European data regulator told draft rules need to change

A coalition of industry federations has urged the European regulator to rethink its plans for a further regime for data sharing.

The group, including Insurance Europe and the European Federation of Insurance Intermediaries, has published a joint statement raising serious concerns about a set of draft recommendations published by the European Data Protection Board (EDPB) in the wake of the European Court of Justice Schrems II decision.

The court’s decision invalidated the EU-US “Privacy Shield” and cast doubt upon the use of other available tools, such as standard contractual clauses (SCCs), for transferring personal data outside of the EU.

However, Insurance Europe said that while the EDPB’s draft recommendations aim to offer clarity, they will in fact make it unnecessarily difficult for businesses to transfer data outside the EU, which will hamper the competitiveness of European businesses on the world stage.

“The EDPB should instead take a more risk-based approach, a fundamental pillar of the General Data Protection Regulation, when drafting its final recommendations and allow businesses to continue to rely on contractual and organisational means,” said a spokesperson. “The recommendations should also encourage the development of workable technical solutions, rather than an overreliance on methods such as encryption.”

The statement said the associations “take the right to the protection of personal data seriously, whether it remains within the EU or is transferred internationally.

“The digital economy does not recognise borders and international data flows act as an enabler of the global economy.

“From the collection of personal data to its processing by a business to offer a service, the privacy protection and fundamental rights afforded to the individual are upheld by strict compliance with the General Data Protection Regulation (GDPR). This means that when the personal data of European citizens flows outside the EU, the protection of the GDPR flows with it.”

It added that, whether directly or indirectly, many European businesses conduct transfers to grow in Europe and on the international stage.

It warned that, recently, the use of SCCs had “unfortunately been thrown into disrepute”.

The statement added that the current draft will make Europe’s ability to operate within the global economy “unreasonably impractical”.

“This is because the EDPB’s (draft) Recommendations:

  • Are overly prescriptive and therefore reject the risk-based approach of the GDPR and recent CJEU jurisprudence, disproportionately treating all personal data flows, no matter the context, as of potential interest to law enforcement authorities;
  • Mandate specific technical measures in all situations, deviating from the GDPR by prioritising their use over organisational or contractual measures, raising barriers between entities willing to collaborate and build solutions for Europe;
  • Focus on unworkable end-to-end encryption and force decryption keys to remain in Europe, meaning the intended recipient will not be able to make sense of exported data, potentially exposing data subjects to risks usually protected through tools relying on decryption;
  • Create legal uncertainty as they do not achieve a balance between the free flow of data and privacy protection currently promoted by the GDPR or align with the Commission’s (draft) SCCs, raising the risk of European fragmentation;
  • Hamper the free flow of data, causing a negative impact on digital trade and the benefits it offers Europe’s society.

“This will not only harm European opportunities to enter international markets but also investment into Europe’s market itself and the capacity to offer the services and products Europeans demand,” it added. “In the short-term, the EDPB’s approach will cause a loss of European collaboration with the rest of the world when needed to weather the storm of the ongoing COVID-19 pandemic and beyond.

“In the long-term, it will negatively impact Europe’s geopolitical influence, turning us inwards and risking retaliation from other regions.”
