It has been a busy couple of days for David Stevens. His last day as the data protection officer at market research company Nielsen was April 23. On the 24th, he became chairman of the newly formed Belgian Data Protection Authority.
The new office, representing a small country of just 11.3 million, presents an opportunity for the DPA to establish itself in the European regulatory scheme. And while it may be a small country, its size isn't proportional to its importance, Stevens said.
"We have always been one of the pioneers in European integration. Why? We are so small, everybody crosses our country. We are a blend of many languages and cultures and the capital of Europe in a way. And I think with the [EU General Data Protection Regulation], it foresees a framework to work together to consult and collaborate between regulatory authorities of the different member states. And so I think the challenge is to effectively do that," Stevens said.
The new office is a result of the GDPR's mandate that each member state have an official data protection authority with real enforcement powers.
The old commission was mainly an advisory, judicial body, Stevens explained. Now, it's officially moving away from that and "toward being a modern regulatory authority."
Though this transition will surely require new skills, Stevens and his board of five full-time directors are likely to retain the staff from the former Privacy Commission, comprising 60 to 70 full-time staffers.
Stevens, who spent 15 years pursuing his academic degrees before becoming a data protection officer for Telenet and then Nielsen, acknowledged that the early days will be spent getting the office operationalized. But he also said the timing of its birth is significant. One year into the post-GDPR era, privacy authorities are still getting a feel for how to interact not only with each other, but also with those whom they regulate.
"I think we are almost all agreed that it's a critical moment for the application and the implementation for GDPR," he said. "Not only for the one-stop-shop. ... But we're also at a critical moment in the relationship towards the industry," which is asking for more guidance.
The transition from DPO to DPA is an interesting one and perhaps indicative of what could become an ongoing trend given the massive proliferation of DPOs under the GDPR. Could a career path as a DPO be the kind of training wheels future DPAs could use to be effective regulators?
That remains to be seen; it's early days. But Stevens himself acknowledges that his resume gave him the expertise needed to get the job done, not to mention landing him the job in the first place.
"Moving from private sector to regulator, I really believe I can bring a lot of added value to the role," Stevens said. "It has been really interesting to learn about the enforcement actions and priorities about the different EU regulators, and potentially even more to learn how companies deal with privacy, the risk assessments they make, the investments, etc. These functions also enabled me to establish a very broad network of privacy professionals, which I'm sure will remain valuable being a regulator."
That said, Stevens is eager to discuss with his new colleagues just what kind of approach to take.
"We need to make up our minds to see how to apply [the GDPR], because if we apply it to the full and to the letter, we could easily kill a lot of data processing going on, and that's not the objective." Rather, he thinks the right approach is to protect citizens' privacy strategically, without severely and detrimentally increasing the cost of compliance for businesses.
"If we do that, we really are serving our citizens," he said. "Privacy clearly is a fundamental right, and it's a fundamental right under pressure. At least in Europe, we are quite clear on that."
But the fact that privacy is at risk doesn't mean Stevens plans to come out hard and fast with heavy penalties for noncompliant players.
"Imposing fines is not our primary objective," he said. "We'd rather have companies and authorities comply with the GDPR. But when it is needed, we will not hesitate to effectively enforce."
It's perhaps his experience in the private sector that gives him a sense of restraint. There's a risk, Stevens noted, in regulating too stringently or preemptively technologies that ultimately benefit users' lives.
Twenty-five years ago, he explained, if you'd asked people if they wanted a mobile phone that would make them reachable at any moment, they would have said, "'No, I don't need that. I have one at home; I have one at the office. And, if I'm very well established, I have one in my car.' That's an indication to me that we need some sort of openness toward new technologies and new solutions. They do give us opportunities we didn't have before, but they need to be interpreted in a way that also safeguards or protects privacy."
In his approach as a regulator, Stevens wants to be "young, flexible, dynamic. We want to be open and listen to public and private actors," he said.
However, that doesn't mean he won't enforce the law or impose penalties against bad actors when they're due. He's not suggesting that companies under his jurisdiction have some sort of free pass. Having been a DPO, he understands that a company's healthy fear of being handed a fine can be an important deterrent.
"I think no authority is being considered serious if they don't effectively enforce. So, yes, there will be fines," he said. "[But] there will be fines for an obvious reason, and not because, given the lack of clarity, somebody misinterpreted or misjudged something, but because there still are companies who really didn't do anything or a lot in order to become compliant with the GDPR."
For example, take two similar companies side by side, both of which have had a breach. One made a genuine effort to document its processing activities: it has a DPO, it invested resources in a privacy management tool or framework, and it has a privacy program. The other has done very little. The enforcement approach is probably not going to be the same for both.
"We are humans," he said. "I mean if one of my children has been naughty and they didn't do it willingly, then I'm probably more flexible than if they very well knew they couldn't do it and still did it anyway. So companies need to themselves organize to make sure they are compliant with GDPR and national implementations, and they shouldn't wait for the authority to tell them what they need to do or cannot do. They also have a responsibility to come to informed judgments on what they need to do and how they need to comply."
After all, companies generally have more resources to comply with the law than DPAs have resources to enforce it, Stevens said.
He points to a case dating back to 2015 as a good example of Belgium stepping up and flexing its regulatory muscle. Remember, this was well before the EU General Data Protection Regulation came into effect. Belgium's then–Privacy Commission took Facebook to task for allegedly illegally collecting the personal data of Belgian citizens, including those who weren't users of the social networking giant.
The Facebook case was referred to the Brussels commercial court in 2015 because the company and the privacy commission couldn't come to a resolution. While a court in 2018 said Facebook had to stop collecting the data and delete what it had already collected, Facebook appealed the case. Now, in the coming days, the appeals court will rule on whether the privacy commission was competent from a territorial perspective: That is, did the commission have the authority to make decisions about Facebook? Or should Ireland, where Facebook's European headquarters is located, have had jurisdiction? This was pre-one-stop-shop, you'll remember.
Stevens said investigations such as that are the kind he looks forward to doing more of, and more efficiently, at the European level. He expects not only significant collaboration among member states on the pressing privacy issues of the day, but also increasing global cooperation in the future.
"And even if we don't all have the same view or interpretation and have some difficulties in reaching a consensus," he said of his European co-regulators, "well, that's Europe, that's how it works."