Optimism for the Future of Data Protection

Earlier this month I spent a week in Brussels, where my team and I were fortunate enough to meet safely with customers, regulators, policy makers, academics, civil society leaders and technologists who are all working hard to define the future of data protection and privacy.??

As we head into the busy holiday season – and while these conversations are fresh in my mind – I wanted to share some insights from a busy week on the ground and why I’m an optimist about the future of data protection.

After a nearly two-year absence, it was clearly time for reconnection. Many of us who were in Brussels for the annual IAPP Data Protection Congress embraced the open sharing and constructive dialogs that can help create progress on the key issues that we face in today’s data-driven economy.

We discussed the critical importance of enabling responsible data while protecting individual rights, the state of cross-border data flows, digital sovereignty trends, global regulatory activity, children’s privacy, and many other current issues that will require multilateral engagement to solve. It was inspiring to see so many leaders committed to addressing these issues.

I wanted to share a few key themes that emerged for me based on my interactions with stakeholders in the region and across the data protection and privacy landscape.

I look forward to continuing these conversations in the year ahead!

• Growing confidence in the state of data transfers. Officials on both sides of the Atlantic are committed to a durable agreement on cross-border data flows. While timing is unclear - it was said on the ground that “In negotiation, you should never have timelines, you should have conditions…” – what is clear is that there is reason to be optimistic. As negotiations for Privacy Shield 2.0 continue, I believe the U.S. Administration well understands the need to address Europeans’ concerns and is working hard to get to an agreement within the constraints of both sides’ legal systems and political realities. There is good reason to be hopeful that conversations are constructive, conditions better understood, and progress is being made.

• Multilateral engagement and optimism over the OECD’s efforts. At a session at the IAPP Congress, titled “Schrems II, Government Access & Accountability Challenges: What’s Next? we learned the OECD is looking at ways to identify commonalities within democratic nations over principles of government access across the OECD member countries. While no one expects the process to be simple, we heard from the OECD’s Head of the Digital Economy Policy Division that the process is enabling constructive multi-disciplinary discussions between governments, privacy regulators, and the private sector. Many are optimistic that an OECD resolution can be reached, and some cite as a workable model the principles-based approach taken by the DPAs at their Global Privacy Assembly last month, which identified principles for government access to personal data held by the private sector.

• Could China be a galvanizing force? By 2023, Gartner estimates that 75% of the world will be covered under some kind of privacy law with built-in subject rights requests and consent. It’s clear that democratic jurisdictions around the world will continue to move quickly to enact or revise privacy and data protection regulation, and the pace of regulation and enforcement will not slow down. While there are many similarities around the globe across the various data protection regulations, such as with Brazil’s General Data Protection Law and the EU General Data Protection Regulation, it is also clear that we will see differences, such as with China’s new Personal Information Protection Law (PIPL).?These developments may galvanize and inspire the democracies of the world to move faster on cross-border agreements and privacy laws in democratic jurisdictions, including in the U.S.

• Privacy as the front line of a broader set of regulatory concerns. Overall, I left my time in Brussels and at the Data Protection Congress with a strong sense of the central role of data in global economies and societies. Data is now ubiquitous and is often the key ingredient enabling an organization to do business today. Not coincidentally, the global community of data protection and privacy regulators is being asked to go beyond its traditional privacy-focused remit to consider cases that include bias, ethics, fairness, competition, children, and consumer protection. Regulators and policymakers are being asked to get very good at understanding these adjacent policy areas, and often doing so in the context of budgets and staffing that is not keeping pace with these expanded demands.??