One year after the GDPR: a milestone in a long journey

AmCham EU represents a unique voice on data protection issues: our member companies operate across different sectors and value chains. They have a legal presence in multiple Member States and depend on stable intra-EU and international data flows. The GDPR has introduced important benefits for US business in Europe: increasing legal certainty, harmonisation and flexibility.

One year after its entry into force, there is no doubt that the GDPR has set a new standard. In recent years no other regulatory file has more profoundly impacted our member companies across sectors and its importance will only increase as more businesses embrace data-driven innovation. There is still a long journey ahead of us.

First, we need to promote a uniform and balanced application of the GDPR across Europe. The European Data Protection Board (EDPB) has a crucial role in this regard. Its guidance has been important in helping companies understand their compliance obligations. However, uncertainty has been triggered by diverging interpretations with guidance that sometimes goes beyond what the GDPR prescribes. This is regrettable and limits the benefits that harmonised rules would provide. We fully support the cooperation mechanism that has been put in place among the Data Protection Authorities (DPAs) to avoid divergent interpretations of similar issues. As new technologies are developing, questions about the interpretation of the text will emerge and finding solutions will require a continued dialogue between regulators and industry stakeholders.

Second, just as consistent implementation of the GDPR is vital to the success of the Digital Single Market, we must ensure that any additional regulation on privacy is fully consistent with the GDPR. The recent Commission proposal on privacy of electronic communication data (‘e-Privacy’) created much confusion among industry, innovators and consumers.  For the business community, any future e-Privacy rules need to be strictly aligned with the GDPR. Specifically, while consent is a central provision for many consumer offerings, the full scope of communications services (including business-to-business) is best supported through the GDPR’s more flexible requirements for the lawful basis of processing data.

Third, the ability to transfer personal data across the Atlantic and globally is essential for the competitiveness of many sectors. The GDPR endorses several tools enabling such international transfers. For some countries data protection adequacy decisions, such as that recently agreed between the EU and Japan, present an opportunity to increase trade. Additionally, as not all countries will follow the GDPR approach, alternative instruments and mechanisms, such as the Privacy Shield and standard contractual clauses, will continue to be essential for global trade. However, the uncertainty triggered in this area by ongoing legal and political challenges are detrimental to business. Hence, AmCham EU has consistently called for a review of the existing standard contractual clauses in order to ensure alignment with the GDPR. Similarly, as more countries adopt privacy laws, we need to avoid increased market fragmentation and move towards consistent global privacy principles. For example, the Commission should continue its work to ensure interoperability between the Asia-Pacific Economic Cooperation (APEC) cross-border privacy rules systems and Binding Corporate Rules (BCRs) under the GDPR.

Digital innovation flourishes in a trustworthy environment. This will require a constructive exchange between regulatory authorities and industry stakeholders. We look forward to working on these issues and trust that, through dialogue, the GDPR will be a success for citizens, consumers and business.  

By Maxime Bureau, Chairman, AmCham EU