Giovanni Buttarelli discusses his role as the European Data Protection Supervisor, getting valid consent under the GDPR, and why the Privacy Shield may only be a short-to-mid-term solution.
Thomson Reuters senior associate editor of privacy and data security, Melissa Sachs, spoke with Giovanni Buttarelli about his office’s role in the new data protection framework with the General Data Protection Regulation (GDPR), how regulators should tackle fake news, privacy by design principles, and why the Privacy Shield may only be a short-to-mid-term solution.
MELISSA SACHS: Can you give a little background about your role as the European Data Protection Supervisor (EDPS)? What is your role with the Article 29 Data Protection Working Party (WP29), and what will be your role with the European Data Protection Board (EDPB)?
GIOVANNI BUTTARELLI: My office serves as an ambassador on EU privacy and data protection. We are an independent data protection authority that enforces and monitors small, medium, and large-scale personal data processing. We advise on data protection issues in proposals for new legislation and policy developments. In a similar role, we serve as amicus curiae, or friend of the court, to the Court of Justice, the EU’s highest court, on these issues. We work with member states and sister authorities.
Recently, I attended the last meeting of the WP29, where we talked about promoting uniform application of the GDPR, which takes effect May 25. My office will provide the secretariat to the EDPB, which has decision-making authority to ensure consistency and one-stop shop mechanisms.
Another role my office serves is to offer analytical, logistical, and day-to-day support to ensure safe communications between members and with other institutions. We follow up, and draft publications, decisions, and opinions.
SACHS: What do you think is the role of your office in regulating online manipulation and personal data, especially when it comes to political campaigns?
BUTTARELLI: At the G7 summit last year, I gave a talk on fake news and how data protection authorities need to be competent in this area.
Right now, we have a new generation of processing activities. Organizations are intensively collecting data from Bluetooth-connected keyboards, dictation systems, Wi-Fi, and machine-to-machine exchanges of information.
At the same time, organizations increasingly share data with third parties and keep this practice entirely hidden from and unknown to data subjects. We need to address this to adhere to principles of equality and democracy. This is an issue for the 2018 mid-terms in the U.S. and the EU elections in 2019.
In our March 19 EDPS Opinion on online manipulation and personal data, we make an appeal for working less in silos to address this problem. For example, “fake news” raises consumer protection and antitrust issues in addition to data protection and privacy issues. We, as regulators, need to synchronize our actions and cooperate to address this problem.
SACHS: Did you have any major takeaways from Mark Zuckerberg’s testimony before the U.S. Congress? A March 21 article reported that you called this “the scandal of the century.” Why is that and what actions do you want to see from Facebook before the end of 2018?
BUTTARELLI: To say sorry is not enough. In the EU, we do not consider what happened a mistake or misunderstanding or even a surprise, but as a symptom of a standard and predominant business model that extends to data brokers, data firms and other new organizations.
The reason I speak of these revelations as a scandal is because these revelations have far-reaching consequences. They have effects similar to what we learned from Edward Snowden’s revelations in terms of confidence and trust. This is not only an issue for Facebook, but all social media tech giants, which are not considering the dignity of their consumers and subscribers. They are not looking at them as individuals, but as experiments. The tech giants need to start considering fairness and transparency. They build a lot on free-of-charge services, but they use our data without explanation or feedback on how to be better in control.
Under Article 25 of the GDPR, there is mandatory privacy by design and privacy by default. We hope to see more privacy-friendly solutions embedded into default settings for computers, smartphones and tablets that consumers must actively deactivate, making it their choice to have less privacy. But, it also should not be a yes-or-no approach.
The WP29 released a statement on how we are forming a social media working group. We described how we are committed to a joint analysis and working together with one voice, regardless of the investigation in specific countries.
Companies need to have a strategy for the longer term. The GDPR applies to companies profiling or targeting EU citizens. It doesn’t matter where their headquarters are located.
SACHS: What privacy-by-design principles should developers or businesses implement to help users understand their privacy rights or websites’ terms more thoroughly? Is this a place for regulators to step in?
BUTTARELLI: We’ve been buried in GDPR negotiations and preparations, but the next chapter is finalizing the ePrivacy Regulation. However, as of May 25, an affirmative act will be necessary to give consent to certain processing modalities. This consent needs to be freely given, informed and unambiguous. It can be written or electronic. However, to know if a data subject’s consent is valid when ticking a box or just visiting a website will depend on how clearly the context is indicated.
Silence does not constitute consent, but instead data subjects will need to indicate “I agree,” especially with more sensitive data or when the data will be processed for different purposes.
We do not want organizations to present data subjects with legalese and ask them to check the box. Instead, we need to look at data protection and privacy principles from a digital, dynamic viewpoint. This is a challenge as we become more conversant with new technologies.
Our office is part of an initiative to reward two winning participants in a competition to design a privacy-friendly app for mobile phones for individuals to better interact with their doctors without being tracked.
SACHS: Your office recently issued an opinion on the interoperability of EU information systems and, in 2018, it expects to address cross-border access of law enforcement authorities to electronic evidence and financial data. How will the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) or the implementation efforts of member states regarding the NIS Directive affect your opinions?
BUTTARELLI: Relevant for the EU, the Commission on April 17 announced a proposal for new rules to make it easier and faster for the police and judicial authorities to obtain electronic evidence (including emails or cloud-stored documents) they need to investigate, prosecute and convict criminals and terrorists. Our office carefully analyzed the text, and we see that there is a need to follow the work of the Convention on Cybercrime, also known as the Budapest Convention, which the EU, its 28 member states, the U.S., and other countries have ratified.
In the announcement of our opinion on the interoperability of EU information systems, our office called for a wider debate on these issues. We look favorably on the interoperability of EU systems, particularly in the financial sector, and on which applications are allowed in terms of security.
As for the CLOUD Act in the US, we are interested to see how it interacts with Article 48 of the GDPR, which is about transfers or disclosures that EU law does not authorize.
SACHS: You mentioned in an article earlier this year that if companies comply with the GDPR, the Privacy Shield may become obsolete. In 2017, the FTC settled charges with companies that allegedly misled consumers about their participation in formal cross-border data transfer programs, including the EU-US Privacy Shield (see In re Decusoft, LLC; In re Md7, LLC; and In re Tru Commc’n, Inc.). If the Privacy Shield becomes obsolete, what role do you foresee for U.S. regulators with cross-border data transfers to the EU?
BUTTARELLI: In that conversation, I expressed that we need to build on the lessons learned with Safe Harbor. We have been loyally pushing for proper implementation of Privacy Shield, but improvements are still necessary and we are still waiting for clarifications from the U.S. government. It is not that Privacy Shield is obsolete, but it is an instrument for the short-to-mid-term.
Former FCC Chairman Tom Wheeler recently wrote an opinion piece for The New York Times about privacy and personal data as a commodity in which he said, “The New World must learn from the Old World.”
If companies comply with the GDPR, the Privacy Shield mechanism to transfer data becomes much less relevant.
For additional content concerning the use of personal data in the digital age, be sure to explore the rest of our multimedia series: A new dawn for data privacy and transparency.