Assistant European Data Protection Supervisor Wojciech Wiewiórowski will see the bloc move into a new era of data protection and privacy for all individuals within the European Union once the EU’s General Data Protection Regulation comes into force on May 25. Wiewiórowski, a lawyer by training with a doctorate in constitutional law, has had success in the private sector, academia, and in the public administration. Before becoming the Assistant EDPS, he also served as Inspector General for the Protection of Personal Data (Polish Data Protection Commissioner) between 2010 and 2014. In that capacity, he was also Vice Chair of the Article 29 Working Party.
New Europe’s editor, Alexandros Koronakis, recently sat down with Wiewiórowski to discuss data protection in the 21st century, and the challenges that lie ahead.
The GDPR is going to be fully applicable as of May 25. What will be the enforcement challenges in your view?
This is not a revolution. This is not something which never existed and now suddenly appears. The challenge that exists is the fact that, while under the directive, the implementation was the essence of the enforcement in certain countries. Now with the GDPR being a regulation, we want to create a system which works more or less the same in all of the countries in the European Union. That is a challenge because when you look at the practices of previous years of data protection and enforcement of data protection in Europe, you will find countries where sanctioning was the main way of enforcement but you will also find countries where there were no financial sanctions and fines at all.
We don’t want the previous situation where the entrepreneurs, and businesses in Europe would have to know 28 different systems and have to operate in 28 different jurisdictions, which differ not only by the authorities responsible, but also how the enforcement duties are implemented.
So, this full harmonization, or at least very deep harmonization is the biggest hope, but also the biggest challenge.
A hope for those who are defending fundamental rights because we want it to be effective.
A hope for those also who are working on the market who may not meet all the 28 different systems. But the challenge is that we somehow have to remember that the Irish approach to data protection is different than the German one and the Estonian approach to data protection is different than the Spanish one.
The GDPR will establish the EU Data Protection Board (EDPB), with the EDPS functioning as the secretariat of the board. How are you getting ready for this and how are you structuring it?
The EDPB as such is not that much different in its structure from the Article 29 Working Party. So far, it has been the Article 29 WP which consisted of all data protection authorities on a national level from all the countries of the European Union. Theoretically, when you look at the composition of the WP and the EDPB they seem to be the same, or almost the same.
There is one significant difference between these bodies though. While the Article 29 WP was an advisory body, the body that was supposed to help the other institutions in fulfilling the duties concerning data protection, the EDPB will start to be the real decision-making body that will have the real impact on what’s going on in the field. The Article 29 WP built its strength by the well-prepared opinions and its quite effective way of doing things.
The EDPS has a dual role in the EDPB. On one hand we are one of the members, so you have 28 members plus the EDPS as the 29th member. On the other hand, we are providing the secretariat. The challenge for us is to not mix these two roles. This requires changes in the structure of the EDPS.
Are you given additional resources to make it happen?
Yes, we have the possibility to add new resources but we have to remember what the size of the institution is. The EDPS is made up of about 70 people and is growing to about 90. But this is not 900 or 1500; in reality, there will be about 90 people working here and about 20 of them will work for the EDPB. At the same time, this growth is connected to other duties that we have gotten; for example, full supervision over Europol which was given to us in 2017.
Artificial Intelligence and autonomous cars are technologies undergoing rapid development. The GDPR should be tech neutral, but Article 22 on automated decision making raised criticism for hindering developments. What’s your take?
We do not want to ‘block’ anything because that is not what data protection is for. Even the directive from 1995 was a directive about protection of personal data and the free flow of this data. The free flow of data is also important for us.
I often compare it to maritime transport. We are dealing with similar issues: The people who want to cooperate with one another across borders and not be limited by the borders. We want to have passenger transport, but we don’t want to have human cargo. So, we don’t mind if the people are profiled. Profiling people is something which is the normal thing in the new economy and knowledge management. The question is whether the person wants to be profiled and if the person knows how they are being profiled. Now about autonomous cars: Actually, the biggest revolution is with connected cars. And that revolution is going on right now! The fact that the car can operate autonomously without a driver is a big challenge for the transportation systems and the rules of the road, but not necessarily for data protection. For data protection, it is more important that the car is actually the mobile device, like a mobile phone, that is sending the information to different stakeholders. Moreover, the car is interconnected with different other devices that you use.
