Spring Conference 2016 - Speech - Giuseppe Busia, Secretary General Italian DPA
Spring Conference of European Data Protection Authorities
(Budapest, 26-27 May 2016)
Italian Data Protection Authority – Garante per la protezione dei dati personali
Ladies and Gentlemen,
It is both a great pleasure and a privilege for me to be here today and take the floor on behalf of the Article 29 Working Party, its Chairwoman, Isabelle Falque-Pierrotin, and its Vicechairs, Antonello Soro and Ventsislav Karadjov.
First of all, I want to express my great thanks and congratulations to Attila Peterfalvi and to all the Colleagues of the Hungarian National Authority for Data Protection and Freedom of Information for the splendid organization of this Conference.
Today, the Data Protection Authorities from Member States of the EU and of the Council of Europe are going -as usual in the Spring time- to discuss crucial matters of common interest and to exchange information and experiences on different topics.
As we well know, among the different topics we are used to dealing with, this year there is THE topic: the EU Data Protection Regulation (GDPR), finally published at the beginning of this month, together with a new directive on the processing of personal data for law enforcement purposes.
But this is not enough: there is also the upcoming revised Convention 108/81, which has also to be revised because, like the 1995 Directive on data protection, it was considered in need of 'modernisation'.
We can say that these three legal instruments will make up the real Data Protection Package, which is expected to ensure a 'future-proof' legal framework capable of keeping in touch with new technology and a globalised world.
This is why the WP29 decided to devote a large part of its work to this issue and for this reason adopted an Action Plan for 2016 focused on the new legal framework, in order to facilitate -for the benefit of all the stakeholders- the implementation of this new Package.
We are beginning to experiment on the new European Data Protection Board, where the DPAs will operate; within this framework, the WP started working via a 'shared building area', in which each DPA is doing its part and its best to be ready for day one, i.e. when the Regulation comes fully into force.
We are fully engaged to achieve both efficiency and operability.
A 'Forward-Looking' Regulation, a Good Regulation
Which are the main challenges -or some of them- we will have to face in this context?
Let me then focus on the new EU data protection Regulation.
As we well know, a Regulation has two main characteristics: direct applicability and, partly for this reason, capability to create a truly unified rule in Europe.
Having regard to the former element, the new rules would be ready to be applicable - theoretically.
As we know, in fact, there are many provisions of the Regulation that require Member States and DPAs to make clarifications, adaptations, and additions before being implemented, and this is what DPAs are already doing and what they are required to do in the coming months.
Can this element –the need for implementing steps- be considered as a limit of the new Regulation?
Probably this is not the case.
The need to specify, somehow to complete and fully implement the GDPR is a value as well as the only way to allow a rule on data protection to keep itself updated according to the continuous development of technology and reality.
This, of course, is both an opportunity and a challenge, especially for the DPAs.
Global Regulation through the European and Transatlantic Regulation
As I said, the second main feature of the Regulation is its capability to create a truly unified rule across Europe. And of course, we know and recognize the great importance of this improvement compared to a Directive, the 95/46/EC.
Thus, the new Regulation will enable us to have a truly unified data protection law in Europe.
Is a European law sufficient, or do we need more?
In many cases –let us think about the right to be forgotten on the web- we know that, to be effective, to really protect the fundamental rights of our citizens, we would need global rules or, at least, global principles.
In this regard, the good news is that sometimes, despite the regional applicability of the European rules, those rules can play a role also by influencing juridical regimes of other countries - both because of the new regime of applicability to all the entities that use data coming from Europe and, more importantly, because of the natural attitude of some rules to expand their effects outside their boundaries, especially when they regulate the processing of data on the web.
For that reason, we have a big responsibility, which in some ways goes beyond what may appear on the surface of things.
This is also why we were very careful and firm in examining the new Privacy Shield regarding the transfer of data to the US.
As we know that our rules will become a global standard in many cases, we (but we are convinced that the US have the same interest) have to build them up in a way that they can be strong enough to protect individuals also in other countries that have less democratic traditions than the EU, the Council of Europe and the US.
Somehow one might say we will have to act locally, to regulate globally.
A New Landscape: Machine Learning and Data-Drinking World
The legal instruments I recalled will have to be applied in a landscape that is also new.
Big Data and Artificial intelligence are changing our relationship to our personal data. It used to be a question of the data we gave to controllers. But now, companies have data about us we never had, as data subjects, and which probably we do not know anything about.
Of course, the Regulation is based on the traditional basic principles. But we know we have to apply them to a new reality.
Let me give only two examples of the elements of this new landscape.
