March 26, 2019

March 25, 2019

Progress on EU GDPR Reform - International Aspects Debated re: General Data Protection Regulation

A second round of “trilogue” negotiation on the EU General Data Protection Regulation (GDPR), on July 14th, has addressed the law’s territorial scope and rules relating to international data transfers (Article 3 and Chapter 5, respectively).

 

 

Although no agreed text has been released, public comments made by Jan Philipp Albrecht, the European Parliament’s lead negotiator on the GDPR, indicate that agreement has been reached “in principle” on most of the provisions discussed.  However, some issues remain to be resolved, and it is expected they will be addressed when negotiations resume in September.

International scope

Jan Philipp Albrecht reported that all parties agreed that the GDPR should also apply to data processors (not just data controllers) based outside the EU, if they are active on the EU market (which Article 3 of the GDPR defines as engaging in processing related to the offering of goods or services to individuals in the EU, or to monitoring them) – a development which Albrecht reportedly considers to be a “huge step forward” that would “level the playing field” between EU and overseas-based organizations, such as providers of cloud services yet to establish a physical presence in the EU.

International data transfers

Jan Philipp Albrecht indicated that there was agreement in trilogue that future European Commission decisions that lower red tape surrounding exports of personal data to non-EU countries (so-called “adequacy decisions” relating to third countries and privacy frameworks such as the U.S.-EU Safe Harbor), would be systematically subjected to periodic reviews. The GDPR’s negotiations continue to take place in parallel with bilateral EU-U.S. discussions over reform of the Safe Harbor (covered here), and a significant judicial challenge to the scheme.

As for onward transfers of data (once the data is already out of the EU), there reportedly was agreement to the Parliament’s proposal on Article 40, which would subject onward transfers to the GDPR’s requirements.

The parties also discussed a controversial proposal by Parliament on Article 43a, namely that foreign (non-EU) court rulings or administrative orders requiring disclosure of the personal data of EU citizens could not be complied with unless such judgements/orders are locally binding (pursuant to a mutual legal assistance treaty or other international agreement), or if local data protection authorities authorise the disclosure.  Although not finally agreed at the meeting, Albrecht expressed optimism about the prospects of the amendment.

Albrecht stated that the next few negotiation rounds (starting in early September, after a summer recess) would turn to potentially thornier issues of data subjects' rights, controller duties, and the legal grounds on which data can be collected and processed.

 

© 2019 Covington & Burling LLP

About this Author

Philippe Bradley-Schmieg, Covington Burling, Data privacy and cybersecurity attorney
Associate

Philippe Bradley-Schmieg's practice covers a range of regulatory and commercial matters affecting the IT, internet media, e-health and telecoms sectors across the world.

Mr. Bradley-Schmieg advises on legislation, enforcement, advocacy and contracts relating to privacy, data protection, consumer protection, intermediary liability, copyright and databases, Big Data, medical confidentiality, cybersecurity, law enforcement data requests, and smart medical devices and apps.

44-20-7067-2282