
7th EDPD 2017
EUROPEAN DATA PROTECTION DAYS
15 + 16 MAY 2017 | BERLIN, GERMANY | CONFERENCE REPORT

The leading European data privacy platform in Germany

www.edpd-conference.com
TABLE OF CONTENTS

1ST DAY | 15 MAY 2017

Opening remarks from EUROFORUM and the conference chair
  Bojana Bellamy, p. 4
Hitting the ground running: How regulators and businesses can really put data protection accountability into practice
  Giovanni Buttarelli, p. 5
Observations on the GDPR 2018 from Hong Kong’s perspective
  Prof. Stephen Kai-yi Wong, p. 6
Atlantic crossings: US/EU data flows
  Hugh Stevenson, p. 7
DISCUSSION The latest developments in international data protection – one year before the GDPR will apply
  Giovanni Buttarelli, Isabelle Falque-Pierrotin, Hugh Stevenson, Prof. Stephen Kai-yi Wong, p. 8
KEYNOTE
  Isabelle Falque-Pierrotin, p. 9
Transitioning towards the GDPR – Challenges and opportunities
  Helen Dixon, p. 10
Privacy Shield
  Caitlin Fennessy, p. 11
DISCUSSION International Data Transfers: Will Privacy Shield enable global data flows and create legal certainty?
  Caitlin Fennessy, Peter Fleischer, Bruno Gencarelli, Dr Claus-Dieter Ulmer, Alan Winters, p. 12
DPA Developments in the Philippines
  Raymund Enriquez Liboro, p. 13
PARALLEL SESSIONS The scope of EU data protection legislation vs. the scope of the EU fundamental right to data protection – which cases may be dealt with by the Court of Justice?
  Dr Christoph Sobotta, p. 14
One Year to GDPR: How is Google preparing?
  Peter Fleischer, p. 15
Challenges in implementing the GDPR in an international company
  Dr Axel Kessler LL.M., p. 16
Implementation of GDPR in an Airline: Ideas and first experiences in practice
  Dr Barbara Kirchberg-Lennartz, p. 17
Implementation of GDPR in a large multinational organization
  Mikko Niva, p. 18
DISCUSSION Are businesses “GDPR-ready”?
  Dr Axel Kessler LL.M., Dr Barbara Kirchberg-Lennartz, Dana Louise Simberkoff, JoAnn Stonier, p. 19
PARALLEL SESSIONS Implementation of the GDPR at eBay – Experiences and learnings
  Dr Anna Zeiter LL.M. (Stanford), p. 20
The new ePrivacy regulation
  Ruth Boardman, p. 21
PARALLEL SESSIONS The Universality of consent in global data protection
  Patricia Kosseim, p. 22
PARALLEL SESSIONS Implementation of the data protection reform and international transfers: the view from the European Commission
  Bruno Gencarelli, p. 23
PARALLEL SESSIONS Grappling with the internet of things, disruptive technology and cloud of things in the context of a smart nation initiative
  Steve Tan, p. 24
PARALLEL SESSIONS Data protection in Tunisia as a tool for development
  Héla Ben Miled, p. 25

2ND DAY | 16 MAY 2017

Digital Disinformation – Fake news and hacking in election campaigns
  Dr Ben Scott, p. 26
Designing for the GDPR: making it work for data subjects
  Stephen Deadman, p. 27
Worldwide standards in data privacy – digital sovereignty as foundation for a common understanding?
  Dr Claus-Dieter Ulmer, p. 28
EU Fundamental rights in the cloud
  Marie-Charlotte Roques-Bonnet, p. 29
DPIAs and data mapping: operationalising GDPR and privacy by design
  Kabir Barday, p. 30
Big Data and the GDPR: innovative or conservative?
  Yann Padova, p. 31
Big Data – the silver bullet or a threat to a free society?
  Amancio Kolompar, p. 32
DISCUSSION How to strike a balance between Big Data and data protection?
  Amancio Kolompar, Yann Padova, Jules Polonetsky, p. 33
Biometrics as personal data: detection, characterization and recognition
  Jonathan Avila, p. 34
Consent and transparency under the GDPR – will it help to build consumer trust?
  Roslyn Vadala, p. 35
A global perspective on multi-jurisdictional investigations
  Cédric Burton, p. 36
PARALLEL SESSIONS Pseudonymization as a best practice for data protection
  Nicola Orlandi, p. 37
PARALLEL SESSIONS Employees’ sensitive data collection in Eastern Europe
  Dr Marlena Wach, p. 38
PARALLEL SESSIONS The role of the DPO in the GDPR
  Nathalie Laneret, p. 39
PARALLEL SESSIONS Coordinated data protection enforcement – The new rules of the game
  Dr Friedrich Popp, p. 40
PARALLEL SESSIONS Turning the upcoming GDPR into a business enabler – the startup perspective
  Caroline Olstedt Carlström, p. 41
PARALLEL SESSIONS Getting ready for GDPR: a look at new tech to automate privacy
  Nimrod Vax, Dimitri Sirota, p. 42
PARALLEL SESSIONS Broadcast meets broadband: Privacy compliance in the media sector
  Dr Stefan Hanloser, p. 43
PARALLEL SESSIONS Negotiate cloud contracts under the GDPR
  Paul Van den Bulck, p. 44
PARALLEL SESSIONS The theories of harm in privacy, data protection and antitrust law
  Dr Sára Hoffman, p. 45
PARALLEL SESSIONS Meeting the challenge of a global GDPR and BCR program
  Myriam Gufflet, John Bowman, p. 46
Conference trailer and Save The Date, p. 47
EDPD 2017 1st Day (15 May 2017)

Opening remarks from EUROFORUM and the conference chair

Bojana Bellamy,
President, Centre for Information Policy Leadership, Hunton & Williams,
UK

In her opening remarks, Ms. Bellamy first reflected on what has happened during the last year, the predominant topic being the overall effort to get ready for the entry into force of the General Data Protection Regulation (GDPR). It is a challenge not only for enterprises but also for the lawmakers, who work towards implementing national legislation, as well as for authorities, which go through an equally transformative process. In this context, Ms. Bellamy welcomed the EDPD 2017 as an opportunity not only to exchange views with European colleagues but also to speak with leaders from so-called “third countries” (in the terminology of European data protection law) such as Canada, China, and the Philippines, who are also shaping the landscape in the data protection world.

Ms. Bellamy then outlined some general thoughts in connection with data protection. First, the importance of finding the right balance between data enablement and data protection. Second, the right way of thinking about personal data. Data is often called the new oil, but Ms. Bellamy rather thinks of it like the environment, i.e., something that needs to be used sustainably, responsibly and with accountability. Third, the increasing importance of data in international trade. According to a 2016 McKinsey survey, global flows in services have diminished while data transfers have increased.

Ms. Bellamy closed her opening remarks on an optimistic note. When thinking about the GDPR, we often think about costs, risks and fines. We should, however, see it as a chance to introduce the data-driven economy in our enterprises, enabling new business models.


Hitting the ground running: How regulators and businesses can really put
data protection accountability into practice
Giovanni Buttarelli,
European Data Protection Supervisor

Mr. Buttarelli, the European Data Protection Supervisor (EDPS), delivered a keynote speech on accountability. Accountability constitutes a key principle of the General Data Protection Regulation (GDPR). Mr. Buttarelli opened by stating that one of the key sentences in the Article 29 Working Party Opinion 3/2010 was that EU data protection principles are often insufficiently reflected in concrete measures, and that there is a strong need to move from theory to practice. Now, however, the GDPR includes a direct reference to the “accountability principle” in Article 5.2 and Article 24.

Mr. Buttarelli then gave his thoughts on how to properly implement accountability in an organization. First, accountability goes beyond mere compliance with the rules and implies a cultural change from inside organizations. In particular, accountability relies greatly on the level of commitment from the organization’s management, as evidenced by internal processes and responsibilities. Second, the Data Protection Officers (DPOs) will play a key role with regard to accountability because they facilitate compliance, e.g., through the implementation of accountability tools (such as data protection impact assessments and audits), and because they act as intermediaries between relevant stakeholders (e.g. supervisory authorities, data subjects, and business units within an organization). Therefore, DPOs must be granted enough resources and support from their organization in order to be able to perform their duties. Third, accountability is a very practical principle and the question is really how things are actually done within an organization. Up-to-date documentation, registers for data transfers and records of where any exceptions have been used are very important in this regard.

Mr. Buttarelli then outlined some challenges organizations may face when implementing accountability. First, considerable leeway is given to organizations with regard to how to implement internal measures to ensure compliance with data protection rules, which may also lead to uncertainty on the part of organizations (but Mr. Buttarelli also stressed that there is a lot of guidance on how to implement accountability). Second, implementing meaningful measures will require significant resources in time, money and people in order to ensure compliance. Third, companies may also run into potential scalability issues (how to implement accountability measures depending on the size of their business or the risk associated with the data processing?).

Mr. Buttarelli then also addressed the role and challenges of the data protection authorities when it comes to accountability. Privacy and data protection commissioners around the world should definitely take a sound, pragmatic approach. “Pragmatic” means, for example, as regards documentation obligations, that it is not in the spirit of the GDPR to ask controllers and processors to document each and every detail of their processing; rather, the controller should focus on what is essential. Also, it may prove difficult for data protection authorities to understand how the respective company works from the inside in order to be able to appreciate whether the individual accountability measures put in place are meaningful.


Observations on the GDPR 2018 from Hong Kong’s perspective

Prof. Stephen Kai-yi Wong,
Privacy Commissioner for Personal Data,
Hong Kong

Professor Stephen Wong, the Privacy Commissioner for Personal Data, Hong Kong, talked about the impact of the imminent implementation of the European General Data Protection Regulation (GDPR). First, Prof. Wong gave a bit of background regarding the data protection law in Hong Kong, the Personal Data (Privacy) Ordinance (PDPO). The PDPO was enacted in 1995 as the first comprehensive data protection law in Asia. It is to some extent based on the 1980 OECD Privacy Guidelines and the 1995 EU Data Protection Directive.

Prof. Wong then presented some interesting figures. According to a recent survey, which was designed to assess the GDPR’s impact on businesses (in particular on multi-national organizations), 86% of businesses worldwide worry that failure in GDPR compliance has a significant negative impact on businesses. More than 50% of APAC businesses are among the least prepared for GDPR. 32% of businesses worldwide worry that their existing systems cannot manage data effectively.

Prof. Wong then went on to outline some of the diverging aspects between the Hong Kong PDPO and the GDPR. The Privacy Commissioner for Personal Data in Hong Kong has identified approximately 13 main diverging aspects; however, due to time constraints Prof. Wong focused on only three of those: consent, the right to be forgotten and the right to object to processing. With regard to consent, Prof. Wong explained that under the PDPO, no consent is required for the initial data collection; the focus is on providing notice. Consent may, however, be required if collected data is later used for new purposes. Also, no parental consent is required under the PDPO for processing a child’s personal data. Prof. Wong made some observations with regard to the consent issue, namely that an overreliance on consent may impede business activities and may lead to “consent fatigue”. Also, it may be challenging for businesses to obtain consent efficiently and validly. The second diverging aspect was the right to be forgotten. This concept is not spelled out in the PDPO and is more a question about the misuse of personal data. Third, the PDPO does not provide a general right to object to processing. A data subject may, however, withdraw its consent for new data processing purposes and may opt out of direct marketing.


Atlantic crossings: US/EU data flows

Hugh Stevenson,
Deputy Director, Federal Trade Commission,
USA

Hugh Stevenson, Deputy Director of the US Federal Trade Commission, gave a presentation about the challenges of US/EU data flows, and how those challenges should be addressed in the view of the FTC. For the FTC, privacy is part of its consumer protection mission.

Mr. Stevenson started off by emphasizing the benefits and importance of free data flows as they unlock the benefits of the digital economy. Given that there are different data protection regimes around the world, interoperability of these regimes is of utmost importance. One of the examples in this regard is the new US/EU Privacy Shield. The FTC’s main role in this context is to ensure that US companies keep the promises they made under the framework, i.e., the enforcement aspect of the framework. Mr. Stevenson summarized some of the recent improvements that have been made to the work of the FTC within the framework, such as the prioritization of requests from European data protection authorities and arbitration providers as well as the creation of a more standardized referral process for requests from European data protection authorities.

Mr. Stevenson then went on to outline a few of the current challenges the FTC is facing with regard to its activities. First, due to the global nature of today’s digital economy, there is the challenge of collecting all required information in order to effectively cooperate with data protection authorities. In this area, there have been some improvements, as the communication of different privacy enforcement officials across the country has been bundled by use of an online alert system. Second, the sharing of information needs to be optimized in order to enable investigations to move forward more quickly. Third, it becomes increasingly challenging to keep up with technological developments and understand the emerging technologies (e.g., the use of artificial intelligence in connection with investment advice); in this area, too, there should be more cooperation between the different privacy and data protection bodies.

In a short Q&A session at the end, Mr. Stevenson stressed among other things that all current FTC commissioners are supportive of the Privacy Shield.


DISCUSSION The latest developments in international data protection – one year before the GDPR will apply

Giovanni Buttarelli, European Data Protection Supervisor
Isabelle Falque-Pierrotin, Chairwoman of CNIL, Chairwoman of Article 29 Working Party, France
Hugh Stevenson, Deputy Director, Federal Trade Commission, USA
Prof. Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong

After the first round of presentations for the day, an interesting panel discussion developed between Ms. Bellamy, Mr. Buttarelli, Ms. Falque-Pierrotin, Mr. Stevenson and Prof. Wong with regard to the topic of whether there is more convergence or more divergence in data protection regimes on an international level.

Ms. Falque-Pierrotin put forth that in her view, there is more convergence, as privacy protection (as well as cyber security) is becoming a high priority around the world and also, there is an increasing amount of cooperation between regulators on an international level. It is “everyday life” to exchange views. Mr. Stevenson expressed his view that there is a core notion amongst most nations that there are certain privacy rights, although they are expressed in different ways (e.g., regarding the approaches for balancing interests).

Despite this tendency towards convergence, the panel did, however, also note that there are great differences in substance and methods. The right to be forgotten, e.g., is probably one of the more disputed concepts internationally. In this regard, an interesting point was raised by Prof. Wong. According to him, there is not only a difference in the legal frameworks but also a diverging cultural framework. In Asia, data privacy rights are more community rights than individual rights. Also, the notion of privacy being a fundamental human right is not as prevalent in Asia as it is in other parts of the world.

In the end, there was a common understanding that there is no need for streamlined international rules in order to make international data protection work; rather, there needs to be interoperability of systems. There are many mechanisms in the General Data Protection Regulation to ensure such interoperability (e.g., Binding Corporate Rules) as well as in other areas, such as the CBPRs in Asia. Ms. Falque-Pierrotin also mentioned digital education as a first level of bridging gaps.


KEYNOTE

Isabelle Falque-Pierrotin,
Chairwoman of CNIL, Chairwoman of Article 29 Working Party,
France

Ms. Falque-Pierrotin, Chairwoman of the French data protection authority CNIL and Chairwoman of the Article 29 Working Party, opened her keynote address by emphasizing that, in her experience, privacy compliance is no longer seen by organizations as a restraint but as an opportunity for a competitive business advantage. She then went on to address two important privacy topics: the General Data Protection Regulation (GDPR) and the US/EU Privacy Shield. With regard to the GDPR, Ms. Falque-Pierrotin stressed that implementing the required changes is very important for organizations and that they must invest time and money in this task.

She then highlighted some features of the GDPR. The Data Protection Officer (DPO), for example, is a very important function under the GDPR. When implementing the DPO, companies should make sure that he or she is not merely a legal expert but someone who is very close to the operational units so that he or she can have enough insight into the actual business operation. Appointing a DPO is only mandatory for some enterprises; however, the Article 29 Working Party recommends appointing a DPO voluntarily in most instances. Another GDPR feature to keep in mind is data portability. In particular, the exercise of this right does not prejudice any other right of a data subject.

Ms. Falque-Pierrotin also made a few remarks regarding the role of the data protection authorities (DPAs) in light of the implementation of the GDPR. Their core responsibilities are simplification, clarification, and harmonization. Diverging interpretations of the text should be avoided. The Article 29 Working Party has started publishing guidance on priority subjects (e.g., portability and the DPO) and is working on more, namely breach notices, consent and profiling. These guidelines are evolving, so there may be adjustments down the road; however, companies should nevertheless expect this guidance to be valid for quite some time, as legal certainty requires that any revision of these guidelines does not take place too soon.

Ms. Falque-Pierrotin also addressed the increasing cooperation of DPAs both on a European and on an international level. In the whole process of moving towards GDPR compliance, DPAs are facing similar challenges as data controllers, e.g., regarding the increasing demand for not only legal expertise but also economic, strategic, and technical expertise. With regard to the US/EU Privacy Shield, Ms. Falque-Pierrotin reiterated some of the concerns the Article 29 Working Party has already voiced publicly. She stressed that the revision of the Privacy Shield in September of this year will be crucial for the Working Party’s future position.


Transitioning towards the GDPR – Challenges and opportunities

Helen Dixon,
Data Protection Commissioner,
Ireland

Helen Dixon, the Data Protection Commissioner of Ireland, shared her perspective on the General Data Protection Regulation (GDPR). She started off on a positive note right away, emphasizing that she feels overall very positive about the outcome of the legislative process with regard to the GDPR, and also with regard to the current phase of preparing for the GDPR becoming effective. In her experience, the view of the majority of companies is that this law was needed, and that it is good both for individuals and businesses.

She then went on to point out a very interesting fact, which is that it is the impression of her and her colleagues that while for many private organizations, there is an intrinsic urge to comply with the new requirements, the public sector seems to have less of such an intrinsic motivation. Ms. Dixon then went on to elaborate on the principle of accountability under the GDPR. In her view, coming changes will to a large extent be driven by the accountability issue. It requires organizations to record information on the collection, processing and use of personal data more rigorously. The simple act of becoming aware of this information is already hugely powerful. In particular with regard to the use of cloud computing services, data controllers often do not seem to have a clear understanding of, e.g., where the data is located, or which technical and organizational measures are applied. Proper data governance and privacy by design will both flow from a better understanding of the way in which an organization is collecting and processing personal data, as encouraged by the accountability principle, which will then prevent unnecessary data protection violations.

Another GDPR principle Ms. Dixon elaborated on is the so-called “one-stop shop”. In her view, some may have underestimated the complexity of this mechanism. Also, the competent lead supervisory authority will need to supervise a law other than the law of its own jurisdiction, which is another challenge. In closing, Ms. Dixon emphasized that organizations need to open up to authorities more when it comes to accountability. Regulatory conversations are good as they reduce hostility, uncertainty, and paralysis. Organizations must engage in such conversations, as this will bring them much closer to compliance than they would be without.


Privacy Shield

Caitlin Fennessy,
Senior Policy Advisor, Data Flows and Privacy Team, U.S. International Trade Administration,
USA

Caitlin Fennessy of the U.S. International Trade Administration gave an interesting talk about the US/EU Privacy Shield. Ms. Fennessy started off by emphasizing the benefit of the framework for the transatlantic economy. The economic figures when it comes to cross-border data flows are staggering. The two-way trade in digital services and products between the US and the EU has now surpassed 290 billion dollars annually. Data flows account for a large increase in GDP. The Privacy Shield definitely raises the bar for data protection, and over 2,100 organizations certified in the first nine months, which is a big achievement.

Ms. Fennessy stressed that both the EU and the US are “in this together”, which is good as both parties can jointly work on making the transatlantic digital economy work. Ms. Fennessy also introduced some recent developments and improvements that were made to the implementation of the agreed framework. For example, the US Department of Commerce now has a more hands-on approach to the certification process and is committed to a high level of monitoring compliance and the verification of self-certification requirements. Other tasks the US International Trade Administration is performing with regard to the Privacy Shield program are: providing guidance for companies, facilitating resolution of complaints, outreach and education designed for all stakeholders, and enhanced cooperation with EU data protection authorities.

Also, a lot of thought went into the online information about the Privacy Shield and its participants, as there was an understanding that a better job needs to be done with regard to informing individuals as to how the framework works (as compared to the original Safe Harbor framework). It is important to note that ongoing cooperation between the EU and the US is already built into the Privacy Shield framework. In this regard, the first review will take place in the week of September 18th, 2017.


DISCUSSION International Data Transfers: Will Privacy Shield enable global data flows and create legal certainty?

Caitlin Fennessy, Senior Policy Advisor, Data Flows and Privacy Team, U.S. International Trade Administration, USA
Peter Fleischer, Global Privacy Counsel, Google Inc., France
Bruno Gencarelli, Head of Unit International Data Flows and Protection, European Commission
Dr Claus-Dieter Ulmer, Global Data Privacy Officer, Deutsche Telekom AG, Germany
Alan Winters, Chief Privacy Officer, Deputy Chief Global Compliance, Teleperformance Group, USA

The panel participants discussed the US/EU Privacy Shield (in particular, whether this mechanism will likely create legal certainty), international data flows in the context of business process outsourcing and customer services, as well as GDPR compliance in general. Mr. Fleischer, Global Privacy Counsel at Google, stressed that these issues require considerable resources. Google, for example, has about 300 people working on the Privacy Shield implementation, a number that for an SME would simply be impossible. With regard to GDPR compliance, Mr. Fleischer explained that Google has seven different services with over a billion active users, and, for example, when it comes to dealing with the onward transfer obligation, they do not yet know how many such requests will be made. Google will need to scale to any number, which will be challenging. With regard to the US/EU Privacy Shield, Bruno Gencarelli, the European Commission’s Head of Unit International Data Flows and Protection, stressed that the upcoming review of the framework (scheduled for September 2017) is meant to confirm the mechanism’s durability.

The second part of the panel discussion then focused on international data flows in the context of business process outsourcing and customer services. Mr. Winters, Chief Privacy Officer and Deputy Chief Global Compliance Officer at Teleperformance Group, outlined his first-hand experience in this regard from the perspective of a service provider. His company is actually spending a lot of time educating their clients about the implications of privacy for their services. Many companies are still way behind when it comes to getting GDPR ready.

Mr. Ulmer, Global Data Privacy Officer at Deutsche Telekom AG, explained that within his organization, they do not rely on the Privacy Shield but rather on Binding Corporate Rules and Standard Contractual Clauses. In his view, bilateral solutions such as the Privacy Shield may not last very long.


DPA Developments in the Philippines

Raymund Enriquez Liboro,
Privacy Commissioner and Chairman, National Privacy Commission,
Republic of the Philippines

Mr. Liboro kicked off his talk by introducing the Philippines and the growing relevance of data protection issues due to reasons such as the extensive use of the internet and social media in the Philippines. As a measure to stay on top of this development, the Data Privacy Act of 2012 was enacted, which governs the rights of a data subject and the obligations of data controllers and processors. The penalties enshrined in the Act are quite punitive.

The privacy authority of the Philippines was established only recently, in 2016. Its main functions are: rule-making, advisory, advocacy, investigation, compliance & monitoring, public education, handling complaints, and enforcement. The work currently done by the privacy authority was described by Mr. Liboro with the catchy phrase “catching up and moving fast”. He then went on to elaborate further on this work. The alignment with global privacy standards is a top priority for the Philippine regulator. In this context, four circulars were issued in 2016 (on government agencies, data sharing, data breach management and filing complaints), with more to come in 2017. His other primary job is to educate organizations on how to establish privacy compliance, and in this regard, it is imperative to “keep it simple”, as a lot of privacy concepts are new for Filipinos.

The privacy authority has therefore broken data protection compliance down into five main pillars for data controllers that are subject to the Act: (1) Commit to comply – appoint a Data Protection Officer; (2) Know your risks – conduct a privacy impact assessment; (3) Be accountable – create your privacy management program and privacy manual; (4) Demonstrate your compliance – implement your privacy and data protection measures; and (5) Be prepared for breach – regularly exercise your breach reporting procedures. All available venues are used to bring about awareness of these issues, including social media. Going forward, Mr. Liboro intends to, among other things, intensify policy development in high-risk industries and intensify the exchange with privacy regulators and professionals internationally.


The scope of EU data protection legislation vs. the scope of the EU fundamental
right to data protection – which cases may be dealt with by the Court of Justice?
Dr Christoph Sobotta,
Legal Secretary (Référendaire), Chambers of Advocate General Kokott,
Court of Justice of the European Union

In his presentation, Dr Sobotta compared the scope of the Data Protection Directive and the General Data Protection Regulation to the scope of Article 8 of the Charter of Fundamental Rights of the European Union. Dr Sobotta first introduced the different concepts of scope, namely temporal scope (e.g., the transition from the Data Protection Directive to the GDPR on May 25th, 2018), territorial scope (including the Google Spain and Schrems decisions of the European Court of Justice as well as the concept under Art. 3 of the GDPR), personal scope and material scope. With regard to personal scope, Dr Sobotta reminded the audience that while the Data Protection Directive and the GDPR are addressed to the data controller as obligated party, the provisions of the Charter are addressed to the institutions, bodies, offices and agencies of the European Union and to the member states when they are implementing European Union law.

The main focus of the presentation then was the comparison of the material scope of the Data Protection Directive, the GDPR and Article 8 of the Charter. While the exclusions of scope under the Data Protection Directive exclude areas where Art. 8 of the Charter applies, in particular issues of public security, the GDPR provides for a broader material scope that overlaps more with the Charter. As regards obligations of private data controllers, Art. 8 of the Charter will primarily apply by guiding the interpretation of the GDPR.


One Year to GDPR: How is Google preparing?

Peter Fleischer,
Global Privacy Counsel, Google Inc.,
France

Peter Fleischer, Global Privacy Counsel at Google, outlined in his presentation how Google is preparing for the coming into force of the General Data Protection Regulation (GDPR) in 2018. First, Mr. Fleischer presented the interface and categories of functions Google offers its users, the categories being “Choice” (e.g., during account creation or during operation), “Transparency” (i.e., making it easier to see what data Google collects), “Control” (through privacy settings) and “Security”.

Google created a single space for Google users to manage all their privacy and security settings. In 2016, 1.6 billion unique users used this tool, evidence that it is easy enough to use intuitively. Mr. Fleischer also said a few words regarding Google’s Privacy Shield program. For example, the annual review process lasts four months. Every product is subject to privacy design documents and an in-depth review. Hundreds of products were reviewed and certified in 2016, with hundreds of lawyers, engineers and product managers involved. With regard to law enforcement requests, Mr. Fleischer pointed out that the number of requests is going up. The number of requests where data was produced, however, is very stable.

The next topic that was discussed was machine learning. Machine learning is now a crucial component in Google’s most popular services, with so-called deep learning becoming more and more important. Privacy considerations are important with regard to the input (what can go into the system), the output, and also the training and processing that takes place in between. In the following Q&A session, Mr. Fleischer touched upon a variety of issues: the new ePrivacy revision is disregarding some of the discussions the privacy community had with regard to not relying too much on consent. For startups that want to comply with the GDPR requirements although they have very limited resources, Mr. Fleischer’s advice was to keep it very simple and boil the requirements down to two or three core points for internal discussions.


Challenges in implementing the GDPR in an international company

Dr Axel Kessler LL.M.,
Head of Legal Data Privacy, Siemens AG,
Germany

In his presentation, Dr Kessler, Head of Legal Data Privacy at Siemens AG, gave hands-on advice with regard to ways in which international companies can face the challenges of implementing the General Data Protection Regulation (GDPR). In particular, Dr Kessler addressed the issue of combining compliance with different legal requirements in the same technical and organizational tools. According to Article 30 para. 1 GDPR, a controller shall maintain a “record of processing activities” under its responsibility. According to Article 35 para. 7 GDPR, any data protection impact assessment shall contain certain minimum information. According to Article 28 para. 3 GDPR, the contract with a data processor shall set out certain documented information. According to Article 13 para. 1 GDPR, certain information about the processing shall be provided to the data subject. Dr Kessler illustrated, by way of a SIEMENS-internal documentation system, how recording of all this different information can be achieved in a streamlined and combined fashion.


Implementation of GDPR in an Airline: Ideas and first experiences in practice

Dr Barbara Kirchberg-Lennartz,
Global Data Privacy Officer, Deutsche Lufthansa AG,
Germany

In her presentation, Dr Barbara Kirchberg-Lennartz, Data Protection Officer of the Lufthansa Group, gave her ideas and first experiences with regard to implementing the General Data Protection Regulation (GDPR) at her organization. First, Ms. Kirchberg-Lennartz gave an overview of the amount of personal data that is processed in connection with the airline operation: First, there is passenger data for reservation, ticketing, arrival and after-flight services. Second, data is collected in connection with the customer loyalty program (Miles & More members). Third, there is the data of the employees. Ms. Kirchberg-Lennartz then put forth that only a small part of the challenges of the GDPR are actually clearly visible. The “devil is in the detail”, so to speak, and this only becomes apparent once one has already spent considerable time on implementing the GDPR. For example, there is an extremely fast development in data processing, and transparency is not easily achieved. Also, there is a lack of legal certainty regarding the new data protection rules. It is therefore not clear to companies which risks are the most significant, and where they have to be active. The impact of the GDPR on organizations is very high. They have to establish a data protection and IT security management, implement specific data protection processes to avoid risks, consult and train within their organization and monitor compliance. In the end, it is all about risk mitigation that concerns the top management as well as everybody else.


Implementation of GDPR in a large multinational organization

Mikko Niva,
Group Privacy Officer and Head of Legal, Vodafone Group Services Limited,
UK

Mikko Niva, Group Privacy Officer and Head of Legal at Vodafone Group, gave a presentation on first-hand practical experiences with regard to implementing the GDPR requirements in a large multinational organization such as Vodafone. Needless to say, the implementation is a real challenge for organizations.

In his view, the complex task of establishing GDPR compliance can be made more manageable by grouping the requirements into three “lines”. The first line is the “Business” line. It is the “first” line because at this level, the ultimate responsibility for implementing and observing the privacy requirements on a day-to-day basis is located. The second line is the “Privacy” line. Here, the legal requirements are translated into specific policies, baseline requirements and compliance processes. The work products developed at this level determine the actions taken within the Business line. The third line then is the “Audit” line. At this level, detailed audits ensure policy compliance with a view to the other two lines. For the implementation of the GDPR requirements to work, it is imperative that legal requirements are pushed down to a lower level of privacy expertise through detailed design patterns and guidelines (every company only has a limited number of recurring problems, and these need repeatable solutions) and standardized compliance processes. Also, establishing accountability within the organization is key to achieving compliance in the “Business” line. At Vodafone, for example, there are more than 200 individuals with direct responsibilities pertaining to privacy requirements, with detailed (e.g., monthly) reporting obligations. Mr. Niva then spent some time on the concept of privacy by design, which is also an important tool to ensure privacy compliance on the Business level. Here, the practical recommendation was to tie security and privacy by design to the business processes and phases that are the reality with regard to the organization’s operation (e.g.: concept phase; design and build phase; test, go-live, operation and decommissioning).


DISCUSSION
Are businesses “GDPR-ready”?
Dr Axel Kessler LL.M., Head of Legal Data Privacy, Siemens AG, Germany
Dr Barbara Kirchberg-Lennartz, Global Data Privacy Officer, Deutsche Lufthansa AG, Germany
Dana Louise Simberkoff, Chief Compliance and Risk Officer, AvePoint, USA
JoAnn Stonier, Chief Information Governance & Privacy Officer, Mastercard, USA

In the last panel discussion for the day, the participants discussed the issue of whether businesses are “GDPR-ready”. The Centre for Information Policy Leadership (CIPL), a global privacy and security think tank, and AvePoint launched a global GDPR readiness survey, in particular to assess the current state of readiness for the GDPR, benchmark and evaluate readiness in relation to industry peers on an ongoing basis, and understand key changes and compliance obligations under the GDPR. The survey focused on the key change areas in the GDPR, including consent, legitimate interest, profiling, data portability, privacy impact assessments, data protection by design, DPOs and resources, data breach reporting, transfers to third countries, accountability and privacy management programs.

Ms. Simberkoff summarized the outcome of the survey; in particular, there seems to be a lack of technology tools in organizations to implement data privacy compliance tasks and protect personal data. Technology could, however, do more and also help with regard to the right of access, consent management, privacy transparency dashboards, privacy program demonstration etc. The key concerns of senior management were the enhanced sanctions and data breach reporting obligations, stricter rules on consent and data reuse, the expanding individual rights and the changes to international privacy programs. Ms. Simberkoff stressed that GDPR implementation is good data lifecycle management.

Ms. Stonier then raised an interesting point, namely that the GDPR implementation is an even bigger task than one thinks at first sight. Companies are now required to create systems and processes in order to enable GDPR compliance; however, such solutions not only have to be appropriate for the problems of today but also for the problems of the future. Given the legal uncertainty when it comes to the GDPR implementation, it is even harder to look beyond and see what problems may arise in the future.

The panel then gave some advice as to what to do if an organization has not yet started implementing the GDPR. First, one should get a grip on the text of the GDPR and the guidance of the Article 29 Working Party in that regard. Then, it is important to create an inventory and to know what personal data the organization collects and processes. Finally, privacy professionals within organizations should use the GDPR as an opportunity to “become (even more) relevant” in the organization.


PARALLEL SESSIONS
Implementation of the GDPR at eBay – Experiences and learnings
Dr Anna Zeiter LL.M. (Stanford),
Head of Data Protection, EMEA, eBay International AG,
Switzerland

In her presentation, Dr Anna Zeiter gave an overview of the phases that eBay has been and is still going through with regard to the implementation of the General Data Protection Regulation (GDPR), which may serve as a guideline to other entities as well.

The first phase already started at the beginning of 2016 (January 2016 through March 2016) and was about raising awareness for the issue within the organization and starting internal communication. The second phase, a gap analysis, occurred from April 2016 through August 2016. It comprised carrying out interviews with legal teams and business units, the usage of assessment tools and the drafting of a gap analysis report. At the end of the second phase, a list with action items was compiled, including, for example, the following items to be looked at more closely in the subsequent process: data mapping, processes for the new data subject access rights, privacy impact assessment, privacy by design and by default, a review of consent-based processing, a review of the position of the data protection officer (DPO), the introduction of a privacy champion program, data deletion and retention, data breach responses and privacy trainings. Phase 3 basically comprised asking for the required budget to implement the identified action items. The fourth and currently still ongoing phase is the actual implementation phase (October 2016 through December 2017). Here, it is about creating projects and subprojects, assigning responsibilities and involving stakeholders. A practical tip from Dr Zeiter was to use professional project managers for this phase. The fifth and final phase, which also overlaps a bit with Phase 4, is the monitoring phase (October 2017 through June 2018). Here, the success regarding implementing the requirements will be assessed and corrective measures taken, if required.

Dr Zeiter then gave a recount of some experiences she made along the way, and gave some recommendations. Communication is probably the key to having a successful implementation. Management and stakeholders should be informed as early as possible. It should be clear to everybody what they need to do. Also, monitor the implementation progress and change the approach if required. Dr Zeiter then concluded her presentation with some remarks regarding the positive aspects of the GDPR implementation: privacy is in the spotlight in every organization, and it is an opportunity to ask questions the privacy professional in charge has not been asking before, and to challenge current processes within the company in order to enhance privacy.


PARALLEL SESSIONS
The new ePrivacy regulation
Ruth Boardman,
Partner, Bird & Bird LLP,
UK

Ruth Boardman introduces the draft of the new e-Privacy regulation by showing the particularisation of data protection for the communication sector into 3 overlapping areas of law: the e-Privacy regulation itself, the GDPR and, as a third area, Art 8 of the ECHR and national regulations concerning the secrecy of correspondence.

Just like other European regulations, this new directive aims to iron out the differences in national law on e-Privacy and to broaden the scope of electronic communications services.

The proposed regulation is going to regulate websites, browsers and apps around the world by applying to over-the-top service providers such as unmanaged VoIP, instant messaging, webmail and social media messaging. Next to these it will apply to IoT technology and M2M communication.

One big change to current regulation is the new differentiation between use of metadata and use of content. While the use of metadata will be more easily achievable, for the use of content the draft stipulates authorisation from DPAs. For the latter, the regulation will be flexible to fit with national legislation, e.g. regarding laws on national security purposes.

Although the new e-Privacy regulation was created by a different set of regulators than the GDPR, there are certain links to the GDPR, such as the ambitious aim to apply from May 2018. Furthermore, the e-Privacy regulation shares the definition of consent given by the GDPR and foresees the DPAs supervising the communication sector as well.

Regarding the fines there will be parallels with the GDPR too, picking up its higher fines and also suggesting a similar split into 4% and 2% of the annual worldwide turnover of an undertaking. The provisions for cookies and marketing will be put in the less serious category of the 2% rate.

Looking at the e-Privacy regulation’s impact on electronic marketing, one big change is going to be the definition of direct marketing it covers. The proposal does not simply talk about e-mail marketing but more broadly about electronic communication services used for direct marketing. By that, the opt-in rule that applies to e-mail marketing may apply to all kinds of ads displayed online; whether targeted or not, they could be subject to these rules. As the Article 29 Working Party picked up in its recent opinion, some of the technological updating which the proposed regulation is supposed to do has not quite been worded effectively.

As regards cookies, the draft regulation broadly maintains the existing cookie consent rules but, as Ruth Boardman points out, Article 8 (d) of the regulation raises some new questions, e.g. to what extent web audience measuring will be covered.

Until now the e-Privacy regulation is a draft only, so we have to follow the process and see how the final version will turn out before making definite statements about its concrete implications.


PARALLEL SESSIONS
The Universality of consent in global data protection
Patricia Kosseim,
Senior General Counsel and Director General Legal Services, Policy, Research and Technology Analysis Branch,
Office of the Privacy Commissioner of Canada

Patricia Kosseim from the Office of the Privacy Commissioner of Canada elaborated in her talk on the nature of consent; under Canadian law, consent is an outflow of a constitutional right. Ms. Kosseim started by giving a brief historic overview of the different views people have taken on the concept of consent over time. Plato, for example, was not a proponent of consent – according to him, a few “wise men” were tasked with determining how processes should run within a state. According to Aristotle, consent was the bond that holds people together. Finally, consent has become a form of individual empowerment, which can turn slavery into employment and privacy violations into just and fair processing.

Ms. Kosseim then went on to compare the concept of consent specifically in the three jurisdictions Europe, US and Canada. In Europe, informed consent emerged as the gold standard and expresses respect of persons as persons. However, in cases where data processing benefitted society as a whole (e.g., in clinical research), consent became unsustainable. In these cases (amongst others), Europe has moved away from the consent requirement. However, moving away from consent made other improvements necessary, such as stronger safeguards and a more robust framework. The concept in the USA is very different from that. Here, privacy is grounded in liberty and freedom from state intrusion. The level of protection of information voluntarily handed over is usually very low. This so-called “third-party doctrine” (i.e., people who voluntarily give information to third parties such as banks, phone companies, internet service providers etc. have “no reasonable expectation of privacy”) has been a minor “mistake” in the past, but now the adverse effects are multiplied. In Canada, however, the concept of consent is followed very strictly. Search engines, for example, do not really fit under Canadian privacy laws. According to Ms. Kosseim, it is crucial that Canada revisit the laws pertaining to consent. The Office of the Privacy Commissioner of Canada is currently in the process of drafting a policy position.


PARALLEL SESSIONS
Implementation of the data protection reform and international transfers: the view from the European Commission
Bruno Gencarelli,
Head of Unit International DataFlows and Protection,
European Commission

The GDPR didn’t fall from the sky. Lots of the rules and principles of the GDPR are not new but grown and developed over the years on the ground of former regulations, so it is a mix of continuity and innovation in terms of data protection. You could say that evolution brought down a revolution.

The beauty of the GDPR is that it moves from the ex ante approach of preauthorisation and prenotification to an ex post system that is to a much larger extent based on accountability and credible enforcement. We cannot get everything at the same time: the benefits and flexibility of accountability on the one hand and more guidelines for each and every means of the regulation on the other hand.

Now it is not about renegotiating the GDPR, but about getting feedback from the different stakeholders. This regulation will apply next year, independently of whether the member states have or have not exercised what in most cases is a possibility, not an obligation, for national legislation. When it comes to the areas where member states are allowed a certain degree of flexibility, that latitude must be exercised within the parameters of the regulation. We have an exercise to meet monthly with the member states, firstly to understand where they are in terms of national implementation and see what approaches they are taking, in order to find a convergent approach.

Secondly, to specify the topics and areas of the regulation on which they need clarification, as the member states are each in different phases of the implementation process. For this we need continuing dialogues as an important part of our work to guarantee that one of the main objectives of the regulation is pursued: uniformity and harmonisation.

Another general objective of the regulation is to have a high level of protection as well as a free flow of data within the EU. Any national legislation will have to be tested against this goal.

The regulation has left the Commission with a number of implementing and delegated powers regarding the area of certification, which is particularly adapted to show compliance in a transitioning system. For this reason, we have launched studies to understand the different certification solutions that exist, to find best practice examples and go on from there. How can we work with synergies of those different certification systems, and what kind of certification do we have in mind? Is certification a comprehensive instrument for demonstrating compliance with the regulation? Is it a tool for international transfers? Is certification of technological solutions important for compliance with specific provisions?

We want to set up a multi-stakeholder expert group, composed of representatives of legal practitioners, academics, and businesses including SMEs. Its task will be to identify potential challenges in the application of the GDPR and to advise the Commission on how to address those challenges.

Our work will not end in May 2018; it is about how we want to progress in the application of the GDPR, and other issues will be raised. We as DPA want this process to be as open as possible.


PARALLEL SESSIONS
Grappling with the internet of things, disruptive technology and cloud of things in the context of a smart nation initiative
Steve Tan,
Partner, Deputy Head, Technology, Media & Telecommunications, Rajah & Tann Singapore LLP,
Singapore

Steve Tan, partner at Rajah & Tann Singapore LLP, kicked off his presentation about becoming a “Smart Nation” by introducing the key drivers for such a development: disruptive technologies, Internet and cloud of things as well as big data and data analytics. Mr. Tan then mainly focused on the topic of Internet and cloud of things. Cloud computing has become a key enabler for Internet of Things (IoT) and disruptive technology. Cloud computing and IoT also go hand in hand because otherwise, no real scalability is achieved.

Mr. Tan then presented four typical use cases of the cloud of things: (1) Retail (e.g., tracking and monitoring of consumer behavior and preferences; marketing activities based on analysis); (2) Healthcare (e.g., remote monitoring of health information, dietary intake; healthcare wearables and mobile applications); (3) Insurance (e.g., auto-insurance premiums based on driving behavior, incentives for health insurance based on fitness activities); and (4) Government (e.g., Smart Nation programs; better inter-agency cooperation; predictive technology for crime prevention). There are several challenges associated with these kinds of services, namely data protection issues (transparency, information imbalance, consent and fair usage); the allocation of risks, liabilities and rights; the issue of cross-border regulation and jurisdiction; and security aspects (securing the data; data ownership). Mr. Tan illustrated these issues by listing all the different players that can be involved in such services: ISPs, device manufacturers, software owners, retailers, app vendors, data center owners etc. Mr. Tan then also briefly outlined Singapore’s cybersecurity strategy on its way to becoming a Smart Nation.


PARALLEL SESSIONS
Data protection in Tunisia as a tool for development
Héla Bey Ben Miled,
Judge, Tunisian Administrative Court of Justice, UN Data Privacy Advisory Group,
Tunisia

Tunisia is going through a crucial period of change, trying to preserve and strengthen democracy and struggling for development.

The speaker began by giving a brief overview of the legal framework protecting personal data in Tunisia, stating that it is fairly close to European standards as regards e.g. the definition of personal data, principles relating to data processing, consent conditions and the rights of data subjects.

Héla Bey Ben Miled outlined examples of specific cases where the promotion of personal data can contribute to strengthening democracy, encourage political development and foster social development. The protection of privacy on the one hand and personal data on the other hand have become two separate fundamental rights in the constitution of post-revolution Tunisia and a guarantee of good governance and democracy.

In 2016 a new law on the right of access to information was introduced, which provides for a wide application of access to information, request and appeal procedures and the establishment of an independent Access to Information Authority (ATIA) that is separate from the DPA. The ATIA decides what can be considered as personal or public information. But access to information can serve democracy only if it follows data protection principles, and emphasis should be placed on anonymization techniques, given the underlying risk of re-identification.

When it comes to the issue of economic development, Tunisia has to prepare for the extra-territorial reach of the GDPR. Updating the Tunisian data protection law in accordance with the GDPR can help the new investment law to have its desired effects, such as attracting foreign investment.

Fostering social development could be reached through the creation of a private credit scoring that enhances access to credit for low-income workers and small institutions. As the risk of errors, profiling and blacklisting which could lead to discrimination remains high, the DPA required strong data protection safeguards.

EDPD 2017 2nd Day (16 May 2017)

Digital Disinformation – Fake news and hacking in election campaigns

Dr Ben Scott,
Member of the Management Board,
Stiftung Neue Verantwortung and former advisor to Secretary of State Hillary Clinton,
USA

The disinformation by fake news prior to the voting in the US elections and the cyberattacks on the US Democratic National Committee are really alarming. Statistical analyses of Facebook engagements for election stories showed that fake news are more popular than real news. We don’t know what exactly is going on, and it is so far not clear how extensively false news impact elections.

The development of a fake news typology shows the complexity and the variety of sources: (i) links to false news by a “Click this right now” mechanism, (ii) foreign state media or intelligence agencies, (iii) hyper-partisan media / tribal political voices (like Breitbart), (iv) Facebook Dark Posts or Twitter bots, (v) press / media (further distribution of fake news) and (vi) Twitter.

But how does this work? Typically, we had so far a two-step information flow from media to our trusted network of five to ten people (like family or friends). Today, the trusted network is online (Facebook, etc.) and comprises hundreds of people.

What can we do about it? Political parties and campaigns should have a baseline of cyber security. We should also support better journalism as an important public value. As a long-term goal we should teach our children the basic tools and reestablish social norms. In the short term, we could fight fake news by taking simple steps like fact checking, by clicking “Fake” buttons or by direct confrontation.

We can also discuss more regulation of social media, like effective fact checking tools. But putting the responsibility on social media platforms to delete content is a misguided approach. In the end it is a human problem, not a technical problem. The problem can be solved by humans only, by creating a social value of contesting fake news. The human problem can be addressed by technical solutions (machine learning tools, algorithm changes, cut-off tools, reputation checks, credibility scores, etc.).


Designing for the GDPR: making it work for data subjects

Stephen Deadman,
Global Deputy Chief Privacy Officer, Facebook,
UK

How can we ensure that the GDPR gets it right for the people? Implementing the GDPR is a difficult mission. But success comes out of collaboration with the industry. Building transparency and control is at the heart of “getting it right”. How we give transparency and control is a challenge of design.

If we focus on Start Up partnerships we see a dilemma: On the one hand Start Ups give personal data value, and on the other hand they have to handle complicated data protection rules. Start Ups typically have a short-term thinking process, and the handling of personal data could be a question of life or death for Start Ups. However, designers tackle dilemmas like this all the time.

In March 2017 we carried out the Design Jam event (Creating trust, transparency and control to empower people in the digital world). Designers, privacy experts, engineers, advocates, companies and other experts joined the event. The goal of the event was to define concepts of control. The participants created a selection of ideas, and we discussed the set of ideas with people in Skype interviews and in street interviews to receive constructive feedback.

Design is an iterative, never-ending circle. In contrast, legal compliance is definitive, and therefore linear. “Getting it right” isn’t a stationary target. Since compliance was the main driver within the last 30 years, we have not made much progress in these years.

To get it right we need
■ Humility – we don’t have all the answers
■ Collaboration – between industry and DPAs, but also with other disciplines like design and UX
■ Agility and scale – we must be agile, and solutions must be able to scale


Worldwide standards in data privacy – digital sovereignty as foundation for a common understanding?
Dr Claus-Dieter Ulmer,
Global Data Privacy Officer, Deutsche Telekom AG,
Germany

I want to focus on the question whether digital sovereignty is a foundation for a common understanding. The digital era is changing industry’s paradigms regarding business models, technology and customers – but what about the privacy paradigms?

One can separate between (i) a more absolute approach or (ii) a more open approach. The more absolute approach is characterized by data privacy in the sense of fully protecting the individual (nothing is allowed without prior consent). But is consent good enough, and will companies ever be able to comply? A more open approach can be characterized as follows: Data generally belongs to the one who is processing it, and as long as there is no regulation, everything goes. It is the individual’s responsibility to act against unwanted data protection, and the government acts more as an observer. This open approach does not match the situation today.

Public skepticism and lack of trust endanger digital business models. In this respect I refer to (i) the CERES study “Digital Self-Determination”, (ii) the Dimap study “EU and Digitization” and (iii) the NTIA survey – US. According to the studies, customers’ expectations and demands are transparency and “digital sovereignty”. But is there a level playing field between companies and consumers? The answer is: Despite any regulation – if we as a company do not take our digital responsibility, we will have a problem.

There are ways for co-operation adhering to the principle of digital sovereignty. Specifically, examples for possible standardization areas are:
■ Transparency: Simple and easy to understand consumer information like a Data privacy “One Pager”, Data Cockpit or Data privacy Bots.
■ Freedom of Choice: Processing for fulfilment of contractual obligations with no additional consent (level 1); further processing that might be expectable from the user’s view can be subject to opt out (level 2); not expected further processing is subject to opt in (level 3).
■ Risk Minimization: Privacy by Design as a fundamental process requirement (pseudonymization and anonymization)

So let’s go forward and restart existing initiatives again and start new ones. Please invite participants from all over the world if you start or continue working on standards. Adhere to “Design Thinking”!

EDPD 2017 2nd Day (16 May 2017)

EU Fundamental rights in the cloud

Marie-Charlotte Roques-Bonnet,
Director of EMEA Privacy Policy, Microsoft EMEA,
France

What is new for Microsoft and others regarding the GDPR and operating a cloud? The GDPR stipulates, in particular, new requirements regarding (i) transparency of information, (ii) accountability, (iii) Data Protection Impact Assessment, (iv) processors and (v) compensation and liability rights. The core new obligations are to be framed by the WP29.

But looking deeper at the cloud and the EU fundamental rights: where do challenges really come from? First of all, recent key CJEU cases in 2014 and 2015 as well as the upcoming case Data Protection Commissioner vs. Maximillian Schrems on the legality of Standard Contractual Clauses (Model Clauses) have or will have an impact.

Regarding the operation of a cloud I want to focus on five challenges:

■ CHALLENGE 1: Demonstrating trustworthy data transfers using an EU-valid tool.
In this respect Microsoft was proud to become the first global cloud service provider listed and certified under the Privacy Shield. However, brand new tools are expected to frame the transfers under the GDPR (besides the EU model clauses and the BCRs): national Standard Contractual Clauses, Codes of Conduct and Certifications.

■ CHALLENGE 2: Demonstrating 100% transparency on users' rights.
First of all, Microsoft has a broad privacy statement which has been materially updated in March 2017. In addition, new Windows features enable privacy settings for the devices (e.g., regarding diagnostics data, speech recognition). This is mandatory for customers (and not privacy by default).

■ CHALLENGE 3: Demonstrating 100% transparency on law enforcement requests.
The number of government or law enforcement requests for customer data increased in the last years. Microsoft reached a percentage of 75% accepted requests. Microsoft provides a number of disclosures to help stakeholders evaluate how we are meeting our commitments (Microsoft Transparency Hub), e.g. regarding National Security Orders or Content Removal requests.

■ CHALLENGE 4: Addressing EU data subjects' real concerns and getting back trust.
A trustee model in Germany addresses the concerns. Datacenters are in Germany, with access controlled by a German data trustee. Also Microsoft's access to customer data is controlled by the data trustee. State-of-the-art security measures are implemented including 24-hour monitoring and security staff. In addition, there are physical barriers, fencing and extensive environmental protection.

■ CHALLENGE 5: Being, worldwide, an accountable processor as per GDPR standards.
The core GDPR challenges for Microsoft are (i) processor liability (CSP/data breaches – to be covered by controller/processor agreements), (ii) the risk-based approach (TOMs – assisting controllers with risk assessments), (iii) accountability that is to be demonstrated (new processes – documentation to be provided) and (iv) the EU one-stop shop and data transfer framing (main establishment determining the lead DPA).


DPIAs and data mapping: operationalising GDPR and privacy by design

Kabir Barday,
CEO, OneTrust,
UK

Regarding the operationalization of the GDPR, I want to focus on two areas: data mapping and the Data Protection Impact Assessment (DPIA). To understand data mapping we have to understand what a data inventory is. A data inventory is a record of all of the personal data and associated information an organization has. A data map is a visualization based on the underlying data in the inventory (it is not data discovery).

Article 30 GDPR stipulates requirements for controllers and processors regarding „Records of Processing Activities". Additional requirements for data mapping that go beyond Article 30 are specified in Article 6, Article 15 and Article 32. Additional guidance is provided by the regulators (e.g. the CNIL Article 30 template).

Implementing data mapping is a 7-step process:
■ STEP 1: Determine what you already have (list of assets, business processes, etc.)
■ STEP 2: Gap analysis – decide what you need (Art. 30 +)
■ STEP 3: Mapping by process vs. application (or a hybrid approach)
■ STEP 4: Decide how to populate your map (questionnaire, etc.)
■ STEP 5: Which business team to start with (e.g. complex team vs. high-risk team)
■ STEP 6: Who is doing the work (early involvement of privacy and subject matter experts)
■ STEP 7: Keep it updated (e.g., re-audit on a risk-based schedule: „what changed").

A DPIA has to be separated from a PIA; a PIA is a different assessment with different requirements. The top 6 GDPR requirements for a DPIA are:
■ Risk must be analyzed from the view of the data subject, not the business, and include likelihood and severity
■ Include the additional reference lists being produced by the EU regulators on types of processing that trigger a DPIA
■ Data subject views should be reviewed during the DPIA
■ Additional questions should be in a DPIA in order to demonstrate overall accountability with the GDPR and privacy by design
■ Prior consultation with the DPA is required when the risk cannot be mitigated
■ The DPO doesn't need to lead the DPIA, but should provide advice during the DPIA

In practice take the WP29 Guidance on DPIAs into account and reassess your DPIA at least every three years. A proposal for operationalising the DPIA: (1) Threshold (is there an impact?) (2) Risk assessment (DPIA trigger?) (3) DPIA (can I mitigate the risk?) (4) DPA consultation.


Big Data and the GDPR: innovative or conservative?

Yann Padova,
Commissaire, Commission de Régulation de l’Energie,
France

Big Data and the GDPR is a difficult mission. The defining qualities of Big Data are (i) capture lots of data whenever you can, (ii) reuse data frequently, (iii) keep data as long as possible and (iv) „let the data speak": data will foster hypotheses rather than prove existing hypotheses.

As a consequence Big Data (i) seems to be „unpredictable by design", (ii) produces correlations, inferences and predictions that defy human understanding and (iii) triggers major regulatory challenges: how can we regulate something we do not understand? So, are Big Data and privacy principles a love-and-hate story? Where does the GDPR stand? I want to focus on three topics: data collection, purpose specification and data retention.

With regard to data collection the GDPR has a conservative approach. The GDPR is restrictive because of a reinforced consent, which can be withdrawn „at any time". As a result, there is a need for a broad consent for repurposing, and data is no longer likely to be compliant.

With regard to the purpose specification principle the GDPR has a more „flexible" approach. The „statistical purpose" (i) is not limited to public entities, (ii) is explicitly deemed not to violate the need to stay with a specific purpose, (iii) is not narrowly defined and can be construed broadly; (iv) further statistical processing does not require a specific legal ground as long as „appropriate safeguards" are implemented. The GDPR delegates to Member States important competences to define the extent of the pathways it opens. Another option is the compatibility check mechanism. However, the data subject must be informed of any further processing.

With regard to data retention the GDPR also has a more flexible approach. Data should be kept for no longer than is necessary for the purposes for which it was collected. But it may be stored for longer periods for statistical purposes provided that „appropriate safeguards" are implemented. Again, the GDPR delegates to Member States important competences to define the extent of the pathways it opens. Pseudonymization can be seen as a response to technical advances that challenge the very possibility of anonymization.

The question is: what to do and what comes next? Potential developments/approaches are national fragmentation, contract solutions or regulatory guidance. Are we going towards an ethical regulation of algorithms?


Big Data – the silver bullet or a threat to a free society?

Amancio Kolompar,
Director Privacy Compliance, Liberty Global B.V.,
The Netherlands

After shortly introducing Liberty Global, Amancio Kolompar presents some of his own thoughts about the use of Big Data by introducing the proposition „I have nothing to hide" that often comes to mind when speaking about privacy. He states that the problem behind this proposition is that I do not decide what I have to hide, so in consequence I may have many things to fear. This leads to a dystopian perspective that Big Data may very well mean the end of the free democratic society as we know it.

How did we end up at the point where government agencies, as we know since the Snowden revelations, have all kinds of deep inside knowledge of individuals via metadata? We have a host of principles, guidelines and laws that should protect privacy. What we see today happened under the Data Protection Directive 95/46/EC. Now we have to see what impact the GDPR will have.

Big Data is about these three dimensions: volume, velocity and variety. But what makes it controversial is not the size, but the point that through Big Data analysis, things that at first sight are not correlated get correlated by statistical algorithms. Today data is used in lots of ways it was not anticipated to be, leading to questionable developments. As an example, today it is possible, by analyzing only 300 Facebook likes, to know more about a person than their partner does.

Amancio Kolompar asks what that data world does to an individual. What does this do to us as humans? Giving examples like real-time pricing and predictive policing, he points out that the use of Big Data gets critical when correlations lead to decisions about individuals.

Following the example of predictive policing, discussing some of the ethical problems behind it and how it could turn our legal system upside down, Kolompar talks about the Communist Party in China, which is busy introducing a credit system that takes all kinds of data elements including social media data into account for scoring people, with the result that anything a person does, says, likes, who they are friends with and so on will have an immediate effect on their future life and chances. These developments could lead people to regulate themselves and their behavior on a large scale. In consequence, we have no privacy and a huge loss of liberty.

Technology gets closer and closer to our bodies; it becomes part of ourselves and modifies and changes who we are as human beings, how we act and interact. We start changing and rewiring ourselves until we will not be ourselves anymore.

So, what can we do? We got the GDPR as a legal tool, and we could come to more and more regulations trying to find solutions. Or we should look at different sectors having similar problems, with the biology sector as a good example. The biology sector, with genetic research and genetic engineering, has very early on recognized that the technology we have in our hands has some dangers and that we have to look at these dangers before we put them out into the wild. They have included ethics for many years and have considered ethical aspects throughout.

We need to better understand what the possible and potential complications for society can be before we start using big data in the shown ways.

When we talk about Artificial Intelligence (AI) it is already happening that we talk about ethics, and we should take the same route when using big data, because it is not me who decides how data can be used against me in future. In a free democratic society, most philosophers believe that the base for a free democratic society is our ability to make free decisions and have free open discussions. Let's keep that in mind.


DISCUSSION
How to strike a balance between Big Data and data protection?
Amancio Kolompar, Yann Padova, Jules Polonetsky,
Director Privacy Compliance, Global Data Privacy Officer, Commissaire, CEO, Future of Privacy Forum,
Liberty Global B.V., Commission de Régulation de l‘Energie, USA
The Netherlands France

At the beginning the panel discussion focussed on AI and what we can learn from discussions with scientists and people working in the AI business. AI is about statistics, and it is the first time that it is not about understanding the data. AI companies are making very good predictions on the basis of data. But AI is not designed to have morality, and no one buys the outcome of AI to work in a more moralistic way. You are not going to like it, but that is what is going to happen tomorrow. The idea of building gatekeeping in the surroundings of AI was mentioned, but not of „fixing" the AI. So, from a data protection perspective, we need to understand the difference between AI and Big Data.

So what is Big Data and when do we call it Big Data? A scientist mentioned that he has always had data and has always had a lot of it, and now it is called Big Data? Technology people say that they are getting incredible advances in everything they are doing with the data: more accurate and faster. Therefore, we need to go back to school a little bit to understand what valuable network means.

Jules Polonetsky pointed out that it is important to understand that AI and Big Data are completely different concepts. Big Data means I have a theory and I go ahead to teach the theory. So we say to the machine: take this data. Then I have an outcome at the end and I say: I don't know why, but you have a very high risk of 99.9 %, etc. So as a result, we learn from data and one can make better decisions on the basis of the outcome.

In the second part, the panel discussion focused on privacy measures, and the speakers agreed that this is a real challenge. We are talking about something that has grown and that has not been designed. The panel speakers liked the idea of gatekeepers in the sense of „soft guards". It is not always a question of legal compliance; it is a question of checks and balances, internal and external review as well as ethics and morals.

The panel speakers discussed new ideas in this respect, like the implementation of external advisory boards. But how will such a board work, and what about the scalability of such gatekeepers? A speaker referred to the corporate responsibility approach of some companies, which is a good way to go. The companies define fundamental principles and take responsibility in what they do. Then the discussion focussed more on the idea of installing external or internal Ethics Advisory Boards. Such Ethics Boards should have a wide range of experts or expert groups. But such a board has to act in a transparent way: what is the mission and what is the plan of the board?

The panel speakers also discussed the idea of the Regulatory Sandbox approach in the financial sector (FinTech) regarding the correspondence with regulatory authorities. They agreed that this opens the space for experimentation.

Overall, the panel speakers came to the conclusion that, in principle, the regulation has to „play the game" to come up with a user-friendly and innovative legal framework. Sometimes we might say that the risk is too high. But should we then conclude that the big data process is forbidden, or should we rather mitigate the risk? Sometimes the law is not the first step: we first need good judgement and decision making regarding ethical rules, and then we can implement the law as a second step.


Biometrics as personal data: detection, characterization and recognition

Jonathan Avila,
Vice President and Chief Privacy Officer, Wal-Mart Stores, Inc.,
USA

The biometric process comprises the measurement of key elements of „unique" biological characteristics (iris, fingerprints / palm lines, facial characteristics, gait). The measurements are processed through an algorithm. The product of the algorithm is a numerical value. There is increasing accuracy of biometric results.

Biometric data are used in different ways. We can use biometric data for (i) detection purposes (e.g., an automated counter/detector of human presence), (ii) characterization purposes (gender, age, etc. for analytic purposes) and (iii) recognition purposes (e.g., pseudonymous use, personally identifiable use).

The risk to personal privacy regarding such data is not uniform across uses of biometric technology. A dystopian vision is of a society in which all individual members are under constant surveillance through automated means, including the use of biometrics. However, the following relative risks of various types or uses of biometrics can be distinguished:

■ Detection is of relatively low risk (captures an individual's presence at a single point in time; registers the mere presence of an anonymous individual; no need to retain data for extended periods)

■ Characterization may increase the risk (more data elements tied to a pseudonymous identity; but still single point-in-time analyses with generally no need to retain data for extended periods)

■ Recognition presents the highest potential risk of „continuous surveillance" (data is personally identifiable; the individual may be tracked across time and location; many uses may involve extended retention).

With regard to the risks to civil liberties of governmental use of biometrics, civil rights advocates are concerned about law enforcement use of biometrics. The concerns center on facial recognition (i.e., not detection or characterization). The concerns encompass (i) potential ethnic/racial bias, (ii) indiscriminate use of broad databases for potential matches, (iii) use without prior individualized suspicion of criminal activity, (iv) real-time scanning of public places, (v) lack of systematized testing to ensure accuracy and (vi) inadequate human verification of individual automated results.

In addition, the balancing of societal and individual interests should be taken into account (e.g. when considering secondary use of data without notice or consent; use of broad databases without a clear connection to the type of criminal act).

What is the EU regulatory response to risks resulting from the use of biometric data? The GDPR defines biometric data in Article 4. The processing of certain biometric data constitutes „processing of a special category of personal data" (Article 9 GDPR). But the central question is which types of processing of biometric data are „specific to the physical [or] physiological identity of [a] natural person" and/or are capable of „uniquely identifying a natural person". What about facial detection, facial characterization or facial recognition, and what about processing of fingerprint/palm line data to control misuse of multi-day music festival tickets? We need a new approach for biometric data and not complicated rules. We can think about a risk-based approach taking into account, for example, that customers don't want profiling, or taking into account certain thresholds or levels of suspicion.


Consent and transparency under the GDPR – will it help to build consumer trust?

Roslyn Vadala,
Senior Legal Counsel Data Privacy, Nestlé Group,
Switzerland

Roslyn Vadala began by presenting a case study regarding consent and transparency under the GDPR. The principles of fair and transparent processing under the GDPR require that a data subject is sufficiently informed. There is a „shopping list" of requirements listed in the GDPR. Communication shall be concise, transparent, intelligible, with clear and plain language, easy to understand. In addition, the GDPR stipulates consent principles (e.g., unbundled, affirmative action, granular, transparent and easy to withdraw).

A survey as of 2016 (US online adults) shows that consumers are concerned about privacy. But what do consumers want? Another survey shows that consumers want trust, transparency and easier privacy tools. As a principle, consumers don't excuse privacy hiccups. But do consumers really want transparency, and how transparent do we have to be? The key challenge here is the balancing of requirements. The concern is that too many requirements build up confusion and – as a result – less trust for consumers.

Regarding transparency, considerations for action are:
■ Look at your business model and decide what is the best way to create and maintain trust with your customers/consumers
■ Audit your current notices – what do we already have?
■ How much detail to provide customers/consumers, and when?
■ Do customers/consumers want to be informed each time about the use of their personal data?
■ Should we concentrate only on uses that are not within their reasonable expectations?
■ Are we creating notice fatigue, which will „damage" trust?
■ How to be creative in presenting the information?
■ What about scalability?

Regarding consent, considerations for action are:
■ Is consent the best ground for your processing? Review your list of processing to see if any other grounds apply.
■ Review your current consents – can you still rely on them post May 25, 2018?
■ Update your consent language to meet the requirements – how to make it easy and digestible?
■ Can you obtain consent at different times depending on the processing?

A global perspective on multi-jurisdictional investigations

Cédric Burton,
Partner, Privacy & Data Protection, Wilson Sonsini Goodrich & Rosati,
Belgium

The new system under the GDPR is aimed at increasing both investigations into and sanctions for non-compliance. In particular, the GDPR gives the EU Data Protection Authorities (DPAs) teeth. Under the GDPR we will have (i) massive fines (instead of low fines under current EU law), (ii) stronger powers for DPAs, (iii) regulatory harmonization, (iv) new remedies for data subjects; and (v) the risk is now also financial (instead of mainly reputational).

The GDPR introduces a two-tiered system of massive administrative fines (fines up to EUR 10,000,000 or 2% of global turnover, resp. fines up to EUR 20,000,000 or 4% of global turnover). However, a number of questions remain open, e.g. what is „total worldwide annual turnover of the preceding financial year", and is the relevant turnover only the turnover of an EU entity (or of the entire group incl. non-EU entities)?

The increased powers for DPAs under the GDPR include investigative powers (e.g., information orders, power to conduct investigations, dawn raids), corrective powers (e.g., issuing warnings or reprimands, imposing limitations on processing, power to impose massive fines) as well as authorization and advisory powers (e.g., prior consultation; approval of standard data processing agreements, approval of BCRs).

Regarding the regulatory harmonization two topics have to be mentioned:
■ The GDPR aims to remedy regulatory fragmentation: (i) the one-stop shop mechanism for cross-border data processing activities (companies will deal with one DPA) and (ii) the consistency mechanism, which ensures harmonized application of the GDPR
■ The European Data Protection Board (EDPB) will be installed as a central regulatory body which will replace the WP29 and which will have the power to issue binding decisions.

The increased legal remedies for individuals comprise, inter alia,
■ the right to complain to a DPA
■ the right to challenge a DPA's decisions before courts
■ the right to obtain an effective judicial remedy against a controller or a processor
■ the right to seek compensation for damages against a controller or a processor.

How can you challenge EDPB and DPA decisions? EDPB decisions can be challenged before the CJEU and DPA decisions can be challenged before national courts.

What are the conclusions regarding investigations? The first conclusion is that the GDPR will have a significant impact on global investigations:
■ The GDPR will change the global regulatory landscape; it is a game changer (until now, the risk was much higher in other parts of the world, e.g., the U.S.).
■ Handling global investigations requires a risk balancing exercise (understand the enforcement culture; assess risks and set your strategy at the outset of a global investigation)
■ The biggest investigations often start with a local issue (do not underestimate local data subject access requests and regulatory inquiries).

The second conclusion is that EU data protection law will be contentious:
■ High fines and strong enforcement powers coupled with many areas of uncertainty.
■ Expect legal challenges to DPAs' decisions.
■ National courts (the CJEU to a lesser extent) will be a new interpreter of EU data protection law.
■ Ultimately, case law will bring maturity to EU data protection law.


PARALLEL SESSIONS
Pseudonymization as a best practice for data protection

Nicola Orlandi,
Head Data Privacy Pharma, Global Privacy Office, Novartis International AG,
Switzerland

We are entering a new era for the use of health data, as Pharma is accessing an unprecedented depth and breadth of health data. Digital Medicine will change the healthcare environment, and the secondary use of individual patient data for research plays an increasing role in modernizing our healthcare systems, driving medicines innovation, improving therapies and fostering better patient outcomes.

The potential of big data analysis is given by digital solutions to improve trial administration, digital innovation to aid in patient care and to better emphasize therapy outcomes. We are moving towards a system beyond pills, meaning that we cannot simply provide pills to the patient anymore, but we are collecting additional information with apps and sensors to better help the patient. In future, we will also talk about Artificial Intelligence in this context.

To meet individual and social expectations, the use of personal data needs a responsible and systematic approach to privacy management.

The social embedding of privacy is changing and we have lots of new concepts in the GDPR, such as data protection by design and by default (Art. 25(1)), pseudonymization, as defined in Art. 4(5), and security of processing (Art. 32(1)(a)). In order to benefit from available data, we have to minimize the use of identifiable information. Especially in the pharma sector pseudonymization must be part of the general governance of data to limit the risks to individuals and meet the data protection obligations, help controllers and processors to support the creation of a reliable governance for processing health data, and move to new results in scientific research.

The GDPR explicitly refers in Art. 89(1) to pseudonymization as one of the measures supporting data minimization in processing data for scientific research. Art. 9 and Art. 5(1)(b) allow further processing for research when the rights and freedoms of individuals are guaranteed. Crucial for the GDPR will be its framework to define research in future.

Pseudonymization and key-coding are a common practice in the pharma industry, based on multiple safeguards in clinical practice. Adopting and improving this practice would support the data minimization principle, combine security and validation of research and support the further use of personal data for research.

Defining harmonized standards or best practice within the pharma sector will help to clarify the boundaries between pseudonymized, anonymous and identifiable personal data and enable companies to take grounded and consistent decisions when assessing risks. It will also implement a general privacy-by-design approach on the one hand and help explore new scientific research on the other.
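The key-coding practice referred to in this talk, as an added example that is not Novartis's or the page's own code: a trustee holds the secret key and the code table (the „additional information" that Art. 4(5) GDPR requires to be kept separately), the research dataset carries only keyed pseudonyms and generalized quasi-identifiers, and re-identification goes through the trustee and only for an authorised purpose. The record layout, the field names, the authorisation check and all patient records are constructed for illustration and are not taken from any real system. The block also contrasts this with an unkeyed hash of the identifier, which is not a pseudonym in this sense: with a small identifier space anyone can rebuild the mapping table by enumeration.

```python
"""Key-coded pseudonymization for secondary research use of patient data.

Added example; not Novartis's or the page's own code. Assumes the pharma
key-coding practice described in the talk: a trustee keeps the secret key
and the code table (the "additional information" of Art. 4(5) GDPR), the
research dataset carries only pseudonyms and generalized quasi-identifiers,
and re-identification is possible only through the trustee. Field names,
the authorisation check and all patient records are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional

# Constructed sample records (fictitious identifiers and values).
RAW_RECORDS = [
    {"patient_id": "NHS-000123", "name": "A. Example", "dob": "1971-04-02",
     "postcode": "SW1A 1AA", "diagnosis": "E11", "hba1c": 7.9},
    {"patient_id": "NHS-000456", "name": "B. Sample", "dob": "1985-11-30",
     "postcode": "M1 1AE", "diagnosis": "I10", "hba1c": 5.4},
    {"patient_id": "NHS-000123", "name": "A. Example", "dob": "1971-04-02",
     "postcode": "SW1A 1AA", "diagnosis": "E11", "hba1c": 8.3},
]

DIRECT_IDENTIFIERS = ("patient_id", "name")


class KeyCodingTrustee:
    """Holds the secret key and the pseudonym -> patient_id code table.

    Researchers never get an instance of this class; only the trustee runs it.
    """

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._code_table = {}

    def pseudonym_for(self, patient_id: str) -> str:
        # Keyed hash: deterministic per patient, so several records of one
        # patient still link in the research set, but nobody without the key
        # can compute or invert the mapping.
        mac = hmac.new(self._key, patient_id.encode(), hashlib.sha256)
        code = mac.hexdigest()[:16]
        self._code_table[code] = patient_id
        return code

    def reidentify(self, pseudonym: str, purpose: str, allowed: set) -> str:
        # Re-identification only for an authorised purpose (e.g. a safety
        # follow-up), never as a routine research operation.
        if purpose not in allowed:
            raise PermissionError(f"re-identification not authorised for {purpose!r}")
        return self._code_table[pseudonym]


def generalize_dob(dob: str) -> str:
    """Keep only the birth year: data minimization on a quasi-identifier."""
    return dob[:4]


def generalize_postcode(postcode: str) -> str:
    """Keep only the outward part of a UK postcode (the area, not the street)."""
    return postcode.split()[0]


def pseudonymize(records: Iterable[dict], trustee: KeyCodingTrustee) -> List[dict]:
    """Strip direct identifiers, generalize quasi-identifiers, attach pseudonyms."""
    out = []
    for rec in records:
        clean = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        clean["pseudonym"] = trustee.pseudonym_for(rec["patient_id"])
        clean["birth_year"] = generalize_dob(clean.pop("dob"))
        clean["postcode_area"] = generalize_postcode(clean.pop("postcode"))
        out.append(clean)
    return out


def unkeyed_hash_pseudonym(patient_id: str) -> str:
    """Anti-pattern: a plain hash of the identifier. Shown only for contrast."""
    return hashlib.sha256(patient_id.encode()).hexdigest()[:16]


def dictionary_attack(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Rebuild the unkeyed mapping by enumerating the (small) identifier space."""
    for cand in candidates:
        if unkeyed_hash_pseudonym(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    trustee = KeyCodingTrustee()
    research_set = pseudonymize(RAW_RECORDS, trustee)
    for row in research_set:
        print(row)
    # The unkeyed variant falls to a one-million-entry dictionary; the keyed
    # pseudonyms in research_set do not appear in that table.
    space = (f"NHS-{i:06d}" for i in range(1_000_000))
    print(dictionary_attack(unkeyed_hash_pseudonym("NHS-000123"), space))
```

The output set still counts as personal data under the GDPR, because the trustee can reverse it; what the key-coding buys is that the research side cannot, and that a leak of the research set alone does not expose the identifier mapping. Rotating the key would break linkage across batches, so in practice the key lives for the life of the study and is guarded like any other secret.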


PARALLEL SESSIONS
Employees sensitive data collection in Eastern Europe

Dr Marlena Wach,
Legal Counsel, Data Privacy, Accenture,
Poland

Sensitive data typically processed by an employer are data regarding physical or mental health, criminal convictions, disabilities or racial origin. Such types of data are typically used in processes like recruitment and selection, employment records, monitoring at work and workers' health processes. Regarding the different jurisdictions in Eastern Europe I want to present the respective legal framework for such data processing.

RUSSIA: Employers must submit a notification on the processing of personal data and the server location to the DPA, Roskomnadzor. Written consent is required for (i) processing of biometric and sensitive data and (ii) transfers to countries that do not provide an adequate level of protection; and (iii) personal data of Russian citizens must be stored in databases located on Russian-based servers.

HUNGARY: Sensitive data processing is allowed (i) with written consent of the data subject, (ii) in case the processing serves fundamental constitutional rights or public interests, or (iii) if the processing is necessary for national security purposes, crime prevention and investigation.

SERBIA: Data on the health status of individuals are categorised as particularly sensitive data and are prohibited from disclosure to other parties (unless with the express written consent of the patient or a court decision); failure to maintain confidentiality can be punished with a fine, or a maximum 3-year prison sentence for criminal offences. Sensitive data processing is allowed (i) upon prior informed consent or (ii) on the basis of statutory authorization.

CROATIA: The DPA requires employee consent for processing special categories of personal data. Processing is also allowed on the basis of special regulations as well as for medical diagnosis, health care or the management of health institutions. A public body can request City Councillors to provide the number of employees in the city administration and urban societies, dates of employment, and job titles; any information on political affiliation requires the consent of the employee.

POLAND: It is important that, according to the Polish Supreme Administrative Court, an employee's consent does not legitimize the processing of the employee's biometric data. The consent sought by the employer is never freely given and is invalid; in an employment relationship the employee is dependent on the employer. Processing of employees' biometric data is allowed in case it is necessary for the purpose of the legitimate interests of a controller (employer), like securing access to dangerous materials or state or trade secrets.

CZECH REPUBLIC: Sensitive data processing is allowed (i) with explicit written consent, (ii) in case it is necessary for providing health care, public health protection or health insurance, (iii) on the basis of special laws or (iv) in the course of legitimate activities. A dynamic biometric signature as a form of authentication requires informed and explicit consent, notification to the data protection authority, and the use of a high-quality and proven security technology (i.e. encryption).

In summary, there is a great diversity in the various Eastern European jurisdictions regarding processing requirements for sensitive data, in particular with respect to the definition of such data, explicit consent, surveillance monitoring of work, background checks and restrictions on transfers to third countries.


PARALLEL SESSIONS
The role of the DPO in the GDPR

Nathalie Laneret,
Group Data Protection Officer, Capgemini,
France

Nathalie Laneret introduces the role of a DPO by focusing on three relevant questions arising in this field. Firstly, do I need to appoint a DPO if I do not have the obligation to appoint one?

If you do not fall within the criteria mentioned in the GDPR, how do you decide whether or not to have a DPO? Appointing a DPO is necessary to implement the GDPR. The DPO is the agent of accountability, and we could even say that on a high level the DPO is an element of privacy by design, because if a DPO is involved in any kind of processing, it somehow is privacy by design.

The next argument in favour of appointing a DPO is to have somebody who is responsible for this issue. Another way of deciding whether to have a DPO or not is to look at your privacy risk profile. What is your business? What are you doing? Are you processing a lot of personal data? Are you processing a lot of sensitive personal data? Do you transfer personal data a lot? Depending on your answers, you may have to decide to appoint a DPO. Another criterion would be to look at your privacy business profile. Are you a digital company? Is it something my clients are going to be looking at? What are my competitors doing? Do they have a DPO? If yes, then maybe I should appoint one, too. Also, it is something you could leverage: you could make it an advantage in your daily business. And finally, if you have Binding Corporate Rules, you have to have a DPO as well.

If you decide not to appoint a DPO, you have to document it, and you had better have good arguments, because the DPAs are going to challenge you on accountability and will want to look at what kind of resilience measures you have taken and what arguments you have for not having a DPO. If you appoint a DPO, you have to know that all the requirements of the GDPR will apply. Another way is to appoint a person in charge of the topic, but instead of naming the position DPO, you could call it for instance Privacy Director.

She continues by talking, secondly, about the profile and the skills a DPO should have, naming legal skills, compliance, IT knowledge, risk management expertise, quality, audit, program management, communication, training, crisis management, mediator, facilitator, business partner and strategic leader. Finding someone with all the named qualities is nearly impossible. What you could do is have one central DPO who is in touch with all departments and with persons knowing their fields, or have several DPOs with different backgrounds to meet all the required skills. In the end, we have to be pragmatic due to limited resources. We won't be perfect in everything.

Coming to the soft skills, DPOs need to be able to communicate, explain, educate, convince and talk, whether it is to the top management, the DPA or an employee. They have to make difficult topics easy to understand in order to be efficient, and they need to have good interpersonal skills, be creative and develop strategies, thinking out of the box, knowing the business and networking within it. Last but not least, you need passion and enthusiasm.

Thirdly, she addresses the proper governance that you should have in place in your privacy office. Your DPO should report to the highest management, but that need not mean a direct report; you could have a reporting chain instead.

If you cannot afford to appoint a DPO on a full-time basis and the role is taken on alongside other missions, the GDPR requires you to make sure that this person does not face a conflict of interests. The DPO cannot, for instance, decide about processing procedures and mainly be a processor himself. Otherwise you must fear sanctions from the DPAs.

In the end, you must be able to show the authorities that you have a system of checks and balances in place, next to the accountability principles that you have.

As there are many models, there is not one solution for all, and even the GDPR does not dictate the exact way you should organize, as long as it is the right governance in line with your company culture.


PARALLEL SESSIONS
Coordinated data protection enforcement – The new rules of the game

Dr Friedrich Popp,
Senior Associate, Debevoise & Plimpton LLP,
Germany

There is a current deficit regarding the enforcement of data protection regulation in the different EU member states. As a result, law firms need local counsel to provide cross-border advice. At the same time, technical progress facilitates large-scale and cross-border data processing operations by powerful data controllers.

The GDPR responds to the current enforcement deficit in various ways:
■ uniform law across the EU with effective sanctions;
■ cooperation of supervisory authorities (SA) to join forces;
■ a consistency mechanism seeking EU-wide homogeneous application;
■ organizations can coordinate and represent individual data subjects' interests.

The intra-EU cross-border cooperation of SAs will be improved under the GDPR by implementing (i) a one-stop shop and cooperation of the lead SA with the concerned SAs, (ii) mutual assistance of SAs, (iii) joint operations, including joint investigations and enforcement measures, and (iv) consistency mechanisms, including the European Data Protection Board. In addition, regarding third countries, the international cooperation mechanism will be improved by treaty- or framework-based SA cooperation (e.g., Privacy Shield) as well as the International Conference of Data Protection and Privacy Commissioners, the Global Privacy Enforcement Network, etc.

Furthermore, under the GDPR organizations will be able to act as representatives of data subjects' interests, which will also improve enforcement. The data subject's right to mandate organizations acting on their behalf comprises (i) complaints with the SA, (ii) effective judicial remedy against an SA decision, (iii) effective judicial remedy against a controller or processor and (iv) the right to compensation (if the law of the Member State so permits). Member State laws can also permit organizations to pursue data protection infringements (not compensation).

Finally, it is important that the GDPR objectives are supported by consumer and competition laws. From a consumer perspective there are further legal aspects of the processing of personal information, like consumer laws (e.g., unfair terms in consumer contracts), unfair competition laws and competition laws (e.g. abuse of a dominant position). The question is: can we expect a coordination of data protection, consumer protection and competition authorities? In this respect the European Data Protection Supervisor's proposal (9/2016) has to be mentioned: the proposal refers to implementing a Digital Clearing House to pool the knowledge of regulators in the digital sector and mutually enhance their respective enforcement activities.


PARALLEL SESSIONS
Turning the upcoming GDPR into a business enabler – the startup perspective

Caroline Olstedt Carlström,
Vice President Privacy, Klarna AB,
Sweden

Caroline Olstedt Carlström points out that the customer relationship to companies regarding data privacy is a counterpoise to the mere legal compliance part, and is important to Klarna AB, to herself, to the company's partners and users and also to the general public, as the existence of a Ministry for Financial Markets and Consumer Affairs shows.

She has 5 privacy specialists in her team, a lot for a company the size of Klarna AB.

In Sweden, users and citizens have had a very moderate relationship to privacy, which is likely changing, as the number of requests, complaints and inquiries is increasing.

As regards accountability, this is becoming very important to the company's partners, the merchants they work with in the network, so since 2012 the company has sought to turn this into a competitive advantage instead.

Denmark, Finland and Sweden right now are the leading nations as regards jurisdiction about digitalization, connectivity, etc. Denmark and Sweden have a focus on the startup economy and a very open-minded and trusting public in this concern, and 4200 registered DPOs, a number increasing rapidly. Still, the speaker states we need so many more.

But the cultural change needed for DPOs is being underestimated, as many of them right now do not do qualified or challenging work. The 2016 report of the Stockholm School of Economics and KPMG on risk management, based on a questionnaire on 13 topics, states a misalignment between what is perceived as risks and high risks by companies compared to the users' perception. Contrary to the users' opinion, directors for example did not think that wrongful disclosure of user data (e.g. to direct marketing companies) would lead to problems. Only Third World child labour was widely perceived as problematic as regards risk mitigation.

Data privacy considerations are now part of meeting customer expectations, as it is their trust that has to be earned, not compliance. In this sense, from a startup perspective, the data nevertheless has a great potential, and privacy specialists have to be brought in, as not only the legal requirements are to be taken care of but also ethical and other issues that might arise in the company. These can be great challenges for DPOs in organisations. For that matter you need to be a change agent, you need to do lead-and-protect management, etc. And you also need to be thoughtful and contribute honest and strategic perspectives. Given this needed widespread notion of company requirements in handling user data, right now it's truly a challenge.

And thinking outside the box is important for balancing between different interests, as is the advantage of a little company to more easily change processes at a subsequent review.

Klarna AB tries to focus on the consumers/users. Improvement of customer service performance works in close collaboration with privacy specialists, transparency towards the customer being very important. As there are digital introverts and digital extroverts, there must be very different ways to meet these customers, for which the company has developed a complex "Privacy Dashboard" with a lot of ways of interacting with the consumers about their preferences, communicating about different products. We put a lot of focus on promoting a corporate privacy culture, awareness and training, from e-learning to face-to-face training, competitions, etc.


PARALLEL SESSIONS
Getting ready for GDPR: a look at new tech to automate privacy

Nimrod Vax,
co-founder BigID,
USA

Dimitri Sirota,
co-founder BigID,
USA

The presentation is about new categories of technical tools and solutions. The current tools solve yesterday's problems. This applies to privacy GRC / PIA tools, data management, data protection (e.g., data leak prevention) and privacy consulting (e.g. mapping of business processes to document data flows). The GDPR brings new requirements, and the current tools will not satisfy these GDPR requirements (like data subject rights, data flow mapping automation, data risk assessment, breach notification and data consent tracking).

So why can traditional tools not address subject access requests (SAR)? There is a lack of identity context which restricts current tools' ability. Traditional tools (i) don't know whose data it is, (ii) cannot detect contextual PII, (iii) have too many false positives and (iv) don't know where the data is going.

As a result, we need an inventory by data subject as the technical solution (identity data index). Data subject requests require automation. The identity data index provides all data subject information at your fingertips. It enables you to
■ quickly find personal data;
■ export personal data;
■ correlate consent approvals;
■ trigger data deletion; and
■ provide this as self service.

In addition, the identity index helps you to minimize your exposure with respect to responsible breach responses. You can quickly find who is impacted, pinpoint the breach source, notify only the impacted persons, scan dark web breach files and pinpoint the breach time.

Further new technical solutions relate to:

DATA MAPPING TRUE AUTOMATION: Once you know where the data is, you have to understand who is accessing it. The data mapping tool enables you to (i) auto-discover data flows, (ii) enrich them with business information, (iii) operate continuous compliance and (iv) have automated maintenance.

DATA RISK ASSESSMENT AND OPERATIONALIZATION: You have to assess the risk based on the data, not based on a hunch. As a result, you need a data-driven assessment, risk preference customization, multiple scores and perspectives and, finally, actionable security.

Overall, you should keep a flexible approach, i.e. allow both a bottom-up approach and a top-down business-driven approach. Enable your business users to interact with and enrich the data automation. It's always going to be a combined effort.
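As an added illustration of the identity data index idea described above (example code written for this report, not BigID's product or code): a small Python inventory keyed by data subject that correlates records from three hypothetical systems, answers a subject access request, correlates consent, lists only the subjects affected by a breach in one system and triggers cross-system deletion. The system names, records and consent register are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Record:
    source: str        # hypothetical system holding the record
    record_id: str
    identifiers: dict  # e.g. {"email": ..., "customer_id": ...}
    fields: dict       # the personal data itself
    purpose: str       # purpose the data was collected for

# Constructed sample data: one person appears under different identifiers
# in different systems, which a file-by-file scanner cannot tie together.
SAMPLE_RECORDS = [
    Record("crm", "c1", {"email": "a.muster@example.org", "customer_id": "C-100"},
           {"name": "A. Muster", "phone": "+49-000"}, "customer_service"),
    Record("marketing", "m7", {"email": "a.muster@example.org"},
           {"segment": "premium"}, "marketing"),
    Record("billing", "b3", {"customer_id": "C-100"}, {"iban_last4": "1234"}, "billing"),
    Record("crm", "c2", {"email": "b.bsp@example.org"}, {"name": "B. Beispiel"}, "customer_service"),
]
CONSENT_PURPOSES = {"marketing"}  # constructed: only these purposes rest on consent
SAMPLE_CONSENT = {("email", "a.muster@example.org", "marketing"): False,
                  ("email", "b.bsp@example.org", "marketing"): True}

class IdentityIndex:
    def __init__(self, records=()):
        self._parent = {}  # identifier "type:value" -> parent (union-find)
        self._records = []
        for rec in records:
            self.add(rec)

    def _find(self, key):
        self._parent.setdefault(key, key)
        while self._parent[key] != key:
            self._parent[key] = self._parent[self._parent[key]]
            key = self._parent[key]
        return key

    def add(self, rec):
        keys = [f"{k}:{v}" for k, v in rec.identifiers.items()]
        for other in keys[1:]:  # identifiers on one record belong to one person
            ra, rb = self._find(keys[0]), self._find(other)
            if ra != rb:
                self._parent[rb] = ra
        self._records.append(rec)

    def _root_of(self, rec):
        return self._find(next(f"{k}:{v}" for k, v in rec.identifiers.items()))

    def records_for(self, ident_type, value):
        root = self._find(f"{ident_type}:{value}")
        return [r for r in self._records if self._root_of(r) == root]

    def export(self, ident_type, value):
        """Portable view for a subject access request, keyed by system/record."""
        return {f"{r.source}/{r.record_id}": r.fields
                for r in self.records_for(ident_type, value)}

    def missing_consent(self, consent, ident_type, value):
        """Records for consent-based purposes with no granted consent on file."""
        recs = self.records_for(ident_type, value)
        idents = {(k, v) for r in recs for k, v in r.identifiers.items()}
        return [f"{r.source}/{r.record_id}" for r in recs if r.purpose in CONSENT_PURPOSES
                and not any(consent.get((k, v, r.purpose)) for k, v in idents)]

    def impacted_by_breach(self, source):
        """Subjects with a record in the breached system (notify only them)."""
        return {self._root_of(r) for r in self._records if r.source == source}

    def delete(self, ident_type, value):
        """Erase every record of one subject across all systems; returns the count."""
        victims = self.records_for(ident_type, value)
        self._records = [r for r in self._records if r not in victims]
        return len(victims)
```

Querying by customer_id finds the same three records as querying by e-mail, which is the identity context the presentation says file-centric scanners lack.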


PARALLEL SESSIONS
Broadcast meets broadband: Privacy compliance in the media sector

Dr Stefan Hanloser,
VP Data Protection Law, ProSiebenSat.1 Media SE,
Germany

In his presentation, Dr. Hanloser introduced the portfolio of the Pro7Sat1-Group, the multitude of different privacy aspects that potentially arise, and why data protection is an important question for Pro7Sat1. There are four different sectors into which the affiliates of the Pro7Sat1-Group fall: broadcasting (accounting for 58% of the group's revenue), digital entertainment (12% of the group's revenue), commerce (20% of the group's revenue) and production (10% of the group's revenue). On the one end of the spectrum of privacy issues that arise in the context of such a diverse portfolio there are standard issues such as traditional targeted advertising. Users visit group websites, which leads to the generation of usage profiles that are then used for targeted ads. On the other end of the spectrum are issues that are more specific to the business, for example the merging of broadcasting with the Internet. The legal regimes for these two areas are quite different, as are the competent authorities. They need to be aligned for new products such as HbbTV. This is dealt with, for example, with the help of a working group comprising media groups and data protection authorities.


PARALLEL SESSIONS
Negotiate cloud contracts under the GDPR

Paul Van den Bulck,
Partner, McGuireWoods LLP,
Belgium

When we look at cloud computing and cloud contracts, we have to deal with tensions: connectivity on the one hand, which is essential to cloud computing, and security on the other hand. In addition, we have to manage a multitude of different types of clouds and a multitude of actors in a cloud environment (user, integrator, provider, subprovider, etc.). A good example to demonstrate the challenges is the Internet of Things, which is a cloud-based system with massive automatic data generation and transfer.

The risks for actors in a cloud are, inter alia, (i) data leaks (accidental or intentional), (ii) confusion of roles, which is a new type of risk, (iii) access risks, (iv) crosschecking capabilities and (v) new purposes (e.g., targeted advertising). What are the responsibilities under the GDPR? The main responsible party is the data controller. However, under the GDPR, the processor has a self-standing security obligation (not only contractual) and is jointly liable with the controller with regard to data subjects.

If we look into solutions for the mentioned challenges and risks, it is important that general compliance incorporates, and is a prerequisite for, technical security. In addition, the GDPR stipulates rules for sub-processing chains: (i) the controller must choose processors capable of meeting the requirements of the GDPR, (ii) the processor cannot subcontract without authorization of the controller and (iii) processing must be governed by a contract stipulating, inter alia, the instructions of the controller, a confidentiality agreement, technical security, a mirroring mechanism with sub-processors, assistance to the controller (data breaches/accountability) and audits.

With respect to solutions, it is also important to take into account (i) data minimization and anonymization, (ii) privacy by design and by default, and (iii) storage in the EEA and transfer of data only under adequacy decisions or mechanisms. The parties should also prevent or allocate responsibilities by specifying the processor's and controller's obligations (e.g., modalities and frequency of audits, catch-all clauses, authentication responsibility, notification in case of data breaches and use of safeguards for international data transfers). Furthermore, codes of conduct (like BSI-ANSSI) and certifications (and standardization, like ITU-T) should be imposed by the cloud contract.

Finally, it is important to understand the sanctions system under the GDPR and to take this into account when negotiating cloud contracts. Controller and processor are jointly liable towards data subjects for the entire damage. Security negligence or failure to notify data breaches are sanctioned with material fines (up to 10 million EUR or 2% of worldwide annual turnover).


PARALLEL SESSIONS
The theories of harm in privacy, data protection and antitrust law

Dr Sára Hoffman,
Associate, Privacy and Data Protection Practice, Wilson Sonsini Goodrich & Rosati LLP,
Belgium

In her presentation, Dr. Sára Hoffman of Wilson Sonsini Goodrich & Rosati discussed the role of privacy and data protection law in an antitrust context. There are two major roles of personal data in an antitrust assessment. The first is personal data as payment ("data is the new currency"), the second personal data as input resource ("data is the new oil"). Personal data does, however, have some characteristics which differentiate it from traditional payment methods and input resources, and these differences will need to be taken into account for the antitrust assessment. A comparison between money as payment method and personal data as payment method shows, for example, that while money is interchangeable and its value can easily be determined, personal data is non-interchangeable and its value cannot easily be determined.

Similar differences apply when comparing personal data as input resource with traditional forms of input resource, such as oil. Oil is exclusive (it cannot be at the disposal of more than one entity at the same time), perishable and difficult to get. Personal data is non-exclusive (different entities can collect the same data), non-perishable and it is "within reach" (i.e., not a scarce resource). With regard to the assessment of the value of data, it should also be noted that the purpose for its use may change, which makes the assessment even harder. Taking all of this into account, consumers are harmed if the quality of products and services decreases due to lower privacy and data protection standards. Such lower standards could be caused by an elimination of competitive forces on the market places if barriers to market entry or expansion are set due to restricted data availability, or if "preemptive mergers" restrict access to data by integrating the supply of data into one company. So far, however, the European Commission has not yet identified data protection issues as a substantive concern in any merger.

Dr. Hoffman concluded her presentation with the practical recommendation for privacy practitioners to "translate" their privacy concerns into the concepts introduced during the presentation – this way, you speak the same language as antitrust lawyers.


PARALLEL SESSIONS
Meeting the challenge of a global GDPR and BCR program

Myriam Gufflet,
Principal, Promontory GDPR Programme Lead,
UK

John Bowman,
Senior Principal, Promontory GDPR Programme Lead,
UK

The new privacy requirements under the GDPR have an impact on major organizations. Compliance with the GDPR has both significant operational and administrative implications; examples are:

■ Operational impacts: international data transfers, right to be forgotten and to erasure, right to data portability, subject access requests (SARs), sanctions.

■ Administrative impacts: harmonisation across the EU, dealing with the authorities, territorial scope, data protection officers.

How do privacy programmes address EU privacy requirements? A privacy programme provides the legal framework to facilitate group-wide data transfers and supports the transition to the GDPR requirements. The programme has to focus on data origin (EU and non-EU) and whether EU data are hosted / processed / accessed by EU or non-EU entities. Binding Corporate Rules (BCRs) provide the legal basis for the transfer of data between EU and non-EU entities.

The key elements (phases) of a GDPR implementation approach are (i) initial project set-up (incl. budget decisions), (ii) scoping and planning (key stakeholders, toolkit, methodology, etc.), (iii) information gathering (document review, interviews, etc.), (iv) readiness assessment (key compliance gaps, etc.), (v) remediation planning (plan, roadmap, budget, etc.), and (vi) implementation (remediation, operational changes). The elements should be coordinated by a Project Management Office.

The main scope and application of BCRs is as a transfer mechanism to ensure adequate intra-group privacy protection. BCRs are officially recognized as a valid legal transfer mechanism under the GDPR. However, BCRs require the implementation of accountability measures for effective compliance, and BCRs may cover both controller activities (BCR-C) and processor activities (BCR-P). Nearly 90 organisations have had their BCRs approved and approx. 50 BCRs are in the approval process.

The current BCR requirements are already close to the GDPR. The majority of WP29 requirements are covered and there are only a few additional requirements (e.g., privacy by design and by default, rights to restriction and to portability). In addition, the EDPB is entitled to issue guidelines, recommendations and best practices to further specify BCR requirements.

As a result, there is no material change in the BCR procedure, since we have a consistency approach (lead DPA draft decision → EDPB opinion → lead DPA decision → EDPB binding decision). However, the European Commission may specify the format and procedures for information exchange between applicants and DPAs via implementing acts (Article 47). In any case, it is important to adapt the existing BCRs and take into account the time frame.

See the conference trailer here:

http://www.euroforum.de/edpd/edpd-trailer/

SAVE THE DATE! 14 + 15 MAY 2018

8th EDPD 2018 EUROPEAN DATA PROTECTION DAYS

IMPRINT EUROFORUM ∙ Prinzenallee 3 ∙ 40549 Düsseldorf V.i.S.d.P. Elke Schneider Text by Lena Alex, Stephan Kress, Joachim Grittmann

#EDPD18 | www.edpd-conference.com 47
