GDPR to make the world a better place
23 June 2017
Dara Murphy TD, erstwhile Minister of State with responsibility for data protection, opened the recent Data Summit in Dublin, describing the potential for a confluence of data and technology to improve the daily life of citizens, balancing privacy and innovation.
The minister said the summit was also about the drive to realise the country’s potential to be a leader in data, ensuring we have the mix of skills and the regulatory regime and environment to foster innovation and creativity, as well as protecting and securing data.
“In Ireland, we have the right balance to lead this discussion,” said the minister, about the role of data in modern society.
The conference was addressed by the data protection commissioner Helen Dixon.
Dixon said the keyword for her address was context, and “why it really is king in understanding the implications of data protection law.”
“We live in interesting times,” she said, “interesting times fuelled in part by the fact that we are all agents of the digital revolution.”
However, she characterised that revolution as being unlike any other, where we see “change well beyond the velocity of any other industrial revolution”.
Despite the challenges around data, Dixon said we have seen the benefits of technology, showing the potential for what can be done. “We now have a better understanding of climate change, hospital infections, genetic markers for cancers.”
Data protection authorities have a watchdog role in this environment, she said.
Dixon said that organisations, some from the public sector, often ask the wrong questions when it comes to data protection, and can often focus on the technology. This may sometimes lead people to erroneous impressions, she said, for example that the ‘DPC doesn’t like wearables’.
Clarifying the position, she said “Data protection commissioners don’t make the policy choices, and we are not here to like or dislike any technologies or policies, our role is to ensure that appropriate data privacy analysis has been conducted so that any such measure can be lawfully implemented.”
Many public sector bodies, she added, seem to struggle with the high level, principles-based nature of data protection law, and often need help in stepping through the detail of privacy impact, impact assessment and the full range of implications in any data gathering and processing exercise.
“There is no book that tells us the answer to any data protection implementation question, it hands off the details in every case,” she said. “And the organisation proposing it is best placed to conduct that analysis in the first instance.”
The commissioner went on to talk specifically about the General Data Protection Regulation (GDPR), and said it was about understanding our choices with regard to personal data. The regulation, she said, is seeking to protect personal data, but also strengthen the digital economy to have consumers trust it.
“Rather than being mutually exclusive, data protection law and the strengthening of the digital economy are complementary,” said Dixon.
“GDPR will transform our relationship with digital service providers of all kinds.”
The real strength of GDPR, she added, is in the new accountability and transparency requirements that it implements. These will drive the most significant new behaviours by organisations and by data subjects.
She said she fully expected GDPR to become a global standard, and influence data protection everywhere.
The regulation, she said, recognises a risk-based approach to implementation, where context is all-important in terms of the analysis of risk to a data subject and the mitigation measures that should be taken.
It will have practical implications, such as forcing the terms and conditions (T&C) of products, applications and services to be more transparent, explicit, concise and intelligible.
However, despite the apparently onerous nature of compliance, the commissioner was also cognisant of the value to organisations.
Companies that distinguish their products and services by data privacy standards will start to win, she said.
GDPR recognises the potential for innovation and technology, said the commissioner, but it simply demands that it is done in a responsible way, where there is accountability and transparency about the implications for each of us in controlling our identities and access to our personal data.
“GDPR won’t and can’t solve all the issues our internet world is throwing up,” said Dixon, “other laws will be needed in certain areas to regulate other aspects. But the GDPR we believe, is overall going to make the world a better place.”
Rights and security
A panel discussion on data protection and other fundamental rights explored the idea of balancing privacy and rights, especially in today’s world of terror threats.
Stewart A Baker, a partner in US legal firm Steptoe & Johnson who has worked directly with the Department of Homeland Security (DHS), was highly critical.
GDPR leads us down the wrong road by focusing too exclusively on privacy—privacy by design hampers security interests, said Baker.
The panel, also featuring Data Commissioner Dixon, Prof Joe Cannataci, UN special rapporteur on Right to Privacy, and John Frank, vice president, EU governmental affairs, Microsoft, disagreed to varying degrees.
A question was put to the panel from a distinguished member of the audience, and also a speaker at the conference, Vint Cerf.
Liberty and security
Cerf said that with regard to privacy, we would all like to think that companies protect data, but countries also have an obligation to protect citizens. A social contract might be, he said, that there may be a need for the loss of some freedoms in exchange for safety, and invited discussion.
Inevitably, another audience member cited Benjamin Franklin, who is credited as saying that those who would give up essential liberties for temporary safety deserve neither.
The broader view was that privacy, innovation and security are not necessarily mutually exclusive. Baker insisted that the Silicon Valley reaction to the revelations of Edward Snowden on mass surveillance was wrong. He said that messaging services such as WhatsApp using encryption simply made the job of law enforcement harder, especially when it comes to counter-terrorism.
The other panellists tended not to agree, and Prof Cannataci expressed deep concerns at the prospect of backdoors being introduced to encryption, or products in general, saying such measures would do nothing for security and would lead to an undermining of confidence which would have more deleterious effects.
The summit was also notable for the first appearance of An Taoiseach Leo Varadkar in that role.
The Taoiseach expressed the position that “We need a digital protection regime that people can trust,” along with a robust regulatory system and a government that recognises the need for robust protections. One of his first actions in forming his new cabinet was to remove minister Murphy from his position of responsibility for data protection, and merge the function with Trade, Employment, Business and the EU Digital Single Market, under minister Pat Breen TD.