Serious Privacy
The PICCASO award winning Podcast, for those who are interested in the hottest field of human rights and laws on the digital frontier. Whether you are a professional who wants to learn more about privacy and privacy laws, data protection, GDPR or cyber law or someone who just finds this fascinating, we have topics for you from data management to cybersecurity, from social justice to data ethics and AI and digital identity protection. In-depth information on serious privacy topics including interviews with privacy leadership, privacy culture, serious discussions, and more.
This podcast, hosted by Dr. K Royal, Paul Breitbarth and Ralph O'Brien, features open, unscripted discussions with global privacy professionals (those kitchen table or back porch conversations) where you hear the opinions and thoughts of those who are on the front lines working on the newest issues in handling personal data. Real information on your schedule - because the world needs serious privacy.
Follow us on BlueSky (@seriousprivacy.eu) or LinkedIn
The GDPR - 10 vs. 8 - it's still great!
Welcome to the Serious Privacy podcast, where Paul Breitbarth, Dr. K Royal, and Ralph O'Brien celebrated the 10th anniversary of the #GDPR! Yea!! Okay, there is some debate on the birthday date, whether it is 2016 or 2018... where one is when it was signed into law and the other when enforcement went live.
We challenge people to vote!
We discussed the highs, the lows, the dirty, the clean, the boots on the ground stories - oh what sweet memories.
Powered by TrustArc
If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us!
From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0, with the voiceover by Tim Foley.
Paul: Hello and happy birthday from all of us at Serious Privacy because this week we celebrate 10 years of GDPR. Yes, you heard that correctly. Really? Ten years, not eight, ten. And we're gonna talk all about that, what it has meant, what the results are, what the disappointments are. But here is to ten years GDPR. My name is Paul Breitbarth.
SPEAKER_04: My name is Ralph O'Brien.
K: And I'm K Royal, and welcome to Serious Privacy, in which we are celebrating a two-year gestation period for the GDPR.
Paul: And let's be honest, this is we're celebrating April 27, 2016, which is in the Netherlands not just GDPR, but it's also our national holiday. 27th of April is King's Day. Nice. And funnily enough, I chatted with Ralph just before we started recording. The GDPR was signed on the 27th of April 2016 when the Netherlands held the EU presidency.
K: Oh wow. So they did that deliberately?
Paul: No, they did not, but they were so this was signed by a Dutch minister on our national holiday, and it was actually the Minister of Defense who signed the GDPR into law together with the President of the European Parliament. So not even the Minister of Justice, the Minister of Defense having to attend a ministerial council in Brussels on our national holiday. So yeah, it's a special day for the Netherlands. Ten years of GDPR. But I'm sure K you'll have something that we don't want to answer to ask us.
K: I do, but it's actually relatively harmless. Relatively. If a bald person is a chef in a restaurant, do they have to wear a hat to keep their hair out of the food?
SPEAKER_04: Not their hair, but maybe the sweat. Which might even be worse. So yes, please.
Ralph: I do have a friend who's a chef who's got a beard and he has got to wear a beard net.
K: Like a little face mask that goes on the ears covering a beard.
Ralph: He has to wear a beard net. I can't ever recall seeing a bald chef wearing a hairnet. A chef's hat, certainly. But interesting.
K: I don't know if they do or not. That's what it's for and you're saying the sweat can come from anywhere on their body, right?
Ralph: We shall have to see when we publish the Serious Privacy cookbook, shall we?
K: Well, our chef has.
Ralph: Coming soon. None of us will be ready.
K: There we go. I'm gonna do it. We're gonna do it. We're gonna kick off writing the Serious Privacy data protection, GDPR, whatever, cookbook.
Paul: Should be ready for your Christmas tree this year.
K: Exactly. We'll reach out to our Serious Privacy fans and see if you want to input a recipe, attributable to you, of course.
Paul: Only our fans or maybe previous guests?
K: Previous guests, they should be fans. What are you talking about?
SPEAKER_04: Yeah, that's fair.
