Is GDPR still a mystery? – EDU 01 2018
5 June 2018 | 11:30-13:00 | EVENT ROOM |
GDPR has already been in effect for 11 days. In an interactive format, we'll discuss the mystery, challenge or question you're tackling. You'll be able both to get first-hand information on GDPR basics and to clarify particular aspects that you're interested in. Join us for an intro session for data protection newbies and privacy veterans alike to discuss why GDPR is important and what you need to know about it.
Keywords
data protection, privacy, EU law, GDPR, human rights
Session description
In focused discussions we will try to unveil the mysteries surrounding what your new GDPR rights are, what your obligations are as a company or public authority, and what you need to know if you are transferring personal data. To facilitate more spot-on discussions, you'll have the opportunity both to clarify fuzzy GDPR notions and to go into more depth on the implementation challenges in both EU and non-EU countries. It will be a learning experience for GDPR newbies, as well as a best-practice and experience-sharing exercise for veterans. The discussion will take place in small groups, facilitated by experienced GDPR experts. Please see our key participants below.
Format
At the beginning, our key participants will pitch their topic of interest about the GDPR. They will briefly explain why their topic is important and why you should care. After this, participants will discuss in more depth the topic they are most interested in, together with the key participant who will lead the discussion. To better facilitate the knowledge exchange, the discussion is going to take place in smaller groups.
Further reading
- GDPR explained: https://gdprexplained.eu/
- ICO introduction to GDPR: https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf
- Bird & Bird overview of the GDPR (2017): https://www.twobirds.com/en/hot-topics/general-data-protection-regulation
People
Focal Point
- Valentina Pavel, ApTI
Organising Team (Org Team)
- Katie Kochladze, Youth And Environment Europe YEE
- Ani Nozadze, Georgian Data Protection Authority
- Adriana Minovic, Diplo Foundation
- Andreea Rusu, IG Fellow
Key Participants
- Adriana Minovic, Diplo Foundation
- Ana Kapanadze, Privacy Logic Group
- Nana Rapava, Georgian DPA
- Tapani Tarvainen, Electronic Frontier Finland
- Martina Ferracane, Hamburg University
- Claudio Lucena, Fundação para a Ciência e a Tecnologia, Portugal
- Peter Kimpian, Data Protection Unit - Council of Europe
- Elena Plexida, ICANN
Moderator
- Vladimir Radunovic, Diplo Foundation
Remote Moderator
The Remote Moderator is in charge of facilitating participation via digital channels such as WebEx and social media (Twitter, Facebook). Remote Moderators monitor and moderate the social media channels and the participants via WebEx and forward questions to the session moderator. Please contact the EuroDIG secretariat if you need help to find a Remote Moderator.
Reporter
- Claudio Lucena
Current discussion, conference calls, schedules and minutes
See the discussion tab on the upper left side of this page. Please use this page to publish:
- dates for virtual meetings or coordination calls
- short summary of calls or email exchange
Please be as open and transparent as possible in order to allow others to get involved and contact you. Use the wiki not only as the place to publish results but also to summarize the discussion process.
The most recent call took place Friday, May 11, 2018 2:00 PM Amsterdam, Berlin, Rome, Stockholm, Vienna. Meeting summary available on the discussion list.
Messages
- Social media platforms in particular bring a great number of people into an environment where privacy and data protection are relevant, but the necessary, public capacity-building and awareness initiatives are not yet in place or widely known.
- The balance between freedom of expression and the protection of personal data seems to have been adequately addressed through the public interest exception, but objective mechanisms and tools to achieve this balance are unclear and not yet in place.
- Resources for local data protection authorities are scarce; this will be an obstacle to implementing the GDPR.
- Convention 108, as an internationally binding instrument, can be an important tool in bringing developing countries closer to the GDPR norms, standards and mechanisms which are reflected in it.
- WHOIS is an important tool for the security and stability of the Internet, and as such, it is the duty of care to the Internet community to maintain it, while ensuring the right balance between privacy and security; we need a clear path with respect to the next steps, with ICANN steering the process.
- The GDPR is clear, but its implementation is a common problem for all countries, not just a few. There also needs to be awareness of new technologies and business models, and how the GDPR can be applicable in practice.
- The actual empowerment of the user vis à vis the new approach to the notion of consent is still highly uncertain and one of the main issues concerning the implementation of the GDPR.
- It is necessary to determine whether decisions that were implemented before the GDPR are still a basis for transferring data abroad until they are revised again by the European Commission.
Find an independent report of the session from the Geneva Internet Platform Digital Watch Observatory at https://dig.watch/resources/gdpr-still-mystery
Transcript
Provided by: Caption First, Inc. P.O Box 3066. Monument, CO 80132, Phone: +001-877-825-5234, +001-719-481-9835, www.captionfirst.com
This text is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text is not to be distributed or used in any way that may violate copyright law.
>> Shall we start? Trying to be sharp. We have a lot to be discussed. So welcome to the -- panel with the most sexy title on this EuroDIG. Well, we will compete with the blockchain ones. So the GDPR session. And I'm really pleased to have such a full room. I didn't expect it to be any different. My name is Vladimir Radunovic, from the DiploFoundation. It will be very interactive. Relax.
This is an educational session so the goal of this session is to start with mysteries to try to uncover some of the mysteries and ultimately to get out of this session with -- well, maybe with a more clear picture of what GDPR is about, and what are some of the unclear things and it should be educative for all of us.
It will be interactive. So the format is the following. We will start with a bit of interaction to map, what are the unclear questions? What are the concerns? Then we will have a couple of resource persons which are going to lead the groups. They are going to present with a pitch, the one specific topic they are covering within the GDPR and try to get as many of you to follow them.
As the tourists, running around new cities with an umbrella. We will split into groups and have 30, 40 minutes in each of the groups. Some will be here, and some outside and some in the lobby. And we will leave it for the resources as far as where to choose. Afterwards we will come back here and try to summarize, what are the key points that we -- takeaways from each of the groups.
And then maybe underline what are the still open questions we need to discuss further, maybe not in this session and then at the end, we will hear the messages, some of the -- well, the takeaways from the whole group that we can use as messages of session.
I will introduce the resource persons afterwards. I want to start, actually with all of you, as the sounding of the temperature of the room. How many of you would say that -- how many of you firstly, know what the acronym GDPR stands for?
(Laughter)
Well, it's not everyone, right? That's a good start. Note it down. We have something to discuss.
Okay. Then I want you -- we have the room with mics somewhere over there. Can you help me? Serena. You have been running around too much these days. Thank you so much.
I want for all of you around the table to switch on the mic. I want to pick a couple of mysteries and questions for you. What are the questions that you have to pose right now for this panel about GDPR? Be sharp. Be sweet. One question. And please introduce yourself. Shall we start?
Anyone?
Here. Yep?
