As we have passed by 25th of May 2018, the date European Union’s General Data Protection Regulation was enforced, a deep and quiet wave of turmoil has spread around not only throughout European Union but also United Kingdom, Asia and obviously United States. GDPR was meant to give customer or the ‘data subject’, as in its legal terms, greater control on his or her choice of handling, giving out and controlling his or her personal information. Within the global marketplace where data can be transferred within a second and where business thrive globally, personal data is spread to several politically independent and apart but economically interrelated countries. Just recently, the interpretation of handling of data in international transfers of GDPR’s relevant clause caused financial regulators and businessmen to raise concerns. Under the strictly pro-customer conception of GDPR, European regulators and Data Protection Authorities are entitled to fine implementations of foreign business on the basis of how they store and manage the personal data of European citizens irrespective to the fact that whether they reside in the time of the incident in EU or not.
The issue primarily comes down to major banks and trading organizations, as their cross-border businesses work in same manners with their headquarters and this creates trouble as the GDPR enforces businesses to change the way they process and control data . In order to dodge fines of billions of dollars in scope of the mistreatment of data, non-European authorities, regulators are applying pressure on European Data Protection Board to make them provide some explicitly stated guidance. Non-European parties aim to get a hold to some kind of administrative arrangement about the exemption of their institutions from the respective enforcement of the regulation. It is obvious that they were struggling in the process as European Data Protection Board seems very decisive and keeps its position on solid ground.
The regulation introduces many new conditions, enforcement and extra privacy safeguards but still leaves some of its clauses ambiguous. Under the previous Data Protection Law, regulators benefited exemption when sharing vital information. However, it is noted in GDPR that in addition to new conditions and new safeguards on the processing and storing of personal data, it reserves the right to interrupt sharing of vital data within or without an organization if it is deemed necessary for the sake of public interest. This is unclear in the eyes of regulators and they definitely do not wish to run into some surprise billion dollar fine.
Especially in the case of regulators, more than financial institutions, the conflict arises from EU authorities’ tough stance against an administrative arrangement. Securities Commissions of Japan, U.S and UK all have some different systems in place for obtaining, transferring and processing data. Still, GDPR obliges foreign regulators to manage their data according to the standards and processes of European Union’s own, and non-European parties claim they have appropriate enough measures for privacy. Changing their privacy laws to adapt to GDPR would politically mean a passive breach of independence.
Parties that witness negotiations in part, do not guarantee any definite arrangement in the short term but third parties like the International Organization of Securities Commission have participated to the negotiations. It is estimated that ıf ever an arrangement finds itself a place aside to GDPR, its scope will be narrow enough. It is strongly probable that data transfers and the respective exemption decisions will be subject to interpretation and assessment from case to case, situations of specific nature. This estimation moreover supports the observation that EU holds its ground in negotiations and will not back up, at least for some time. There has been no critical troubling situations so far regarding the data transfers and exemption issue but yet, GDPR has been in force for only a month now, which indicates that it is too soon to be optimistic.