Well, we certainly DO live in interesting times.
The UK is supposed to leave the EU at the end of March, but no one knows if they will, if there will be a deal, if they will delay Brexit, if they will have another vote.
The European Data Protection Supervisor says do not expect anything with regard to UK “adequacy” (meaning that you can freely move data between the EU and the UK) for at least a couple of years. For folks with large operations in the UK, that could be a problem.
The Supervisor also said that it is unlikely that GDPR will be revisited for another 7-10 years; then, considering the adoption process, do not expect any changes to GDPR for around 20 years. For those hoping for relief, do not count on it.
He also told the European Parliament that Privacy Shield, the Frankenstein agreement concocted by the US and EU after the EU courts struck down Safe Harbor, is “an instrument of the past”. He said that Privacy Shield is an interim instrument. He said that when you look at the full scope of GDPR, Privacy Shield doesn’t make any sense.
Regarding the ePrivacy legislation that is in the works, he is hoping to get some consensus this summer, but whether that means there will be a vote-ready version is another story. Once approved, that will be another set of rules for companies to adopt.
When it comes to data retention, he wasn’t happy about Italy’s law, which allows people to keep data for 6 years. Of course, in the US, there is no limit on retention. He did, however, like the German approach, which allows retention for weeks, not years.
Suffice it to say, there is a huge gap between European desires (and their laws) and current American practices and that will likely continue to play out in the courts. Stay tuned. Source: IAPP (membership may be required to view).