TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Vestager from DPC: Enforcement critical to success of GDPR Related reading: US executive order will address brokers' sensitive data transfers to 'countries of concern'



Taking the keynote stage at the IAPP Data Protection Congress in Brussels, Belgium, Thursday morning, European Commission Executive Vice President-Designate Margrethe Vestager challenged the many privacy professionals in the room to work together in deciding the kind of world we want to live in and promised to contribute to that under the next European Commission. 

"You often hear that data is the new oil, and, of course, there's some truth to that. Oil transformed our economies and put so much more power in the hands of those who had it that it became impossible to compete in any other way," she said. That is also becoming true of today, because "with access to the right data, you get so much access and understanding, and it can be hard for others to compete without it." 

But the data-as-oil metaphor isn't completely on point, Vestager said, because data is richer than oil in that it defines who we are. "Controlling what happens with that data is a fundamental part of human freedom, and it always has been. Throughout our history, human beings have the right to decide what information we share about ourselves and with whom."

We define our relationships by the sorts of things we tell people and disapprove of those who betray confidences, Vestager said. We tell our priests, lawyers and doctors our intimate secrets, and they're bound by duties to keep those secrets. But when it comes to technology and the secrets they know about us, there are no values, there's no Hippocratic Oath.  

And that's dangerous because of the ways data is being mined about us every time we buy a product online or use social media to chat, when we maybe "tend to forget when it comes to the internet that data flows both ways. When we buy a product online, we share data about our interests. When we chat on social media, advertisers build profiles on us. Whenever we search Google, Google is also searching us.

"Not having control of our data makes us very vulnerable … it allows for them to manipulate us more," the commissioner said, adding that filters imposed by search engines and their advertisers "filter how we see the world to match what we've shown an interest in before," which makes it "even more difficult to stumble on new ideas that make us think and change and grow." 

And it's the significant risks to our humanity that make Vestager's job so important, she said. 

"Competition and competition policy have an important role to play ... because the idea of competition is to put consumers in control. For markets to serve consumers and not the other way around," she said, "it means if you don't like the deal we're getting, we can walk away and find something that meets our needs in a better way. And consumers can also use that power to demand something we really maybe care about, including maybe our privacy." 

But that only works when consumers have the ability to compare products and services, and "that can be difficult when companies are secretive about what they plan to do with our data. Strong privacy rules like the [EU General Data Protection Regulation] can help," she said, especially in telling consumers why data is being collected and what it's being used for, but "even then it's not easy for consumers to stay on top of the policies of the dozens of websites and apps we use every day." 

"But competition policy can never ever be the whole answer when it comes to making digitization work for everyone," Vestager said. "But we should never have to bargain for a fundamental standard of privacy, because we have a right for that to be respected." 

Vestager called on data protection authorities globally to have the appropriate power and resources to effectively enforce the rules. 

"Because we can't expect of each individual who just wants to read an interesting article to go through terms and conditions and catch if something's wrong. We need authorities, we need strong enforcement, because only then will the right to control your data become a reality in people's lives, and only then can we start to restore Europeans' trust in a digital world," the commissioner said. "So to tackle the challenges of a data-driven economy, we need both competition and privacy regulation, and we need strong enforcement in both. Neither of these two things can take the place of one another, but in the end, we're dealing with the same digital world. Privacy and competition are both fundamentally there for the same reason: to protect our rights as consumers." 

In the end, Vestager said, it's about working together.

"Digitization affects so many different paths of our lives that all our policies and actions are intertwined, and it’s only by taking a unified view that we can hope to face the challenges of the digital world. It’s vital we keep talking to one another about the things we have in common."

She said when the next European Commission comes into force, it will be her job "to do exactly that as executive vice president of Europe for the digital age. We need to make sure [artificial intelligence] systems respects people's privacy. As competition enforcers, if we find some businesses are using their control of data to deny people to compete, those companies might have to share data they hold in a way that's compliant with data protection rules."

Speaking of her late colleague, European Data Protection Supervisor Giovanni Buttarelli, who died in August, Vestager left privacy professionals with the message that if we work together in this time of fast and radical change, "we can achieve what he wanted to achieve, what he cherished. A digital future that works for humans." 

Photo by Paul Clarke

Credits: 1

Submit for CPEs

1 Comment

If you want to comment on this post, you need to login.

  • comment Giulio di Lernia • Nov 22, 2019
    Reading this article I felt quite disheartened. All these words of asking for more enforcement and about values seem to address the issue a very 'political' way -in the negative connotation of the term. The reality is that GDPR compliance is far from being a real thing: anyone can check how many fines have been given by the DPAs. A ridiculous number, considering that: "Studies have shown that just 20% of companies in the U.S., U.K., and EU are fully GDPR compliant. While over 50% say they’re in the implementation phase, there are still 30% of companies who haven’t taken any steps toward GDPR compliance." (Reference: 
    GDPR has been proposed nearly four years ago and went effective more than a year ago. What I see, in my personal experience and on the news is not much compliance and counterintuitively, no much fines as well.
    GDPR risks to become -if it is not already- a barking rights’ watchdog without teeth.
    Going deeper in the matter, GDPR will need to be linked to more specific obligations, rather than generic "Technical and organisational measures" , cited in Art. 5, 25, 28 and 32, which, in fact, mean near-to nothing. 
    Art. 32: "The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk". 
    The critical point here is the word ‘appropriate’: who decides what is ‘appropriate’? It seems that the company itself will decide it. 
    I would not focus now on ‘organisational measures’, as that would require a more organic discussion than just this post.
    I would like instead to discuss the ‘Technical measures’: those are the main focus for Information Security. 
    The 'real' Data Protection lies, in a considerable measure, within the Information Security realm. 
    GDPR was not wanted to be linked to ISO 27001. On the other hand, some DPAs (e.g.: ICO UK) launched a GDPR certification scheme (for voluntary certification), but..
    There is not a mandatory minimum set of Information Security requirements to be compliant.  At today, it seems that the 'appropriateness' of technical measures relies entirely on single companies to decide. It’s basically a gamble for CEOs: spending money for improving Information Security (sure spend) or saving them by accepting the (remote) risk of a DPA reprimand (quite unlikely to be ending in a significant fine).
    “To invest in InfoSec , or not to spend. That is the question:
    Whether 'tis nobler for the budget to suffer
    The slings and arrows of the outrageous security invoices,
    Or to take arms against a sea of DPA warning papers,
    And by a good lawyer oppose them? To spend today. To risk a fine tomorrow, ..Or never. “ – William SecOpspears, CISSP
    Many companies seem to have already found an answer to this Hamletic doubt.
    Will the new commission just sit and enjoy the show? Or take action with a legislative act establishing Information Security minimal requirements?
    Will GDPR be a success without defining specific InfoSec parameters?
    The arduous judgement is left to posterity.