Map of Europe with an European flag pinned and a closed padlock

Data Privacy Post COVID19 – What has changed, and where do we go now?

Facebook Twitter Created with Sketch.

Our partner EURACTIV hosted a webinar on data privacy on March 10th, 2021. Here is a summary of the discussion, focusing on the keynote speech by Ms Věra Jourová, Vice-president of the European Commission for Values and Transparency.

Samuel Stolton (Editor Digital, EURACTIV), the host and moderator of the debate, quickly passed the floor to Ms Jourová after a brief introduction of the panellists. She started her keynote speech explaining that the importance of Privacy and Data Protection in our digitalised world has become increasingly apparent in recent months as most of our relationships became digital practically overnight. Nevertheless, European citizens should not be compelled to choose between the privacy and protection of their data and public utility concerning health, economic well-being, and national security. The GDPR provides us with a solid legal framework for protecting our data while supporting our effort to tackle the pandemic through contact tracing and health data processing.

Recent research shows how organisations that invest in privacy and data protection benefit from their investments, for instance, by reducing sales delays and enhancing innovativeness in their businesses. Commitment to privacy has strengthened during the pandemic, reinforcing the virtuous circle between robust privacy rights, consumer confidence, and the effort to build sustainable economic models. In this context, there is increasing convergence towards enhancing multilateral cooperation: like-minded partners should work together, reaching common objectives and exploring novel opportunities to exploit the digital economy.

The European Union and the US should resume and intensify their cooperation to address the multiple threats that our shared values face, developing common standards to facilitate data flows between countries and administrations. If properly regulated, technology could enhance our rights and make our democracies safer. The Commission did everything in its power to build a Privacy Shield that could be acceptable to our counterparts, including the US. Similar deals to regulate mutual data sharing have already been signed with South Korea and a few South American countries, and negotiations with the UK are in an advanced phase. The US Supreme Court’s decision prevented the introduction of federal legislation on data protection that the US Congress was considering. It is not easy to foresee how long it will take for negotiations to resume.

The balance between national interest and individual privacy is an essential factor in reaching an agreement between the EU and any third party. The US administration blocked the Commission’s attempt to set up an authority responsible for receiving information about the US’s investigations of firms and private citizens in EU member states. Therefore, mutuality and full impartiality cannot be guaranteed right now. Hopefully, the new US administration will share the EU’s views on this subject.

The floor then passed to Mr Robert Waitman, Director of Data Privacy for Cisco. He presented the results of the study “Forged by the Pandemic: The Age of Privacy”, based on interviews with 4700 professionals working on digital security and privacy. In general, people and companies seem more aware of their data’s value than they were before the pandemic. According to research, most corporations estimat0e a  return on investment of over 200%  regarding privacy and data protection, while less than 15% evaluate it as negative (under 100%). Customers are willing to recognise further added value to those who guarantee their privacy and protect personal data.

Christopher Hoff, Deputy Assistant Secretary for Services of the US Department of Commerce, then explained that the finalisation of an agreement like the proposed Privacy Shield is a top priority for the US administration.  Seven weeks into the new presidency, internal negotiations are being held in the US. Several changes in key positions are still ongoing, and some time may still be needed before they come up with new proposals.

Chris Gow, Senior Director of EU Public Policy & Government Affairs at Cisco, was next to speak. He emphasised that US legislation currently allows privacy and data to be regulated individually by states. Given the current situation, the US should take concrete steps towards a federal regulation for data to avoid controversies and allow common data use in their territory. This is even more important considering the decision of the Court of Justice of the European Union (CJEU) setting the bar high with essential equivalence for any agreement on data transfer and sharing.

The next panellist to deliver her speech was Helen Dixon, Ireland Data Protection Commissioner. She briefly mentioned the ongoing investigation on data transfers from Facebook servers in Ireland to the US, an area of considerable concern for many companies currently operating in the EU since several business models involve international data transfers. The legal framework set by DPCR is still considered to be in its infancy. A certain amount of time could still be needed to put such a complex framework in full force since many of its functions are innovative.

The last speech was delivered by Bojana Bellamy, President of the Centre for Information Policy Leadership (CIPL). She clarified her view that the primary purpose of any legislation for data protection is not to find and punish trespassers, as some journalists seem to suggest, but rather to provide oversight and guidance on practices. Regulations should provide the means to avoid the same violations, breaches, and misunderstandings happening in the future. Not everyone is using digital technologies with honest intentions, which is why the study of data streams that occur every day must progress to prevent breaches before they occur.