Poland is in the process of amending its 13-year-old data protection law. Inspector General for Personal Data Protection (GIODO) Wojciech Rafał Wiewiórowski, who was elected last July, spoke with the Privacy Advisor about the data protection challenges facing Poland, including the speed at which technology develops and the struggle to keep pace legislatively. Wiewiórowski says he envisions Poland playing a leading role in the changes to EU data protection laws and discusses the key issues filling his schedule at present, including working with stakeholders and government on the future implementation of the smart grid and working with the direct marketing industry on a best practices code.
Not the Wild West, but work to be done
Poland’s Data Protection Act has been in effect since 1997, which, Wiewiórowski says, gives Poland a 13-year foundation in data protection within a European context. “We are not the Wild West or the wild east as far as data protection is concerned,” he says. However, Wiewiórowski says the privacy laws used to govern the Internet are now outdated, and tools from the twentieth century are being applied to twenty-first century technologies, which he compares to trying to fit a square peg through a round hole. The law must catch up with advances in technology, he says, with an understanding that technology will continue to advance.
“That is the challenge for the legislature in Poland; that is the challenge for the lawmakers,” he says. “We know that even if we catch the things we want in 2010, in 2013 the world will once again look a bit different.”
Data sharing problematic
According to the commissioner, closing the gap between emerging technologies and legislation will require some significant work, as legislative action is at a nascent stage in Poland. In the meantime, there are existing problems to be resolved, such as the amount of data kept by Poland’s secret services and the electronic sharing of information through the
, which was passed last year by the European Council and establishes rules for cross-border sharing of police databases in the EU. He says that while European programs move toward electronic records on the basis of free data flow for all European countries, neither the legal nor the organizational environments in the EU are prepared.
“From the perspective of the police, this is very interesting and useful. But creating such a system for all 27 countries of the EU is quite a challenge for authorities because the authorities of one country will have access to very sensitive data that may be in the hands of another country in the EU. So we have to be careful to deal with it in the right manner,” he says. “For us, that’s a huge challenge.” Wiewiórowski adds that the new framework allows for much broader information sharing than the former framework, the Hague Programme, which expired in 2009.
New services such as Google’s Street View are also poised to create data protection and privacy problems in Poland’s near future. Warsaw Business Journal recently reported that Wiewiórowski is
the legality of the service, and the commissioner told the Privacy Advisor, “We are looking at the problems that have arisen in countries like France, Germany and the Czech Republic and are waiting for the problem in Poland. We’re trying to be prepared.”
Major changes expected to privacy law
Poland began amending its data protection law in 2009, and it is expected to be complete by the end of 2011. Wiewiórowski says the law aims to regulate more than is typically included in privacy law by adding sector-specific language, including that related to the medical and banking sectors and the new EU regulations on maritime passengers.
“There is huge work to be done in the next year and a half and then the legal procedure in parliament,” Wiewiórowski said. Noting Poland’s geographic size and that it is “quite a huge part of the European market,” he says he would like the nation to be one of the main actors in changes to data protection law across the European Union, which EU Commissioner Viviane Reding has said will be “significant.”
Best practices code
Wiewiórowski points to recent negotiations with the direct marketing industry as evidence that data protection authorities can work with industry to find solutions acceptable for both sides of the room.
“Cooperating with the direct marketing industry in Poland is one of our benchmark solutions,” Wiewiórowski says, adding that his office is promoting a best practices code to be implemented within the Chamber of Commerce and involving sector-specific organizations.
There have been ongoing problems with the direct marketing sector in Poland for the last 10 years, Wiewiórowski says, but they are meeting in the middle.
“We have proposed an ethical code and what the best practice code should look like,” he said. “We started a war with them 10 years ago, and now we have practical cooperation on a day-by-day basis. So this is the benchmark we give to other sectors. We say, listen, even with such a difficult sector like direct marketing, we can find good solutions that are acceptable both for them and the data protection authorities.”
Wiewiórowski said there are still complaints about the direct marketing industry, but it’s useful to show other industries the progress that’s been made on the best practices code in terms of how problems can be solved. He cites recent success working with the Catholic Church to create the best practice code “
.” Bishop Stanisław Budzik signed the guidelines, which explain obligations imposed on the data controller in pastoral work and note Internet risks.
“It may work. You can do it even with such a traditional sector like the Catholic Church,” Wiewiórowski says.
The smart grid
According to the commissioner, the smart grid is also a concern to be addressed. Grid adoption is about seven years away in Poland, and it is on Parliament’s radar, but Wiewiórowski says he’s concerned that various sectors, including lawyers and data protection professionals, don’t yet understand the ways the smart grid could affect them and the average citizen in the future. He says, however, that Poland has so far done a good job of involving data protection authorities early on in the smart grid planning stages, which pleasantly surprised him. “The data protection authorities have been invited to the discussion from the very beginning,” he said, allowing for privacy and data protection issues to be found early and solved “together, with the data protection authority, not against or apart from it.”