>> PARTICIPANT: Good morning, everyone. My name is Anastasia, I'm from Ukraine, working for a private law firm. And what actually is the most hot topic is the extraterritorial action of the GDPR and actually how -- like, the controllers outside the EU should comply with GDPR regulation, but how these extraterritorial action could be enforced actually.
>> VLADIMIR RADUNOVIC: Thank you. Taking notes. Well, we should have prepared an easier one for the beginning. Next, please. Grab the mic. I'm sure you have questions.
Why are you here?
(Laughter)
Professor?
>> PARTICIPANT: Thank you very much, I would be interested in how freedom of expression can be preserved because there's an exception for public interest and public space, but it's not very clear how this is implemented in practice.
>> VLADIMIR RADUNOVIC: Okay. Noted. More?
Are you really so shy? Any other questions? There's a remote question, yes, please.
>> PARTICIPANT: So there is a question, when can SMAs find helpful resources for implementing GDPR?
>> VLADIMIR RADUNOVIC: Who was that?
>> PARTICIPANT: From Amaly deSilva.
>> VLADIMIR RADUNOVIC: Good. Thank you very much.
Any other points? Seriously? Introduce yourself, please.
>> PARTICIPANT: My name is Shac, and coming from Switzerland, from the private sector. One of the big questions, companies all around the world are asking -- or are asking themselves in the compliance, whether GDPR has the potential to become a world standard or not.
>> VLADIMIR RADUNOVIC: Good. GDPR as a world standard. Okay.
Oksana.
>> PARTICIPANT: I'm Oksana, the European media platform, and I'm also from the Ukraine. For example, regarding official representatives, participation in EuroDIG, is it possible to hide official representatives behind the GDPR?
Thank you.
>> VLADIMIR RADUNOVIC: Good. Yes.
>> PARTICIPANT: Actually, our question we plan to discuss, how does GDPR play as a restriction to trade? Yeah. For those that don't do trade law, there's a way in the WTO, the World Trade Organization to require a country to eliminate the restriction if it's efficient to trade which is not justified under one of the exceptions. So the countries may be forced to eliminate privacy, and could GDPR be subject to that?
>> VLADIMIR RADUNOVIC: You just misused your pitch minutes.
I'm kidding.
A question there? Introduce yourself.
>> PARTICIPANT: This is Veronica from digital cities in Romania. Why aren't we ready for GDPR after so many years of negotiating it and three years of preparing it?
>> VLADIMIR RADUNOVIC: Okay. We will skip that question.
(Laughter)
Good question!
Michael.
>> PARTICIPANT: Hi. Hi, my name is Michael. I live in Serbia. I guess I don't really know how to formulate this question precisely, but I will say given the fact that GDPR mandates that organizations and companies outside of Europe reflect their policies based on -- to reflect GDPR, how does this influence how potentially other countries could create laws that then make other -- that make those companies or other countries comply with that? So that sort of thing. I think you get it.
Is that clear?
No?
We'll come back to it.
>> VLADIMIR RADUNOVIC: You can probably raise it again in your group to clarify further.
Okay. Other?
>> PARTICIPANT: I'm Patrick from UNICEF and I think there are some open questions around how the GDPR protects the rights of children as data subjects being things like accessibility of terms and conditions, age of consent, profiling for marketing and advertising. So it would be interesting to see how this shakes out in the Member States and more generally.
>> PARTICIPANT: Hello, I'm an activist for the council groups no hate speech.
My -- it's more like a comment -- what I'm about to say is more like a comment or question. Before the 20th of May, I got a bunch of emails saying you need to reaffirm your email address to our company and stuff like that. The problem was that I never signed up to those companies, but I think -- so my question is, do you think that the GDPR is kind of used as a tool for continuous illegality in that aspect?
Thank you.
>> VLADIMIR RADUNOVIC: Thank you. Okay. We have one in the back and then we will turn to the table.
>> PARTICIPANT: Hi, I'm Alex from Moldova.
>> VLADIMIR RADUNOVIC: Switch on the mic.
>> PARTICIPANT: How GDPR impacts Indian enterprises working with the European cities and data.
>> VLADIMIR RADUNOVIC: Good. Yes.
>> PARTICIPANT: University of Cambridge, does the GDPR put too much burden on the individual?
>> VLADIMIR RADUNOVIC: I hope you are taking notes, hmm?
Good. Okay. Any other? Shall we stop there for the moment?
Good. Thanks a lot. The first lesson learned is that we failed the test of GDPR because you didn't ask how we are going to use your names when you presented yourself and we didn't tell you what we are going to use your name for.
So when asking you to introduce yourself, we actually are going to use your names only for the sake of remote moderation and the captioning. I don't know if they will misuse it any other way.
>> They are registering it.
>> VLADIMIR RADUNOVIC: And the next part is the pitches. So we have -- we are thinking whether to start with five groups but it's so many of us, we will actually do eight groups.
So the next thing is we have a couple of resource persons which are going to lead the group work, the group discussions on eight topics. I will give them the floor one after another to give a short pitch on what they are going to cover within their group. Try to make a note of the topic and the person you want to follow, because immediately after that actually these persons are going to stand and leave and you have to go with them.
Some will be upstairs and some here. And for the remote participants, how many of them we have?
>> We have five.
>> VLADIMIR RADUNOVIC: That's a good group already. For the remote participants they can probably express now their wish for the topics when they are listening and we will try to have one group next to the remote desk so the group is also integrated.
So I will start from my right, as it goes, and I will let you introduce yourselves because of the lack of policies about using the names and stuff.
(Laughter)
Adrianna, your minutes, actually.
>> ADRIANA MINOVIC: Hi. Hi. I'm Adrianna. I'm coming from Belgrade, Serbia. My background is a lawyer, working in ICT for many years, government, private sector, cooperating with Diplo. Today, I will be speaking about what GDPR really brings for private sector, data controllers and data processors.
For me, the biggest change is the change in the corporate culture and corporate compliance, and how do you perceive it within one organization? But which are the practical implications that they are really bringing management to think about the GDPR. You can find out at my table.
Thanks.
>> VLADIMIR RADUNOVIC: Thanks. So Adrianna, related to controllers, processors and so on.
>> Good morning, everyone, thank you for coming. My name is Claudio Lucena. I'm working for the foundation for the science and technology in Portugal. We have been structuring and working with capacity building programs for GDPR for the past two years. Now one of the modules that we thought was addressing a specific subsystem that was not in the directive and one of the main environmental changes in the digital aspect is the social media platforms. So the social media platforms are something that are for the first time specifically addressed in legislation, in the body of law like that.
The idea was to put a lens from everything, consent, portability, right to be forgotten from the aspect of social media. So that's what our group will focus on. We will study or discuss the problems of GDPR specific to social media platforms. Thank you.
I'm also reporting the session for Geneva Internet platform. And I would appreciate if you wish and if you could state your names before you address. Thank you.
>> NANA RAPAVA: Hello, I'm Nana. GDPR is all about the rules: do this and don't do that, data protection officer, data security, and so on, nonstop.
But what is the value of the rules? There's no one to enforce them, right? So this is what the Data Protection Authority does. It supervises compliance with the GDPR. What can we expect from a DPA? Can it prosecute us and fine us? What would be the penalties for noncompliance with the GDPRs and answers to all of these questions, would you get in my group and everyone who chooses my group, follow me to the lobby.
>> So that means Nana took the lobby. I'm Elena.
>> ELENA PLEXIDA: Who is the commissioner, I refer to it this day, and I have to say that I have used to be a Member State before and I used to work for the European Commission before and as a European citizen, I'm very proud of this law, I'm happy that there has been a law enacted in the EU that makes my privacy and the privacy of the individuals a value and protects us.
There are nevertheless, consequences of what is in its purpose a very good law, and disability and the security of the Internet through its effect. So in my group, we will discuss why this is possible, how this is happening, explain and hopefully address and contribute how to resolve this. Thank you.
>> TAPANI TARVAINEN: Hello, I'm Tapani from Electronic Frontier Finland. And I will lead the discussion about one little word "consent." But, of course in GDPR context, that's a rather big word. Things like when do you have to ask for consent, when you can't ask for consent? How can you ask for it? How can't you ask it? Are these kind of emails, please confirm that you would like to require these emails. How do you withdraw your consent and what does it imply? What do you have to do about it? All kinds of little things that the consent seems to seep into almost everything within the GDPR.
So you follow me I don't know where, but I'm sure we assigned a spot to go.
>> ANA KAPANADZE: Good morning, I'm Anna. We will look at the GDPR introduced to us and if this is enough, if data subjects are aware of their lives and I will discuss the issues with you. Thank you.
>> MARTINA FERRACANE: Hello, I'm Martina and I will coordinate the discussion with Peter, the new way of receiving adequacy decision, and we will come out to the new proposals in the code of conduct and the certificates and the GDPR which are not yet discussed and we will also talk about our GDPR and convention and how they play with each other because Peter has been working on the modernization of Convention 108.
>> VLADIMIR RADUNOVIC: Good. That's it. We have seven groups but it's actually seven.
Do we have any preference from the remote participants? Not yet. So we will have to assign them one of the groups.
So before we split, I will have to ask all of you to one by one stand up again so that people can see you.
Adrianna covering controllers and data controls and processes.
So just to memorize who you are following if you are interested in data controllers and processes.
Okay. You can sit down. Thank you.
You have to stand up in a minute again. Claudio.
>> CLAUDIO LUCENA: Ask for a straw poll who are likely to follow them.
>> VLADIMIR RADUNOVIC: That makes sense. Who is interested in data controls and processes? Two, three, five, six. Adrianna.
Next one, Claudio, GDPR and social media who interested in GDPR and social media? Quite a good group.
Next, Nana, the role of the DPAs and DPOs, the data processing authorities good, four, five, six.
Elena who is GDPR? Ike and crew. That's good.
>> ELENA PLEXIDA: Can we follow two?
Are.
>> VLADIMIR RADUNOVIC: We had that challenge yesterday.
Okay. Tapani, the consent. Only four? I'm sure there will be more.
Good. Then Anna, data subject rights. Data subject rights.
Ana, you will have to explain it again.
(Laughter)
No, seriously, do you want to explain again? Give another pitch?
>> ANA KAPANADZE: Is it working? Well, there are some rights of data subjects in GDPR I would like to cover. I would like to discuss them, what do they mean, and how does this impact our everyday lives and do we know about them? Do we know what is going behind the desks? Do we know about processing and compiling and so on and what can we do? And if these rights, the right to be forgotten and the portability, if they are enough to protect our environment.
>> VLADIMIR RADUNOVIC: Should I ask you again or simply follow her if you wish. Okay. At least one. There will be more. And the last one is Martina.
So Martina is covering the data transfers, the international transfers. You can stand up so they see you. Who is interested in that? Who will follow data transfer, Council of Europe and so on? Two, maybe three.
Any comments from the remote? Not for the moment.
So we have time until what was it 11:50, right? 12:30. Sorry.
Yeah, we have until 1:00. So until 12:30 and then 12:30, we meet here. And we'll go this way. To firstly, Adrianna will sit here. So whoever wants to sit with Adrianna on the controllers processes is here.
The second one is Claudio. Claudio can go that corner, right? Claudio is covering social media, he will be in that corner.
The third one is Nana. Nana will go to the lobby. So where the reception desk, right there's a nice fireplace. Nana is going there. She's the role of the DPA and DPO, follow Nana there.
Elena, who is and GDPR is also in the lobby. We have two places in the lobby. So go with Elena in the lobby.
Tapani is staying here, in that part of the room. Tapani here. And see if there is -- okay. Ana is joining with Tapani and we will have the consent and the data subject rights here in this room and finally, Martina is going out, if it's okay with you, in the garden. So whoever wants to chill out, you go to the garden to the data transfer, the international data transfer.
See you at 12:30.
(Group discussions)
>> Okay. This is the remote participation microphone. It's not actually working. Okay. It's working. Okay. Let's unmute this computer so that remote participants can hear us and we can hear them. Any of you guys online, if you would like to take part in this discussion, we can give you the microphone so you can speak.
So whatever you want to -- the remote participants to hear, it has to go through this microphone.
>> Hello.
>> One of the challenges that your group has is you have remote participants. If they wish to, they should be listening to you. Use the microphone or have it somewhere else. And if they wish to speak, they can also speak. She knows she can unmute or otherwise if they don't want to speak, they can type the questions. That's fine. It's important that you try to use the mic at least somewhere here so they can hear. Thanks.
>> Thanks. Sorry. Today here we will discuss the role of data processors and data controllers because I think in the last few months we were all hearing, you know, what GDPR brings to the individual, how can you exercise your rights and the most important topic was, you know, what can you do as an individual?
On the other side, when it comes to the companies and the corporate sectors, you will just hear, oh, this is so hard burden. It's a huge task to do. We need to prepare for two years to be compliant and other questions.
So that's why I wanted, you know, just to go briefly through what GDPR really brings to the companies, and what you really need to do in terms of practical implications of your business and how to be sure to be compliant.
In the first place from my practical experiences, I have to say the GDPR brings the change in the corporate culture. For the first time, you have one human rights instruments discussed on the top level management, you know, like on the board sessions you are discussing, you know the GDPR privacy and everything, and how privacy is affecting your business. This was definitely not like this up until now, because, you know, it was not so common to, you know, inflict the privacy questions and the human rights questions into the business area. That's why especially if you see how is the DPO are all designed, in most companies, it is reporting directly to the CEO or to the executive board. It is quite clear, you know, that the GDPR and the privacy has really, really high role in the position in the corporate sector.
Also, what is important is the novelties that it brings into the very business. On one side, definitely, it is usually said it brings most of the changes to the data controls because they are, you know, the first point to get into the privacy, you know, your data and everything that you collect.
