GDPR Implementation – Blind spots, opportunities, and the way forward – WS 02 2019

From EuroDIG Wiki
Revision as of 17:55, 4 December 2020 by Eurodigwiki-edit (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

19 June 2019 | 14:00-15:30 | MISSISSIPPI | Video recording | Transcription
Consolidated programme 2019 overview

Proposals assigned to this session: ID 10, 27, 38, 66, 70, 72, 79, 102, 107, 129, 145, 176, 179list of all proposals as pdf

Session teaser

The General Data Protection Regulation is known around the world, but how effective has the regulation been? What’s been the impact on citizens in the European Union, neighboring countries, and around the world? This discussion-based workshop will bring stakeholders together to take stock on these and other issues one year after the GDPR came into force.

Session description

PART I: Application of GDPR to different technologies and communities


Such as blockchain, the DNS, cloud service providers, etc.


These may include refugees, the elderly, or different academic or working environments.

PART II: Evaluating the Impact of GDPR

EU Countries

- Discussion question: What is impact, and how do we measure it?

  • Impact on digital rights in Europe
  • Impact on businesses
  • Compliance variations and adaptations within Europe

Non-EU Countries

  • Broader impact on countries beyond the EU
  • Specific country perspectives
  • Impact on broader legislative / regulatory landscape

Wrap up

Rapid-fire takeaways: short interventions describing what we should expect, look out for, monitor, etc. in the coming year


Fishbowl: a moderated in-the-round style driven by substantial conversations and interactions between discussants.

Further reading


Focal Point

  • Collin Kurre

Organising Team (Org Team)

  • Meri Baghdasaryan, YOUthDIG
  • Zoey Barthelemy
  • Raphael Beauregard-Lacroix
  • Amy Brouillette
  • Ayden Férdeline, Technology Policy Fellow, Mozilla
  • Matthias M. Hudobnik
  • Fotjon Kosta, Coordinator of Albania IGF
  • Kristina Olausson, ETNO - European Telecommunications Network Operators' Association
  • Oksana Prykhodko
  • Marina Shentsova, Independent researcher on digital rights protection
  • Bart van den Bergh
  • Michelle van Min
  • Veszna Wessenauer, Ranking Digital Rights

Key Participants

  • Christoph Steck, Manager Public Policy & Internet at Telefonica
  • Diego Narranjo, Senior Policy Advisor at EDRi
  • Elena Plexida, Senior Director for Government and IGO engagement at ICANN
  • Lars Steffen, Director at Eco International
  • Marianne Franklin, Professor at Goldsmiths / Internet Rights & Principles Coalition
  • Meri Kujxhija, Head of the Legislation Sector at the Albanian Information and Data Protection Commissioner's Office
  • Peter Kimpian, Data Protections unit at the Cooncil of Europe
  • Raphael Beauregard-Lacroix, Researcher at University of Michigan


  • Collin Kurre, ARTICLE 19
  • Veszna Wessenauer, Ranking Digital Rights

Remote Moderator Trained remote moderators will be assigned on the spot by the EuroDIG secretariat to each session.


  • Ana Maria Correa, Geneva Internet Platform

Planning calls, minutes, and current discussion

WS2 Org Team Coordination Calls:

  • CALL 1: 11 April @ 1700 CEST. Initial session structure planning.
  • CALL 2: 10 May @ 1700 CEST. Primary objective is identifying people to approach as Key Participants.
  • CALL 3: TBD - 4 June @ 1700 CEST. Final call to wrap up remaining details.

Running session organization notes:

Link to join planning calls:

See the discussion tab on the upper left side of this page to have a look at the current discussion around this workshop's content.


  • The GDPR came to harmonise data protection in the EU and enforce privacy rights. Businesses recognise its importance in our current data driven economy, but there is still some legal uncertainty around it. A standard interpretation of the GDPR should be suitable for companies’ activities. More guidance is also required from data protection authorities. Moreover, a potential blind spot of the GDPR is that it could be harming smaller companies that cannot afford to pay large fines relative to their annual revenue, in contrast to larger companies that can absorb the cost of non-compliance and have the resources to (potentially) provide a remedy.
  • The GDPR involves multiple stakeholders and should take into consideration vulnerable groups, such as university and school students, patients, and refugees. Even if the GDPR represents a global standard on privacy, it is not enough to address the excessive collection of data. Citizens should be offered minimum training at schools, universities, and hospitals to understand the impact of the collection of personal data.
  • In terms of impact, the GDPR makes people more aware of privacy rights. There is a major compliance effort with more than 500 000 data protection officers in Europe that aim to guarantee privacy. However, more transparency about its application and remedies is required. Codes of conduct could be a solution for clarifying the purposes and application of the regulation.
  • Convention 108 is often seen as a bridge between the GDPR, the EU Police Directive, and the rest of the world mainly due to its data transfer regime, and the opportunity it offers to countries for meaningful co-operation within its conventional committee. The convergence towards a high set of privacy principles and rules to which Convention 108 seems to be a good basis needs to be speed-up in order to tackle collective challenges in the digital age.

Find an independent report of the session from the Geneva Internet Platform Digital Watch Observatory at

Video record


Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-800‑825‑5234,

This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.

>> Everyone is welcome to sit at the table. You don't is have to have a planned intervention to sit around the table.

>> Please, feel free.

>> MODERATOR: Hi, there. Hello and welcome to the session on GDPR Implementation Blind Spots, Opportunities, and the Way Forward. As I said before, everyone who is seated at the chairs is more than welcome to join us at the table, so please feel free to move forward, if you would like.

My name is Collin Kurre from Article 19. I was the focal point for this session, and I will be co-moderating it with Veszna.

>> VESZNA WESSENAUER: Hi, my name is Veszna and I work at Digital Rights.

>> COLLIN KURRE: A couple of house rules, please state your name and association before making an intervention. This helps us with remote participation and transcribing. Also, we're going to be using a timer to make sure people keep remarks brief, and this is in line with the EuroDIG Session Principles of fostering diversity of opinions and hopefully as many viewpoints as we can gather here in this session.

Let's see. We are joined by our remote moderator, Meri B and a Reporter Ana Maria, over here, who will be taking the last few minutes to report on the big action points coming out of this session.

So, with that, I think that we can go ahead and kick it off. You will have seen -- you might have seen on the Wiki that this session will be divided into three parts, so the first part is going to be looking at the application of the GDPR to different technologies and communities. The second part will be looking at evaluating impacts of GDPR. The last matter is a tiny part, which will be kind of a lightning round of wrapping up the discussion where people can give us their hot takes to round out the session.

So, with regards to these Part 1 and Part 2, the topics are quite broad as you saw, so that's in order to leave it open for interpretation, so for stakeholders to respond from their unique perspective about the impacts that they have witnessed or would like to witness.

So thinking back to Part 1, Application of GDPR to different Technologies and Communities. I would like to kick it off with two questions, so we'll be joined by two discussants who can introduce themselves before they speak, and I ask you, what were the biggest challenges in the implementation of GDPR over the past year, and how were or how can they be addressed? Thank you, and I'll turn it over to you.

>> ELENA PLEXIDA: Thank you very much, Collin. Hello, everyone. I'm happy to be here and discuss this issue once again. My name is Elena Plexida and I'm here to work with the government perspective of ICANN and I'm here to speak about that perspective. Everyone is aware what ICANN is doing, coordinating the unifier, the names and numbers, it's a coordination necessary to have one single Internet, and so ICANN was set up to provide this service to the world, and of course the multistakeholder community that comes together and decides on policies for the DNS.

Speaking of challenges with respect to the GDPR, well, it's not a surprise to anyone around here if I speak about the Who Is a little, what is the Who Is, when someone registers the domain name, the company or the person, they have to give their information so that what is the purpose behind it. If there is an issue with your part of the -- with the domain main that you are administering, someone can contact you and you can fix it. This is originally why it was set up, and then over time it developed -- other users developed things for trademark infringement, cybersecurity, law enforcement and that.

With GDPR, I can put together an entire system, meaning the Who Is data is no longer public available, and only the ones not personal data are public available and the rest are hidden. Now the community is working on access system, or disclosure system for those that need access to the data for legitimate uses, such as law enforcement as we mentioned.

Now, speaking of challenges, this thing has been all full of challenges for the IT community, of course. And I will briefly mention some. Legal person versus natural person, at the beginning we were saying, okay, it should be pretty easy, let's find who is a natural person and who is a legal person and not hide the data for everyone. Right. That's not very easy because we're talking about millions of registrations, and when they register, they register without having to differentiate which is which, and it is practically impossible for the contracted parties that have this data to go back and verify all of them, so we forget about it.

Let alone that when the DPAs provide guidance, they said with respect to the email, you might have a registration data that comes from a legal entity, but if there is a professional email, that is let's say my name, Elena Plexida, a professional email, it gives professional information because it's affiliated with the company that you work for, so that's another challenge, so you have to hide it again.

Another challenge, with the purposes for processing, you have to have errors with processing, it's very natural, but it's very difficult to establish the ICANN itself can have purposes for processing because it's a different penalty. You cannot say we're doing that in the public interest, that has to be vested somewhere in the law and not because the bylaws of ICANN say we do it in the public interest. It has to do with the process of the contracted parties and so it's a difficulty.

And now, the community as I mentioned is working for access disclosure, or disclosure, and this is very, very difficult obviously, because we're talking about different jurisdictions around the world, law enforcement around the world needs to have different legal basis and how do you bring this together in the global system, that's very difficult. The international transfer of data involved. And Chapter 5 gives some tools, many tools, of GDPR, but honestly those tools do not seem to be fit for a global system, such as DNS, it's for European situation.

Overall, my point is that GDPR was not made for systems such as DNS and made for platforms that are commercializing that our private data and here, we're not talking about commercializing private data, the contracted parties do not gain anything out of it and they just have to do it. There is no single database, so that was a great challenge when talking with authorities, it's difficult to explain the fundamentals of DNS and ICANN really doesn't have the data, it's the contracted parties that have it.

And so I'm referring to Articles of the GDPR now, but there are real challenges, and as an example you might have heard that there have been recently ongoing DNS hijacking from some months actually, started from Middle East, but affected Member States, went to Sweden and mainly Cyprus had a serious incident and so the domain name -- the country code domain name of the country was compromised and when that is compromised everything below is compromised as well. So who is important in situations like that to have and mitigate on time?

But I would like to refer to more challenges --


-- would you like me to?

>> MODERATOR: I'm sorry, it's just a really nice song.

>> COLLIN KURRE: If you could maybe, I noted down several challenges that you listed, maybe if you could just briefly summarize some of the solutions that you might have encountered?

>> ELENA PLEXIDA: Now you ask me to make a big jump, so I will not do that and I will end with food for thought.


>> ELENA PLEXIDA: GDPR is only the first of legislation related to privacy, there are going to be more, we know that. We saw legislation trying to address cookies, giving back the end user the right to use own cookies in privacy setting. Fine. But the way it was written, it was breaking up routing of Internet.

Another example as food for thought, the European Court of Justice ruled in 2016 that dynamic IP addresses are personal information. If you take this ruling and the GDPR to its extreme, we wouldn't be able to have the Internet. Obviously, no one is doing this interpretation and taking it to this extremely, but I'm just giving it as an example and food for thought, and I stop here because I don't have time, otherwise I would continue.

>> AUDIENCE MEMBER: (Speaking off mic)

>> AUDIENCE MEMBER: There is a little more from the stakeholder side. I'm happy to share. It's up to you.

>> COLLIN KURRE: Maybe we can come back to that because I think we're going to turn over to our second discussant next. Oh, yeah, of course. And we're actually going to be -- so here we were looking at a global technology, the Global DNS System and how it might have been impacted by the GDPR and we've got some really great examples of challenges like purpose, fragmented jurisdiction and legal basis, legal person versus natural person, which are all issues to contend with but now we'll go to Lars who is coming from a different perspective as an industry organization that represents all different kinds it.

>> LARS STEFFEN: I'm Lars and I'm asked not to cover who is it and all the other things around this, but building on what Elena just described is exactly what I would like to address on a higher level is that, that the GDPR was -- the intention of the GDPR is to start a cultural shift that the awareness of privacy is higher in the industry that we are working in it, and it was not only to spread fear of penalties and high fines.

But what we've seen one year after this whole thing started is that the original intention to get the thing started was the fear of the penalties and of the cultural change in the industry, which we see is now starting within the companies that we are working with.

And so from now on, the biggest question that we see among our membership is the legal certainty and the standardized interpretation of the GDPR because as just described, we have one legislation that covers all different kinds of organizations, companies, whatever, it doesn't make any difference which kind of organization you are, but all have to comply to the same rules and regulations.

So, against this background, we don't see many cases still that have been ruled out, and we have a few examples in the previous session about GDPR that the first fines are being discussed and that you have the 50 million with Google and several other cases, but for the average company within our membership, which are SMBs, this is still quite abstract and so what we don't have right now are enough court cases where you can read out, okay, how this GDPR is being interpreted and how it's being ruled out in a standardized manner.

So, from this point of view, we would like to see more certainty because there are a few cases, when you compare them, there is one example the legal, for example, where you have a case where you have a dataset of 300,000 datasets and where you only have a fine of $200,000, which you can interpret that you can just proceed with what we've seen in the past, and then you just calculate this cost into your regular activities, and on the other hand you also have some fines like the Google example where you say, okay, this might be something which is for a company of that size, but which is quite threatening to other parts of this industry.

So, against this background, I would like to -- we would like to see as an association in the name of our members, to see more guidance and more clarity in the interpretation of the GDPR. Thank you.

>> COLLIN KURRE: Great. Thank you very much. With that, I would like to open the floor for you to comment at this point. We'll have an open discussion for anybody to either further ask questions of our wonderful discussants who led this section or to give their own explanation or their own impression of what the challenges and potential solutions to overcome these challenges have been over the past year.

>> VESZNA WESSENAUER: Thank you. Lori Schulman from INTA.

>> COLLIN KURRE: I'm going to interrupt one more. The lead discussants were leading off with five-minute intervals and now it's going to go down to three.

>> LORI SCHULMAN: Okay. I got it. I won't talk about the expedited policy development process either. I understand we don't want to get into the weeds of ICANN, but I would say that like ICANN solutions, the EPDP, whatever you think of it, it is a solution. I just wanted to point that out, that this is the multistakeholder community getting together, negotiating.

There was a Phase 1 report that went to the ICANN Board which was substantially accepted, not fully accepted, and what was interesting about that is what was not fully accepted were two of the challenges that Elena highlighted, one was how to define purposes in a way that would encompass the very clear and encompass the needs of the entire ICANN community and not just a subset of the community; one, and secondly, there is great debate of capturing the organization's name inside the Who Is data and there is a solution out there and I wanted to point out, the EPDP, whatever you think of the minutia of the work it is a solution that ICANN is moving forward with, number one.

Number two, I would present as a challenge, and as a solution particularly, my organization represents trademark owners and aside from the issues that are happening at ICANN, there are other issues here in terms of discovery, and I was at an event yesterday where I just learned that, you know, our members of the community are asking for information of the purchasers of tainted products to let people know that they've bought counterfeit or tainted products that they have a tainted product in their possession and they should be very careful, particularly one that could be ingested by humans or animals, quite frankly, and there could be great harm there, and there are some parties that are argued GDPR and saying that we're not going to tell you who bought our counterfeit goods and we're not going to share with you where we may have distributed a bad product because of GDPR, which to me highlights the issue of the lack of balance.

And what had happened is in this particular case, the law firm had to write two or three letters, and in the third letter, did a very explicit legal balancing test, and then there was a decision that had to be made by this company, do I face potentially going to court and get a restraining order or do I face a GDPR fine? So I think there is still sort of this idea of not -- not understanding well what balance might mean, and that might go to Lars' point about not having enough guidance about the court cases, but I do think there should be an element of common sense and public safety and that goes into this balancing test on a private level and not just waiting for the courts to decide, and I'll stop it there.

>> COLLIN KURRE: Great. Thanks. Do we have anybody else that would like to bring a different perspective to the table.

>> AUDIENCE MEMBER: David from European and Digital Rights. Regarding the issues from ICANN, I feel like I'm back in the '90s. We have been keeping the same discussions since then and I hear this issue of the natural person and what is the purpose of processing and though this is not really news now. This has been here since the 1995, at least in Europe, and we've been very clear and ICANN seems not aware the legislation was in place and perhaps not respecting it, but it seems clear now with the GDPR clearly into force some time later -- minimize that explaining that need to explain to other registrars and just keep that role of maintaining the Domain Name System. I don't think the role of ICANN should be and that's not your fault, but the fault of the law enforcement agencies, to be the private policies of the Internet and I think that should be a role, your role is to maintain only the DNS system.

And regarding the GDPR, it's made for platforms with single database and I don't think that's so accurate, and I've been involved in the GDPR discussions for almost four years and the discussion was about everyone, and you have very lobby groups from the small owners in Denmark and you have the big tech companies and NGOs and everyone is there and the GDPR has made a good balance, even too balanced if you ask me, and it is not news. Again, the issue of the obligation of how to use legitimate interest, all of that is pretty clear and the DPAs are making it even more clear, the guidance by DPAs, EDPAs, EDPD, and generally, I think the way forward is to try to stick to the law, to hire better lawyers even though they don't know how to enforce the GDPR and respect following the rights.

>> COLLIN KURRE: Thank you. If we could steer clear from the specific example of ICANN and maybe speak about challenges related to European digital rights, that would be preferable to this conference. But if you would like to comment on that, Raul, please.

>> AUDIENCE MEMBER: (Speaking off mic)

>> COLLIN KURRE: I had a feeling. Well, is there anybody else who would like to speak about maybe a different perspective from a different community or even a different part of the DNS community with how it relates to GDPR?

If not, I'm happy to continue this conversation, but I don't want ICANN to suck all the air out of the room.


Okay. Maybe to get our creative, you know, juices flowing, please raise your hand if you have come into contact with GDPR in the past year.

I see there are people who have not. That's impressive! Keep your hand raised if you had had any kind of challenge with GDPR in the past year.

Keep your hand raised if your challenge has not been spoken about in this session so far.

Yes, ma'am, would you like to join the discussion?

>> AUDIENCE MEMBER: Hi. Well, I had to --

>> COLLIN KURRE: Could you please state your name.

>> AUDIENCE MEMBER: I'm Elena from the World News Association of Publishers, and I just got to the session, but I think I understood correctly that I had two kind of challenges, one as a private citizen, it is really too burdensome, it is so boring, I mean, to deal with all the privacy authorizations and so much so that I see myself, and I know what I'm doing, and I couldn't even imagine those who don't know what they're doing, giving authorizations left and right just to get through them and get to what I need to do on the Internet.

And then on a professional point of view, instead, I see that countries are being slow in enacting their part of the GDPR, which is as far as I'm concerned, the approval of the journalistic exception.

>> COLLIN KURRE: Yeah. Thank you very much. That seems to be a bit of a common refrain so far as maybe people don't quite understand that there is a lack of certainty around what the provisions mean in both the legal sense and on the private citizen scale that people might not understand what GDPR is or how it affects them.

Somebody else had their hand raised in the last round. Would they like to express another perspective on the GDPR challenges or ways to overcome these challenges?

>> AUDIENCE MEMBER: (Speaking off mic) Thank you, Collin. I'm sorry, I will mention ICANN again and I just have to. I mean, you have to give me the right to respond to what I heard, but I also promise to talk about solutions in this response.

So, yes, I wanted to mention I was asked to talk about challenges and that's why I insisted so much on challenges. If you look on the other side of the coin, you will see that GDPR with referring to whatever else has given an opportunity to the ICANN community, which is the one that decides, to look at it in another perspective because indeed they have been the challenge for quite some time, it's not new, you're right on that.

But it's not out of lack of respect. You cannot say that ICANN did not pay as much attention, but you can also say the legislators weren't aware considering the legislation, and they didn't have their mind on Who Is and the proof is how involved we are right now in finding a solution for the law enforcement and for everyone else, and you're also right in the part that ICANN and organization like ICANN is not going to be the police and should not be the one who resolve these kind of issues. No. It's just caught in the middle of it and this will bring me to the solution that I wanted to suggest going forward and so I think talking about challenges going forward is going to be more and more legislation that we're going to see a digital need for policy of the regions, particularly privacy for sure, and we heard today Commissioner said clearly make no mistake this is just the beginning of Internet regulation and we should find ways to work, find ways to work together, it's not that we haven't been working together, particularly in Europe there is no secrecy, but we have to work together when legislators are drafting something, it should be in full understanding of what the consequences are and that's not straightforward and a solution we need to look into.

>> AUDIENCE MEMBER: What you're referring to is a proactive engagement with stakeholders in the legislative process and more active monitoring of legislation schemes to ensure the legislation is having the desired effect.

>> AUDIENCE MEMBER: Yeah, I mean, for more proactive engagement from all parties. The private companies, they have input to give and technical organizations such as ICANN, I don't want to be misunderstood here but they have nothing to say with respect to the political choices, that's the prerogative of legislators, but they can explain how the Internet works, for example. And the like, the Civil Society, they also have a say there but we have to work better together. It's all interrelated in the Internet world. That's what I'm trying to say.

>> AUDIENCE MEMBER: I work for Attorney, Frontier Finland. I've been doing a course for citizens on GDPR from the citizen's perspective who don't really know their rights or how to exercise them, but one of the challenges that we encounter several times when doing data goes to different companies is that they wouldn't have the physical address of their data profession officer, and I think that's explicitly against the law.

And I think like, for example, if you look at Facebook, I don't think they have displayed that anywhere either, at least I haven't found it.

>> COLLIN KURRE: Great. That's a potential solution that you've done is having a training course for citizens to allow them to know how to better exercise their rights.

We've got some fliers here. If I could have a change-gears intervention and putting my other hat on as Article 19, one of the things that I've been considering, partially in preparation for this session, would be how the different provisions of GDPR could be applied to different specific industries or pieces of tech; so for example, if were considering codes of conduct, which is one of the things that we were talking about earlier, and if you consider a very specific type of operator, for example, a recursive resolver operator, which is something that's more a topic of more conversation now with DNS-over-HTTPS being deployed and then it might be an interesting consideration to think about what would a code of conduct look like for something like a recursive resolver operator? How could that -- how could that be generated? What kind of positive feedback loop could that potentially create? Because if you have -- I think there is a lot of room within the GDPR and its provisions to create a kind of boomerang effect where if you toss the legislation out and companies comply, then by virtue of complying with the level of transparency and accountability required by law it would shed light on government requests for data and content takedowns they might be receiving so might create some kind of accountability, pro-social competition and so that could potentially be something to consider.

So, putting back the moderator hat then, we've got about one minute left in this section. Did you have something to add, Lori, and then we'll go to Peter? Wait. Let me -- let's just -- could you shuffle that mic down there. Great. Thank you.

>> AUDIENCE MEMBER: Yeah. I wanted to talk generally, and maybe this goes to the next session about digital empowerment, citizen empowerment, because I think this goes to the question of balance and some of the points that my colleague from the Publishers' Association made about that just on a human level, seeing a sign that says we accept cookies, and then you click okay because you don't understand or don't have the time or don't -- you know, all the questions you're being asked you're not even sure you have an answer for, I think that's a big issue behind GDPR because as principal, based as it is, and it goes to my point about balance as well. If we don't have the tools and means to really push this cultural shift, having a law is not going to do any good, quite frankly.

