My IBM Log in
GDPR’s Birthday Wishlist: Greater Harmonization and Robust Data Transfer Mechanisms
Nov 11,2020

Two years ago, on 25 May 2018, the European General Data Protection Regulation (GDPR) entered into force. On this anniversary, the COVID-19 pandemic has in an unprecedented way underlined the need to use data to safeguard people’s health, accelerate research, benefit governments, and to support the resilience of the economy. Most of the important steps to help citizens and economies not only require data, but also trusted and secure solutions which rely on data to flow freely and between different countries. IBM has resources to share — like supercomputing power, virus mapping and an AI assistant to answer citizens’ questions — that depend on such data flows. Privacy, trust and transparency are fundamental to all technologies and their ethical deployment.


Data protection has been for years an important issue on the agenda of political stakeholders in the EU. But in the current climate, the so-called GDPR review of the European Commission marks an even more important reality check for the GDPR. The report, which focuses, among other things, on questions around harmonization and data transfers to countries outside of the EU, will be presented to the public today.


Greater Harmonization


The GDPR greatly improved the European privacy landscape. One of the underlying reasons the GDPR was established was that companies with multiple footholds in the EU would now easily interact with only one single Data Protection Authority (DPA) instead of 27. But harmonization of GDPR rules and their diverging interpretations remain one of the big hurdles, as Member States are still able to develop their own rules, for example on sensitive data such as health data. DPAs issue guidance on several topics such as cookies, mandatory risk assessments (DPIAs), or the use of employee health data to return safely to the workplace. Divergences among EU Member States’ recommendations add a layer of complexity, which should be avoided by improving cooperation – both between DPAs and with stakeholders — and guidance from the European Data Protection Board. New privacy laws – such as the proposed European e-Privacy regulation – should take this into account and strive for strong alignment with GDPR rules to avoid further fragmentation and legal uncertainty.


Robust Data Transfer Mechanisms


Another focus of the European Commission’s GDPR review is on data flows to third countries outside the EU. Cross-border data flows are necessary for companies to operate globally and to provide services to their customers, across sectors and geographies. Mutual recognition and cooperation between non-EU countries and the EU should be encouraged so that data can flow freely. Additionally, the EU should oppose restrictive and discriminatory policies, such as forced data localization. The GDPR provides a suite of mechanisms companies can use for international data transfers, such as adequacy decisions, Binding Corporate Rules (BCRs), certifications, codes of conduct, and Standard Contractual Clauses (SCCs). This second review of the GDPR is a chance for Europe to ensure these data flow mechanisms, which are crucial for international businesses, not only can continue, but also to make them future proof. This is an important prerequisite for increased innovation as digitization is a priority for businesses across sectors. With this in mind, we hope that the EU and the UK will be able to make progress on an adequacy agreement and secure data transfers before the end of 2020.


IBM supports the GDPR and implements its own Principles for Trust & Transparency across our business and across all markets. We are playing a key role in initiatives such as the development of the EU’s AI Ethics guidelines and the Charter of Trust and have been a driving force in the EU Cloud Code of Conduct, an independently-governed industry code that contains rigorous assurances for the protection of data in cloud services.


While the benefits of GDPR have become very clear over the past two years, Europe’s work around data protection is not finished. Now more than ever, European citizens and companies require increased harmonization within Europe and improved cooperation with non-EU countries to rely on robust data transfer mechanisms and to keep international economies running.


— Dr. Nils Hullen, IBM Government and Regulatory Affairs Executive

— Amélie Coulet, Senior Manager, Government and Regulatory Affairs, Europe 


Share this post: