Is GDPR still a mystery?

11 Jun 2018 02:00h

Event report

The moderator, Mr Vladimir Radunović (Cybersecurity and E-diplomacy Programmes Director, DiploFoundation), started the session by asking the audience what issues they believed to be the most pressing ones in facing the difficulties brought by the EU General Data Protection Regulation (GDPR).

He then collected these issues as questions to be addressed in the next part of the session. Participants formed subgroups in which specific aspects of the GDPR were discussed and brought to the full audience after being addressed by the group during 30 minutes of exchange and interaction. The specific points focused on by the subgroups were data controllers and processors, social media and GDPR, ICANN and the WHOIS service, data protection authorities, consent and data subjects' rights, and international data transfers. The debate in each subgroup was facilitated by one of the key participants, who made a brief introduction justifying the choice and the relevance of each subset of aspects, presented initial questions, encouraged and coordinated the debate, and then summarised the main views of each group to the audience.

Mr Cláudio Lucena (Researcher, Fundação para a Ciência e a Tecnologia, Portugal) reported that the group discussing GDPR repercussions in social media agreed that these platforms bring many more people into an environment where privacy and data protection are relevant. There was a concern, though, that the necessary public capacity building and awareness initiatives were not yet in place or widely known. The group considered the balance between freedom of expression and the protection of personal data to have been adequately addressed in the GDPR through the public interest exception, but feared that objective mechanisms and tools to achieve this balance were unclear.

Ms Adriana Minović (Curator, DiploFoundation) reported that her group addressed issues regarding data controllers and processors, and agreed that resources for local data protection authorities were scarce and that authorities would most probably adopt the path of reacting to notifications, discovering what to do and the concrete ways to move as situations develop. That, coupled with misunderstandings and discrepancies in the interpretation of issues that remain unaddressed on a national basis, will be a serious obstacle to implementing the GDPR.

Ms Nana Rapava (Office of the Personal Data Protection Inspector, Georgia) led a group that discussed the role of data protection authorities and stressed that the output of the interaction could be summarised in two basic questions, one referring to why there was a general unpreparedness to deal with the GDPR when there was enough time to arrange the transition and the implementation of changes for the purpose of compliance, and the other referring to why data protection authorities, specifically speaking, were on the same page. The group also raised the question of whether the European Union has done a good job of explaining the GDPR to the world at large, noting that internal implementation teams at data protection authorities in many places still lack the expertise to work in the new model.

Ms Elena Plexida (Government and IGOs Engagement Senior Director, Internet Corporation for Assigned Names and Numbers (ICANN)) facilitated the group that went over the issue of the WHOIS service within the ICANN scope. She mentioned that it was important to clarify in the scope of this discussion that the service does not operate a centralised database, that the enforcement of ICANN contracts always faces a limit, which is national law, and that it is currently an open question whether the service as it is today still falls within the remit of ensuring DNS stability or whether it has simply, over time, become a different usage of the collected data. The group concluded that WHOIS is an important tool for the security and stability of the Internet, and as such there is a duty of care on the community to maintain it, while ensuring the right balance between privacy and security. The group also said that it was necessary to have a clear path with respect to the next steps, with ICANN steering the process.

Mr Tapani Tarvainen (Vice President, Electronic Frontier Finland) and Ms Ana Kapanadze (CEO, Privacy Logic Group) gathered a group to analyse the changes in the structure of consent, and explore the concept of explicit consent, the ways of demonstrating that consent was obtained, and what should be enough for information about consent to be considered intelligible and for the data subject to understand the whole process. They also questioned whether the new obligations meant that controllers and processors should become more precise about organisational and technical measures. They brought from the discussion the idea that the actual empowerment of the user vis-à-vis the new approach to the notion of consent is still highly uncertain and one of the main issues concerning the implementation of the GDPR. The group also highlighted that the identification of data subjects in general and the identification of minors in particular must be a serious concern. There is a fear that data controllers will not be able to consistently verify age; there is a perception that different age verification tools have failed because of a lack of public interest.

The discussions coordinated by Ms Martina Ferracane (PhD student, Hamburg University) focused on international data transfers. Ferracane reported that the group showed a concern that decisions regarding adequacy were still highly political; they were not sure whether this is a good thing. They pointed out that it is necessary to determine whether decisions that were implemented before the GDPR are still a basis for transferring data abroad until they are revised again by the European Commission. They raised issues concerning the adequacy of the protection of data which is brought inside the EU from countries which are outside of it. One further issue related to certification procedures and more specifically to how to keep certification a dynamic process, rather than a one-time achievement, after which companies could stop improving.

Finally, still reporting from a group that focused on international effects of the GDPR, Mr Peter Kimpian (National Expert, Data Protection Unit at the Council of Europe) mentioned that Convention 108 of the Council of Europe can bring an appropriate level of data protection, and that they are promoting it internationally as a binding instrument. He said that the GDPR is looked at as an external leg of the privacy acquis which also comprises the directive and case law. The group raised the issue of extraterritorial applicability and direct enforceability of the whole protective framework of the GDPR in countries which are not members of the EU but which are signatories to Convention 108. They noted that this is an open question, but argued that it could be important in bringing third countries closer to GDPR norms and the standards and mechanisms reflected in it.

To sum up, the moderator pointed out that, except for the broader question of why people in general are not yet ready for the GDPR, all the other questions and issues raised at the beginning of the session had been touched on and addressed, if not answered, in the group work and interactions.