I think a deeper dive into policy and consumer empowerment is where that really should begin.

>> AUDIENCE MEMBER: I'm Peter from Council of Europe. It would be very difficult to say this in a minute but I try. I think everybody was working very much in the past in silos and everybody was very much developing instruments and technical solutions and so on and so forth, but it doesn't necessarily cross each other and so as Elena alluded to, maybe GDPR was not entirely taking into account all the repercussion it might have for international technical organization or ICANN, or not only ICANN but other technical communities that were not taking into account all the developments that have been taken at the policy level, and so I think that breaking the silos, it's really needed.

But we have been saying this for years and years, and so I think it's really time now, and to start working together. And if I can make 20 seconds of self-marketing, Council of Europe just started this and invited Internet companies to be involved in the work that we are doing for our Member States which is policy and standard setting activity and to sit on the table, then we have to find ways how it will happen and create together policies, taking into account the wide variety of issues at stake and the complexity of the world that we wish to regulate at the Council of Europe level and Digital Age.

>> COLLIN KURRE: Thank you. So, with that, the first little -- the first section of Part 1 has been wrapped up. Oh, can you make it ultra brief? There ought to be a floating mic somewhere around here. Please don't forget to state your name and affiliation.

>> AUDIENCE MEMBER: I'm Barren from Tech Freedom, first I want to echo what the lady said about media. The Romanian case is profoundly troubling and understanding the job of figuring out the protections for freedom of protection is left to the Nation States, this is a profoundly disturbing case, but I wanted to point out the GDPR does not deal with the issue of de-identification of data by saying that data that is completely perfectly anonymized is not could have had but by not addressing the issue of how to deal with the imperfect de-identification of data you remove the incentive for companies to try to de-identify data and be good stewards of data in that way and doesn't serve privacy and doesn't give companies the way to keep data that might be useful and so this is an issue that really has to be addressed in order to both protect privacy and capture the beneficial uses of data.

>> COLLIN KURRE: Thank you. That was very enlightening. With that, we have wrapped up our first discussion on the application of GDPR to different technologies. We're going to be moving -- I'm really sorry, but we've got a schedule to keep because we've got quite a lot of topics to cover.

Perhaps, if there is going to be a bit of an open mic at the end for some hot takes, so I will turn to you first if that's okay, for a hot take at the end. All right. Great.

So with that, we're going to move into a discussion on the different communities that GDPR has been applied to, so actually when we're talking about the press and journalists, that is a community in and of itself. So we've already kind of touched on this to begin with, but I'm going to turn to Marianne, if you would like to introduce yourself and speak a bit about the topic.

>> MARIANNE FRANKLIN: Thank you very much. I'm Marianne Franklin with and representing -- and my day job is Professor at Goldsmith, so thank you to my employer for allowing me to be here. I have now 4 minutes and 42 seconds. I'm going to talk about three sorts of communities, the elderly; number two, school pupils and university students; and number three, refugees and asylum seekers. When I say communities, I'm using it as a category really. Communities are always made of diverse groups and have diverse needs within said community and that community can be within the international jurisdiction or in fact straddle several.

We're living in an aging society, we've all been school students and university students more or less or we have children who are and some of us may be working directly with refugee and newcomer communities.

I would specify these three groups, if you like, broader communities, as not being very well served by the GDPR, precisely for the reasons that have been already brought up.

The GDPR is not about privacy online. It is one important step in operationalizing that principle of privacy online and as my colleague pointed out, without true anonymity online there is no true privacy online.

Now, as we know, implementation like interpretation is 9/10th of the law and that's where we are a year on, implementation and interpretation.

So let's think of these three communities. Privacy is just one of the human rights that have been guaranteed by international law, regional law, and in some cases, national legal standards, but international human rights law, privacy is but one of the human rights, it's embedded in other rights.

Data protection actually dovetails many other issues that are being raised, and so let me just break this down so you can understand what I'm talking about three somewhat counter intuitive communities and I'll let you use your imagination.

The elderly, we now have increasing levels of authentication, increasing levels of behavioral tracking, and the elderly are particularly prone to being confronted with the need to remember more and more complicated passwords, which actually makes them more dependent on careers, families, more open to take abuse which is now actually a term, it's happening all the time, and more open to having their digital identity stolen and that I can attest to from not only personal but research experience.

School pupils, 5-year-olds, 3-year-olds, are their school administrations understanding the need to protect data anyway, let alone by law. University students are now being subjected to excessive amounts of data, data gathering, biometric data, automatic role keeping, a form of surveillance quite horrifying, and just to have a protection regulation in place does not get us out of the fact that they'll actually collecting that much information about someone sitting in a lecture, so I think talking about data protection, begs the questions of what data is being collected in the first place and whether that much data should be collected.

So the more and more data you collect, the more and more you need to protect it so it becomes a self-fulfilling prophecy. Our most trying and difficult conversation, refugee, asylum seekers, refugees, immigrants, the amount of information these people are required to give is not with human rights standards. Refugees are embedded in human rights and not alongside and not an accident. There is no data protection for someone in a detention center, there is no data protection for someone seeking asylum at the border, privacy and we can judge by how they apply to the most vulnerable groups and complex situations in our society if we're going to judge how well it's been applied, not to the privileged, not to the well-informed, but to those who are information poor, unable perhaps to understand these complex regulations, where they can go for legal readdress.

So my first problem is if data is the new oil, then we're talking about sustainability on the same level we need to talk about climate change, and I don't think the GDPR is one size fits all, even though it is a very important step in the right direction in principle. It is a global standard around the world and people are seeing it as an important advance, but if it is the new oil, we should be thinking about how that oil is being harvested, who is in charge of it, who has access.

So I have concerns about the GDPR being somehow a proxy for larger questions around not just privacy but access to information, journalistic rights to investigate crimes, and public issues. University students to actually study issues like terrorism and do south without becoming tracks and surveyed and put into -- here is my thing, and I've got my last thing to say, I'm terrible for texts -- I'm sorry, okay. (Laughing) My solution is to collect less data. It's very simple. We don't need to give our sexual preference, we don't need to give our age, and don't even need to give our gender for the most simple service, so let's start collecting less data and GDPR implementation might become simpler.

Last but not least, meaningful training, meaningful training at the lowest level, kindergarten, schools, universities, hospitals, old people’s homes, retirement villages, that leads to robust forms of consent and compliance to the spirit and not just the letter of the law, and also allows for affordable and easy access to the right to legal redress which the GDPR, if I understand correctly, was all about in the first place. Thank you very much.

>> COLLIN KURRE: Thank you for that. If I can just pick up on two points that others might want to expand upon or comment back to, I understand that one of your primary concerns with regards to the three communities you identified is potential negative impacts or isolation of groups that are already vulnerable to marginalization within our society, and another thing that you said, that I thought was really interesting, was that the GDPR may well be a standard for advancing these kinds of debates, but it can't be a proxy for larger societal questions.

Would anybody else like to expand upon this notion of application of GDPR to communities or comment on these two points?

>> MARIANNE FRANKLIN: Did I say it all? (Laughing)

>> COLLIN KURRE: There has got to be someone. I know there are a couple of journalists in the room that might want to comment on the application to their community. We might be able to think about people who might be residents but not European citizens, that has come up in the past. Going once -- yes, please. Let's see if we can get to you. We need like a balloon on the mic.

>> AUDIENCE MEMBER: It's a very nice thing to focus on several people that you mention, the older people, the elderly, the young ones and then refugee, so I was wondering if do you think that the misuse of data here towards these people to what extent actually it has affected maybe these people or are you seeing issues related with these people that have in larger developed the ways on how people become more when they think because I'm not from here, I'm not from Europe, but I saw like the news and interesting of the rights movement and so on and so forth, so I was wondering how far this is actually the uses of data where maybe GDPR may not be well functioning yet because especially related towards these people or maybe it comes from these people to other people has affect in this case. Do you think this is a loophole created by GDPR?

