The French Chapter of the International Association of Privacy Professionals (IAPP) once again brought together privacy and data protection professionals for a remarkable event, rich in discussion, insights, and collaboration. This time, under the "Grand(iose) KnowledgnNet event" of October 7th.
Dastra was honored to participate as a one of the sponsors of this major privacy gathering, which offered a platform to exchange practical experiences and explore emerging regulatory challenges.
A day of insightful & constructive dialogue
From the future of international data transfers to the complexities of pseudonymisation, Privacy-Enhancing Technologies (PETs), and privacy in HR, the panels covered a wide spectrum of issues central to data protection and compliance.
Speakers shared pragmatic and forward-thinking perspectives on how organizations can reconcile legal compliance, technological innovation, and the protection of fundamental rights.
Each session provided actionable takeaways for professionals navigating an increasingly intricate regulatory landscape.
What we learned
1. Cross-Border Data Transfers : between global vision and operational reality
From a U.S. perspective, panelists emphasized that while certain developments such as the Latombe case bring a sense of certainty, it is still possible for things to take a turn especially with a potential appeal.
Organizations must therefore prepare for multiple scenarios and maintain contingency plans — Transfer Impact Assessments (TIAs) remain a critical tool. Recent enforcement actions, such as the Irish DPA’s decision in the TikTok case, demonstrate that supervisory authorities scrutinize both the assessment process and the evidence of compliance.
In the U.K., changes primarily concern onward transfers, with the previous “essentially equivalent” test evolving into a lower-threshold “data protection test” in which safeguards in third countries must not be materially lower than those in the UK.
At a broader level, discussions touched on the EU’s evolving data sovereignty strategy, with certain Member States, such as the Netherlands, adopting more cautious or restrictive approaches toward U.S. transfers.
Key takeaways:
Maintain clear communication with clients and stakeholders; transparency remains the best safeguard in periods of legal uncertainty.
Strengthen encryption and data residency measures to ensure better control within the EU.
Monitor evolving jurisprudence and regulatory positions closely.
2. Privacy-Enhancing Technologies (PETs)
Optimism was palpable regarding Privacy-Enhancing Technologies as they are gradually gaining traction on the market. These tools hold significant potential to reconcile innovation with data protection, yet their concepts and use cases still require clarification, especially for SMEs seeking practical compliance solutions.
The underlying technology still needs to be demystified, and use cases better understood, particularly from a sector-specific perspective.
Although the term “PETs” lacks a single legal definition, frameworks such as those developed by the OECD provide a useful starting point. Examples already embedded in EU legislation include anonymisation, encryption, and mechanisms under the GDPR or the Data Governance Act.
Emerging trends in PETs such as synthetic data and federated learning were discussed.
3.CJUE's clarifications on pseudonymized transfers: personal data or not?
The CJEU ruling in EDPS v. SRB, which shed light on whether pseudonymised data should be considered personal data, has raised many questions, both in terms of legal interpretation and practical implications.
The Court’s approach emphasized the importance of documentation: controllers must be able to demonstrate why certain datasets are not re-identifiable from the recipient’s standpoint.
Its operational impact could be significant, touching on data transfers, the application of the Data Act, GDPR Article 28 requirements, and even the potential relevance of criminal sanctions.
For now, prudence remains the guiding principle as the community awaits regulators’ analysis and its effects on pseudonymization guidelines.
Practical advice:
Incorporate contractual clauses explicitly prohibiting re-identification of data subjects by third parties or vendors.
As a pragmatic safeguard, some organizations choose to treat all pseudonymised data as personal data.
Note that in certain jurisdictions, such as the U.K., re-identification of anonymised or pseudonymised data constitutes a criminal offence, interpreted strictly.
The Singaporean DPA’s guidance on anonymisation and pseudonymisation was also cited as a helpful benchmark for operational compliance.
4. Privacy in HR: the complexities of employee access requests
Privacy in HR also sparked deep reflection, particularly regarding access requests from (former) employees.
The discussion revealed eye-opening figures about the costs and time involved in handling such requests.
Speakers explored the growing trend of employees, and former employees, using access requests strategically, prompting discussion on the fine line between legitimate rights and abuse of process or as a form of pressure or retaliation.
While DSARs often lead to litigation and resource-intensive procedures, panellists agreed that organizations should not hesitate to engage in dialogue with the data subject to clarify the scope of the request, for instance, by defining timeframes or relevant keywords.
Whatever the approach, companies should ensure their policy is consistent and non-discriminatory, avoiding unequal treatment of similar requests.
A word from Dastra
This edition of IAPP KnowledgeNet France was a resounding success, thanks to the dedication and expertise of the chapter co-chairs and volunteers, who continue to strengthen the privacy community across France.
At Dastra, we believe the real value of professional gatherings lies not only in the quality of the presentations but also in the informal moments between them: a conversation over coffee, a lunch discussion, or a cocktail debate that sparks new ideas and collaborations.
We are proud to have co-sponsored this event with Salesforce, and remain committed to fostering dialogue, trust, and innovation within the French & European privacy ecosystem.