But, on the other hand, even though many people think the data processors are somehow in the -- you know, looser position, they don't need to comply that much, I would strongly disagree with that.
The first pact is in essence, GDPR is asking for your partners, like your data controller for all of your partners to be compliant also with GDPR. So it's one change that is, you know, just reflecting from one point to each other. If you want to cooperate with me, GDPR controller, somehow you need to ensure that you are also GDPR compliant. If you get data subject requests I don't know for information or deletion of the data or whatever, I will also ask for you as my processor to exercise this right.
Also you need to keep some records if the DPA comes to see my processing activities. So you can be subjective to some control and many other things especially cooperation and brief notification and other steps, but definitely the two most important changes from my perspective, and most challenging unfortunately up until now, that are not that elaborate or see how to be exercised in the very practices privacy by design and privacy by default.
Because now for the first time, you really need -- when you are in one corporation and you are doing any business process like marketing or sales or something like that, you need to think about the privacy. And from the very beginning you need to include your DPO in the very process. So when you are starting to design your business model, how you recollect data, and how you will use this data, you need to consult your DPO. This was uncommon for legal folks, but nonetheless to the privacy matters.
Also what is important for some companies you need to do privacy impact assessment which is one of the most challenging things I would have to say, because the companies need to really, you know, see whether the risks, whether the implications and to weigh these two and present and, you know, all of these things that we are doing are not presenting, you know, the high risks for, you know, violation of right to privacy and right to individuals.
So pretty much you need to some pattern other check list but you need to go deep into this process and think what you are doing, how you are doing and how this is affecting individuals and in the very end, to demonstrate all of this in the document like privacy impact assessment.
So for me, from the very practice, the most important implication on the data controls and the data processes but I would really like to hear from all of you what are your concerns.
Sorry.
>> PARTICIPANT: Do I have to? I'm Elissa Stamel, I'm from the electronic certification and cybersecurity from Albania. The authority. So what is my concern? Okay, we passed the law. We implement -- do I have to speak like this?
Okay. Sorry. Thank you. So my concern is that as an authority, that I'm supposed to -- since Albania is not yet into the European Union, but we have implemented the direction, as it's supposed to be implemented.
My concern is how I'm supposed to control those, how they are implementing the law that I already passed. This is my problem.
We have made a list of, let's say, critical infrastructure, which the companies are mostly banks and issues for us at the moment.
I suppose, if they are applying those -- if I'm an authority, I can go and control and I'm allowed by law to make the certain control on these data. Problem is -- up to what point I can track that they are okay with the -- all the topics that used to be a control, because business anyhow, they are supposed to be -- how they are supposed to connect.
The European countries, working in Albania, and I'm supposed to implement this, right, the way it's implemented in Europe. I'm doing this for these individuals, but I have to do also for the other ones. So these are some of the topics that I wanted to check according to your information.
>> ADRIANA MINOVIC: So my first what type of authorities are and how you drafted your legislation and what are your authorization are with respect. How do you control and to what extent, I agree with you, most of the countries started from this, which are the biggest company who are collecting the data like the banks and the telecom operators and so it's quite clear. I don't think that the point of GDPR, you know, was to that much control over the various subjects. I think that the point was hey, folks, let's self-regulate. Here are the rules. Try to implement. And if you see that, you know, GDPR is asking for you, that your processors are compliant, the very corporate companies, controllers over there in the chain, there's the high level of corporate culture. They will not cooperate with you if you are not compliant. And where you specify in detail, what you do, and what technical organization measures you implement. The very companies will force one to each other, into the very change to be the GDPR compliant. That pretty much is the task of national authorities because, you know, I think it is unfeasible and impracticable to expect. How many people do you have, I don't know, to have the full control over all corporate identities. That's not the case in other areas more traditional like tax or something else, nonetheless, into the privacy.
I think this how to say -- that will just develop and when companies are forcing their business partners to be compliant, the biggest how to say, motivating force to be compliant.
You have some list of the primary companies that you will check for sure, but in essence for everything else, you will react upon the notification of anybody who is complain with the behavior. So that will be your trigger. I don't think it's feasible for the corporate identities.
This will be challenging into, you know, big companies that you have under the list and to see what they are doing or even to react upon notification.
But pretty much, I think that when the practice, you know, starts and everything starts, you know, living and everything starts going where the data subjects approach you, you see from their requests what are their concerns when they have in the company, what to look for. That's my opinion.
Anybody?
Sorry.
>> PARTICIPANT: Hello, my name is Elena and I have been working as a lawyer for the European court of human rights and the Council of Europe and today I'm representing a law firm. We advise a lot of businesses related to Internet and so here I face in connection with the GDPR. First of all, I say in Russia it seems it's a little misrepresented and misinterpreted because there's some information about the GDPR and the requirements, which I -- from my personal view are not correct. And this is a problem of interpretation and this stresses small businesses, which is a huge burden and GDPR to illustrate, and they have been sending out newsletters for ten years for particular clients and now they have to stop this practice because they don't have the proper consent, which is required on GDPR. Nobody understands that the main question is related Europe, and it's difficult. It's not in Russia. The GDPR should be applied more or less if the company has international business or some Internet -- some international clients automatically applies.
And this puts some stress because there's personal data regulations which at some point might also conflict to the GDPR and the main question is the law, which says that all communications should be kept during six months, and they should be kept for three years.
Apparently there's a conflict with GDPR, which says because that can be done for legal purposes and whether this is a good purpose for GDPR and European authorities. That's my first question, because otherwise, there may be things that they may be forced to leave the European market, if this is a dual legal requirement.
And the second question is what is the relation between the blockchain requirements and in blockchain you cannot delete information. Also under the GDPR, you have to keep information for a certain period of time and then you have to get rid of this and I also don't understand how it will work.
And my third question is about transfer of personal data. And you cannot transfer to some countries if they are not considered good. On the other hand, you have the Council of Europe convention, which was recently amended on the 18th of May and it says data can be freely transferred to the countries in this convention, which in my opinion maybe I'm mistaken. Correct me if I'm mistaken, but in my opinion, the personal data can be freely transferred and special consents within the territory of all Member States of the Council of Europe.
So these are my questions I would like to raise.
>> PARTICIPANT: We have a remote question, from Amaly deSilva. Accountants in particular are developing GDPR application management and as a part of the professional area of practice.
>> ADRIANA MINOVIC: Okay. Thanks. I will briefly refer to your questions. As you said, well, the problem with the interpretation is the GDPR is not -- I think it's a common problem for any country. It's not only Russia. For me, GDPR, it's really great first step to regulate the issue of the privacy, but as all first steps, it is the first step. So lets be realistic. This is something that will need to be further developed that needs to be interpreted according to the practice and to the development of technology.