And also from understanding of this GDPR, and it's interesting for me to hear and maybe it can be discussed here as well is the privacy divide, so it refers to the Washington Post where they say that if you can give up your privacy and then you get the service, and but if you pay this amount, your privacy will be protected. So the speaker said that under the GDPR this is allowed, but how do you see about this? Do you think this is one of the next homework that maybe the next regulation or maybe GDPR needs to be amended maybe in the next? I think that's all. Thank you.


>> AUDIENCE MEMBER: Thank you for giving the floor. My name is Sunho from UNESCO. I think, frankly, about the journalist community which is quite forgotten to some extent because journalism is playing a role and on one hand, they need to have very secured communication with sources, to protect their sources so they can investigate crimes, corruptions.

On the other hand, UNESCO is observing the trend of the digital attacks against the journalists and the freelancers and media actors and now there is more and more track and they are more vulnerable in digital age to be attacked by digital means, so I do feel that's a community that maybe GDPR can be more sensitive to.

I know there is an article in the GDPR to try to reconcile the rights to privacy and those of expression, but I think in reality I think maybe more can be done on this regard.

The second issue is about independent media websites and last week I was in Nebraska, I don't know anybody else there, and I was reading lunch of the report by CIMA, center of international media association. I found there are a number of independent media, small protection news websites and they were tracked and that data was collected by third parties and a new risk, a new trend that we need to keep a close look at.

Certainly, the news websites and many Internet companies they are collecting data as part of the business model which I'm still doubting about the legitimacy if -- that seems not very much conducive to right to privacy and neither to the right of free expression, but it seems that the Internet is also independent of media, more vulnerable, and not collecting data by themselves but that being collected by third parties which can be quite risky for the users and also producers of this kind of independent content.

>> COLLIN KURRE: Thank you. I'm very sorry but we really have to start with the next part, which is -- which is about impact, so we've been talking about the challenges a lot and let's now turn to the impact we've seen already, or actually the question is what is the impact that we want to see?

This part is going to be about two main topics. We're going to discuss the impact we see in the European Union and the impact we see or the impact we want to see outside of the European Union, so the global impact itself.

Luckily, we have a diverse group of key discussants in this part, so I'm going to ask Diego to maybe start and talk about the European perspective, yeah. Just take it away.

>> DIEGO NARRANJO: Thanks, from European Digital Rights again. So how to measure the impact and what I like to see. Well, how to measure impact is very clear. We've been working on this small project called GDPR today. We edit every two months on different countries analyzing a lot of data and we ask all the DPAs is a number of complaints and the number of procedures they opened and that they closed, and then the amount of fines and how many of them they issued and, generally, they also approve any costs -- so we try to gather a lot of data from DPAs regarding enforcement because I think that's clear.

The European Commission has published also now some infographic about it and I don't think it's very comprehensive or I haven't seen the full, at least, and neither has the EPDP to my knowledge. I missed last week when I was away, but the clear thing is the data missing -- we have to ask the DPAs constantly to get the data, we got the information from all 15 of them, which is quite a lot but not all of them, and so that's one of the issue, the issue of enforcement and monitoring how GDPR is enforced so we can see if work is done properly or not.

We see strong coordination between the DPAs in cases of especially international cases between two Member States, it's not so clear who is going to take the lead, who is going to follow up. And then we see that the data protection by design, it's not taken seriously and the famous issue with the consent in a website, is so absurd that it's not even laughable, and I think that needs to be taken seriously and -- has taken Google to court because of that.

We need to be clear in how -- in how the adaptations are around the legitimate interest legal basis because that's one of the legal basis most frequently used by companies who say this is my legitimate interest to make money; and therefore, I'm going to use this data that I actually don't need, so we need to be a bit more clear about that.

And generally also, we think there needs to be more support for SMEs, for NGOs and associations who want to do things right, but they don't know how to do that. I got dozens of requests from NGOs asking for a free workshop on GDPR which I couldn't do so more action needed by DPAs to help those people, associations, especially smaller ones, who want to do things right.

On the international level, now we have the GDPR at the EU level and we cannot forget about Convention 108 +, the Convention of personal data and that's one very instrumental data and we've been asked not only by abroad to sign and ratified as soon as possible but for that, they need to have first their own data protection laws and the way it stands you have a good data protection law in compliance with the Convention then you can sign and ratify the Convention and that's one of our goals at the midterm.

And generally in the GDPR, we thought it was the best possible outcome in that current political, but it's not perfect, and I think that there is more work to be done; especially around enforcement and ensuring compliance which I think a stronger fine, something that hasn't done it, but there are rich DPA where most of the big tech companies are hosted and have been issued zero fines in one year which is outstanding to say the least.

>> COLLIN KURRE: Thank you. So you just announced some of the good news and bad news as well if I understood it. So basically, the data we see around enforcement is promising but it's still in the beginning and hard to say if it's enough, right.

And you've mentioned about the adaptations of the different GDPR provisions, and I'm looking at Raphael, if you could maybe tell us about the country’s specific adaptations and variations? I'm sorry. Okay. Now, we're going to --

I think it maybe makes more sense. Yeah. Thank you.

>> RAPHAEL BEAUREGARD-LACROIX: Thank you, Veszna. I'm Raphael, a researcher at the University of Michigan in the U.S., so I'll have a quick word and maybe not specifically about adaptations of the GDPR to maybe local practices or local law, which is maybe very strategic question, but more about whether the GDPR should accommodate for various beliefs or various practices about privacy, about data protection that we find just even across Western Europe and not to say about the whole Europe or even globally.

There is a feeling, which is widely shared, that there are in the GDPR, certain types of loopholes which the states have already used to diminish or to reduce or to weaken individual rights, individual data protection entitlements.

The perspective I want to bring out here is maybe the other side of the coin as well. The fact that the exercise or the non-exercise of certain data-protection entitlements can have an effect which goes beyond the individual, in a sense that it's outside of the control of the individual, and it's maybe even outside kind of the limited understanding of all the repercussions that our choices can have; especially, in the case of data protection or data processing which is consented to. And the example I like to use is the loyalty points card that we probably have for grocery stores, for pharmacies, or for any kind of stores.

And these effects can also vary across different European societies, meaning that there are some types of processing which will be seen as legitimate and which may have positive effects in the one place in Europe and it would not be the case somewhere else, so maybe if we have more time I would be glad to discuss some examples, but if we have anyone from a Nordic country here might be familiar with the fact that text data is public, at least in good part, in several Nordic countries which it's completely unacceptable in many other places in Europe, so that's one example.

So maybe one -- my key point here is really the fact that just kind of stacking or giving more and more entitlements to individuals and promoting this idea of individual control and maybe individual sovereignty may lead us to ignore this other side of the equation, which is the effect that our choices can have on everyone else on the society, which we are part of individually. Thank you.

>> VESZNA WESSENAUER: Thank you. That's actually I think that brings us very nicely to the cooperation practice like Telefonica, you have to operate in different countries but have to operate in different country, and it would be nice to hear about the practices in terms of GDPR compliance and maybe I also add a few things after your comment from my digital rights perspective on this.

>> CHRISTOPH STECK: Thanks very much, happy to do so. So we had the changes first.

>> VESZNA WESSENAUER: Could you introduce yourself?

>> CHRISTOPH STECK: Christoph Steck. I think GDPR from our perspective is a good thing and created a lot of good things. There are challenges, no doubt about it, but we should be aware that there is not kind of businesses saying that GDPR is bad. My company and many others have supported GDPR and the idea of GDPR right from the start and we still support it.

I will speak about the impact on from various perspectives, especially with the EU, and I think you only look at people in the EU, citizens in the EU and there is a positive story that at least two-thirds of Europeans and this comes from the other week, they asked 30,000 Europeans, so quite a good sample, and they know about GDPR, and 70% even know about one right they have under GDPR and that's amazing.

