Since news of the Cambridge Analytica data scandal broke one year ago, privacy and data protection have drawn increased attention from the general public and regulatory authorities. To explore these global efforts to regulate data policy, Forum Europe hosted the 9th Annual European Data Protection and Privacy Conference on 20 March in Brussels.
To kick off the event, the Commissioner for the Digital Economy and Society, European Commission Mariya Gabriel recognised EU and industry efforts in building consumer trust by protecting the digital market. For the former, this includes setting the global standards in data protection with the GDPR and ePrivacy Regulation. For the latter, it’s the implementation of the Code of Practice on Disinformation by Facebook, Twitter and Google, establishing self-regulatory standards to tackle online disinformation. These companies use smart algorithms and fact-checking to review content. However, as fake news also involves the systematic abuse of data used to target audiences, she called for greater transparency on political advertising and ahead of the EU elections, recommending businesses to hire independent researchers and fact checkers, and encouraging consumer education to critically analyse digital media.
The GDPR Echoes Beyond Europe
The following session invited a series of speakers to compare national and regional data protection frameworks. According to European Data Protection Board Chair, Andrea Jelinek, more than half of gross domestic products globally will be governed by data protection policies, thereby requiring a certain degree of harmonisation to limit the cost for businesses and avoid unfair competition.
This level of compatibility requires agreeing on the fundamental principles of regulation. For Tetsuo Narukawa, Commissioner of the Personal Information Protection Commission, Europe and Japan share the same values regarding data protection and implementing global standards. This mutual understanding has led to an adequacy decision earlier this year.
However, for Peter Davidson from the US Department of Commerce, the GDPR is “too narrow in definition, yet too wide in scope” and risks choking innovation. While the two regions have regulated transatlantic exchanges of personal data through the EU-US Privacy Shield, the expected rollout of a US cybersecurity framework will set new national standards of data protection. Bruno Gencarelli, Head of Unit, International data flows and protection at DG JUSTICE invited the US to get involved in standardising data protection frameworks: “Our work is not creating copy paste versions of the GDPR, it is promoting new modernised laws with common standards and a governance model.”
While the GDPR has set global standards, some countries, like Singapore, are adopting best practices from around the world. According to Yeong Zee Kin, Deputy Commissioner of the Personal Data Protection Commission (PDPC), Singapore aims to ensure that the country is an important node for global data flows by encouraging data portability and the anonymisation of data sharing. Additionally, the PDPC’s data protection trust mark certification to companies will ensure high standards.
Enforcement is Creeping Up
To discuss the enforcement of the GDPR, Forum Europe invited Giovanni Buttarelli, the European Data Protection Supervisor (EDPD). For him, while penalties have been effective in identifying infringements (there have been over 600 cross border cases, over 200 000 national cases and about €55 million in fines imposed), the GDPR has also ignited a conversation on data protection and exploring remedial actions. Indeed, the privacy debate has spearheaded the conversation on digital ethics. As more sectors continue to be transformed by data-analytics and artificial intelligence (AI), Europe has the unique opportunity to embed privacy by design in AI and other emerging technologies.
His views were echoed in the following speech by Vĕra Jourová, Commissioner for Justice, Consumers and Gender Equality. For her, fines are only one of the tools Data Protection Authorities (DPAs) can use to enforce the GDPR. She encouraged dialogue between stakeholders to ensure compliance and provide safe and trustworthy platforms for consumers. She acknowledged the struggles for SMEs to comply but assured that the risk-based approach of the GDPR allows SMEs processing small amounts of data must meet only a limited set of obligations.
Key Files Still in Limbo
The final two sessions examined the state-of-play of two of the most complex pieces of legislation: eEvidence and ePrivacy Regulation. The former would give law enforcement agencies access to user data — or electronic evidence —regardless of where the data is stored or where the company is located, for example in a third country by a company established or offering services in the EU. This unprecedented level of access has raised concerns in some EU institutions and member states. Before its implementation, policy-makers will need to agree on how to protect citizens’ privacy while efficiently obtaining evidence, how to secure cross-border cooperation, and on the need for real-time monitoring.
The ePrivacy Regulation — aimed at all electronic communications service providers, including telecoms operators and OTT applications — has also sparked months of debate and is not expected to be agreed before the European elections. Member states have failed to reach a consensus with some, like the UK and Ireland, supporting industry’s position that the regulation is too restrictive and others, like Germany and the Netherlands pushing it forward as it is. MEP Birgit Sippel, who oversees both files, passionately supported the progress made and criticised those suggesting slowing down the work on the files before the elections.
While the day saw heated debates in regulatory approaches with the EU taking a much more robust approach than the US over issues such as data protection, it is clear that more and more countries are adopting a common approach, including Brazil, India, Indonesia and Kenya. Compliance is a dynamic process that requires dialogue between stakeholders, and the conversation should go beyond experts and lawmakers to include the public to build trust.
Author: Ivan Ivanov, Marketing Manager, Access Partnership