Thoughts on the First Week of GDPR and the Future for Data Protection

30 May 2018

On 30 May, Access Partnership joined a wide range of stakeholders at Digital Europe’s “The GDPR story: an early, wide-ranging assessment” panel to discuss the first five days of the General Data Protection Regulation (GDPR) and the future for data protection.

A global regulation

Cecilia Bonefeld-Dahl, Director General of Digital Europe, told the room that the world was watching the EU as the GDPR came into force. With global companies rushing to comply, Japan, Korea and Taiwan are all closely watching the early days of the GDPR with interest. She also noted that there is widespread interest in global alignment in the future, making data protection easier to understand for companies and citizens.

Florence Reynal of the French data protection authority CNIL agreed. She called the GDPR a “historic moment; critical for the credibility of Europe”. She defended the legislation as an opportunity to create a level playing field for European and global firms. Ms. Reynal also noted that major complaints of GDPR breaches had already been lodged with CNIL: one from French organisation La Quadrature du Net and one from the well-known privacy lawyer and activist Max Schrems. As CNIL works on both cases, other EU member states will follow the progress closely.

Jean-Jacques Sahel of the Internet Corporation for Assigned Names and Numbers (ICANN) warned that European standards and norms around privacy were not necessarily shared across the world, and spoke of the need to avoid imposing European values on other regions.

Stakeholder dialogue

Communication with industry was a recurrent theme throughout the panel discussion. Cecilia Bonefeld-Dahl, Anthony Walker of techUK, and Jean-Jacques Sahel all criticised the lack of dialogue. Mr. Walker explained that while awareness of the GDPR was high, understanding was low, resulting in a wave of needless, panicked GDPR compliance emails landing in consumers’ inboxes.

Mr. Sahel said the GDPR had caused major problems for ICANN’s database WHOIS, which allows users to look up domain names to retrieve information about the registered owner. Because of the large number of stakeholders and the lack of clarity around the GDPR, he said it had been difficult to find a consensus around what information could be published on the database, ending with website registries refusing to divulge information on the owners of domain names. ICANN has already filed a lawsuit against a major domain name seller in Germany for refusing to collect information for WHOIS.

To solve this, Corinna Schulze of IBM said that communication was key going forward, a sentiment shared by Mr. Walker and Mr. Sahel, who said the European Data Protection Board (EDPB), the new EU agency responsible for the application of the GDPR, should function as a “shared brain”, an open forum for industry to engage with regulators.

Rebuffing some of the criticism, Ms. Reynal said the EDPB had consistently reached out to industry through workshops, but that businesses had not been particularly active. Ms. Schulze said the workshops had been a good start, but deeper engagement was necessary for the GDPR to be effective.

Future-proofing

No EU event would be complete without a mention of Brexit. Mr. Walker explained that the UK had made a “huge commitment” to comply with the GDPR and that the UK’s data protection authority, the ICO, was determined to take a lead role in the application of the legislation. He outlined the UK’s ambitions for a future data protection partnership and argued that the EU’s unenthusiastic response had been “puzzling”. Ms. Reynal argued that the participation of the UK in the EDPB would have to be consistent with its status in other EU regulatory bodies such as BEREC and ESMA.

Mr. Walker urged public and private sectors alike to think about how to use the GDPR as a tool for innovation. In particular, he suggested challenging the notion that the GDPR would “kill off” the opportunity for the EU to become a world leader in artificial intelligence. Ms. Schulze pointed out that businesses were already concerned about how blockchain could be compliant with the GDPR, given that one of blockchain’s key attributes is the permanent storage of data. She said it was important to make sure that the GDPR was implemented in a way that considered the impact on future innovations.

Despite their differing views on the successes and failures of the GDPR, the panellists were in agreement on one issue: communication is key to ensure that the GDPR remains relevant for future technologies and becomes the global gold standard for data protection.

Author: Kirsten Williams, Policy Analyst, Access Partnership