9th Annual European Data Protection and Privacy Conference


On Wednesday 20/03 Spark Legal Network attended the 9th Annual European Data Protection and Privacy Conference. The Conference analysed the current state of data protection under the EU legislation, especially in the light of the upcoming anniversary of the entry into force of the General Data Protection Regulation (GDPR). In relation to this, one of the sessions consisted of the interview with Giovanni Buttarelli, the European Data Protection Supervisor, who shared his (mainly positive) impressions regarding the application of the GDPR EU-wide to date. As a comparison, data protection systems in other parts of the world were also discussed, for instance in Japan and Singapore.

One of the main subjects the speakers discussed was also the European E-Privacy Regulation, currently negotiated by the European Commission and the European Council. The progress was discussed and the main problematic issues, such as Article 10 (privacy settings) of the proposed Regulation, were also debated. The Conference also touched upon the collection of E-Evidence, and the possible ways of finding balance between protecting data and fundamental rights of crime suspects on the one hand and protecting safety and the broadly understood public interest on the other.

As the European elections are taking place in 2 months, the speakers also discussed the measures undertaken by the EU institutions in order to combat fake news and disinformation. The issue of fake accounts on social media and the related data protection issues are also analysed.

The speakers at the Conference included two Comissioners – Mariya Gabriel (Commissioner for Digital Economy and Society) and Vera Jourova (Commissioner for Justice, Consumers and Gender Equality), both holding a key note speech, as well as representatives of the Commission, Parliament and the Council, representatives of think tanks and major businesses, such as Facebook.

Spark Legal Network Newsletter

We are happy to share with you our first Newsletter! News about our latest projects, conferences, Brexit and much more. For further information see: https://mailchi.mp/98e40d74ce77/spark-legal-network-newsletter-57465 

What does Brexit mean for freedom of movement?

New Study – Mapping and Assessment of Developments for one of the sectoral professions under Directive 2005/36/EC – nurse responsible for general care

Spark Legal Network is carrying out the study “Mapping and Assessment of Developments for one of the sectoral professions under Directive 2005/36/EC – nurse responsible for general care“ (DG GROW).

The study aims to assist the European Commission with its assessment whether to propose an adaptation of the minimum training requirements for the profession of nurse responsible for general care under Directive 2005/36/EC, taking into account scientific and technical progress, within the limits of the delegated powers granted to the Commission under this Directive.

The Study covers all EU and EFTA States and is expected to last 15 months.

For further information about this project, please get in touch via email.

Spark Legal Network Data Protection and Brexit Update

The UK government published on its website an explanatory note outlining the possible scenarios in the field of data protection in case no Brexit deal is reached.[1] Based on this note, the following document offers a summary of the prospects presented by the UK government regarding the data protection situation after Brexit. In order to provide a more complex overview, we also used other sources to complete and add information.

The government firstly makes it clear that there will be no immediate change in the data protection standards in the UK. The Data Protection Act 2018, which sets the current standards, will remain in force and together with the EU Withdrawal Act it will incorporate GDPR in the UK legal order.

Nevertheless, due to the UK leaving the EU, there will be changes regarding the ways in which personal data transfers take place between the UK and the EU. The ultimate solution has not been agreed yet but, in line with our recommendations in our recent Study concerning data protection aspects after Brexit[2], there are a few possibilities:

1. An adequacy decision

Based on Article 45 of Regulation (EU) 2016/679, the European Commission can determine whether a third country guarantees “an adequate level of data protection” to that of the EU. A country can provide such data protection level by its domestic legislation or the international commitments it has entered into. Issuing an adequacy decision for the UK would greatly facilitate the exchange of personal data between the EU and UK as no further safeguards would be required. The transfer of personal data would take place the same way as intra-EU exchange.

It seems that at least for the initial period following the EU’s withdrawal from the EU, the adequacy decision will not be an option. This is because the European Commission has not yet indicated a timetable for the assessment process and the decision on adequacy cannot be taken before the UK becomes a third country.

Additionally, as we have pointed out in our Study[3], an adequacy decision will not be sufficient for public sector personal data exchanges. A multitude of legal instruments exists beyond general data protection law that determine which countries may participate in information exchanges, and on which basis. An adequacy finding would thus need to be complemented by a broader legal basis in the form of a legal agreement that would authorise the UK and EU to continue to participate in information exchanges.

However, it seems that this would be the option preferred by the UK government. The White Paper published in July 2018 encourages an “adequacy-plus” style agreement (meaning a unique situation allowing the ICO to be a member of the European Data Protection Board and to serve as a lead supervisory authority under the GDPR, even though the UK will be a third country) between the EU and UK following Brexit.

The UK government also considers other potential solutions:

2. Standard contractual clauses

Model data protection clauses are ready sets clauses prepared by the European Commission, which can be implemented between individual companies rather than on the state-level (and hence can take effect the moment the UK leaves the EU without further delay). Such clauses would also enable the free flow of personal data between the EU and UK companies, when embedded in a contract. The European Commission prepared a number of sets of clauses for transfers between data controllers in the EU and data controllers / processors outside the EU, which can be included in the contracts and which ensure the adequate protection. A full set of rules provided by the EC has to be incorporated in the contract – the provisions may not be split or modified in any way.

