a partner at Luxembourg law firm DSM Avocats, explains that European data protection rules are a source of confusion, and that the EU’s GDPR is still widely misunderstood. Uncertainty also surrounds the future of data exchanges with the UK following its departure from the union, and with the US, after the European Court of Justice Struck down the Privacy Shield arrangement negotiated by the European Commission with Washington.

So…what can we expect?

The General Data Protection Regulation has been the forerunner of data protection rules around the world, including California. Can it be a template for a global standard?

Renaud Le Squeren, Partner,
DSM Avocats à la Cour

It’s important to remember that the GDPR is inherently and closely linked to the concept of privacy, which differs greatly from one continent to the next and one constitutional system to another. The idea of privacy can vary widely even among neighbouring European Union member states.

For that reason, I don’t believe the GDPR, which has defined a general concept of privacy that is generally accepted by EU countries, can become a template for a global data protection standard. What is critical is that each member state focuses on protecting the privacy of each of its citizens and residents.

How are companies and organisations adapting to the GPDR? What have been the most significant changes to working and operating practices?

Basic understanding of the legislation has been slow since its introduction in 2018, although national data protection authorities have imposed fines on a number of companies – primarily for cyber-security failings, but more recently also for violation of the GDPR in their commercial activities.

At this stage, the largest fines have not yet been paid because appeals processes are still pending. It could be that some prohibited behaviour might remain profitable for the companies concerned since the consequences are not being enforced, at least in the short term.

What impact has the GDPR had on the financial services industry in Luxembourg and elsewhere?

Privacy has been important to the financial system in Luxembourg since the 1960s, but as financial transparency becomes more important, some GDPR principles appear to run counter to the concept of privacy.

We can see, for example, a division between on one hand the maintaining of banking secrecy and the privacy requirements underpinning the GDPR, and on the other measures such as the beneficial ownership register in Luxembourg, that must include all ultimate beneficial owners directly or indirectly of at least 25% of a company. The register is open to the public, with very limited exceptions.

There are complaints that in practice EU regulators have been slow to enforce the regulation and punish breaches. Are these justified?

It takes a long time for an EU regulation to become recognised as part of each member state’s legal system. Regulators are not sitting around. The real issue is the political will and ability of governments to fund their national data protection authorities.

Another key step to make the judicial system effective is to reinforce its authority to collect fines and enforcing sanctions on companies that fail to comply within a reasonable timeframe. EU regulators can only do so much – and they are doing what they can despite the difficulties. The rules will only be made effective through a political commitment to defend EU citizens’ privacy.

What GPDR issues are arising or may do in the future from the UK’s departure from the EU?

The UK has left the European Union with a mutual recognition of adequacy that is valid until June 27, 2025. Until that date, the EU recognises that Britain provides a level of protection of personal data equivalent to that of the union. For now, personal data can be transferred between the EU and UK based on the assumption that the data processor complies with the legal requirements.

However, this situation is liable evolve depending on the political direction taken by the UK and its stance on privacy, particularly regarding the right of access for the secret services, which is already a point of contention with privacy advocates.

The UK could lose its adequacy recognition in the same way as the European Court of Justice’s Schrems II decision (see below) did with the US last year. This means we can expect a legal uncertainty over the next three to five years about data exchanges with our neighbours across the North Sea.

The EU-US Privacy Shield arrangement for data transfers with the US has been struck down by the European Court of Justice. How do the two jurisdictions aim to move forward?

Unfortunately there’s no straightforward answer yet. Uncertainty abounds in a situation where data controllers are located in a third-party country. Another major issue is the lack of European alternatives to US IT tools, especially products from Google, Amazon, Facebook, Apple, and Microsoft, which are in widespread use both in the private and public sectors in Europe.

The authorities have reacted very differently to the Schrems II decision than they did to its predecessor, Schrems I in 2015, in which the European Court of Justice invalidated the Safe Harbor arrangement that governed and regulated data transfers between the EU and the US. On that occasion, the US and the European Commission rushed to replace Safe Harbor with the Privacy Shield in just eight months.

However, following the Schrems II decision the authorities appear to have decided to bide their time and analyse the implications of the ruling. From a practical standpoint, all obligations have been transferred from the government to private companies – a response that I don’t believe is sustainable in the long-term. In the meantime, the striking down of the Privacy Shield creates new complexities regarding major public sector agreements, particularly those with strategic or military purposes.

What difficulties have arisen in connection with data controller and data processor requirements and qualifications?

The differences in qualifications and requirements regarding processors, joint controllers and controllers are often uncertain. As a result, drafting agreements can be a complicated process, especially given the challenge of incorporating all the information set out in Article 28 of the GDPR.

Recent decisions by national data protection authorities have resulted in fines for both controllers and processors for security weaknesses relating to the same data transaction. If both are to blame in such circumstances, defining the roles and responsibilities between the two becomes extremely complicated.

Meanwhile, courts have the power to requalify a relationship between controller and processor, regardless of whether the roles have already been set out in a contract. In my view, this makes the distinction between controllers and processors increasingly artificial.

Renaud Le Squeren has been a partner at DSM Avocats à la Cour since 2015. Prior to joining DSM, he worked as Associate and Senior Associate at two other Luxembourg law firms. Between 2005 and 2008 he worked as an External Consultant with Luxembourg’s National Commission for Data Protection (CNPD).

Renaud’s areas of legal expertise are in Digital (contracts, data protection, GDPR, crypto, blockchain), Corporate (M&A) and Real Estate (financing, structuring, litigation). He also assists companies in their digital transition (including GDPR compliance and related issues).

Renaud lectures for French Universities and at several professional training courses. He also is an active participant and speaker at seminars conferences in Luxembourg and abroad on corporate law, real estate, GDPR, Investment Funds, IT, contracts and commercial transactions.

More VitalBriefing insights: