The Data Protection Officers in Wonderland
With every passing month, the General Data Protection Regulation 2016/679 gathers additional momentum. However, although less than six months have passed since 25 May 2018, when the GDPR came into effect, many data breaches have occurred and many debates on its correct implementation are still taking place Europe-wide.
In reality, all sector stakeholders, including the EU bodies, national regulators, supervisory authorities, professional associations, controller/processor organizations and citizens, are concerned, each for different reasons, about the GDPR’s correct implementation. So far, the European Data Protection Board (formerly the Art. 29 WP), an independent body which unites the European Data Protection Authorities, provides general guidance to promote a common understanding of European data protection laws.
Diverging GDPR national implementing laws
In the meantime, most EU member states have published national laws implementing the GDPR’s “open” provisions, which are subject to national interpretation. As a result, diverging national privacy rules on specific issues have come into effect in various jurisdictions.
Those rules refer, inter alia, to issues such as the age of “digital” consent (set between 13 and 16 years by national privacy laws), to the conditions for DPO appointment (mandatory in Germany for controllers employing ten permanent employees engaged in data processing activities), to the rights of employees, as well as to the processing conditions for biometric, genetic and judicial data (which in Italy is considered legitimate if the relevant data are encrypted and sufficient security guarantees are provided to data subjects).
In line with the GDPR, national privacy laws also provide for limitations of the data subjects’ rights on various grounds (national security, defense, legal claims etc.). For example, in France the right of access to records related to national security is conditional on prior authorization by the Council of State.
Equally, in some countries (Austria, Finland) insurance companies are allowed to process data on criminal convictions on the basis of their legitimate interests as controllers. In other jurisdictions (e.g. Denmark, Ireland) protective clauses have been introduced for public bodies and small and medium enterprises. In this regard, a prior warning has to be issued by the privacy regulator before fines are imposed on SMEs in Hungary, while the maximum pecuniary fines that may be imposed on non-profit public bodies are capped at €200,000 in Cyprus. Moreover, there are variations as regards the cases in which a DPIA is mandatory. National privacy laws also contain clauses on the civil and penal liability of controllers and processors who file false declarations or prove unwilling to cooperate with the Supervisory Authority.
The likely impact of diverging privacy laws
The GDPR deliberately leaves a margin for national interpretation, taking into account national interests, legal traditions and specificities. As a result, national “escape clauses” on the age of minors’ digital consent, special categories of data, profiling, “high risk” activities, DPO appointment conditions, data transfers based on public interest, fines, labor relations, professional secrecy and national identity cards are perfectly in line with the GDPR.
However, in practice, such national variations will require particular attention by Privacy Authorities handling cross-border complaints. Concretely speaking, a particular act of a multinational controller denying data subjects their right of access to the data may prove punishable in one jurisdiction and GDPR-compliant in another. Similarly, a 13-year-old child may validly consent to an online service offered in his home country (e.g. Belgium) while requiring parental consent when buying goods through the same online shop while travelling to a neighboring country (e.g. Luxembourg).
Sharp increase of GDPR complaints
From a quantitative viewpoint, according to the data published by the supervisory authorities, there has been a sharp increase in the number of post-GDPR national and cross-border complaints (exceeding 200 in November 2018). In this regard, France’s CNIL recently announced that it has received 3,767 complaints since 25 May, when the GDPR came into force, which represents a significant 64% increase from the 2,294 complaints received over the same period of the previous year.
Data from the UK’s Information Commissioner’s Office (ICO) also show a big rise in privacy complaints since the new regulation came into force, with 6,281 complaints filed between 25 May and 3 July, more than double the 2,417 complaints lodged during the same period a year earlier. Similar increases were registered in Ireland, with 1,184 data breach reports in the two months after the GDPR took effect. The same increase in the number of complaints appears to exist in all EU member states.
Fines for pre-GDPR and post-GDPR breaches
Recently, Privacy Authorities announced fines for GDPR breaches that occurred under the old regime (e.g. the ICO imposed fines of £500,000 on Facebook/Cambridge Analytica and on Equifax, which is the maximum fine under the UK Data Protection Act 1998). In the same direction, the CNPD in Portugal fined a public hospital €400,000 for alleged violations of the GDPR data processing principles resulting from unauthorized third-party access to patient data.
In November 2018, a German (Baden-Württemberg) privacy regulator fined a firm just €20,000 after a hacker stole unencrypted data on hundreds of thousands of customers of a local chat app. Supervisory authorities are currently investigating major post-GDPR data breaches and collective complaints lodged by privacy activist organizations (Noyb, La Quadrature du Net) on behalf of consumers, as provided for by the GDPR and national law.
Pending complaints in Austria, Belgium, France, Germany and Ireland allege invalid consent collection practices applied by social networks (Facebook, LinkedIn) and tech giants (Amazon, Apple, Instagram, Google). Finally, the first court decisions on the predominantly legal qualifications of the DPO, as opposed to ISO 27001 auditing and information security qualifications, have been issued (Friuli Venezia Giulia court case 135/2018 in Italy).