K: They should be fans. I can think of one that might not be a fan. We can all Paul and I both know who that one was, but yeah, we could think of one that might not be a fan. But yeah, we might, and we'll have to come up with cool names for it. But I'll put in my southern banana pudding recipe, people. I'm just saying.
Ralph: Yeah. And I'll put in my spotted dick that we've talked about before.
K: So what are we talking about, guys? GDPR. We've got pros, we've got cons, we've got dissents, we've got changes, we've got this doesn't work. We've got, thank God, it inspired all these other laws around the world. Where are you going to start?
Paul: What's the U.S. perspective on 10 years GDPR?
K: Depends on who you ask. And I don't mean to give that as a legal answer, it depends. But I started working for TrustArc in 2016. That was an interesting time to build towards a regimented law, right? It had been a patchwork quilt of laws in Europe. We all had to figure out which one we wanted to abide by. And it was typically the one that we did more business with. So in UK, Germany, France, things like that. You can't comply with all of them. And now the US is like that. So for privacy people, it was monumental. It was like, are you going to be a DPO? Are you going to be a privacy officer? Companies, are you going to work with? Companies were like, do we really have to do this? And they were all using that 4% global revenue potential fine as the stage for, oh my God, here's your exposure. But after it was passed, that was the buildup to the 2018 enforcement date, right? So when it went live, that fear just dissipated. It went away.
Ralph: It is interesting. Because over here, speaking from a UK perspective, we had the Data Protection Act all the way back since 1984. We had another 84 Act, the 98 Act, and the other principles were a few. So all the GDPR really did was add a few more rights and the accountability obligations. You had DPOs, DPIAs, that form of stuff. So yeah, a bit more documentation, but the principles and the rights largely remained the same. So I remember thinking, no great work, actually. The work I was doing, funny enough, was for large international organizations covered by extraterritorial extent. I was doing a huge amount of work for American companies because they were going from zero, whereas over here you were going from 75%.
K: No, we did have regulated entities, the healthcare entities, the financial entities, education, we're not going to talk much about that. We did have privacy law here, but they were not GDPR. And GDPR meant that all of a sudden small companies, startup companies that did not think they were in the healthcare, finance, education field, so therefore they had no privacy laws and had to work. All of a sudden they do, because they're selling to these international. And then California is like, what, you think you're not going to do GDPR? Fine, we're going to pass CCPA, so now you have to. So that kind of helped as well.
Ralph: Yeah, and there was a lot of people, especially like an American company, like an inquiry company in Europe, and they were talking to me and saying, Oh, we need you to get the European company up to speed. And then we found out that when they had international transfers back to the US and that they were covered by extraterritorial extent, and I get making the whole organization up to speed rather than just the EU entity or the Europe or the UK entity. So to me, one of the big things the GDPR did was actually make it not just European, was to make that sort of word spread across the globe through the extraterritorial extent. Yeah, of course, we can talk about fear of fines and that sort of thing. And I think that I want to just go back briefly to the date before we go any further, because we are talking about 10 years from the 10th of April. Sorry, sorry, the 27th of April 2016. And a lot of people look at the GDPR and say, wasn't it the 25th of May 2018? And you had this period before the regulators could actually go out and enforce it. And so for a lot of large international businesses, even though the law went live earlier, their sort of target date in their project plan was the 25th of May 2018. So occasionally you'll still have people go, Oh, it's eight years, not ten years, or vice versa. And people realize it's two years older. And in fact, Paul, I'll come back to you here. It was older than that by the time they were discussing it in committee before 2016, right? Oh yeah.
Paul: No, I was still working at the Dutch DPA when this was adopted. Indeed, the law says the regulation shall enter into force on the 20th day following that of its publication in the Official Journal of the Union, and it shall apply from the 25th of May 2018. So the 27th of April 2016 was the adoption. I believe it was published in the Official Journal a few days later, and after that, 20 days before it actually went into force, but with all the articles only applying in 2018. So that was the whole time period. We're celebrating basically now that the negotiations were completed, it was adopted, everybody had put their signature on it and agreed. But that is following a legislative process that started basically in 2009 already. In 2009, the previous data protection directive, Directive 95/46/EC, was evaluated, and the conclusion at the time was we are going to need a new instrument, also in light of the new EU treaties, the Treaty on the Functioning of the European Union, which in Article 16 recognizes that there should be a universal data protection law for the European Union, which meant that it could no longer be a directive which all the member states need to implement and everybody implements slightly differently, but that it needed to be a regulation, so a single law that applies the same across the board in the European Union. So from 2009 onwards, the European Commission started with consultations, with discussions with public fora, also conversations with the data protection authorities to find out what should this new law look like. I think in part that was also influenced by the now Global Privacy Assembly, then International Conference of Data Protection and Privacy Commissioners, which adopted in 2009 the Madrid standards. So the standards that the DPAs consider any international data protection law should fulfill. So those were all the core elements.
The data protection authorities, around the same time, the EU data protection authorities, adopted a document called The Future of Privacy, together with the EDPS, where they presented their vision on what this new law should be like. And then the Commission started drafting. And I remember that just before Christmas 2011, the first drafts of the GDPR leaked. And top of mind, I believe that was draft version number 57 or something like that. So it was not version one that was leaked, but this was the first one that circulated online. And that immediately also led to a lot of comments from the regulatory community, from civil society, from businesses, that it was too strict, that it was too flexible. And I'm pretty sure the leak was deliberate, because you also see that between that version, the December 2011 version, and the version that was finally published on the 25th of January 2012, I believe it was the 25th, but in any case January 2012, which was then the official Commission proposal, that there were quite some significant changes between those two versions, especially when it comes to exceptions that are available or were no longer available for small and mid-sized companies. The leaked draft had quite a few exceptions for SMEs, which were almost all gone in the final published version, because everybody said this is all very nice, but just the size of an organization does not matter if they process sensitive personal data. At the time, small companies like Twitter would only have a handful of employees, but they would process massive volumes of personal data. So just the size wasn't very telling, and therefore what we now know as the risk-based approach was introduced in the GDPR much more heavily than it was present in that 2011 version.
Ralph: Well, I've dealt with very small companies. I remember a company of 10 people in Norwich in the UK I dealt with that claimed to have the largest geolocation database in the world ever. Because of the cloud and the way data scaled, you don't actually have to have a very large company to be processing huge amounts of information, and of course, very sensitive or special category information as well.
K: And what I was going to say is I remember the early days of GDPR, and maybe I don't remember this accurately. I did look it up one time and it seemed that it was accurate. But Paul, since you were intimately involved in all of that, correct my understanding that originally the right to oh God, what is it? It's not export, have a copy of your data. The right to portability originally was thought of in the cases of things like music and books, where you were with one vendor and you bought all these things, and then you go to another vendor and you want to port your stuff over. But after the initial thoughts, when they captured it on paper, they realized that violates all kinds of IP laws and all companies got upset and you're like, no, they can buy it on our service. Essentially, they're not buying it. It doesn't belong to them. That's right. They're licensing it on our company.
Ralph: For example, if I'm going from, I don't know, Spotify to Apple Music, even though I can't take the license for the music with me, I think I can say, look, this is what was registered on my account. I'm in a contract with you, send my playlist to the next provider.
Paul: Yeah, because if something is personal, it is your taste in music. Yeah. And if you curate your own playlists, that's also the example that I always give when teaching, when talking about the right to data portability, my own playlists are something that's very personal to me and that uniquely identifies me.
K: Yeah. And you own that. But you don't own the music that you've used to create the playlist using a service.
Paul: The playlist itself, the references to the songs, that is personal data. And then I want to be able to bring that playlist along to another service, and all the songs that they have a license for, at least, they should provide as part of my playlist. And of course, I can't force them to show me songs for which they do not have a license. But the playlist itself is, in my strong opinion, personal data. But going back to your comment on data portability, rumor has it, and I've never been able to confirm that, that this was actually an explicit wish of Viviane Reding, who was the Commissioner for Justice and Consumer Protection, who proposed the GDPR. And she had said that one of the difficult parts with personal data and data lock-in in the online environment is that it makes it harder for consumers to move away from a company if they are dissatisfied by their service offerings. So consumers should be able to vote with their feet, be able to leave a company and not be locked in because of their data. That is why the right to data portability was created in the first place. It was based on the idea that you could take your mobile phone number from one phone provider to the other, which was introduced in the EU a couple of years prior. And the idea was that you would be able to do that with all different kinds of services. And I remember very vividly that one of the examples that was given at the introduction of the GDPR was that it should also be possible to change banks. The commissioner at the time only forgot that at the same time as GDPR was being negotiated, there was also a new financial regulation negotiated, which changed our bank account numbers to include the name of your bank. Meaning that you can no longer take your bank account number because the name of your bank is included in your bank account number.
They've solved that, of course, with automatic payments that are arranged in the background, but you cannot take your bank account number from one bank to the other anymore.
Ralph: In the UK, we've got this thing called open banking now, where actually literally, from an app from one bank, you can surface your account from another bank through the other bank's app, which is really interesting. And actually, yeah, one of the things I love about portability, the way I teach it, is it's actually more of a competition law than a data protection law element. It's really about encouraging people to move around the market and get good deals and not just stay locked into one provider forever. So I can't say that.
K: It's the free movement of data. Yeah. That's exactly what it is.
Ralph: People think it's a privacy law, and actually, when you read through the GDPR, it doesn't say the word privacy anyway. It says, yeah, protect the fundamental rights and freedoms when processing people's data and on the free movement of such data.
K: To encourage the free movement of data globally.
Paul: That's a very important part, which is often forgotten because it is indeed two pillars. A lot of people look at GDPR as the data protection law, the law for everything, the law that says no to everything, which is also not true. It's your rule book on how to play with personal data, how to process personal data. But as important is the requirement to ensure a free flow of personal data, both inside the European Union, which is one of the very first recitals, but also internationally. So also for data transfers, there is such a thing as a free flow of personal data, as long as you play by the rules.
K: Exactly. And a talented privacy or data protection officer is absolutely able, in most cases, to find a way for companies, projects, departments, divisions to be able to do what it is they're thinking of doing, as long as it's not completely illegal and unethical, by simply telling them what rules they need to go by to do it. So the end result may be the same. You just might not get there the way that you're envisioning. But the law provides processes for you to be able to find a way to do what you want to do. It's just, you might have to ask for consent. You might have to change your notice. You might have to put in a few controls, but the end result can almost always be the same. But I remember in building up to the enforcement date of GDPR, like I said, I presented to a lot of executives and boards, and it was that 4% fine they were worried about. The majority of them are like, but they're going to delay it, right? No, Europe doesn't usually delay laws. I know they've got one now.
Paul: Or not an agreement on that one yet.
K: Yeah. They usually do what they say they're going to do, and they mean what they say they mean. So what they're saying, they're going live on May 25th, 2018. You can pretty much count on it. They're going to go live May 25th, 2018. So that was a shock to American companies because we're used to laws over here being delayed. Because companies file enough complaints that they can't comply with it or whatever. Again, California passed the CCPA and basically put that to bed. But the interesting thing was I had a client who had all articles of the GDPR memorized. And I had been warned about him when doing our little road show with Truyo and these others. I think it was BHG, Truyo, TrustArc, whatever, going around doing these very expensive and nice roadshows, I was told that he did that. He would quite often test people. So he did throw out a chapter number, article to me at dinner. And I said, I'll be honest, I don't work with that one very often. I said, the one that gives me the most trouble is Article 102. He shut up for about 30 minutes.
Ralph: For those people, there are 99 articles for most people. Yeah. And for most people, only the first 50 they've got to worry about anyway.
K: Exactly.
Ralph: Over 50 were then looking at the regulators, let's face it. It's really interesting because we talk about it as a thing that harmonizes. It's a regulation, it had direct effect. It went into everybody's law. But actually, there's and correct me if the numbers are wrong here. There's about almost half the articles that allow member states to do something different. Yes. Yeah, there's a little fit thing in the bottom that says, yeah, hey, member states can do something different here. Member states can have exemptions, member state control.
Paul: As long as this is in line with Union or member state law.