When GDPR started to be drafted, I think it was in 2012, if I'm not mistaken, then it's how much, four years to, you know, sorry. Yeah. They need a few years to develop GDPR and at that time, the technology goes further. As you mentioned the blockchain. And today it's the biggest change you will probably implement the concern to the blockchain and I don't see the answer at this stage or at this point.
So that is something that will be elaborate in the practice. I think I read recently that even in Austria, I don't know if anybody is familiar, they have the new legislation that pretty much with interpretation of who are -- you know to who you apply, it covered the business entities which is quite absurd. So that's how you see that some things are not, you know, still seen how to be applicable in the practice.
And I think we will now need to see how they implement all of this and whether we see the burdens and what are implications with GDPR to every business model in order to say, okay, we need this to ingest. And also when you read the GDPR, there are many places where you have like, how to say, limitations that some things will be done if this is feasible, if this can be exercised. So from the very tone of GDPR, you see there is recognized need that this needs to be implemented into the private practices and to see how everything will go.
As for the burden on the small companies, also the key issue in every country because the first are the small companies who will really raise their voices and, hey, this is too big, you know, compliance effort for us. We don't have money, and we cannot do this. And this is tough for our business, but from my point of view, I think we should really ask the question: What is the small company?
Do you think that the small company is somebody who is doing, you know -- gathering all the data from many sites and do many surveys or selling the products online and who has maybe a few employees because most of the things is done based on some algorithms or based on some software or has a really big turnover. That's why I think we should try to redefine what is the small and medium enterprises in the sense of the digital economy. Because it's not really the same as the -- in the traditional, you know, economy where we learned to measure the size of the company by the number of employees, by the size of the profits, he is.
For GDPR, you see one risk approach and risk balanced, you know, in the very text, where you are pretty much looking -- what are you doing with data? And how much data do you have? And how big risk you pose to the question of privacy. That should be the primary criteria for you to see whether this compliance is a big burden to you or not. For example, if we were talking about the company that is producing food or something like, that I think you would all agree that it would not be fair to say. Okay, let's exempt small companies from going through the food quality process because they don't have the money to do, you know, the food quality process. I think that's the same ratio we should comply here. What is their business model, when we are talking about the small and the big companies.
And I'm not sure what was -- sorry. As far as transfer, my colleagues in the other groups are elaborating on that. I agree with you, the convention one, you were saying that you can freely transfer data between the countries and now there's only a few countries and for others you need the permission or some other instrument to transfer the information. And this is a topic that is not elaborated to a different extent and it will lead to more interpretation in the practice.
And as far as from the moderated questions, if I understood Vlad, it's definitely some -- the comment is what consultants counts, they are developing certain data management application systems and that becomes popular nowadays. You can see one trust and many other providers that are providing you with certain solution of how to be GDPR compliant.
But the essence is with GDPR you have a lot of paperwork, you know to prove your efforts and prove that you -- to see your policies. To prove that you are exercising records, how do you respond to this and that, you know, whether you are deleting this after a year or two?
How do you implement -- if you are selling goods online, to -- on each user, you delete the data after two years, you know, if we buy goods every day so you have the contracts starting from different periods, et cetera. So pretty much, they are amending the tools that can be very useful for the bureaucrats. But as much as you say, like you say, you have contract management systems in the company, that's pretty much the same thing. It's useful and handy, but in essence, it is not making things done. You need to design everything that you can put into the system that will just do the bureaucratic, instead of you.
Okay. Yeah.
>> PARTICIPANT: There's a comment about Russia specific, and my name is Andrea Sherbowitz and I represent the university with the constitutional law and the human rights for Internet users making legal research.
The principal difference between the GDPR and the other measures on the human rights protections, for example, applied in Russia. For example, as I know -- it's my opinion, just my opinion, that Russian legislation on the personal data has no purposes for user rights protection.
It has purposes of, I think a kind of political reaction towards the external political things.
As far as nobody could call the law for human rights protection. It is a harsh respective measure. You couldn't even compare the level of human rights protection in the Europe and in the Russia in particular. And so that -- I think if the GDPR would be applied in Russia, it will be a real purpose of human rights protection. It has -- I'm not dealing with particulars. I'm dealing with, for example, infrastructural things on the websites, for example. If the website is not complied with the law of personal data protection in Russia, it could be blocked like LinkedIn.com was blocked in Russia, due to the compliance with this personal data. It's an instrument to close websites. It's not an instrument for protection of rights. It has another principle and other purpose. And so we have to understand this information.
But also a small illustration from some groups of people, you know, airlines have notifications, including we have changes of the personal data policies due to the enactment of GDPR. And people in Russia are thinking, why it's not European. It's Russian company and it should not be complying -- okay, they. Some people, I think, from the Russian Internet, let's stop flying to Europe. So not to comply with the other. It's infringement of the sovereignty. So, you know, what the talks are happening now in Russia and I don't know exactly what to do. When people would like to infringe their own rights for so-called sovereignty, I don't know. It's not a real sovereignty. It's so-called sovereignty, because I believe they are not sovereign states. All states have treaties and negotiations between and -- okay. So that -- that is the exact situation with Russia. It's happening.
And the next step is the enactment of law, where they have to read everything -- they have to store every single message of user for the six months with the possibility of -- with the possibility of transferring it to the security services. So that it's -- it's starting from 1st of July.
Thank you.
>> I'm Martin from the University of Economics in Slovakia, and I'm curious to know, like GDPR is amazing. But during the practice in Slovakia, many small companies have no clue what they should do and they are becoming victims of law firms or some other advisors who are selling them documentation and they don't really know what they need. So they are paying thousands of Euros for basically some papers and after all, they are going to have a note pad and they won't apply anything into practice. I guess some education is needed and required to explain people and explain businesses that it's amazing that they paid for documentation, but that's what you really need. You don't need to comply with all the things if you are invoicing data or some phone numbers. And if you don't deal or sell the information, it's much less than if you work with all the data.
But, like they don't have to pay for all the things and they should know what they should do after all, you know?
>> ADRIANA MINOVIC: A very small comment. I would totally agree with you. Some clients have received different pieces of advice from different law firms which were controversial, nobody really understands what are the rights and the obligations of the parts of controllers and processors and the question of provision of more information and explanation is a topical question, I think.
>> PARTICIPANT: Okay. So a few quick questions. I think everybody who has been on the map, has gone for minimal GDPR compliance and basically a lot of this stuff should have been done during the earlier legislation as well. You should know what you are doing with the data. Since the earlier legislation didn't have teeth. Well, we have so much other stuff to do. Let's not bother with this one because they are kind of unknown, just some reputation or something. But nothing really serious hitting your profits. And I guess if you have done and if you know what, where, why, when, who and how, the traditional question set who is doing what with the data, how are you processing the data, what are the reasons you have the data for, then you are pretty well equipped at the moment, but, of course with the GDPR in force, it doesn't mean that the work ends now. You need to maintain the information, and that's the tricky part.