Areas of ambiguity
Despite the global interest in the GDPR, many ambiguities persist around questions such as what data needs to be protected, how privacy by design and by default can be implemented, whether the appointment of a DPO is necessary, who can be appointed to this position and what his/her necessary professional qualifications, certifications and liabilities are.
Other alleged loopholes relate to the applicability of the GDPR to controllers located outside the EU "offering" goods or services to EU citizens, to data losing GDPR protection, including “inferred data”, namely data not directly collected from the data subjects, such as web searches, playlists and online preferences (the so-called “invisible” data chains), to the exact definition of the "legitimate interests" of the controller, and so on.
Big challenges for data protection officers
In view of the recent global data breaches in social media and the numerous hacking cases involving airline payment systems, ticketing platforms, genetic data sites, connected cars, telecom operators, hotel billing systems, insurance companies and fitness apps downloaded on smartphones, data controllers and their DPOs in Europe are expected to face significant challenges.
Since most of them inevitably have limited practical experience in their new role, they need continuous assistance and advice on how to fulfill their demanding tasks. Data breach notifications, managing privacy policies, handling consumer complaints and representing clients before the supervisory authorities are only part of their obligations.
The emerging convergence between broadband platforms, IoT, cloud computing, surveillance technologies with increased tracking capabilities, drones, facial recognition and blockchain transactions, where it is hard to define the controller and processor roles since all parties access the same database, raises new privacy risks and requires concerted action to address the issues at stake.
The DPO skills and qualifications
Regardless of their background and of whether their designation is mandatory or voluntary, DPOs, whether natural persons or legal entities, have the same responsibilities under the GDPR. In order to properly fulfill their mission, they should possess skills from various disciplines such as law, technology, IT, auditing and information security.
The DPO should be able to understand key data protection concepts, principles and obligations, together with the role and actions of the EDPS and the data protection authorities. They should be able to manage the applicable cyber-security tools, provide guidance to the board of directors and staff, perform audits and reporting, implement data processing agreements, liaise with the CISO and the IT, marketing and sales departments, and manage third-party risk through an adequate budget and resources for privacy, security and training.
All those monitoring activities should be exercised while avoiding conflicts of interest and acting under conditions of guaranteed professional independence. In view of the increased GDPR requirements, the DPO would appear to be a fictional creature, a mythological beast known in Greek mythology as the “Centaurus”: half-man, to rationally implement and monitor compliance, and half-horse, to kick hackers and privacy infringers away from any organization.
Monitoring privacy risks
The risky operational and technological environment requires DPOs to be able to conduct privacy impact assessments, handle data subjects’ requests, ensure effective data governance, mitigate enterprise risk, monitor compliance and cooperate effectively with the supervisory authority, while limiting their exposure to professional and personal liability.
To this end, privacy professionals should constantly increase their technical and legal understanding and awareness, improve their skills and benefit from continuous training and voluntary professional certification. Some EU countries (Spain, France) have already proposed accreditation requirements that certification bodies must meet, together with voluntary DPO certification schemes, as a way of demonstrating compliance with the GDPR in line with the accountability principle.
Gaining and maintaining cross-sector expertise is crucial but perhaps not sufficient, since privacy professionals appointed to this role need to apply not only the GDPR but also multiple sector-specific regulatory frameworks (business compliance, codes of conduct, health and safety regulations, standards, clinical trials, anti-bribery and money laundering legislation etc.).
Personal lessons learned as national and European regulator
According to the institutional design of articles 37-39 of the GDPR, the data protection officer has to be independent while engaged by an organisation either as an internal employee or as an external advisor under a service contract.
DPOs must oversee security in cooperation with the CISO, but also evaluate the security measures without entering into conflicts of interest. By the same token, the DPO should be the interface between the organisation and the Supervisory Authority while interacting in simple language with citizens and data subjects. In other words, Data Protection Officers should be trained to manage complexity.
Managing complexity has been a permanent challenge for me as a national and European electronic communications regulator, safeguarding the principles of independence, transparency and accountability. On the one hand, as President of the Hellenic Telecommunications and Post Commission (EETT) (2009-2013) and 2013 Chair of BEREC, the Body of European Regulators for Electronic Communications, established by Regulation (EC) No 1211/2009, I had the chance to be deeply involved in policy making while monitoring the application of the EU regulatory framework in the respective sectors.
Throughout this process I learned that effectively accomplishing this mission relies on the regulator’s vision, strategy, administrative support, quality of staff, communication tools and financial capabilities. In the same direction, the newly established European Data Protection Board (EDPB) is expected to provide guidance, disseminate best practices and gradually gain broad experience and wide stakeholder recognition.
In the years to come the EDPB shall gather national expertise and is expected to play in the privacy sector a role similar to the one BEREC plays in the electronic communications sector. In this process, time is of the essence, since BEREC benefited from the experience gained by its predecessor, the European Regulators Group for electronic communications networks and services, which had been established as an advisory group to the Commission in 2002.
Personal lessons learned as communications attorney and privacy professional
On the other hand, my current activity as a privacy advisor, communications attorney and university professor has convinced me that undertaking the DPO role requires a set of combined skills together with coordinated teamwork.
Our consulting company, Telecom Experts, which possesses legal, security, business and risk expertise, apart from acting as a DPO training vehicle (in view of their certification under ISO 17024 by ESYD, the Greek Council of Accreditation), has successfully accomplished several GDPR compliance projects in various sectors in Greece (academia, industry, infrastructure providers, electronic payments, healthcare, pharmaceuticals, transport, tourism, retail etc.). We have subsequently been nominated before the Greek Privacy Authority as DPOs of various clients from the above sectors.
In our understanding, although each sector has its specific market, technological and business requirements, DPOs in practice face similar issues and have similar concerns, which they definitely cannot face alone. Obviously, the intensity of the issues at stake for DPOs, whether internal (employees) or external (on a service contract), natural persons (lawyers, auditors, compliance officers, IT experts) or legal entities (law firms, security advisors), varies greatly per sector. For instance, the compliance risks are in theory greater in the context of public authorities and large-scale controllers and processors performing systematic monitoring of data subjects or processing criminal convictions, as compared to voluntarily designated DPOs in the less risky activities of smaller entities.
DPO coverage for professional liability is necessary
However, under the GDPR, any processing operation may be scrutinized by the Supervisory Authorities either ipso jure or following a data subject’s complaint. Data breach notifications, client representation in data breach cases during open-ended investigations and administrative hearings, and communication with the data subjects are definitely not easy tasks. Furthermore, in many breach cases, investigations may result in findings of GDPR violations and turnover-based fines against controllers and processors.
Any administrative fines imposed may in turn generate civil and penal liability for the client. In view of the significant financial penalties involved, the management of the controller or processor organization may not be prevented from pursuing the DPO for malpractice, fault or negligence. This may happen despite the guidance provided by the Article 29 WP, which excludes the DPO’s personal liability. In fact, many national laws implementing the GDPR contain provisions which may entail civil and criminal liability of the controller or the processor.
For instance, personal liability may be engaged when the controller or processor does not cooperate with the supervisory authority or does not perform a DPIA where required. In this regard, it is crucial for DPOs, as independent officials, to benefit from adequate directors and officers (D&O) liability coverage, which is contingent on the level of their position within a company or organisation.
The creation of the Panhellenic DPO Network
For those reasons, and in order to face those common challenges from a national perspective, we have created the “Panhellenic Network of Professional Data Protection Officers” as an independent non-profit body in Greece. As described in the DPO Network statutes, published on our website (https://www.dponetwork.gr/), our goal is to create a permanent professional forum between peers.
Our institutional body will promote dialogue with the State, the Supervisory Authorities, other European privacy professional associations, EU bodies, controllers, processors and data subjects. We will also enable networking and voluntary certification, while providing continuous DPO support and representation, together with training and dissemination of international best practices (e.g. privacy risk assessment, handling data subjects’ requests, reporting data breaches etc.).
We maintain that shaping this new DPO profession in the spirit of the GDPR and promoting European harmonized certification schemes requires a coordinated interdisciplinary approach between all sector stakeholders. In this perspective, our DPO Network founding members comprise a team of lawyers, university professors, auditors, IT experts, risk analysts and policymakers devising regulatory frameworks for privacy in the converged audio-communications sector.
DPO Network members may become, upon approval of their CV by a scientific committee, qualified DPOs, natural or legal persons already employed in this task or seeking to be employed in the public or private sector in Greece and internationally. All members pay an annual financial contribution to cover our operating expenses.
The DPO Network vision and activities
Our annual work plan, to be voted on by members at the next DPO Network plenary meeting, comprises a set of themes which cover all the main concerns of this new profession (data breach notifications, liability insurance, voluntary certification, DPIAs, audits, privacy hearing simulations, security requirements, pseudonymisation/anonymisation techniques, use of Governance, Risk and Compliance tools etc.).
The most relevant subjects selected by our members shall be analyzed by expert working groups through role play, group exercises, thematic seminars and specialized lectures by widely recognised privacy professionals. The results of our joint work shall be presented during our regular meetings. To further increase our practical understanding of the sector, IT and security experts will present detailed answers to our members' questions related to data protection and security.
As Panhellenic DPO Network Chair, I am committed to working hard, together with my colleagues and all sector stakeholders, towards achieving our common goals. My vision is that our network will play an important role in facilitating the adoption of a more citizen-centric, business-friendly, cost-effective and privacy-protective regulatory paradigm in our country. In this context, the role of the DPO can be pivotal in creating a data protection culture in the European digital economy and society, while safeguarding the privacy rights enshrined in International Treaties and national Constitutions around the globe.