K: Yeah.
unknown: Yeah.
K: And that's in line with the US with federal and state preemption. It's not something that was new as a concept. Yeah. But they haven't. Is that your point?
Ralph: This is it. Have we Yeah. Have we achieved harmonization? Or are these exemptions still enough that we still have to look at the national law in each country? I'd personally say yes. Yeah.
Paul: Yeah, we do. In any case, for a number of topics, we should. First of all, the scope of application on who is a data subject, we need to look at national law because according to the GDPR, a data subject is a living person. But exceptions can apply. And for example, in Scandinavia, but also in Italy and I believe in some other southern European countries, GDPR actually also applies to the deceased. So that is already an exception. Then we have the age of minors. GDPR has, of course, certain exceptions to the age of consent for information society services, or anything you do online, which was set to 16, but member states are allowed to lower it to 13 or anything in between. And yet about a third of the member states is at 16, about a third is at 13, and the other third is at 14 or 15. So there is no harmonization there. There are many, many others. Some also make sense because they really relate to national law, for example, to labor laws or healthcare laws or things like that, which are not harmonized at the European level. And some of them don't make sense, but they are there. And this is a directive disguised as a regulation or a regulation disguised as a directive, whatever you want to call it. This is not full harmonization, but that's also, if I'm honest, that's also almost impossible because of the topic and the range of topics we're dealing with. It's not for nothing that the GDPR is called the law for everything, because almost everything that happens in today's society, and especially in our online society, links back to personal data. So that means that there is so much sectoral law, specific law that also touches upon the interpretation and the application of data protection rules. It's almost impossible to have one law without harmonizing the full European legislative, the full European law book, which is not going to happen anytime soon.
We've seen that with enforcement, where they've now tried with the procedural GDPR to bring some more alignment because administrative law is not European law, and therefore the whole investigatory process was not harmonized and not aligned.
Ralph: Well, and then you've got divergence as well. Before we go on to the digital omnibus and Brexit and all of that interesting stuff, you have to remember what the scope of the GDPR even is, because there's the Law Enforcement Directive, for example, that covers what's exempt from the GDPR, but if you're processing data for law enforcement purposes, you've got the passenger name records, and then you've got the slightly wonky relationship between GDPR and e-privacy. Remember, there was supposed to be an e-privacy regulation published at the same time as the GDPR. Yeah.
Paul: It was published in draft.
Ralph: Well, you know, you can't just look at the GDPR alone. It's got to be taken in context with gambling law, healthcare and law enforcement law, church law.
K: I think extraterritoriality was one of the biggest provisions. I met someone that said that GDPR does not apply if the person's living in the U.S. And I said, that's not true. They said it applies to EU residents. I'm like, no.
Paul: That's a U.S. concept.
K: It does, and it's much broader than that. And this was just in the past year. And I told Pert, I'm like, no. I said, universities have students that come from Europe. They have professors that come from Europe. Companies bring in scientists. She said, yeah, but as soon as they get U.S. citizenship, then the GDPR no longer applies. I'm like, no. I said, no, it doesn't apply if a European is vacationing in the U.S. and they stay at a hotel or they go into the hospital for emergency care, as long as that hospital or that hotel did not deliberately reach out to Europe to recruit European people to come there.
Paul: I guess she is confused with the U.S. Bill of Rights. With the U.S. Bill of Rights, which says all people are to be treated equal under law as long as they are American citizens or residents.
K: But my point to her was look, this is settled. This is not something up for debate. So whether you like my logic or not, this is settled.
Paul: Read Article 3 of the GDPR, which says that GDPR applies if the controller or the processor is based in the European Union or offers goods and services or monitors behavior of people in the European Union.
Ralph: Citizenship irrelevant. You could be a US firm targeting US citizens in Europe, and it would apply.
K: Exactly. As an American traveling in Europe, GDPR applies to me because I'm in Europe.
Ralph: And we see this all the time. And actually, over 10 years, we talk about the digital omnibus and changing the law and all of this kind of stuff. And I think, no, make clear what the original law was, enforce the original law properly before you start changing it, because there are still people out there that start their article with it applies if you're processing EU citizens' data. There are still people out there that say you must get consent for everything and forget about the other legal bases. Oh no. You know, the myths are all still out there.
