Privacy in Europe: GDPR vs. information freedom?

12 Jun 2020 11:30h - 13:00h

Event report

The session was moderated by Ms Marina Shentsova (Mercy Corps) and Mr Jörn Erbguth (Geneva Macro Labs), who introduced the discussion by asking whether the General Data Protection Regulation (GDPR) has an overreaching effect on information freedom.

Mr Robert Guerra (Privaterra) spoke about the issues that many civil society actors are facing in relation to information freedom. He explained that the values in cyberspace have evolved over time and incorporated the culture at the time of inception. Discussing the six phases of Internet history, Guerra highlighted that the fifth phase, from 2013-2018, was marked by strong concerns for human rights and online privacy. However, in the current phase, which started in 2018 and is still ongoing, national sovereignty and national firewalls have been the main concerns in policy debates. He also noted that the General Data Protection Regulation (GDPR) is based on the assumption of a functioning rule of law. However, Guerra however pointed to examples in Romania and Hungary where the GDPR has been invoked to shut down the publication of pieces of information. According to him, these examples revealed the extent to which laws are applied differently. As well, this fact shows the importance of striking a balance between the protection of privacy protection without limiting the right to freedom of expression and to the publication of information.

Mr Steve Crocker (Shinkuro, Inc) noted that a fresh look at the DNS Registration Data was needed after the WHOIS model failed to be harmonised and was eventually discarded, leading to the fall with the introduction of the GDPR. He highlighted the need to justify all collection of data or access to data, and that this is a basic principle for all privacy regimes. However, as Crocker explained, collection and access policies are often hierarchical, and it is often difficult to abide by the multitude of policies within national borders. He therefore predicted that the rush to a more nationally aligned cyberspace will only add to the complexity of regulation. He urged a re-evaluation of data to rethink registration data from the ground up in order to find better ways to collect and harmonise all the desired rules of the stakeholders in an effort to harmonize registration data requirements across jurisdictions. Crocker then introduced a model that provides a framework to rethink the way data is collected and accessed. The model includes the implementation of ‘clearing houses’ in which data requesters, collectors, and providers can determine what information may be requested. Additionally, the model will look to increase transparency of the process by providing a common, public common dictionary of data elements that will create a sensitivity for the type of data that is collected and/or shared.

Mr Andreas Maier (Head of Medical Reconstruction Group, Friedrich-Alexander-Universität Erlangen-Nürnberg) emphasised the importance of data for the development of artificial intelligence, but stressed the necessity of having access to high-quality data rather than just any vast amount of information. He explained that in the medical field, GDPR has an important role. In line with the protection of patients, data scientists gain access to relevant information through government-controlled databases, data donations, or auxiliary data sources. Maier noted that the GDPR sometimes is an obstacle to access of data, and that each of the data gathering methods has its own set of challenges ranging from the quality of data to the transferability of information onto other fields.

Ms Lilijana Pecova (CEO, IMPETUS) shared her experiences working with non-EU members that are part of the Council of Europe on privacy-related issues. She noted that while many of these states have mirrored GDPR-style privacy regulations, there are still major challenges on the implementation and enforcement level still exist. Pecova said that the issue in the region goes beyond the mere introduction of laws. The challenge is to achieve a broader understanding of the implications of privacy protection. According to Pecova, the lack of protection of medical data has become obvious in the current times of COVID-19, when information about individuals people who were in quarantine has been published online. These cases highlight the importance of striking a balance between the right of information and that of people’s privacy.