When you want to synchronize your laptop or tablet with the computer inside the car, you have to remember what you are doing. Do you sync just the music you want to use in the car, or are you also transferring your information from your address book to the car? Then you have to think about the files that are appearing in the car. If you are a lawyer or a doctor, maybe this data is sensitive data for your customers and is not necessary for the car. So, the connected car is more revolutionary than the autonomous one. This is a challenge for data protection authorities because we have to understand how this all works.
Coming back to Article 22 and all the other articles accused of limiting the development, it is rather the way to civilize the development which will happen anyway. There are some borders we don’t want to cross. One of these is that there will be no situation where there is an automatic decision which you cannot protest against.
This is a red line for not just European lawyers, but European culture.
The global digital economy requires interoperability approaches for systems and convergence. If we look at privacy, what does this boil down to? Should everybody copy-paste the GDPR? Or is there room for alternatives?
The GDPR was devised in Europe. Even if Sweden and Italy or Portugal and Ireland don’t share the same legal traditions and culture, there is also a common background that we are coming from.
I am not saying that data protection regulation is the same, or will look the same in all places in the world. In the Japanese language, the word for “privacy” doesn’t exist, so it’s hard to say that everything will be observed by this culture; on the other hand, other aspects connected to intimacy are stronger there than in our cultures. So cultural differences exist.
I don’t want to say that the GDPR is something you can copy and paste and will work all over the world.
Just like with the American Constitution. There were countries in South America that copied the US constitution, but it didn’t work, because it was a different system. But, it is true that the GDPR has started to be a template for one of the solutions for the international and global partners. And we are happy about that.
I don’t think that in the foreseeable future we will have an international treaty covering all things connected to personal data.
What we have to remember, though, is that just 10 years ago, there were probably 50 countries around the world that had data protection laws, data protection authorities, and more or less a stable system of privacy protection. Now a typical horizontal data protection law exists in more than 120 countries and is becoming more popular.
Moreover, countries who were not thinking about data protection, have started to introduce such laws, or rethink whether this is part of their culture as well. In India for example, last year we had a significant judgment of their supreme court, which said that privacy is also a fundamental right according to the Indian constitution.
Global data flows are vital for the digital economy. The EU champions the adequacy model, while other countries look at cross-border privacy rules as a viable tool for data transfers. Now that the European Commission is negotiating with Japan and Korea, is this model sustainable considering that some major economies in the world will not catch up?
We have to remember there are several tools that are provided by the GDPR as far as the recognition of the system existing outside of Europe. Typical adequacy is only one of the tools. The classical decision of adequacy appeared not to be very popular. We had 13 countries and territories that had typical adequacy decisions that will also have to be reassessed under the new laws.
There are also other tools provided. These other tools were the specific adequacy decisions like the old Safe Harbor and the Privacy Shield at the moment, but also standard contractual clauses and binding corporate rules, which I would stress are beginning to be part of the background of European law at the moment.
The GDPR also says there are other tools like codes of conduct that may allow you to deal with international transfers.
I would love to have as many countries as possible with adequacy decisions across the world. But, as you said, not all of them are prepared to do so. Even some of them applying right now are saying: ‘This is not us applying to you; this a deal. We want to be adequate in Europe, but Europe wants to be adequate in our market as well.’ It is a deal and this is more or less what Japan said.
When we think about binding corporate rules like, for example, more flexible standards in the Asia-Pacific Economic Cooperation (APEC) regime, I may say that their goal is to create a system which may work under binding corporate rules (BCR) and be recognizable in other parts of the world. For example, the cross-border privacy rules (CBPR) which is the system for APEC countries. So you have one schema of cooperation that is described in BCR but can also serve as the background of certifications in different systems – as it is in the APEC region.
We have to remember the CBPR solutions are not as popular as they were expected to be. As far as I know there is only one company that is giving certifications in the USA. The only one in Japan has just lost the only certified company, and now Singapore is thinking about creating another certification body for CBPR.
I would be happy to have the development of other systems like the CBPR as long as there might be the same schema that works for both BCR and the solutions for other regimes.
ePrivacy was supposed to complement and specify the GDPR, but the text is still under scrutiny in the European Council and won’t see the light of day anytime soon. Critics say that the scope is too broad, especially when it comes to Machine to Machine. The EDPS was very vocal in the inclusion of the Internet of Things (IoT) – the network of physical devices, vehicles, home appliances and other items embedded with electronics, software, sensors, actuators, and connectivity. Is there a possible compromise?