The principle of minimization -opportunely reaffirmed in the new legal framework- has to be adapted to the seemingly opposite logic of the new technologies that need a growing amount of personal data also to develop and offer advanced social services to people. And this is so not only for marketing purposes: for instance, to improve cancer treatment it is necessary to collect more data from different patients and from different sources on patients' experience. The more data is collected, the more one can hope to find the right treatment for the person concerned and for other people.
Thus, in a growing number of cases, these technologies need personal data to work better: we can say that they 'drink data', and personal data is becoming day by day the new gasoline to provide services and products to individuals.
I will quote a second example: we know that there are many risks when a decision taken on the basis of the automated processing of data affects an individual.
But nowadays, Artificial Intelligence, using machine learning, is able to offer sophisticated services - including highly helpful ones as I recalled with regard to the health sector - based on in-depth profiling, and an increasing number of decisions -previously made by humans- are now made, in practice, by algorithms or anyhow with a growing contribution from algorithms. This applies to the decision to admit a student to a university, to engage somebody for a job, to lend money, to find a better health treatment, and so on.
In any case, we cannot accept the argument that data protection principles are not fit for the purpose in the context of a 'data-drinking' and algorithm-driven economy. Those principles should not be seen as a barrier to progress, but as the framework to promote privacy rights and a stimulus to develop innovative approaches to informing and engaging the public. And, they should also be regarded as an element to be valued by European companies, as a competitive asset in offering better services to their customers and users.
All these elements -if I may say that- show that there is a growing responsibility placed now on the shoulders of DPAs and of all the stakeholders, who will be also directly involved mainly through the accountability principle.
Unprecedented Problems, Unprecedented Tools
The landscape described above is also dynamic, it changes every day and generates unprecedented problems, which require unprecedented tools.
In this new world, the real engine of the whole system is no longer the individual personal data, but the profile, the particular combination of data that is used to offer personalized services and products.
However, we know that, according to the GDPR and the Directive, profiling is subject to the rules governing the processing of personal data. Therefore we must balance two opposite sides of the same coin: the protection and development of human well-being.
For this reason, maybe our efforts should focus on enlarging our perspective, looking beyond, and shifting –more than in the past- our attention from the individual data to the profile.
The new legal framework can help us in this task, offering some significant options: let me highlight three of these tools:
1) The GDPR can enable us to provide more transparency to the data subject: indeed it sets a higher standard of transparency than Directive 95/46/EC, by adding a number of new fields of information that must be provided in all information notices, including (Article 12) the rights available to data subjects and modalities for facilitating the exercise of said rights, and information on data transfers. And, which is important, there is also the obligation to clarify the 'logic' of the processing. And this requires us to make additional efforts to ensure that the person concerned is really aware of the logic used to build up the profile and maybe of the functioning of the algorithms used.
In this regard, let me also recall that the modernised Convention 108 also provides for the right to 'obtain knowledge of the reasoning underlying data processing' in particular if the results of this processing impact the individual.
2) The GDPR also reinforced the right to access and rectification: one way to counterbalance the 'tyranny' of algorithms may consist in giving individuals the right to 'rectify' the sources of the information that is fed into the 'big data' analytics.
Maybe this is nothing new, but the Regulation, for instance, clarifies that rectification may take place by adding a 'notice' or 'statement' to the original information – in the context of search engine results or profiling, this might be very important. The source is left unchanged, but a caveat is added to its use.
3) The creation of the new, powerful right to data portability aims to increase user's choice of online services. The GDPR gives data subjects the right to receive the personal data concerning them and have such data transferred to a different controller.
For this reason, one issue to take on board is that this right might encompass not only the data, but also the profiles, the true essence of today's identity.
Thus, also regarding these tools, we should develop a broader approach, taking account of the bigger picture, knowing that today more than in the past the data protection principles have to be tested also against ethical, political, and social issues.
Modernizing the Spring Conference
Before concluding, let me pose a final question about our activities in these days: Is it possible to think of some kind of modernization of the Spring Conference in this modernized framework of legal instruments and technology?
Maybe yes: we have also to reconsider our approach to these forums, we have to be creative and to think 'out of the box'.
Indeed, the way in which the Spring Conference is different from other data protection forums should be valued, beginning from its varied and broader participation. Here, we can profit from the possibility to develop a reasoning in depth, also because we have more time at our disposal, and from a more relaxed atmosphere, without the constraints one sometimes encounters when discussing issues in other forums. And we all can understand the importance of such elements especially in these times of transition and transformation.
I am sure this is the spirit in which this Conference was organized, and today we are going to make the first step towards a possible modernization also of the Spring Conference's role within the framework described above.
Many thanks again to our Hungarian Colleagues, and many thanks to all of you for listening.