Response to European Commission Consultation on Transfers of Personal Data to Third Countries and Cooperation Between Data Protection Authorities

Eline Chivot Nigel Cory April 29, 2020
April 29, 2020

The Information Technology and Innovation Foundation (ITIF) submitted comments to the European Commission as part of its two-year review of the General Data Protection Regulation (GDPR) and the issue of international transfers of personal data to third countries (Chapter V of GDPR), and the cooperation and consistency mechanism between national data protection authorities (Chapter VII of GDPR). The submission aims to help EU policymakers better understand how GDPR is impacting international data transfers, how these can be improved, and how national data authorities can work more effectively.

The submission is divided into two sections.

The first focuses on international transfers of EU personal data to third countries and various issues raised by GDPR. GDPR was a seismic shift in data protection for Europe and the world, but it has become clear that its significant impact on international transfers requires the EC to shift away from its reliance on country-by-country adequacy determinations and instead build an expanded and flexible set of data transfer tools and mechanisms to ensure firms are held accountable for how they manage EU personal data—wherever they transfer it. This would help improve firm-level data protection practices for EU personal data, reduce the administrative burden GDPR impose on businesses, and make it much easier for Europe to build interoperability between broadly similar, but different, data protection frameworks with partners who share and respect the EC’s ultimate (and shared) goal of improved global data protection. As part of this, it’s crucial that Europe treat all its partners fairly in consistently applying its principles, criteria, and scrutiny. Together, this would allow Europe to bring together a broader and more diverse group of countries as part of a truly global and integrated data governance framework.

The second section focuses on the cooperation and consistency mechanisms between national data protection authorities (DPAs). It has become clear that EU policymakers did not fully anticipate how to best organize the new relations between DPAs and industry under GDPR—yet there are early lessons to learn here. The EC should strengthen and emphasize the role of DPAs as collaborators that raise awareness among companies, support a better framework for the governance of data protection, avoid legal fragmentation and ensure sufficient funding to provide DPAs with the resources they need. Indicative of this collaborative role, DPAs need to formally bring industry into the policy making process to build trusted relations with companies and help build effective consistency mechanisms moving forward. The purpose of GDPR is not to punish EU businesses, it is to better protect the privacy of EU residents. But that goal will not be realized if companies are unable to get accurate and timely guidance from DPAs, and if DPAs can’t hear directly from industry about policy proposals.