You will want to develop further or at least in the company I work with. We have the minimal viable thing we can get done now, but we really want to do that better, so that will be a huge, huge thing for us, because we have a lot of internal APIs for example, that we use to process all kinds of information internally and we realize this will be a big huge tangle and we have to untangle the whole thing. And I guess real-world examples and interpretations will start coming and we will see how they really work out.
>> PARTICIPANT: I have some -- Julia from Ukraine, I presented there, a security service company. It's a company, which provides cybersecurity, different services and we have some problems because we are not clear understand how if my company has GDPR or not.
It's understandable that people can go and ask how you are protesting my information -- like the information about me, but which other company can go and to ask to, like -- your compliance or not, and if we -- if it doesn't comply with GDPR, for who we need to pay money. I mean, like, that's my question.
>> ADRIANA MINOVIC: Just briefly elaborate everything. I would refer to your point and what is most important, yes, GDPR is started from a few days ago, but the privacy and the data protection is something that was development much, much earlier, you know, and it was present in the previous legislative acts and so here is the issue, why we didn't pay that much attention to this topic earlier and now we need to reorganize everything because we have strict penalties and other things.
So I don't think -- yes, GDPR brings new things but only in the manner how they are structured, you know, you have more clear maybe guidance and more clear set of rules concretely what to do and you have really strict penalties if you are not complied with GDPR. So that's pretty much maybe the change, you know, because the companies are really paying attention.
But that also brings us back to the question, as you said that how do you know who to certify you, how do you know who to trust and which advisers? But that's pretty much the issue, you know -- well, let's see from the perspective of the company.
For example, when you outsource some legal issue to the law offices, how does the legal team know who to trust or whether your advice is good or not good. But you have the legal department in the company that knows which law offices, you know, acceptable, according to your terms. You can check it because you are a lawyer. You have, you know, legal ratio to see if they are on the fine grounds or not, for me, it's the same as GDPR. There's no quick answer. There are a lot of GDPR consultants unfortunately, lately, and many of them don't have a clue about GDPR and they can freely sell, you know, because internally, you don't have anybody to train that, and you are blindly trusting because you need to be GDPR compliant. But there's the point that now companies will need to boost GDPR practice in house if they want to really focus on the GDPR and for the companies, they are processing the personal data, is the very business model. For me, this is important than any other unit. This is coordinated to your business. You know legal and everything, fine, that's great, but this is your business model. You need to know, you know, how to be compliant.
So pretty much here you see one compliance area to becoming part of the business and the commercial strategy. That's really important. That's why we will need to boost in-house knowledge and I think that would be the best solution for everything, but now, of course, in this initial phase, there will be a lot of, you know, things that are not done really according to GDPR and the known best manner. That needs to go sometime to check that somebody is giving you right or wrong advice.
And this brings me also to the certification point, yes, GDPR defines that you can introduce some certification mechanisms for the companies but to be honest, at least in my region, I haven't heard that -- any of that kind of bodies formally instituted up until now. I don't know what is your practice in your jurisdictions, but I don't think that this will be very soon because first, we will need to see how to implement GDPR, what will be best way to implement it and to get the credited body to certify whether you are GDPR compliant or not.
I think the best approach to this is now that you can hire some other company which is doing GDPR compliant to go through your records and see everything and this is okay or not okay. This is not a form of certification. This is more like implemented for you and lastly.
On the more political questions from your side, while I understand what you want to say, that it's going on in Russia with GDPR, but I think that, you know what, if you want to use some legislative tool for the political purpose, it's not relevant whether it's GDPR or something else. We have seen the situations where the media, freedom and other legislative acts were used for the political purposes.
>> VLADIMIR RADUNOVIC: Time up. Let's get back to our seats.
Okay. Let's take the seats.
Take your seats. Get some water.
Well, I hope the group work was useful. I see some exchanges of business cards. That's a good signal.
Thanks for the energy and I owe the apology to the two groups in the lobby. They were suddenly kicked out of the lobby because they were too noisy. So some of you had to be in the sun and I will apologize for that. We will ask for another round of beer and wine after that. We have 20 minutes or something to run through where the groups are. Unfortunately, we didn't have enough time to switch groups so could you actually visit more than one group. So it was rather focused.
But this should be an opportunity to exchange a little bit of a broader thinking about the topics. I will run through each of the groups. I will first ask the resource person of the group to within a minute summarize the main takeaways and then I will ask you from all the groups or the others if you have anything quickly like a tweet, a takeaway, a lesson learned or a question that might have remained open that we should still discuss.
And when I say a tweet, 240 characters if possible and you can also tweet. I encourage you to tweet while we are talking. So if you have anything you want to tweet, use the EuroDIG hashtag. Claudio.
>> CLAUDIO LUCENA: I would like to thank the group. It was a fruitful education. It's an educational session but it's also an opportunity for exchange, right, and so a couple of problems were raised. I would summarize basically in two, if anyone from the group wants to elaborate for a minute, the most pressing problems that we find were -- it was new reality of social -- of social media platforms brings much more people to the environment of data protection and privacy. So we need much more awareness and capacity building. We were not able to identify concrete, initiate, open wide initiatives of capacity building and awareness in that sense.
In the other one, it started exactly with the question which was posed here by our fellow about the balance between the freedom of expression and data protection and privacy issues. We found that the exception of public interest might be an adequate rule to address the problem, but we do not have yet in place the adequate mechanisms and tools to tackle that if anyone wants to add from that, please.
>> VLADIMIR RADUNOVIC: Anyone from the group wants to add anything? A take away, a question, something that remained unresolved? Seriously?
Good. Such an efficient group.
Okay. Anyone else who wants to comment on social media and GDPR? Out of the group? Anyone who has any additional question that you might like to raise? No? Okay. We had one question from remote but I'm not sure what was the focus of it? Should we read it now or -- let's read it now. That's fine.
>> PARTICIPANT: Establishment of online resources have practical applications, and legal development, legal enterprise, participation, et cetera, is the outcome of this meeting will be superb.
>> VLADIMIR RADUNOVIC: The comments are good. Claudio is the rapporteur, for the session which is an interesting session.
Adriana, just to update us on the data controls and processes. The key messages.
>> ADRIANA MINOVIC: As far as from this topic we have discussion, much more question than being able to answer in such short notice, but in the essence, everything was going on from the point of local authorities, how they will be able to -- the oversight the implementation of GDPR because we have less manpower in the local authorities than being able to control all the companies and to really check what is going on on the field and definitely, we saw that one of the mechanisms that will be at least will be applicable for the time being in the practice is to react upon the notifications.
And to see when you get certain complaints and what direction to go and what direction and everything. That will be definitely -- it's our opinion the first thing how to handle the oversight of GDPR.
Also, there were questions about the problem between the protection of GDPR and the national legislation because as you all probably know, in many legislations, there are different, you know, interpretations in the national laws, also many misunderstandings and this is definitely something that will need to be just, you know, clear to the practice, years and years of practice and the best practice is implementing from one country to another country.