And 60% even say they read privacy statements and policies, which is quite a surprise to me because I think that many people don't care so much about it, but really that 60% do that.

It's true that this went down, x you compare the numbers from 2015 and 2019, this number went down by nearly 10% and which brings us maybe to one of the challenges again which is certain fatigue around these policies and the clicking and so on, and I will come to that in a second.

In general, I think more awareness, which is quite good, and speaking for companies in general, of course there has been a major compliance effort and just to give you one number, there are around 500,000 DPOs today in Europe, so half a million people and companies responsible for privacy and data protection and these are not new job, these people have been around before, most of them at least, but they are clearly entitled internally to be responsible for this issue, so that on its own, imagine every day, you know, 500,000 people in Europe and companies are working on privacy data protection. It's a massive impact and apart from all the other issues.

But I think even more importantly, the whole issue of data protection is raised to a broad level, has been before something your legal department cared for or something, and suddenly now a lot of companies have to kind of make decisions to maximum executive levels, and I think they had to reflect about the role they have in a data society. I mean, the role they wanted to have for that company regarding privacy and data protection.

For example, in my company, the question immediately came up, okay, so we have to comply in Europe, of course, no doubt about it. But how about Latin America? So can we internally create a privacy policy for Telefonica that applies to Berlin and another country, and if you open on that level, it's quite interesting the dynamics you see because, of course, the response from nearly all executives has been, no, no, we cannot, these are all my customers and I cannot say that I will treat someone so to speak better and others I will treat worse and so the effect has been immediately kind of a global implementation of these rules internally and in policy, and if you look around the board, you see nearly all companies went down that road. Very few companies just complied, you know, at least the big global companies.

And I also think it has created an impact that companies have put their data house in order. You know, basically, we have created new systems, we have created much more organized supervision and governance of data. I think that's also the solution forward, and as I mentioned before, there is a certain fatigue regarding giving the agreements to policies.

I think we have to think about more dynamic ways of doing these things and I think the ticking the box approach is a compliance approach, but I think we have to look into new ways, using for example, new customer interfaces to give even more granular choices about what people want to do with data or can do with data and so on.

I think that's going to be the future and that's the interesting part, something that we call internally, data ethics, you know, how can you really create empowerment of users of customers regarding their data? How can you be even more transparent, give more portability, et cetera, et cetera, these are the key questions we have and are considering currently.

Finally, government, EU government, I think they have to live up to the fact that the idea of GDPR was to create a harmonized approach, a harmonized approach across Europe, and a harmonized approach also across sectors, and I think that gold plating of GDPR, and you know, that's something that governments in certain parts are trying to do and that's not the idea. The idea is that we create a common standard and that's it. Full stop.

I mean, that was a regulation and not a directive as before, so I think we have to kind of stick to that rule. I personally, also believe that creating now higher privacy standards or different privacy rules for specific sectors like banks or telecommunication is not the right approach and I think these things should be included in GDPR, and I think that's maybe one of the improvements we can do over the next time, to kind of include these issues in GDPR. I mean, there might be secrecy of communication and other issues and I agree to that, but maybe it's the no the right thing to create separate laws but really to have one central law.

And then the international -- with that, the international impact, I think again it has been good. I mean, there is a more harmonized approach to privacy now in the world, and it's maybe not the -- not as we would have wished it to happen. Of course, international policy-making on data has totally failed in the last years, there is no effort which has created anything like a kind of common approach, and so now it's going the other way. I mean, Europe stepped ahead and created the first modern data protection law, and then basically, now due to the sheer force of economic policy, a lot of people are kind of falling in line, japan, Brazil, India, United States, and so I think that we're creating some form of more harmonized international world which is good because the future is the same you create rights and independent authority supervising the rights, which is actually not a bad approach, and you have seen maybe that the G20, another Japanese presidency is now talking about creating a trusted data space and basically globally, which is the same idea. And so I think that we have quite a positive impact on the international policymaking, with all the challenges, and I see the challenges as well but I believe in is very good, actually, going forward not only for competition, not only for people, but also really for creating this kind of common understanding that in a data-driven economy, the issue of privacy has to be taken seriously.

>> VESZNA WESSENAUER: Thank you. Maybe I'll just add a quick comment about ranking digital rights and for those of you that are not familiar with the ranking digital rights, we look at the communication and Internet companies around the world. And Telefonica is part of the companies and it's interesting that you say what we see the GDPR actually did increase awareness around privacy, but what we've seen in the index when looking at the privacy policies of the European telecommunication companies, it's actually these companies don't tell much more about the GDPR obligations than they -- than before GDPR became applicable. So in terms of transparency around privacy rights and or privacy policies of these companies, we don't see more transparency and many would argue, of course, that we shouldn't put the onus on the users about understanding all of these rights, but I think that's an interesting question and that's an important question from an average citizen's perspective, shouldn't they also be aware of all the obligations and rights they have under the GDPR. That is to say we don't measure GDPR compliance but we look at company disclosures and policies.

And, Christoph, you also mentioned, yeah, you also mentioned something which I think is very relevant and brings us to Peter about the fragmentation of privacy rights and different applications in different countries, and I wanted to ask Peter about, from like the Council of Europe perspective, if we can -- we have a question? Maybe can we wait? We're going to have an open floor. Yeah. Is this very connected to the European perspective or can you wait until we finish with the global perspective? Great. Thank you.

Yeah, so my question would be, what can we see is there a big difference between the application of the GDPR or the impact of GDPR, and of course there is, but what difference do we see in the European Member States and the non-European Member States in Europe and other parts of the world?

>> PETER KIMPIAN: Yes, thank you very much. So my name is Peter Kimpian and I work with the Data Protection United of the Council of Europe and I think the first question I'd like to -- or I have to answer to the audience is why we are speaking about Convention 108 here at the GDPR Panel and it's a very valid question, but those who are familiar with the construction of the international protection mechanism and protection framework, I think for those questions this is not that.

There is a situation, and where countries have been facing challenges, and it hasn't started today with the adoption of the GDPR and the right to privacy and data protection has a very wide precedence, even within the European Union and in different parts of the world as well.

But I'm very happy that I cannot only share with you my thoughts on that because last week we had an international conference on Convention 108 and Distinguished Speakers such as UN Special Report on the Right of Policy and Policy Director of the French Authority shared their thoughts and I would use these thoughts to highlight some of the facts and some of the possibilities that we have -- that we have with Convention 108 with respect to GDPR.

So, I think first and foremost, and to answer this question of what is Convention 108, I think one of the speakers put it very rightly that it is a common response to collective challenges, and I think it has always been like this, so Convention 108 has been open to signature first in 1981 with a completely different -- a completely different -- how to say, circumstances. And now, it's again coming -- coming into importance as from an EU perspective, it can be seen as a, how do you say in French, a bridge between EU and other parts of the world.

When it comes first and foremost to transfer of data, and the transfer regime that Convention 108 puts in place, and secondly by the cooperation between authorities that the Convention Committee can ensure. It is always a non-negligible fact that within Convention 108 and within the Committee as work we have as much as 20 recommendations to additional protocols and one amending protocol which means, of course, lots of international negotiations and lots of lectures, but also lots of consensus on different issues and on very controversial issues as well.

And you might be familiar with the current status, but just for the records, currently we have 55 Member States to the Convention with 25 Observers; so basically, we can reach out when I speak about this consensus to roughly 67 countries in the world.

The measures were equally really important in the past. I was mentioning 20 recommendations and the Representative of the European Commission gave some examples during the conference on how it influenced European Union legislation that the Committee developed in the past.

The Convention 108 has a high-level convergence with the instruments, notably the GDPR and the Policy Directive, which is even more revolutionary than the GDPR, according to some. The modernization process that we recently went through has been attended actively by the European Commission and during this negotiation, which lasted seven years and which have been very difficult, they made sure that the new version of the Convention is fully compatible and consistent with the GDPR and other EU instruments.

