Wojciech Wiewiorowski: We are not protecting the legal acts, but the people
The GDPR is not going to be implemented all over the world but we want it to be the benchmark of other regulationsSvetoslav Stefanov
The main role of the European Data Protection Supervisor, apart from the supervision of European institutions, is to take part in the legislative processes in the EU in order to help the institutions in drafting legal acts. We try to be as open as possible to any kind of consultations and contacts. We are taking part in consultations, we are organising our own events, and we are putting special emphasis on the cooperation with civil society, the European Data Protection Supervisor says in an interview to Europost.
Mr Wiewiorowski, you have been appointed as European Data Protection Supervisor a few months ago. What issues have you inherited from your predecessors Giovanni Buttarelli and Peter Hustinx?
Giovanni Buttarelli and Peter Hustinx have developed a mature institution which has been functioning for more than fifteen years and which has been well placed in the whole structure of the European bureaucracy. It was quite easy for me to get into the office and to continue the job, especially since for the last five years I've performed the duty of Deputy European Data Protection Supervisor. We may say that there will be no revolution in the office after I started the job as the EDPS. There is an evolution that has progressed in the last fifteen years, and it will be continued in the following years.
In an ever more digitalised world, people are seriously concerned that their personal data could be easily stolen and misused. What can you do in order to calm down such fears?
The main role of the European Data Protection Supervisor, apart from the supervision of European institutions, is to take part in the legislative processes in the EU in order to help the institutions in drafting legal acts. We follow the law and help those who are involved in the legislative process. But, of course, one of our main roles is to contact the people themselves as we are not protecting the legal acts, we are not protecting the data, but we are protecting the human beings. We try to be as open as possible to any kind of consultations and contacts. We are taking part in consultations that are prepared by other institutions, and we are also organising our own events. We are putting special emphasis on the cooperation with civil society and NGOs, with different types of organisations representing industry, academia, scientific society, etc. They are the first addressees of our communications, and we try to learn as much as possible from them.
With the EDPS Strategy 2015-2019 completed, what will be the European Data Protection Supervisor's main goals for the next years?
The reform of the Data Protection Law is not finished. We are still missing one important part of it, which is privacy regulation aimed to replace the one that is in force at the moment. But we can say that the main regulation of the legal principles is already revealed by the GDPR. And this means that we are not going to change the principles of the Data Protection Law, we are not going to review the things that we have in place at the moment, but we are going to transmit the principles to the acquis communautaire, to the European law. So we would like to have a law on transport, agriculture, industry, civil law and penal law being up-to-date with the development in observing of the fundamental rights. That will be our goal from legislative point of view. From the practical point of view, we'll try to have smart administration in the EU. So we'll definitely put a lot of stress on the use of new technologies and innovations in the work of the public administration of the EU, but also the way we're facilitating the use of these new technologies. This is a part of the “third leg” that we would like to put in place, which is the monitoring of the development of new technologies. That is what we need to be much better at and prepared for. And finally, the implementation of the GDPR and the dissemination of these principles to the other areas of the world is an important part of our mission and of the things we want to do in the next few years. We know that the GDPR is not going to be implemented all over the world but we want it to be the benchmark of other regulations. However, our Strategy is conceived to be adaptable to global game changers. In light of the experience with Covid-19, it is necessary to think more in-depth on it in order to be able to cope with entirely unpredictable circumstances.
According to the Commission, the data protection reform was expected to boost economic growth? Does this effectively happen?
The European Data Protection Supervisor is not the one to be asked about economic effects and results, the Commission should be asked such questions. But I firmly believe that the strong protection of fundamental rights will help in boosting the market trust and in establishing a really healthy economy. If you think about results measured in numbers, it is not the EDPS who is to be asked about them. We are not doing statistics.
Sharing data lies at the core of the modern digital economy. However, the border between sharing data and stealing data is too flexible. How can this be fixed in a more sustainable way?
First, we have to understand what we mean by “sharing” and what we mean by “data”. Industrial data may be something totally different from personal data. We are also not saying that the personal data cannot flow. The GDPR is actually about the free flow of data, about the civilised flow of data. But sharing data is not the answer to any economic challenge. But if you want to make the market more competitive, the opening of personal data is most probably not the right answer. I'm not saying that I know the only formula to be used in each and every market for each and every data, but the data should be always taken into context.
Do people get real rights to manage the way their personal data are used and distributed across institutions and organisations?
Definitely they have such rights. Before the GDPR went into force, we have had the situation where to follow a possible breach in the processing of data, you had to know the language of the country where the controller was established and to make that controller pursue the company or entity that was responsible for the breach. Otherwise, it was extremely difficult to follow on the complaint. And now with the one-stop shop system, the data protection authorities all over Europe allow each and every person to file a complaint in an easy way, in the most convenient way for them. At the same time, for the first time in the history of privacy law, the right for class actions has been established in the GDPR regulation. However, their real use is still being reviewed to find out what are the differences in the practical use of such actions in Europe.
What can people actually do in case they find out their personal data are being stolen and misused?
First of all they should inform the data protection authorities and the controllers that something has happened. The controllers may not be fully aware of the data breach. The controller is the first one to help the person in such situation. In case this help is not possible or accessible, the person whose data have been breached should contact the data protection authorities in order to get advice how to get a secure data environment.
Is the “right to be forgotten”, introduced under the GDPR legislation, actually implemented?
Actually, the “right to be forgotten” has not been established under the GDPR. It happened before. This notion appeared in the so-called Google Spain case, which was judged by the Court of Justice of the European Union. This is not a new right, but it was not called by this term in legal act before GDPR. I would say that this is not the best notion as it is not actually the right to be forgotten but to have the data erased from different kinds of resources. This is a follow-up to the right that we have already had in the past. But now, with a more precise legal ground, it is easier to be achieved. However, we have to remember it will not lead to an absolute 'forgetting' of a person.
Are there any institutions and organisations punished so far for mishandling of personal data?
There were sanctions that have been issued by the data protection authorities around the world. As for European institutions, there were decisions banning processing of certain data but no sanctions from a financial point of view so far. It is an ultimate goal, it will be used only if an organisation or institution is not following the recommendations of the EDPS. And we generally do not have problems with institutions not following our decisions. They do.
How do agreements for the transfer of PNR data between the EU and the USA, Canada and Australia correspond with the GDPR?
There are exceptions from the GDPR general rules. From the regulator point of view, we have always had doubt, we understand that exceptions exist, for example, in the anti-money laundering cooperation between the countries, but while in anti-money laundering we can easily find the effect and efficiency of such an incursion of privacy, we hardly get examples of real usefulness of the PNR data for the purposes they should be collected for. So, I remain very sceptical about the possibility of using this solution because in our opinion they are going too far into privacy, not giving real results that would be showing that something has been done.
Have you ever dealt with drastic examples of stolen identities?
Yes, as SA (Supervisory Authority) on national and on European level, I have met with data breaches, or with misuse of personal data that was reported. Some were horrible, some were bordering on being absurd or funny, and being dangerous at the same time. Let me point at the example of a priest at a church who put information online about the donations that were given by the inhabitants of a small village. While the priest was showing names of donors and the amount of donations, at the same time he was revealing the identity of people who donated a small amount or that did not donate at all. This is an example of how the use of personal data can affect individuals, or categories of individuals, regardless to whom belongs the data.
In February, prior to the pandemic lockdown, you've organised a workshop on challenges and opportunities linked to Artificial Intelligence and facial recognition. What were its conclusions?
The first conclusion was that AI is a very, very broad term used for a long time for marketing purposes, and there is a tendency to put in one basket almost everything called AI, which probably is not the best solution. We should make clear what we mean by AI. If we mean the algorithms that are communicating with one another and creating automated decision-making processes, then we can say that quite a lot of that is under the GDPR. So we probably do not need a big change in the GDPR law, if we need any. But what we definitely need is more work on data protection impact assessments that are one of the instruments prepared by the GDPR, and finding out who and how is responsible for such assessments. As of facial recognition, what makes us especially concerned is the possibility to identify the person, not the verification but the identification. We are OK with the verification, but the problem is when the camera sees the face and tries to identify the person among many by comparing a number of biometric data which are stored somewhere. Once used in public areas by entities that are not law enforcement authorities, this creates a big danger of changing the whole culture of the civilisation we are dealing with. The use by law enforcement entities should also be limited, and it should stay under strict independent supervision. For facial recognition, I would say - let's not go too fast and let's not run for the result.
How can we guarantee that AI will be always at our service, considering that with it becoming more and more autonomous, fears of the opposite are on the rise?
I don't want to limit the discussion about AI to arguably science-fiction ideas of machines taking over humans. This is probably an important discussion but rather for those who are dealing with philosophy, sociology and futurology. I would like to drive attention to the fact that AI is not in our future, it is something that is going on right now. If there isn't still a system that is intelligent in an artificial way, those technologies that we are talking about and which are based on the algorithms in decisions, they are fully implemented in our lives, and sometimes we don't even have a clue about that. So let's make the discussion practical, and not turn it into a futurological one. Although I absolutely accept the fact that politicians and parliaments should think also in this long-term way. But for the regulators, the more important thing is what is going on right now.
Wojciech Wiewiorowski was appointed as the European Data Protection Supervisor in December 2019. Before that, he served as Assistant EDPS from 2014 to 2019 and as Inspector General for the Protection of Personal Data at the Polish Data Protection Authority from 2010 to 2014. He graduated law in 1995 at the University of Gdansk, where he was awarded the academic degree of Doctor in Constitutional Law in 2000. Mr Wiewiorowski is the author of numerous studies, publications and lectures in the field of personal data protection, IT law, e-government and legal informatics. His areas of scientific activity include Polish and European IT law, the processing and security of information, legal information retrieval systems, etc.