“A lot of compliance work companies need to do”

Nearly three years after the introduction of the EU’s General Data Protection Regulation, companies have learned a lot, but challenges remain.

With the EU-US Privacy Shield declared invalid by the European Court of Justice in July and the Brexit transition period ending on 31 December 2020, “there will be a lot of compliance work that companies need to do” in 2021, says Tine A. Larsen, president of Luxembourg’s data protection watchdog, the CNPD.

The Privacy Shield provided a regulatory framework for data transfers between EU countries and the US. Companies who based their data transfers on this mechanism must find ways to ensure adequate levels of data protection. “We cannot do this work for them,” says Larsen. But the CNPD provides support and Larsen says companies have more experience with data protection issues since GDPR.

The prospect of a Joe Biden White House makes Larsen optimistic that a successor to the Privacy Shield could be negotiated. Among the key concerns are the access to data by US intelligence agencies and EU citizens being able to file complaints over privacy violations.

A similar framework might yet have to be put in place with the UK in 2021. Even though the EU has agreements with countries like Switzerland and Japan testifying adequate levels of data protection. For the UK “this hasn’t been validated by the [European] Commission yet,” Larsen says. “The UK adopted GDPR into national law, so the likelihood of an adequacy decision is very high, but it could take at least a year.”

In the meantime, the CNPD has been in contact with “at least half a dozen companies” who moved their headquarters from the UK to Luxembourg to avoid transferring data outside the EU. The CNPD checks that the businesses really have a presence in the grand duchy and that management decisions are taken here. To avoid data protection compliance issues, Larsen says, “it’s not enough to have a letterbox in Luxembourg.”