The -- this new version and we'll bring an absolute novelty, which is to allow international governmental organizations to join this Convention, and it will include, and we hope so, the European Union as well. The European Union and one of its strategies, which they published in 2017, they expressly put this out as a strategy -- a strategy of the European commission to join Convention 108.

>> VESZNA WESSENAUER: Sorry, Peter, could you please, wrap up.

>> PETER KIMPIAN: Maybe one or two ideas. One area where it can also offer an unprecedented -- an unprecedented level of cooperation is the public security and everything which is around public security.

As Convention 108 is also covering areas which other privacy regulation is not covering namely national security, defense, and other areas as well.

The Convention was proven very useful for countries like Tunisia in democratic transition to gain authority which has been established and standard-setting capabilities was also mentioned by Argentinian example, where the Argentinian national strategy on AI was based on one of our guidances that we issued recently on Artificial Intelligence.

>> VESZNA WESSENAUER: Thanks a lot. I would like to turn to Meri because we have data protection perspective from Albania here. Could you tell us about the impact of GDPR, what impact would you like to see around GDPR?

>> MERI KUJXHIJA: Hello. My name is Meri and I come from Albania Data Protection Commissioner and part of Legal Department and to speak briefly about impact of GDPR in our country, in fact, it represents two full challenges, which we rely first the EU integration, so we have to align our national framework with, and then secondly the regulations impact on the economic vis-a-vis our enterprises.

So first, we have to amend our legislation with the GDPR's and now we are in the steps of the screening process, and this process is due to be completed by the end of 2020.

And, meanwhile, we have taken some prior measures and have the DPOs in our sub-legal, and added our privacy police in regard with the GDPR and we have done some raising of awareness with public and private sectors, and of course, the controllers and the processer who are processing personal data of EU citizens and specifically in the areas of bank have education, telecommunication, marketing, et cetera.

And but meanwhile, there is as into the entry into force of the application of the GDPR, we have many questions and concerns are addressed to our office, the Albania Information and Data Protection Commissioner, and mainly, with reference to Article 3 of the GDPR and so the scope, and namely the territorial scope of the regulations.

And let me briefly, very briefly highlight some several issues, and so Albanian controls have raised concerns with regard to they need more clarification about the procedures that the Board or that the EU Supervisory Authorities will follow in eventual cases of imposing administrative fines and penalties.

Another issue the controllers raised was a question mark regarding -- they want concrete examples about the -- about the -- regarding the application of the GDPR to non-EU processers that process the data resulting from the targeting of EU data subjects by the controllers.

Another important issues they raised was about the non-EU controllers and processer that perform international transfer of data transfer should the non-EU controllers apply Chapter 5 of the GDPR, the measures of Chapter 5 of the GDPR and so these are some issues and from our points of the Albanian Commissioner, we also had considered as relevant the fact that we test with regard to the cooperation between our authority like regulatory authority of the country and the EU Supervisory Authorities regarding the cooperation of online inspection. Yes. One minute.

So these are some issues we raised during the enforcement of the GDPR. The last thing I want to say just briefly, I want to remind you that the 41st edition of ICD International Conference of Data Protection and Privacy Commissioners will be held in the Western Balkans and our authorities will organize this conference and so we're very glad and we think very important issues will be taken at the 41st Education in October; and so therefore, I have this opportunity to announce our invitation and to join us with your inputs and expertise, of course. Thank you.

>> VESZNA WESSENAUER: Before we open the floor up, would you like to elaborate a bit more on the economic impacts of GDPR on industry in Albania?

>> MERI KUJXHIJA: Yes. For now, we are, you know, in the steps much awareness and we have a lot of trainings and we have done some cooperation with Ernst and Young and other controllers, but still we haven't done -- we haven't concreted cases. But some cases that we have are with telemarketing call centers from Italy, and we have collaboration with tele-privacy and so we have done some inspection, but just recommendation but not penalties and fines.

>> VESZNA WESSENAUER: Thank you. I think we have some time to open the floor for discussion around the impact of the GDPR. I think you were the first one from previous sections, and then you, and then there is one. Thanks.

>> AUDIENCE MEMBER: So, my name is Bob. Okay, architecture entrepreneur and 5th year in data collection and we found a way to do some different things with the HTTP protocol as it was described.

And I think as an Internet users, you all have the freedom of using the Internet as it's meant to be, and I think the complexity and impact is more on the protocol itself instead of all the policies that we want to make on top of it because I think there is an overregulation at the moment based on the GDPR, but I think --

>> VESZNA WESSENAUER: Overregulation?

>> AUDIENCE MEMBER: I think there will be an overregulation, absolutely, because the California Act, the child control -- 52 states in the U.S. that are making their own privacy regulation, and in Brazil it's already there, and so I think we're in a World Wide Web where the freedom of Internet is there, the protocol is supporting that, and so the difficulty is that if, for example, what was just mentioned, if someone is re-targeting from a non-European country to European citizens, the GDPR is there.

So, if you can't create a protocol and more classification on the legal part of it and like the W3C tried to do with the HTTP protocol, there is a tremendous opportunity out there to comply to all of these regulations because the right to be forgotten, freedom of people, freedom of speech, these will all be in microenvironments where people want to be themselves and want to express themselves on the World Wide Web.

And I want to address data as not an oil because we think it's an oil, but it's water. Because if you are a refugee, you don't have a birth date even and so data is also one and if you want to be an oil sheik with the oil, it's water because we need it and it's there but we are the authors of our own data on Google, et cetera, but they took it from us to be the products of their infrastructure.

And I think there is something that the policymakers need to look for and the authorities because they own the browser, they own the networks, they own the free Google analytics and so I think if you look up Facebook, I think there are the dominant players that we need to take into -- yeah, into considerations why and how far within the regulations.

And if you want to have an insight about what we invented, and it's patenting the technology where we can support ICANN with the HTTP with Telefonica to reach out to me because we did something very interesting with research of the university.

>> VESZNA WESSENAUER: Thank you. We have to -- now the time is even less, so you have two minutes, everyone has two minutes for intervention.

>> AUDIENCE MEMBER: Hi, I'm Mr. Castro from Brazilian Internet Committee. For some of you that are not aware we have approved national law on data protection last year and we just approved the creation of the new authority, the national authority.

This legislation is fully in spirit of the GDPR, and for this reason, we're very interested in learning from you about this important issues that have been raised here like those from the colleague from Albania about fines and notifications, and there is one particular issue that I would like to learn from anyone who can tell me, is how to treat the legacy, the historical data.

Because our law says that the National Authority have the power to rule the use of this data, and it is a very sensitive subject, and I thank a lot if someone can call me in private and talk to me about how GDPR is with this. Thank you so much.

>> VESZNA WESSENAUER: Wonderful. Yes, first, thank you.

>> AUDIENCE MEMBER: Thank you. I'm Demitri, representing Georgia. Thanks to the previous speakers from Albania who said mostly everything that I wanted to say, and so I will have two minutes, right? One and a half.

So as you know we have an association agreement and we are not Member State yet but we have an Association Agreement but due to Article 3, the territorial scope, as everyone knows, causes a lot of questions for non-EU countries. It became the subject of interpretation.

So, in Georgia, not only this issue but also a lot of other issues from GDPR, are being interpreted differently from different levels from businesses from supervisor from the state representative, et cetera.

And the main question that I wanted to say a lot of things, but today in Georgia, we have a law which is in compliance with the repealed directive, the previous one which GDPR repealed, and there is now a new draft law which is GDPR compliant.

But anyway, my discussion question is, how to manage -- we all know that we have no court practice because no one can go to court no Georgia and make or demand something for some GDPR Article and so thus we have no court interpretations of Articles.

On the other hand, the supervisor has just the ability to give recommendations and these recommendations are also based on some good practices, on which they personally think that are valuable, and so how can we share the most valuable and most trusted interpretations and recommendations that are connected to some different articles from GDPR?

