Privacy regulators believe there must be a push toward greater international cooperation and enforcement if failure to ensure data protection is to be taken as seriously as other corporate offenses.
Speaking at the Global Privacy Assembly’s (GPA) virtual annual conference this week, Bruno Gencarelli, head of data flows and protection at the European Commission, said “it is time to get real” and recognize data abuses cannot be handled by single regulators when the impacts are cross-border, or even global.
Gencarelli pointed out that while cooperation and mutual assistance agreements are in place to pursue cases of fraud, bribery, and corruption for corporates and particular industry sectors, such as financial services, there are no such arrangements for serious data breaches or violations of privacy.
He said that while most privacy protection legislation has extraterritorial reach, there is no mechanism to ensure cooperation between data regulators, unlike the arrangements enforcement agencies in other industry sectors rely on.
“This situation needs to change,” said Gencarelli, with data regulators “focusing on practical solutions.”
For example, if a company suffers a major data breach or compliance problem that affects millions of users in multiple jurisdictions or worldwide, Gencarelli stated it makes sense for regulators to coordinate resources to investigate the same incident in the same way.
He added, “Under the mandate of the General Data Protection Regulation (GDPR), the EU will act to forge cooperation agreements with other data regulators around the world.”
The U.K.’s Information Commissioner Elizabeth Denham, who is current chair of the GPA, also stressed the need for convergence on global privacy laws.
She said there have been multiple cases where the application of various regulations in different jurisdictions has made proper supervision and enforcement “impossible.”
As such, she said “a common language of personal data” that enables the adoption of similar or identical data principles and provisions in all regions would help move toward convergence. Setting up international standards that guarantee adequate protection of human rights, including protecting personal data and privacy, would be a step forward, said Denham.
However, she added it will not be easy, as regulators, businesses, policymakers, and civil society need to come together. “It will mean compromise and accepting there is no perfect solution,” said Denham.
An imperfect starting point?
A global common standard on data protection and privacy does already exist. Human rights organization the Council of Europe established “Convention 108” in 1981 to lay the framework for harmonized standards on data protection. It was revised and renamed as Convention 108+ in 2018 to bring it in line with the GDPR.
Some data experts have suggested that as the convention is championed by the European Union, many countries could see becoming a signatory as a step toward gaining an adequacy decision from the European Commission, meaning their domestic data regimes are on par with the GDPR.
However, regulators and data experts concede the convention suffers from two key stumbling blocks.
First, outside of the European Union (whose member states must implement it), many countries have still not signed on. Only nine countries that are not Council of Europe members are signatories, including Mexico and Argentina. Notable absences include Japan, China, India, Brazil, Australia, New Zealand, Canada, and the United States.
Second, hardly any companies are aware the convention even exists.
“Companies often complain there needs to be a global standard for data privacy without realizing there already is one,” said Paul Breitbarth, director of global policy and EU strategy at privacy compliance technology company TrustArc. Nor do they realize its basic principles underpin new privacy legislation in California, Brazil, and China.
“If the private sector knew this was the case, it would be easier to work toward a global standard and global compliance,” he said.
Alessandro Mantelero, professor of Private Law and Technology at the University of Turin in Italy, questioned whether a global standard should equate to a “gold standard,” and if so, whether it could be achieved quickly.
“For the EU, the gold standard is the GDPR, but many countries in other regions have adopted privacy legislation that is not in line with it and the gap is relevant,” he said. “We cannot imagine other countries can put in place in a few short years the same kind of legislation that took the EU decades to achieve.”