The other arguments were also that there's a lack of knowledge about the GDPR and who are you to hire, to advise you with respect GDPR compliant when you are at the company, but that's also the issue of building know-how, where you can be able to, you know, see how to cope with the GDPR issues because in the essence, data protection and privacy will be one of the core activities in every business model that is based on processing the personal data.
So that will be any my personal opinion, mandatory function in every company that's dealing with personal data. There is also the very good argument about the -- you know, how to prepare for GDPR because it comes so sudden, but as my colleagues mentioned, the privacy and the data protection is not something that is -- that came with GDPR and came in long, long before and the fact that many companies were not prepared for it because -- it is because the -- you know, the corporations were not paying that much attention to the privacy and the data protection and that's why we had a lot of issues lately in the data breaches which is to come and draft the legislation that will really deal with the data protection and the privacy with strict rules and penalties and obligations and put the issue on the higher level and that's pretty much to sum up everything.
>> VLADIMIR RADUNOVIC: It seems like it wasn't that general. Any tweets from your side. Questions, comments, takeaways. Nothing?
Do you want a tweet?
>> PARTICIPANT: Treat.
>> VLADIMIR RADUNOVIC: Please do tweet at the same time.
Moving on, Nana, the role of the Data Protection Authorities.
>> NANA RAPAVA: Thank you. Well, I think Adriana pretty much answered the question, which was not answered in my group, why are we not ready for the GDPR. The snowfall companies wouldn't want to comply. The participants of my group sadly, the companies had time to get ready for it. They could have hired someone, and still the question remains unanswered why we are not ready and the second question is why are we not important? Reason the Data Protection Authorities ready? That was the second big question.
And if someone would like to elaborate, not exactly from my group, for example. So anyone, I would be glad to hear the answer.
>> VLADIMIR RADUNOVIC: Thanks, anyone challenged to respond to this. That's probably something we will save for the next discussion.
Any other comments on the role of the Data Protection Authorities. Yes, please go ahead.
>> PARTICIPANT: I was in the same group. I think one of the outcomes, but what came to my mind afterwards is did the EU do a really good job, explain what the GDPR really means. It's not only about the Data Protection Authorities within the EU, which are probably not ready, but also about the Data Protection Authorities outside the EU who face any tougher challenge?
>> VLADIMIR RADUNOVIC: Good. There was a comment over there. Where the roaming mic?
>> PARTICIPANT: So my institute has collaborated with the Turkish DPA and so the data protection laws in Turkey, relatively are new. We passed a law, like would years ago. And I would say that they are struggling a lot because they don't have the resources and they don't have enough, like, people now.
Even they do so, the people, they have is not -- well -- but they are not qualified enough, if you may say so. Yes, outside of the EU, this is a country who tries to you know, keep up with the data privacy laws, but we have a long way to go.
>> PARTICIPANT: We discuss this also in our group, with certificates and code of conducts and what was suggested is that, yes, it would be possible for the document authorities to check if any start-up is actually complying with the code of conduct but the suggestion that was given by a person working at DPA is to work on empowering the data subjects to be the ones that go to the DPA and may show that the SME is not respecting the rights and empowering DPAs to check on everybody.
>> VLADIMIR RADUNOVIC: It's interesting there are cross cutting ideas. Any other comment, tweet? Don't forget to tweet this.
Good.
Then we move on, on ICANN, right, and who is or -- well, ICANN. Who is GDPR?
>> ELENA PLEXIDA: Yes, that was a popular group. We had to move up and down I would say it was not an educational session, because in the group, other people actually know what is going on and very, very knowledgeable about the domain names. So we took a different approach and we discussed if we were as knowledgeable about the issue to discuss the problem with the DPA, what would be the core points we would like to point out and to frame the discussion.
Such core points would be that there is no single database. It's a decentralized database, which makes a difference in the distinction and that the enforcement of contracts -- the contracted parties has a limb and it's the local law which always supersedes the contracted parties have with ICANN. And another important thing is the users of who it is today. It is a big discussion whether this is actually part of the mission of the Internet pore whether it's just used over time. Therefore you shouldn't be caring about them when you are saying -- which is the purpose for processing.
So that's something to clarify to a third person, how do these users link in the end in the core mission and also we would expand the peculiarity of the community and how it develops between the policies and what could be an enforcement issue and what could not be.
And then thinking of what we would like to see the main messages from our discussion, we would say that -- because there were provocative questions in the group, hmm?
So we came up with the message that we should care about the WHOIS. It's linked to the Internet community as such, but in a balanced way between the privacy and the need for security of the network and that -- on the way ahead, because there is a long process of who it becomes compliant. We need a clear path forward with respect to next steps and there should be ICANN to define the process. I think this is pretty much it. Thank you to everyone.
>> VLADIMIR RADUNOVIC: And you were smart to move into another room. That was a good idea. When I jumped in, there was a good discussion. I wonder if anyone wants to add anything or open another question that we should continue discussing in future, anyone from the group that wants to add?
No? That was pretty much a good summary. Any other comments or tweets from the WHOIS aspects? Nope?
Then we move on Tapani. I wonder whether you managed to add a little bit of biometric issues into the group, or probably you didn't have time, hmm?
>> TAPANI TARVAINEN: No, we found out it was lots to discuss in this little word. And it was a rambling discussion, fortunately, our volunteer made notes and she will summarize the details.
>> So in our group, we tried to discuss consent and then we find out that we still have more questions than answers in this group. We tried to see the definition of consent and what is the difference between consent and explicit consent which is offered in sensitive data article, regarding sensitive data. We also tried to think about the ways how the data controller can demonstrate they had valid consent in online role and if there are some technical measures, they need to use for the demonstration of some logs or something like that.
We also thought about what does it mean to provide a clear information for data subject, because is it enough to say that we will use your data for advertising or does it mean that we need to clarify what the process will be behind this purpose? What does it mean? Does it mean profiling or not, and et cetera, et cetera. We also tried to address the issue regarding sensitive data and the user fees and how can it be used if it manifestly made public from the data subject. And then the big issue then was identification of data subjects regarding minors and regarding just in general data subjects, and we had these questions and I think for best practices and for some other expert opinions. Thank you.
>> VLADIMIR RADUNOVIC: Would one of the discussion, you need to discuss this strange word of consent?
>> TAPANI TARVAINEN: Yes. We could have entire workshop on this very subject.
>> VLADIMIR RADUNOVIC: So the next sexy word is consent. Good to know.
>> PARTICIPANT: Elissa. I agree with the part of the consent. Before you give the consent, you should know what he or she is giving consent to. So the problem of consent is that we have to make something like a broader information to our citizen that what we are consenting to or at least know, for what the data will be used. Can we know they are being protected for what we consented? That is my problem, right now as an authority.
Sorry for the intrusion.
>> VLADIMIR RADUNOVIC: No question. The question of how to implement it.