>> VESZNA WESSENAUER: Thank you. I don't think I have the answer, but maybe if someone has the answer in the room, please turn to you.

Marianne? I think there is a mic.

>> MARIANNE FRANKLIN: Hi. Thanks. My first point is about whether data is oil or water, and these are metaphors being used, I know, and I take your point. But however water like oil is now being monetized, water like oil has become a commercial for-profit enterprise as a natural resource, so unfortunately, the facts of the matter is that our data is actually commercially valuable and data protection as opposed -- it's supposed to mitigate some of these more extreme forms of monetization and commercialization.

And I want people not to forget the GDPR means many things in jurisdictions despite the rulebooks, the regulation is in place and can be poorly implemented, poorly interpreted, and that's the question that faces us. So I'd like to ask whether there is going to be investment from the EU level in granular research that will take each jurisdiction or different communities in jurisdictions and across jurisdictions and take a long hard look at the GDPR not on its own in isolation, but in the wider context in terms of what it promises, what it can deliver if well implemented, and if appropriately implemented, and what it cannot possibly offer so that we don't get caught up in once again, one-size-fits-all trap that conversations about Internet policy end up. We come up with the right regulation, the right silver bullet, and we will have solved all the social, cultural, economic, and political problems of our time today.

So as I applaud GDPR for what the achievement is, to get so many people to sign on in so many countries to sign on, but this is not a time to be complacent. Water, oil, all unsustainable if we carry on like we are, with or without this protection regulation. With or without it, and that's my concern thinking into the future as the globe crawls to being overheated, mainly due to data centers, so come to flash panel 13 tomorrow and learn more. Thank you.

>> VESZNA WESSENAUER: Thank you, Marianne. So let's -- I think we can finish with a nice wrap up and I would like to ask key discussants, but actually everyone to contribute with the rapid-fire takeaway. You all have 30 seconds and I can start. (Laughing)

I would like to see more transparency -- so what I would like you to say is what you expect in the next year regarding the impact of GDPR, what to look out for, what to be monitoring, and if you were to gather here in a year, what would you like to discuss and see and see as a positive or negative or rather positive impact?

So I would like to see more transparency around the applications and the rights under the GDPR so that users are more aware of their rights provided by the GDPR and hence they can file more complaints and ask for remedies.

Anyone else?

>> COLLIN KURRE: Maybe I'll go next to kind of jump around with the mic, and then putting my Article 19 hat back on, what I would like to see over the course of the next year is more work done on attempting to operationalize the different provisions of the GDPR, so thinking about privacy impact assessments, thinking about codes of conduct, what would that look like and how would that -- how would that be able to further the spirit of the regulation?

>> AUDIENCE MEMBER: David from University of Waterdam. I would like to see more studies on the discrepancies between the technological developments that we now face and will face in the next, let's say 24 months, and the status that was, let's say, underlying the thoughts that were laid down in the GDPR because I truly fear that the divide will grow and that the impact of GDPR will suffer from that.

>> AUDIENCE MEMBER: I just want to use the metaphor translated from my native language, I think the GDPR and analysis of GDPR, should follow that laws should be not only as sharp toward the people from the common area and so on, but also to the people or legal entity which is higher. So in this case maybe we should see the impact assessment of the GDPR for things like Facebook, so I think that's the impact assessment we need to see.

>> AUDIENCE MEMBER: And following along impact assessment from the bottom up, so sets a best practice with respect to the least well-endowed members of the communities, top down and bottom up, we forget bottom up. Much more investment in education, business, schools, universities, retirement home, hospitals large, small, public, private, and the gig economy caregivers that we rely on more and more to help them understand some of the principles and challenges of the GDPR to bring in tailor-made implementation. Thank you.

>> AUDIENCE MEMBER: 30 seconds, so harmonize enforcement and equal laws across the EU. We saw bad example from Romania and we don't like to see that, and in other countries we like to see more coordination from the DPAs and we'd like to see, of course, see more court cases and complaints against especially the bigger companies and, perhaps asking for too much, but like to see at least one fine from the Irish DPA.


>> AUDIENCE MEMBER: What we have been experiencing in the past few months and years is that, it's a convergence towards a high-level privacy standards and practice around the globe so I wish it is speed up because I share the previous speaker's concern that we might be behind the clock with that. Thanks.

>> AUDIENCE MEMBER: I often hear in the discussions people saying oh, the intention was good and it's just a question of implementation. I have to say as a lawyer, I find that insanely frustrated. Many of these problems are, in fact, problems with the way that the law was drafted, with the failure to stress test the example given about the Who Is Registry is a very obvious example of inherent problems in the law, and it's not a problem of simple mis implementation of the law. These are things that really need and require an assessment of the GDPR from the ground up.

>> VESZNA WESSENAUER: Thank you. One last.

>> AUDIENCE MEMBER: Ying Lin from Switzerland, and I would like to follow up on what you said over there. In Switzerland, we are just trying right now to make the better GDPR. Several Swiss perspective as a country we are bound to be rather close to GDPR, to retain the data protection equivalence, but at the same time we have the opportunity to make it better in a sense that it's more practical and not going quite to the details, the level of details that transpired into the GDPR and the 100 pages. So the draft in Switzerland right now is around maybe 12 pages with, basically, the same content from building basically on Convention 108, and just trying to be then as close as possible to GDPR, but just to follow up the political requirements of the European Union, and but actually it's a brave, a very brave attempt to do something better but we're not sure yet whether we will succeed.

>> VESZNA WESSENAUER: Thank you. Those 12 pages must be readability at the 1,000 level.

Now, we're going to move to our reporter, Ana Maria, who is going to --

>> (Speaking off mic)

>> VESZNA WESSENAUER: If you want to come down here. We could have had one more hot take. I'm sorry about that. Christoph, did you want to say something?

>> COLLIN KURRE: Christoph, super quick hot take?

>> CHRISTOPH STECK: Super quick. I think that compliance with the law is good and the law can be maybe good or better, but I think that's a little bit like in the Internet world you launch a version and then improve it, and so I think the same with GDPR there will be improvements and it will become better over time, but the second thing is that I think we should not believe that just laws will solve the issue and I think that we need a new kind of ethics around data usage and I think that needs to be something which cannot always be put into law, and I think we need a new, as I said before, a new approach to these things from companies and also more responsibility from people to take care about these issues, so I think something like a data ethical approach to use of data, I think it's the future and the law will be just a safety net, but there will be competition even to higher levels.


>> ANA MARIA CORREA: Okay. I will try to wrap up very briefly. First, the GDPR came to harmonize data protection in Europe and enforce privacy rights. Business recognize the importance in our current data-driven economy, but there are legal uncertainty around it. A standard interpretation of the GDPR should be suitable for company activities and more guidance is also required from the authorities and the GDPR involves multiple stakeholders and should take into consideration vulnerable groups such as university and school students, patients, and refugees, even if the GDPR represents a global standard on privacy, it's not enough to address the excessive collection of data. Citizens should be offered minimal training in schools, universities, hospitals, to understand the impact of the collection of personal data.

In terms of impact the GDPR makes people more aware of privacy rights, and there is a major compliance effort with more than 500,000 DPOs in Europe entitled to guaranteed privacy and finally more transparency about the application and remedies are required, codes of conduct could be a solution for clarifying the purpose and application of the regulation, and so do you all agree or with the messages?

>> COLLIN KURRE: If you have any thoughts or disagreements, please pick up your pen or get your thumb's ready. It's Please send us your thoughts and if you hate this, tell us and we'll fix it. And that message will go to me, to Veszna and rest of the org team and we'll make any changes as required.

Thank you, everyone. I'm Collin from Article 19.

>> VESZNA WESSENAUER: I'm Veszna from Ranking Digital Rights. Thanks for coming.


(Session completed at 3:33 PM Local Time)

This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.