
Where’s the GDPR at after two years?

Charles Mabbett
6 March 2020 at 12:07


Audiences in Auckland and Wellington were given a comprehensive overview of how the European Union’s General Data Protection Regulation (GDPR) was working after two years. The messages were particularly instructive because the speaker came from the European oversight body tasked with coordinating how the GDPR is being applied across the EU’s 27 member states.

The GDPR came into effect in May 2018. It was heralded as a landmark step change in privacy and data protection law. Joëlle Jouret is a legal adviser and legal coordinator at the European Data Protection Board (EDPB). As luck would have it, she agreed to do the presentations while holidaying in New Zealand.

Joëlle gave an outline of the challenges facing individual European privacy authorities, including resourcing and language. The role of the EDPB, based in Brussels, is to ensure consistent application of the GDPR in the European Economic Area. One challenge is a common language to conduct its business. A decision was taken to use English. This means each national data protection authority must be able to conduct its communications with the EDPB in English, which Joëlle explained has been a real difficulty for some of the member agencies.

She explained the structure of the EDPB, which holds monthly plenary meetings attended by all member representatives where decisions are made by voting. In one recent decision, the EDPB said it would not review how the GDPR was working because it was premature to do so. But the EDPB has acknowledged the implementation of the GDPR has been challenging for small organisations, notably SMEs.

GDPR: Does it apply to you?

For New Zealand companies, the question they need to ask is: Do you offer goods and services to EU residents or monitor the behaviour of EU residents?

If you provide a service to EU residents, you are required to comply with the GDPR. The definition of EU residents covers people living in an EU country. They do not have to be citizens, just living in the EU. If they are buying your products or using your services, then the GDPR applies to you.

Complaints

The EDPB is not a complaints body. This means it does not receive privacy complaints. Complaints are made to the individual privacy authorities and they are dealt with by the individual authority, sometimes in cooperation with other privacy authorities.

But the EDPB can force a binding decision on its members - if privacy authorities cannot agree on how to resolve a complaint. Under the GDPR’s one-stop-shop (OSS) mechanism, if a lead authority investigates but is unable to get other privacy authorities to agree to a decision, the EDPB acts as a conciliation tribunal that can issue a binding decision.

One-stop-shop

Having a business establishment within the EU enables businesses outside the EU to benefit from the use of the OSS mechanism. This means the relevant privacy authorities will have a coordinated approach to any issues that arise about your business’ compliance with the GDPR.

If you do not have a representative establishment in the EU, then you will not be able to benefit from the mechanism of OSS. This means every relevant privacy authority can initiate its own individual compliance action against your business.

For example, if a complaint is made about your New Zealand company, the OSS mechanism could apply to you – but only if you had a representative establishment in the EU. The benefit to your company is that you would only have to deal with one privacy authority to resolve the complaint. This authority would be the lead authority dealing with the complaint on behalf of all the other concerned privacy authorities.

But if you don’t have a representative establishment in the EU, you cannot benefit from the OSS mechanism. It means that your company would have to deal separately with each privacy authority concerned over the complaint. Joëlle says the worst-case scenario would be having to deal with 27 different privacy authorities individually.

EU adequacy

Under the GDPR framework, there is an expectation that the personal information of European residents that flows out of the European Economic Area should be protected to similar standards to that within the EU.

One of the principles of the GDPR is that no data should be transferred outside the EU to third countries. The GDPR recognises mechanisms to facilitate the transfer of data beyond EU borders. One of these tools is the Privacy Shield arrangement between the EU and the United States.

Another mechanism is to recognise a country’s legal protection of personal information as “adequate” in comparison to the EU. It is essentially the European Commission saying that a third country offers an adequate level of data protection to that found in the EU.

New Zealand is one of a small number of countries to receive an adequacy finding. However, as the GDPR came into force in 2018, the assessment of New Zealand in 2012 was made under the previous data protection framework.

Including New Zealand, there are currently 12 countries or territories which have EU adequacy in data protection. Japan’s adequacy decision is the only one that was made after the GDPR came into law. All other adequacy decisions, including New Zealand’s, are currently awaiting review. Once the EU Commission has reviewed each decision, the EDPB will be asked to provide an opinion.

Video of Joëlle’s presentation

The two PrivacyLive forums were both very well attended. A video recording of Joëlle’s presentation is now available on our YouTube channel. You can find it here.

Image credit: GDPR hand via MarTech Today.
