Tag: GDPR

L1 Avondgasten on the GDPR and Zuckerberg

Tonight I was once again invited to join L1 Avondgasten, this time recorded in the studio at the European Parliament in Brussels. Together with MEPs Jeroen Lenaers (CDA) and Judith Sargentini (GroenLinks), I discussed the General Data Protection Regulation, which takes effect at the end of this week. And of course the Great Mark Zuckerberg Show also came up. The Facebook boss paid a lightning visit to the European Parliament on Tuesday evening, where he mainly excelled at dodging answers to a number of very legitimate questions.

The photo above this post was taken by Jeroen Lenaers's team and is reused with permission.

European Parliament: GDPR at the eve of its application

On 25 May 2018, the General Data Protection Regulation will finally enter into full force. After many years of preparations, and a two-year transition period, organisations at the end of this month will need to comply with an updated set of data protection rules. The burden of proof for compliance is on the organisations, and data subjects (basically: you and me) will have more rights to understand what is happening with their data.

On the eve of its application, the European Parliament Committee on Civil Liberties, Justice and Consumers hosted a so-called Interparliamentary Committee Meeting, to which representatives of the national parliaments from across the EU were also invited. In four blocks, the state of play of the data protection reform was discussed, including the Police and Justice Data Protection Directive. On behalf of Nymity, I was invited to discuss the issue of GDPR and Technological Innovation: have organisations found new ways to deal with their data protection requirements? And if so, how do they do so?

The recording of the afternoon session of the Interparliamentary Committee Meeting is available via the link below. My contribution starts around the 18-minute mark.

http://web.ep.streamovations.be/index.php/event/stream/20180515-1430-committee-libe

De Grote Privacy Show

From the hairdresser around the corner to Google, and from primary schools to Facebook. Every organisation that does anything with personal data must comply with the new privacy law, the GDPR (AVG in Dutch), from 25 May. RTL Z therefore broadcast the Grote Privacyshow on 15 May, explaining what is changing and what organisations need to watch out for. Hosted by Peter van Zadelhoff and Frederieke Hegger, various experts explain the impact of the new law on consumers, businesses and associations, and numerous questions are answered.

On behalf of Nymity, I joined the broadcast in the first and last segments of the show. The full broadcast can be watched below.

Source: https://www.rtlz.nl/business/ondernemen/kijk-terug-de-grote-privacyshow-alles-over-de-nieuwe-privacywet

The new privacy law is coming

On 25 May 2018, the General Data Protection Regulation (GDPR, known in Dutch as the Algemene Verordening Gegevensbescherming, AVG) enters into force. For some seven years I have been working on the preparations for this new privacy law: first at the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority), where together with colleagues I prepared the positions of the European supervisory authorities on the GDPR (and the accompanying police and justice directive) and the negotiating proposals, and for just under two years now at Nymity. Many companies, associations and public bodies are working hard to adapt the way they handle data to the new law, and that involves a great deal. Complying with legislation is not easy, but it is important: privacy and data protection are fundamental rights and therefore deserve due attention.

L1 Avondgasten devoted ample attention in today's broadcast to the new privacy legislation, including the challenges organisations face in getting their entire administration in order on time. On behalf of Maastricht University, I joined the broadcast to explain the new obligations.

Debate Café: What is the Price of your Privacy

Your behaviour is analysed with every online purchase on Amazon, every search on Google or transaction with your credit card. Companies continuously collect data with every click you make and every cookie that you accept. What do they do with these data? Is access to the location of your phone really needed for the application you want to use? The line of privacy can easily be crossed. In today’s world, everybody faces a trade-off between privacy and convenience that is barely talked or thought about in everyday life.

In tonight’s Debate Café we are going to discuss governance surveillance, data breaches, the role and responsibilities of companies, technological developments, the good side of data collection and data science, what you yourself can do about your privacy and much more.

So, join this diverse Debate Café on the price of your privacy and discuss these issues with the expert panel!

Panel
Anna Berlee – Assistant Professor at the Molengraaff Instituut of Private Law, Utrecht University; PhD researcher Maastricht European Private Law Institute (MEPLI). Research interests: Property, Privacy & Data Protection, Internet of Things, Law and Technology, Fintech (including Blockchain) and Teaching Methods.
Paul Breitbarth – Director of Strategic Research and Regulator Outreach at Nymity, a Canadian privacy research organization, visiting fellow at the European Centre for Privacy and Cybersecurity at Maastricht University, member of the provincial Council in South Holland.
Matthias Matthiesen – Senior Manager, Privacy & Public Policy, IAB Europe (Interactive Advertising Bureau). Responsible for European data protection and privacy policy.
Apostolis Zarras – Assistant Professor at the Department of Data Science and Knowledge Engineering, Maastricht University. Research interests include: systems, network, and web security. Zarras received his PhD in IT Security from the Ruhr-University Bochum. He also holds an M.Sc. and B.Sc. in Computer Science from the University of Crete. Before joining Maastricht University, Zarras was a postdoctoral researcher at Technical University of Munich.

Moderator
Cosimo Monda – Director of the Maastricht European Centre on Privacy and Cybersecurity, Faculty of Law, Maastricht University.

E-Volution of Data Protection

This week, I’m in Tartu (Estonia) for a privacy conference organised by the Estonian presidency of the European Union. It is a timely conference, with some 260 days to go before the GDPR will come into full application. On the afternoon of the first day, I joined a panel on “GDPR and the Private Sector”, with several speakers from the Baltics. The video of the session is available below.

An important take-away from the conference for me (outside of the fact that Tartu is a lovely city) is that there are so many people still looking for practical guidance on how to deal with the GDPR. The conference had some great sessions explaining the ins and outs of the legislation, as well as of some recent case-law, but the sessions most appreciated by the audience were those where practical tips were provided. Good to remember for my next speaking engagements!

The Nightmare Letters II – The DPA Inquires…

So let’s imagine how the letter from hell has been answered in a typical organization. All these annoying questions have been asked, and they may have to be answered. The scope of the answers will depend on the context of what the subject is legitimately making a complaint or inquiry about.

If you are not prepared and do not have an adequate picture of your data processing activities and privacy management processes, then answering any subject-access request will be time-consuming. You won’t even know who knows the answers to some of these questions, and in your exploration of your company’s subterranean caverns of data processing, you come up against the deadline.

So naturally, you have written back initially in the one-month period following the subject-access request, to advise that you will require a further two months (Article 12(3) GDPR). And despite your best efforts and intentions to get answers from your IT department, your HR department, marketing and everyone else who presumably should know how this individual’s information is being processed, you find yourself coming up against the extended deadline again.

And you slip over it. Not by much, but you are late. And your answers are, admittedly, a bit vague and perhaps not that persuasive. The data subject does what data subjects will do – they complain to their national or local DPA. And you get another letter…

[This post was originally published on LinkedIn by Constantine Karbaliotis and me]

CPDP 2017: Demonstrating Compliance as the Basis for Certification

Video of the panel I chaired during the 2017 Computer, Privacy and Data Protection Conference in Brussels. Together with Joëlle Jouret (Belgian Privacy Commission), Bojana Bellamy (CIPL), Irene Kamara (Vrije Universiteit Brussels / Tilburg University), Gemma Farmer (Information Commissioner’s Office, UK) and Valérie Bourriquen (CNIL), I discussed how certifications can be used as a means to demonstrate compliance under the GDPR.