This year’s Computers, Privacy & Data Protection (CPDP) Conference ran from January 22-24 in Brussels. While last year’s conference concentrated heavily on the (then new) draft EU Data Protection Regulation, this year’s conference covered a wider variety of topics. Even so, a few key topics were addressed repeatedly:

The Status of the Draft EU Data Protection Regulation

The EU Data Protection Regulation has been in its current draft form for over a year, and there are no signs of movement.  EU Parliamentary elections are approaching in May, making it a tricky time to push through such a large and important piece of legislation.

The Polish DPA frankly stated that the Regulation had no chance of passing in 2014.  Privately, other conference attendees expressed doubts about the chances of passage in 2015 as well, although they remained hopeful.

The Future of the US-EU Safe Harbor

Mentions of Edward Snowden were everywhere: in the Introductory statement in the printed program, during the first 5 minutes of the first talk I attended, and in a dedicated panel on the NSA on the final day of the conference. To say that Europeans are angry at the US over the revelations around the NSA’s PRISM program is putting it mildly.

This anger has renewed calls for a re-examination of the Safe Harbor agreement and whether transferring data to the US can ever be said to protect EU citizens adequately. Despite this difficult political climate, a representative of the EU Commission clearly stated that the Safe Harbor agreement is not going away, although some changes may be necessary. There was general agreement that more vigorous enforcement was required and possibly more stringent requirements for registration.

Trade negotiations on this topic are ongoing between the US and EU, and there is no time frame for when any changes might occur.

EU – APEC Interoperability

Starting in two weeks in Ningbo, China, the EU and the Asia-Pacific Economic Cooperation (APEC) Organization will begin official meetings on Interoperability between the EU Binding Corporate Rules (BCRs) and the APEC Cross Border Privacy Rules (CBPRs) systems.

The idea is to identify commonalities between the two international transfer schemes, with the goal of allowing companies to leverage their participation in one system to gain certification in the other.

For example, companies certified as APEC CBPRs compliant might have an expedited or less stringent process for completing EU BCRs. The combination would make a truly global regulatory system for multi-national data transfers. While the relationship is just beginning, there was optimism that the comparison of the two systems could be completed by the end of the year.