GDPR and Beyond
The European Union’s General Data Protection Regulation (GDPR), applied since May 2018, was a policy response to widely felt skepticism and fears in the European population around privacy protection in technology. Policy-makers in EU member states and institutions intended to strike a better balance between promoting innovation and protecting European citizens’ individual autonomy.
However, GDPR’s concept clashed with views in the tech industry, particularly in the United States, that focus on the monetization of data and their exponential use by companies to develop and improve products.
The start of GDPR implementation represented a significant milestone for privacy and for any organization, no matter where it resides, that collects or uses data of European individuals.
For the 2018 edition of SEC2SV European Innovation Day, we therefore decided to host an entire Workshop on GDPR/Data Privacy.
The Policy Brief that you can download HERE for free presents the main insights and key findings that emerged in this workshop. They are relevant for policy-makers and the general public alike.
Here are some conclusions drawn from an intense three-hour session among 48 participants from the United States and Europe, including data protection professionals in technology companies and privacy lawyers based in the Bay Area. They held discussions with European policy-makers, including MEP Sorin Moisa, Joao Rodrigues of the EP liaison office to the US Congress, and Pēteris Zilgalvis, head of unit at the European Commission’s DG Connect.
Among the biggest GDPR-related challenges that companies faced in the past months, tech industry representatives in the workshop mentioned more tensions around vendor negotiations; a strengthening of monopolies, due to the increasing preference for bigger, more mature companies and therefore a bias against smaller and mid-size providers that fell short of compliance; and a debilitating wait-and-see attitude with regard to actual enforcement.
The ongoing negotiations among EU member states on an ePrivacy Regulation are another concern shared by industry both in Europe and in the United States. This “additional layer” of European privacy regulation will mean more changes but also much needed clarity for industry.
Looking at privacy management at a global level, many industry leaders underlined that for practical reasons, they provided rights derived from GDPR not only to Europeans, but to all their users around the world. These days, it is without any doubt an advantage to be GDPR compliant in all markets. However, in only a few months, many other countries have issued privacy laws, and the increasingly complex global privacy landscape creates a mosaic of different and sometimes conflicting pieces of legislation. A particular burden that participants mentioned is the “localization principle” included in some national laws, prescribing that certain data, or at least their “primary version”, will have to remain domestic.
The SEC2SV event provided an opportunity for Silicon Valley’s tech businesses to reflect on the GDPR, its impact on business, compliance, standard and peers. In particular, it was an opportunity to discuss the GDPR’s challenges in an open and tech-savvy environment. I hope you enjoy reading about the results. Our take-away is that there is a clear need for a multi-stakeholder dialogue on common rules that allow companies to transfer data internationally while upholding appropriate privacy rights for citizens around the world.
CIPP/E, SEC2SV Public Affairs Coordinator