I hope there is a possible compromise. There are several things which are important for EDPS but we know the market is discussing slightly different parts of ePrivacy as the most controversial ones. What is important for EDPS is the fact that the directive on ePrivacy was, so far, the only legal act of the European Union dealing with the confidentiality of communication. In our initial talks some years ago we said this confidentiality should be a part of the GDPR but there was a decision to make it in another legal document. It is not up to us to decide politically and formally.
I would love to have several parts of ePrivacy in place. Personally, I think the confidentiality of communication is the most important part of the story. Allow me not to speculate how long it will take to reach an agreement between the Council and the Parliament. We had the same story with the GDPR, which we expected to have in 2014, but took two more years for us to have the final text.
With the GDPR, there was no division in the Parliament. But with ePrivacy you can see the division is quite big. It is hard to say when we will have ePrivacy. Unfortunately, we will definitely not have it on 25 May 2018 as originally planned.
The GDPR takes into account several legal grounds for processing, while ePrivacy relies heavily on consent. Is this going to create some inconsistencies in the future EU privacy framework?
I would not call them inconsistencies, but it is definitely true that the consent plays a bigger role in ePrivacy regulation. We also have to remember the scope of the operations which we are dealing with in ePrivacy is a little bit smaller and more limited than it is with GDPR. I like the approach of the GDPR and I am happy that so many representatives of the market want to now defend the principles of GDPR because I remember five or six years ago them contesting the way the GDPR was approaching the subject. According to the GDPR there are six equal legal grounds for processing the data and consent is only one of those six.
Access to data by law enforcement authorities is recognized as a very complex issue that governments have yet to deal with without weakening encryption. The European Commission will soon publish its e-evidence proposal. Are you involved in these discussions? What is your view?
We are involved in this discussion but we are not responsible for the preparation of the proposal from the Commission. We have had several meetings with these Directorates-General – DG Justice and DG Home – that are preparing it. They were informing us more or less on which stage of the preparation they are at the moment. We very clearly distinguish the discussion about e-evidence from the discussion about the future of encryption. Although they are discussed at the same time on the political level, on the technical and legal level these are two different things.
E-evidence and cross border access to e-evidence is necessary in the single market. If you want to have a single market the access to electronic evidence has to exist. What we want to have is a situation where it is organized in a civilized way.
With encryption and the limits to all the crypto works, we are very skeptical and we don’t hide it. We don’t think that the weakening of encryption and the weakening of any kind of cybersecure solutions may help even the law enforcement authorities.
So big skepticism on all the attacks on encryption. At the same time, I am quite a big supporter of cross border access to electronic evidence. I was always of the opinion that the condition sine qua non for law enforcement authorities to have full access to the tools of the 21st century is to have the supervisory authorities over the law enforcement authorities. There has to be independent supervision of what is going on there. I’m not saying it is data protection authorities who should do that. But we should first of all have it, it should be effective and you should know who is doing it.
Right now, the situation all over Europe is completely different. You can see the results of the research by the Fundamental Rights Agency. Their second report, which they prepared this year, shows that the schemas of the supervision over law enforcement authorities are completely different in different countries of the European Union.
The EDPS will, for the first time, organise the Privacy Commissioner Conference in Brussels at the end of October. What are the expectations? Any insight on the programme?
The tradition of the Privacy Commissioner conferences started in the 80’s. The 40th edition is going to take place in Brussels. It is the first time it is organized by EDPS and the first time it is organized by the data protection authority which is not a national DPA, but which is the DPA of international organizations and international entities like the EU institutions.
There are two parts of this conference, as always. The first part is the closed part which is only for data protection authorities. There are two days of discussion between data protection authorities in private. The second part is open, where we invite representatives of academia, business, NGOs and everyone who can attend. It is a normal international conference.
The closed session, which is for the data protection authorities, is always focused on one subject. This topic will be decided by the data protection authorities themselves, but we are almost sure it will be connected with either artificial intelligence or topics relating to the new data mining techniques and big data. But, definitely artificial intelligence is something that is right now on the top of the discussion.
The EDPS is responsible for the open part of the conference and we decided ‘ethics’ should be the main topic. We chose this to depart from the typical compliance approach that the DPAs should have as supervisors of the market, and tried to also think about the ombudsman perspective they have. Also, we will discuss the position of those who should think not only in the perspective of one year, two years, or four years, but trying to find out how the world will operate in the future. That’s also why we decided to be much more open to the representatives of the other sectors of science. Not only the lawyers, not only the people connected to IT, but also those who know more about economics, about sociology, and about how society operates. Or, for example, also those who know about bioethics, about how the use of these techniques can be potentially good for the society while at the same time creating potential problems.