Given all the above, perhaps the real question behind strategies of economic intelligence or economic patriotism in Europe is the need to ensure the availability and the usability of data as a raw material for technological progress, while maintaining the protection of personal data as guaranteed (or at least envisaged) by European legislation and case law. On the other hand, it is universally accepted that effective management of data is an essential aspect of organisations’ digital transition, a lever for creating value and innovation and a prerequisite for the development of AI technologies. Meanwhile, end-users (in theory, the main beneficiaries of the protective regime installed by GDPR) are asked to consult privacy policies and accept cookie banners which are often incomprehensible to the layman. Īre decisions and announcements of this kind about digital sovereignty or economical patriotism? There is a perhaps a certain hypocrisy, or at least wishful thinking, at play: we forbid the use of technology but then carry on using it because there are no alternative solutions.Īt the same time, management teams in both private and public sectors are confronted with difficulties including the ongoing legal uncertainty surrounding data transfers, the administrative burden of keeping “data inventories” and the expense of data protection impact assessments. Elsewhere in Europe, the Lithuanian Deputy Defence Minister has advised citizens not to purchase Chinese smartphones and to “get rid of those already purchased as fast as reasonably possible”. This followed a French government communication last year stating that the use of Microsoft Office 365 by public sector organisations was incompatible with its “ Cloud au centre” doctrine, which holds that messaging and other office tools should be hosted on a cloud service which is protected from non-EU regulations. The regulator’s view was that this implied a transfer of personal data to the United States, and that the transfers were “illegal” because the data was insufficiently protected. Thus, in its September proposal, the UK Government underlined its “disappointment” with Schrems II and stated its intention to take a “risk-based” approach to data transfers “based more heavily on an assessment of the real-world outcomes of data protection regimes rather than on a largely textual comparison of another country’s legislation with the UK’s legislation.”įor its part, the French data protection regulator recently served notice that it intends to apply the Schrems IIprinciples in practice, issuing an official warning to a website publisher which used Google Analytics. The GDPR-maximalist position taken by the Court of Justice of the European Union on international data transfers, in its now-famous Schrems II judgement of July 2020, has created something of a legal minefield in a globalised economy characterised by the interdependence of systems and infrastructure, not to mention Europe’s dependence on American technology.
U.K. FRANCE ONCE MORE BREACH FREE
So why make this announcement with the ink on the “adequacy decision”, enabling free EU-UK data transfers, not yet dry? Is this a new instalment in the ongoing geopolitical struggle over data flows between governments and the tech giants? Or, more prosaically, an example of post-Brexit pragmatism where flexibility for business is prized above all else? In their place, a system of “privacy management programs” would be introduced: flexible and customisable depending on your business activity.
All these pillars of the so-called “accountability framework” would disappear.
No more “record of processing activities”, “data protection officer” or “impact assessments”. On 10 September last year, the UK’s Department for Culture, Media and Sport published a proposal to streamline GDPR drastically. No longer constrained by EU law, the UK government intends to free itself as soon as possible from GDPR, an apparently unwelcome legacy from the pre-Brexit era. Could the British be saying out loud what European business leaders think in private? EU data protection rules, the theory goes, are an economic burden, without providing sufficient protection of citizens’ rights.