We discussed precisely that and what details have to be given and that's a difficult question.
>> VLADIMIR RADUNOVIC: Okay that can remain as one of the messages to discuss further. Sounds good. Anyone want to add anything? Yes.
>> PARTICIPANT: Not to contradict what the rapporteur said from the group but to integrate. I think there was an important discussion about the child specific issues and the reason -- the specific problem about age verification and there is a need for research on the age verification tools that at the moment are not really developed and nobody is investing money, probably there is need for public money to be invested in that area because at the moment, the private sector for understandable reason doesn't want to go very much deep in this. Thank you.
>> VLADIMIR RADUNOVIC: Thanks. Any other comments?
>> PARTICIPANT: Yes, thank you. Briefly, I think it was a great development that we had the consent and the human rights aspects combined in our group, because I think the consent issue is where users rights prominently come in. It's where us users really implement their right to be informed and one way to tackle the issue, how to -- how to deal with this, that before users give their consent, they must really read the conditions and everything. It's empowering users which has to do with literacy, and that's where states have to invest a lot.
>> VLADIMIR RADUNOVIC: Thanks good message also. Somebody tweet also.
>> PARTICIPANT: We also talked about a situation where you are trying to sign up for an online service and you can give your consent or deny service. So is that really consent or is it forced consent? So it leads to an extensive debate.
>> VLADIMIR RADUNOVIC: Good. Thanks.
Note taken. Okay. Martina.
>> MARTINA FERRACANE: So in our discussion, the first part of the discussion of the GDPR, Chapter 5 and then we spoke about Council of Europe, the modernization of the convention 108 and the first part and the second part of the discussion and we also agreed that there are more questions open now than there were before we started discussing.
First of all, about the decisions, I think everybody agrees that they are very political and that's not necessarily a good thing that these decisions are politicized in the EU. We also spoke about how are we going to do with the decisions that were implemented before GDPR until they are reviewed again by the commission. Are they still a basis for transferring data abroad or not, and what about privacy shield. We all know that, like, it might not really still provide adequate protection for the consumers. What about it? It's still an open question.
We'll talk about the fact that we speak about protecting data, when outside the EU but what about the protection that the data gets from outside EU to the EU are Member States protecting the data appropriately, and not doing what the US is doing.
And the new certificates for transferring data abroad, we -- the discussion is still open there. How do we want this to be shaped in the way that they don't become like a fixed certificate, like ISO and companies do not keep up to date with privacy and now to make sure that the privacy is protected. And also, there is the point about the DPAs, like if we have certificates on code of conduct, how can we make sure that DPAs make sure that the companies are still complying with the code of conduct over time and not just when they get the certificate and just not doing it in the long term.
And about the Council of Europe.
>> PARTICIPANT: Yes thank you very much. Certainly there are open questions from the Council of Europe point of view. I think I mentioned 108 can bring an appropriate level of data protection, which can translate to an EU language as an adequate level of data protection for third countries which is very important and that is what we are promoting in our organization together with other instruments as well. From EU perspective, the convention can be looked at as an external lag of the privacy key, if I can say so, which will comprise GDPR directive and the case law together, because it's much more than the EU, than the mere GDPR. And we looked briefly into our case example.
For instance, in Tunisia, if we are doing business in Tunisia. We are dealing with European Union, there's certainly a question of enforceability or extraterritorial reality which is, again, an open question and we didn't discuss that, but that is it, more or less. However, with the convention one way, we could have in Tunisia, the whole privacy framework installed together with independent supervisory authority, data subject rights and direct enforceability for data processing for the purposes of national security, for instance, which GDPR or the directive, he will not end up here. So we end up here with a lot of questions and ways forward.
>> VLADIMIR RADUNOVIC: Any questions on this topic or any tweets?
Sure.
>> PARTICIPANT: Well, in our group, it was also briefly mentioned what impact the convention 108 might have on national legislation of non-EU countries, and it was said that the fact that the modernized convention 108 is a binding instrument on countries in Europe, that are outside the EU, this may trigger a wave of national legislation on data protection in exactly the non-EU states which will then bring a more or less common level of data protection throughout Europe.
>> VLADIMIR RADUNOVIC: Which gets us back to the initial question, can it become a global standard to some extent, right?
Any other comments? Running through the questions at the beginning which we had, I think most of them, you can correct me if I'm wrong, those of you that asked the questions were to some extent touched upon if not responded. Probably not responded. The only one that remains is why aren't we ready for the GDPR but we won't mention that one.
At the end to close exercise we have a couple of messages I think from Claudio, are you there? You have a mic. So, yeah, he will read the messages and if anyone has anything against the message, let us know, otherwise, I think we can consider it that we agree. Claudio?
>> CLAUDIO LUCENA: Thank you very much. Do we have seven groups or eight? I tried to get a grasp of each one in the following messages and I ended up prioritizing my group because of the obvious fact I followed the discussion. Social media platforms bring much more people into privacy and data protection are relevant but the necessary public capacity building and awareness initiatives are not yet in place or widely known.
The balance between freedom of expression and the protection of personal data seems to be adequately addressed through public interest but mechanisms and tools to achieve this balance are unclear. Resources for local data protections are scarce. Pair.
GDPR rules clear but the implementation is a problem for all countries not just a few. There also needs to be awareness of new technologies and business models and how GDPR can be applicable in practice.
The actual empowerment of the user vis-a-vis the new approach, the notion of consent is still highly uncertain and one of the main concerns concerning the implementation -- there is so much concern. We will work on that. It's hard to determine whether this is a basis for transferring data abroad until they are revised again by the commission.
>> VLADIMIR RADUNOVIC: Thanks Claudio. Any major objections to any of those? It seems quite reasonable.
>> PARTICIPANT: Of course no objection but maybe a question. Wouldn't we want to make -- it was discussed. I mean, if you don't -- you don't have very much strong feelings against it, it can eliminate some of the mystery coming to GDPR from third countries and we are currently.
>> VLADIMIR RADUNOVIC: Claudio, you can add that. Do you want to repeat? You can do it afterwards. Okay. Good.
Nigel, you wanted something to add or -- do you want to add?
>> PARTICIPANT: Basically what I said before, indeed there's no bullet on that. Would we want to include a bullet on key messages.
>> CLAUDIO LUCENA: It's the only one I didn't have --
>> PARTICIPANT: I can help you on that.
>> VLADIMIR RADUNOVIC: We are close to the end. Lunch is outside. At the end, I just have to mention a couple of names that contributed to this session, basically in planning and that we owe the thanks for the session. Valentina Pavel who couldn't make it to be with us. And Ani Nozadze, and Katie Kochladze, and Adrianna Minovic, and Andrea Rusu, and thank you all for coming here and having a great discussion. Thank you for joining us. We will see you around for lunch.
Thanks.
(end of session)
This text is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text is not to be distributed or used in any way that may violate copyright law.