GDPR implementation: Blind spots, opportunities, and the way forward

19 Jun 2019 14:00h - 15:30h

Event report

[Read more session reports and live updates from the EuroDig 2019]

The session was moderated by Ms Collin Kurre (Digital Programme Officer, Article 19) and Ms Veszna Wessenauer (Research Analyst, Ranking Digital Rights) and addressed the effectiveness and application of the EU General Data Protection Regulation (GDPR) to different technologies in European and non-European countries.

Ms Elena Plexida (Senior Director, Government and IGO Engagement, Internet Corporation for Assigned Names and Numbers (ICANN)) mentioned that one of the main challenges regarding the implementation of the GDPR by ICANN concerns the distinction of natural and legal persons because there are millions of registrations that do not differentiate that status of the registrant. Another challenge concerns disclosure because a lot of jurisdictions around the world are involved and they require a different legal basis for disclosure of the process of personal data. Moreover, another challenge regards the international transfer of data. The tools the GDPR offers to regulate international data transfers seems to be adapted to the European situation and not to a global system, such as the Domain Name System (DNS). Plexida pointed out that the GDPR was made for platforms that commercialise private data; it does not fit the DNS, because, first, there is no single database with domain names registration data, and second, this data is collected and processed by different contracted parties.

Mr Lars Steffen (Director, Eco International) stressed that the GDPR’s main purpose is to start a cultural shift and make people aware that privacy is a fundamental value. The GDPR came to harmonise data protection in the EU and enforce privacy rights. Businesses recognise its importance in the current data-driven economy, but there is still some legal uncertainty around it. A standard interpretation of the GDPR should be suitable for companies’ activities. More guidance is also required from data protection authorities.

Ms Marianne Franklin (Professor, Goldsmiths University of London, Internet Rights & Principles Coalition) underlined that the GDPR aims at multiple actors and should take into consideration vulnerable groups, such as university and school students, patients, and refugees. Even if the GDPR represents a global standard on privacy, it is not enough to address the excessive collection of data. Citizens should be offered minimum training at schools, universities, and hospitals to understand the impact of the collection of personal data.

Mr Diego Naranjo (Senior Policy Advisor, European Digital Rights (EDRi)) affirmed that a way to measure the impact of the GDPR is by requiring from the data protection authorities (DPAs) the number of cases they receive and the fines implemented. Naranjo noted that there seems to be a lack of interaction between the DPAs. Moreover, small and medium-sized enterprises (SMEs), nongovernmental organisations (NGOs), and associations need more support to implement the regulation. His organisation receives dozens of requests from these groups requiring free workshops. The DPAs need to assist better these groups that want to properly implement the regulation but lack the right resources for doing it. Naranjo was also astonished by the fact that the Irish DPA had no complaint in the last year, considering that Ireland is the country where many online companies are hosted.

Mr Christoph Steck (Director of Public Policy & Internet, Telefónica) emphasised that, in terms of impact, the GDPR makes people more aware of privacy rights. There is a major compliance effort with more than 500 000 data protection officers in Europe that aim to guarantee privacy. Companies have increasingly invested in privacy departments. Another impact of the regulation is its global application by international companies. Telefónica, for instance, does not want to treat its clients’ privacy differently in the several countries it operates outside of the EU. As a result, the regulation has served as a privacy standard for the company internationally.

Mr Raphael Beauregard-Lacroix (Researcher, University of Michigan) stressed that data privacy goes beyond the individual and it is a collective problem. Generally, individuals have a limited understanding of how their data is used by public and private entities. In that sense, consent is a limited to tool to make citizens aware of their data usage.

Mr Peter Kimpian (Data Protection Unit, Council of Europe (CoE)) addressed the fragmentation of privacy rights. The Convention 108 has offered, for a long time, a response to collective privacy challenges. Since 1980, the Convention has provided a framework to deal with privacy and personal data. Since then, the Convention has offered a bridge between European countries and the rest of the world. It has also influenced the regulation of data protection within the EU. When talking about data protection, the impact of the CoE should be not neglected, especially because the conventions on privacy rights cover areas that the GDPR does not cover and that they reach countries that are outside the EU jurisdiction.

Ms Meri Kujxhija (Head of the Legislation Sector, Albanian Information and Data Protection Commissioner’s Office) emphasised that the GDPR offers two challenges to non-EU countries: first, the harmonisation with the EU law, second, the impact on the private companies that process EU citizens’ personal data. Kujxhija commented that Albania has amended its privacy regulation that will be entirely implemented by the end of 2020.

Kurre concluded by saying that more transparency about the GDPR’s application and remedies is required. Codes of conduct could be a solution for clarifying the purposes and application of the regulation.

By Ana Maria Corrêa