“A gear shift in the culture of data protection.”

European Data Protection Supervisor Giovanni Buttarelli on the evolution of GDPR and its fitness for purpose in a world of cross-border data flow

The GDPR reinforces a wide range of existing rights regarding digital data and establishes new ones.

Communication Director spoke to Giovanni Buttarelli, the European Data Protection Supervisor – who has been involved in the development of GDPR from the beginning – for his view on the evolution of the regulation, its fitness for purpose in a world of cross-border data flow, and whether it will help or hinder the development of innovative technology.

Interview by David Phillips

From your perspective, what’s new about the GDPR that makes it different from the Data Protection Directive which it replaces?

The GDPR represents a gear shift in the culture of data protection, and from our viewpoint, the merits of this legislation are not only about harmonising a framework which was lacking coherence and uniformity of approach across Europe; more significantly, the GDPR aims to produce a change in the way we conceive, dream of and speculate about an enforced set of data protection rules. I’ll focus on just two points of main innovations.

The first is the reinforcement of the subjects’ rights with new rights such as those on data portability, privacy by design and privacy by default. Second, and what is essential to me, is the cutting of red tape and focusing on more accountability for the operators. This is at the very centre of the reform.

We will treat data controllers as auditors. They will be required to better impact the data processing they engage in, and they will have much less need to go to national supervising authorities for general prior notification, and to wait for a reply. So they will carry responsibility for their operations and they will also benefit from the new data protection officers. We used to call him or her the ‘faithful guardian of compliance’.

Are you satisfied with the GDPR? Are there aspects where you feel it could have gone further?

As I’ve told everybody, the GDPR is not the best piece of legislation ever; we’ve known this since the very beginning. But when you compare it to the previous legal framework it marks a landmark advancement and its success will very much depend on a pragmatic approach. There are a few missing pieces of legislation – for example, the e-Privacy Regulation, which is key, but currently in the middle of a trade lock.

"The GDPR is not the best piece of legislation ever; we’ve known this since the very beginning."

The GDPR is much more technologically neutral and flexible. But flexibility doesn’t mean lowering safeguards, it means that instead of 25 new legislative rules to be adopted by delegated acts, we will benefit from guidelines to be adopted in consultations, in an inclusive way with data controllers and depending on real needs, and not in one shot.

An important feature of the GDPR is that it is extraterritorial. In a digital economy, how will companies based in the EU manage to stay competitive with markets outside the EU – and consequently enabling/benefiting from the free flow of data – while adhering to GDPR?

We should consider that first of all we are not speaking about EU citizens but about people in the EU, so the reform is to be applied to everyone regardless of his or her own nationality. In the digital environment, the notion of territoriality and borders is disappearing.

It doesn’t make sense to focus on where the company has its headquarters, its servers or its subsidiaries. What is essential is that you should focus on the place where the services are offered.

"In the digital environment, the notion of territoriality and borders is disappearing."

And there is no space for a divergent approach between European companies offering goods and services locally in the EU and people acting remotely. There is a concentration of markets in the hands of a few companies largely established outside the EU.

Do you foresee personal data issues becoming the subject of trade agreements?

About trade agreements, President Juncker has been very clear to say that these data protection and privacy rights are non-negotiable. I’m not excluding that certain trade agreements may focus on minor issues, such as those relating to trade secrets for instance, or to cloud computing service, but increasingly – and Microsoft’s case against the US department is a leading example – we need to have a global solution to important issues concerning, for example, access by law enforcement bodies, e-evidence and so on. These are not issues that can be unilaterally imposed by any one country.

What’s your impression of how US companies are dealing with GDPR?

I’m impressed by what I see. In 1998, when the First Directive was about to enter into force, everyone, but particularly in the US, was pushing for an extension, they were not ready, they were contesting the rules. But today we’ve received statements from giant companies that they are proudly ready to comply. My perception is that Europe has identified a good approach and therefore there is growing interest and awareness among US companies.

Of course some of them are not very well prepared, but I see more problems among small and medium enterprises, while for the giants there are in principle less strategic critical issues.

Do you believe that data protection has become an integral part of a company’s corporate social responsibility?

I do, because what we’re asking is to embed data protection in the day to day life of a company. We also focus on the reputational risk and liability of the company as a whole. Member states have a marginal manoeuvre in defining the relevant sanctions in addition to those identified in detail in the GDPR. The GDPR focuses on details of administrative pecuniary sanctions but it doesn’t say anything specific about corporate liability and penal responsibilities which are included in the law of many member states.

What I see is a trend where data protection is much less an issue to be – stupidly, in my view – delegated to IT people, to data protection officers or to the legal office, but is increasingly an issue which is relevant to top-level management. So I’m expecting more strategic implications in terms of allocation of resources to be dedicated to privacy impact assessment, and I’m expecting new approaches in terms of reporting lines.

"What I see is a trend where data protection is... increasingly an issue which is relevant to top-level management."

I would also stress that GDPR is not only a source of obligations and requirements. It is a business opportunity, because I see an unbelievable amount of market opportunities, particularly for European companies interested in developing apps for privacy by design, or privacy default software or codes of conduct, not to mention new professions such as those concerning data protection officers and coordinators, accreditation certification… I could continue.

In a hyper-connected, IoT world of exponentially growing innovation — especially AI and robotics — is GDPR really fit for purpose as a primary source of legislation on data privacy? How can we be sure that GDPR won’t hamper developments?

We don’t want to slow down innovation, we do not consider any technology as harmful as such, or that one technology can jeopardise individuals’ rights more than others. We try to anticipate the challenges and focus on future developments to empower distributors and designers, developers, producers – so everybody who is not under the lens of the GDPR, because GDPR is only applicable to data control. The most important point to me is that not everything which is technically feasible is also morally tenable.

There is an issue of sustainability from an ethical viewpoint and this relates to every kind of sector. The question is not the technology as such but how it is developed in practice.

Of the latest developments in the past few years – cloud computing, big data, PIMS, IoT, AI – which, in your opinion, has been the most ‘harmful’ from a data privacy perspective?

When I chaired the working group that drafted the first telecom directive, we were not prepared to apply it to the internet, which became reality a little bit later. We didn’t imagine the success of social networks, which brought a lot of problems from a data protection viewpoint. On the other hand we have been very timely in approaching issues such as internet of things.

The internet of things is still not a big reality and perhaps it will be replaced by something else, while for instance on drones we have been very successful and what is happening now on EU and national level is consistent with our input.

So I’m not scared of specific technologies. Of course, now the attention is on big data, on robotics, on artificial intelligence, but looking to the future gives you a lot of inspiration to be of help to society as a whole. Of course we are focussed on the present but if we want to be effective, attention should be paid to good innovation.

About the EDPS

The European Data Protection Supervisor is an independent supervisory authority whose primary objective is to ensure that European institutions and bodies respect the right to privacy and data protection when they process personal data and develop new policies. The EDPS also cooperates with other data protection authorities in order to promote a consistent approach to data protection throughout Europe. The main platform for cooperation is the Article 29 Data Protection Working Party. The EDPS takes part in the activities of the Working Party, which plays an important role in the uniform application of the Data Protection Directive and the superseding General Data Protection Regulation.

Giovanni Buttarelli

Giovanni Buttarelli has been assistant European Data Protection Supervisor since January 2009. He was appointed by a joint decision of the European Parliament and the Council of 14 January 2009 for a term of five years. Before entering his office, he was secretary general to the Italian Data Protection Authority since 1997. A member of the Italian judiciary, he has attended to many committees on data protection and related issues at international level.