3. Privacy shield

Another option which is discussed with regard to the EU-UK relationship in the area of data protection after Brexit, is an agreement similar to the EU-U.S. data protection shield. The EU-U.S. Privacy Shield subordinates U.S. companies to strict rules in order to protect EU citizens’ personal data. The Privacy Shield requires the U.S. to cooperate closely with European Data Protection Authorities, as well as to monitor and enforce relevant rules and safeguards, including written commitments and assurance regarding access to data by public authorities. The privacy shield is jointly administered by the U.S. Department of Commerce and the European Commission. On 12/06/2016, the EC declared the EU-U.S. Privacy Shield adequate to enable data transfers under the EU law.

Although in the media this scenario has been widely discussed as a possible option, nothing has been decided in the negotiation process that would suggest this style agreement will be implemented any time soon.

4. Binding Corporate Rules

Within a multinational company, an adequate mechanism to transfer personal data may also be established by incorporating Binding Corporate Rules. These are basically strict rules, approved by the Lead Supervisory Authority[4] and legally binding, enforced by the company itself, which guarantee the same level of data protection as within the EU.

The BCR need to cover all the rights and obligations included in the GDPR, for instance all the data subject’s rights need to be observed and there needs to be an efficient monitoring system in place. In case of the UK as the third country, BCR would be introduced by the offices of a given company located in the EU in order to cover its UK branches.


[1] Guidance: Data protection if there is no Brexit deal; 13/09/2018; https://www.gov.uk/government/publications/data-protection-if-theres-no-brexit-deal/data-protection-if-theres-no-brexit-deal#before-29-march-2019; last accessed 17/10/2018.

[2] The future EU-UK relationship: options in the field of the protection of personal data for general processing activities and for processing for law enforcement purposes; European Parliament, Policy Department for Citizens’ Rights and Constitutional Affairs Directorate General for Internal Policies of the Union, August 2018, available at http://www.europarl.europa.eu/RegData/etudes/STUD/2018/604976/IPOL_STU(2018)604976_EN.pdf, last accessed 17/10/2018.

[3] Ibidem.

[4] Lead Supervisory is the supervisory authority of the main establishment or of the single establishment of the controller or processor, as per Article 56 GDPR.

We are glad to see how our research work contributes to EU law making!

Yesterday the European Parliament adopted the Regulation on the free flow of non-personal data, which aims to remove obstacles to the free movement of non-personal data and will enter into force by the end of 2018: http://europa.eu/rapid/press-release_STATEMENT-18-6001_en.htm

Our study on data location restrictions (SMART 2015/0054), conducted in collaboration with time.lex and tech4i2, provided evidence on the scope and magnitude of legal and non-legal barriers in Member States practices which hinder the free flow of non-personal data within the European Union in order to contribute to the sustainable development of a Digital Single Market. It provided also evidence about the costs of these barriers for private and public sector.

Publication of the study on “the future EU-UK relationship: options in the field of the protection of personal data for general processing activities and for processing for law enforcement purposes”

PwC, time.lex and Spark Legal Network have completed the study on the future EU-UK relationship: options in the field of the protection of personal data for general processing activities and for processing for law enforcement purposes. This study was commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the LIBE Committee. It examines the available mechanisms for personal data transfers between the EU and the UK after Brexit. The study shows that the existing legal mechanisms and policy measures which are presently used to support the exchange of personal data between the EU and third countries can alleviate some of the concerns surrounding Brexit, but that none of these, in isolation or collectively, would be sufficient to permit a continuation of personal data flows and cooperation in relation to data protection on the same basis as today. Please see the factsheet for more information.

Spark now certified DPO services provider

Spark Legal Network is happy to announce we are now certified to provide Data Protection Officer (DPO) services. We are now even better equipped to assist with any GDPR related queries and able to help ensure that your company fully complies with the new EU data protection requirements. We can help drafting policy notices, processor-controller agreements, personal data breach policies and other documents as well as suggest ways to improve datasecurity in your company and advise on Brexit related data protection issues. For more information, please contact us at: info@sparklegalnetwork.eu

New Study – Enforcement of State aid rules and decisions by national courts

Spark Legal Network, in collaboration with the European University Institute, Ecorys and Caselex, is carrying out the study on the enforcement of State aid rules and decisions by national courts, for the European Commission (DG COMP).

The aim of the Study is to provide a comprehensive overview of the enforcement of State aid rules by national courts since 2007. The Study covers all 28 Member States and gathers information regarding the most relevant rulings adopted by national courts on State aid matters at all levels of jurisdiction, from first to last instance courts.

For further information about this project, please get in touch via email.

Publication of the Final Report of the “study to support the review of Directive 2003/98/EC on the re-use of public sector information”

Deloitte, Open Evidence, WIK Consult, time.lex, the Lisbon Council and Spark Legal Network have completed the study to support the review of Directive 2003/98/EC on the re-use of public sector information, for the European Commission (DG CONNECT). Based on the best data available, this study provides an evaluation of the implementation the PSI Directive and of the changes introduced by revision of the PSI Directive in 2013. It also provides an assessment of the effectiveness, efficiency, relevance, coherence and added value of the PSI Directive and builds on this to offer some policy options and perspectives for the future.