In November, the European Data Protection Board (EDPB) issued draft guidance regarding transfers of personal data from the European Union. That guidance has prompted nearly 200 comments from companies, trade groups, and interested observers. Senior Counsel Peter Swire, along with co-author DeBrae Kennedy-Mayo, has now published a report reviewing these comments through the Cross Border Data Protection Forum. (A shorter version of the report was first published by the IAPP.)
Swire’s report indicates that “data localization was a prominent theme” in the nearly 200 comments submitted to the EDPB, reflecting a concern that the EDB guidance could practically result in a requirement to localize data processing within the European Union. Commenters expressed concern that such a localization could negatively impact the EU economy, restrict cross-border data flows, and impair current business operations.
The report additionally highlights that, as the study was being completed, the Portuguese data protection authority issued an order suspending certain data processing within the United States. Swire’s report argues that this decision “lends new urgency to concerns that the European Union is moving towards data localization.” Such data localization would ultimately not only impact the flow of data to the United States, but may impact other countries mentioned in the Portuguese decision, including China, India, Mexico, and Russia.