Greetings from Dublin!
It has been a busy few weeks for privacy practitioners in Ireland. First, there was a hugely successful data summit, hosted by the Irish government in the home of Irish sport: Croke Park.
The conference was opened by Data Protection Minister Pat Breen, followed closely by Minister for Communications, Climate Action and Environment Denis Naughten, who announced that he had just signed the EU NIS Directive into Irish law. For a variety of reasons, Ireland is fast becoming the global hub of data protection, and this conference was organized to explore some of the key issues around the role of data in an increasingly connected and digitized world, particularly the implications for regulation and privacy.
The Data Summit kicked off with an excellent first panel session, which was, for me, the highlight. The Data Protection Commission’s Dale Sunderland spoke on the balance between innovation and regulation and noted that “co-existence of both is necessary. Innovation must be people-centric with a 'do no harm' philosophy.” This idea of balance was a topic revisited in a number of sessions throughout the day.
Johnny Ryan, CPO at privacy-focused web browser Brave, announced that “there is a massive and systematic data breach at the heart of the behavioral advertising industry.” Brave has, with other providers, recently made a complaint to a number of EU supervisory authorities about the activities of search engines. Ryan’s enthusiasm for his subject was infectious, and he called upon regulators to apply the rules to the behavioral advertising industry, succinctly noting that, “GDPR adds teeth to the known rules,” a phrase that was later repeated by Andrea Jelinek, head of the EDPB. Jelinek noted that the EU-U.S. Privacy Shield is under review, but there have been no conclusive answers given to concerns raised by supervisory authorities. She was “hopeful” that answers would be given before the formal review 18-19 October. On the topic of GDPR, Julie Brill introduced Microsoft’s global privacy framework — largely reflecting GDPR principles. This gives strength to the view that Europe’s GDPR is fast becoming the world’s premier privacy framework.
Later in the week, IAPP members gathered in the beautiful surroundings of the Members Room of the RDS in Dublin for a breakfast KnowledgeNet, sponsored by Clearstream, with speakers from Clearstream and Spearline discussing vendor management and applying project management principles to privacy projects. I also took the opportunity to share some insights about the post-GDPR landscape, both as IAPP country leader and as a lawyer working with clients in my law firm. As IAPP country leader, I was delighted to announce that Irish IAPP membership has tripled in the past 12 months and that we are seeing a big rise in people achieving certification. With 44,000 members worldwide, these figures increase daily. As a lawyer in practice, we are seeing a huge increase in data breach reporting, with our firm advising on at least two breach incidents a week, as well as a significant rise in data subject access requests.
The hot topic since GDPR implementation has been enforcement — more particularly, who would be the first organizations to be audited by the DPC and who would be the first to be fined. The first question was answered earlier this summer when a number of local authorities were audited. The second question has not yet been answered as it takes time; an incident must have occurred after 25 May. The DPC must then undertake an investigation, make a finding, and apply an administrative fine. So, watch this space.
Finally, in breaking news, there was bad news for Facebook this week, following a data breach that impacted approximately 50 million data subjects, 10 percent of whom were based in the EU. As lead supervisory authority for Facebook under the GDPR, the DPC was notified of the breach and pronounced themselves “concerned” that the breach occurred Tuesday, but the office was notified potentially outside the GDPR's 72-hour time limit. The DPC also noted that the notification lacked detail. A formal investigation of Facebook was announced by the DPC’s office this week.
On reflection, and given the topic of balance, privacy pros haven’t seen much work-life balance in the past 12 months, and that seems unlikely to change in the short term. With a rapidly evolving post-GDPR landscape, there is a real need for more people to train as privacy pros. It’s up to us, the more seasoned members of the privacy community, to get our more junior team members trained and actively involved in our community. That way, we can see the community grow and thrive with new talent and enthusiasm and further “balance” can be found!