SPEAKER_02: Wait, Ralph, can we talk about reconsent? Do you remember that?
Paul: Oh, you mean the barrage of emails that we got like 20,000 a day? Can you please consent to our privacy notice?
SPEAKER_00: Which doing that inherently means that they did not previously consent.
Paul: And that they never understood the requirement of providing notice, which is a unilateral act by a company to its customers.
K: And when GDPR went live, the day it went live, one of the companies I was working with wrote to me and said, Thank God, we sent out our reconsent emails yesterday. I went, What? You did what? He's like, Yeah, he said the CEO came to us and said, Hey, I'm seeing all these reconsent emails from companies. Is it on our plan? He said, and I realized you didn't have it in there. And I'm like, because you don't need to do it, and I would never ask you to do it or tell you to do it or expect you to do it because we shouldn't be doing it. He said, Oh. I sent them last night.
Ralph: It was Honda and Flybe. They got fined for sending out an email to everyone saying, We're not sure if we can send email to you. So here's an email to ask your consent.
SPEAKER_00: And I was like, Oh my God. I'm like, what did you do? And they're like, so we shouldn't have done it. I'm like, no, it wasn't on the roadmap. Anything not on the roadmap, you should not be doing. I remember that. Oh my God. None of my other clients did it, thank God. That one did.
Ralph: Yeah, very amusing. Okay. So that was the beginnings. Now let's jump to 10 years on. Do we think it's been effective? Do we think anyone's better off? Do we think that the legacy of the GDPR is one of success or failure?
K: I think it's successful. I look at all the countries that have been inspired by the GDPR to either pass privacy laws or to revise theirs. And they may not actually be line-by-line GDPR laws, but they were inspired by the GDPR to actually create one. And probably the biggest change that we see is cross-border transfers and data residency. I would say that's probably one of the biggest things I see that has been inspired by GDPR.
Paul: I see there is a bigger thing, and that is individual awareness. People, citizens, individuals, data subjects are much more aware that there is such a thing as data protection and privacy and that they can hold companies to account, that they can hold countries to account, that they can hold their governments to account.
K: I'm rolling my eyes here, and I'm definitely giving him sideways stink eye here because really? Yes, really.
Paul: I am convinced that that is the case. And not just in Europe. I think in many countries around the world, thanks to the whole wave of data protection laws that has ensued from the GDPR, there is a lot more awareness that there is a fundamental right to data protection. And indeed, I don't include the US, most states of the US in that statement. I think the state of California probably recognizes a fundamental right to data protection to some extent, but even California does only recognize it for its own citizens and residents and not for everybody else. But yes, awareness for me is a really big thing. I think that's a positive as an NRCPO. I also sometimes think that's a negative because you also get a lot of additional deletion requests because of that.
K: They don't understand it.
Ralph: They might honestly have that right, you know, especially for erasure. We get a lot of erasure requests where people think they've got the right when they don't.
Paul: And then I explain to them this is not an absolute right. And as long as you want to have an account with our company, then we need to process your personal data. And as long as there are payments still open, we cannot close your account. You first need to pay, and then we will close your account and we will delete your personal data.
unknown: Yeah.
Ralph: The example I would use is taxation and criminal records. If I don't want to be taxed, delete my data. I don't want to go to jail, delete my data. Exactly. Society would pull apart pretty quickly, wouldn't it?
SPEAKER_00: Yeah, we're sorry, you can't do that.
Paul: I don't want to vote. Take my name off the electoral roll. Yeah. Is it a success? Because that was your question, Ralph. I'm not completely sure, to be honest. I see a lot of positives. I also see that we are not there yet. I know data protection authorities, most of them, are working very hard to enforce the law, to provide additional guidance. And still I believe we don't have enough of that. We need more and better guidance, but most of all, we need more transparency on enforcement because the only thing we see is the big cases, the ones that lead to a fine, the ones that end up in the newspaper headlines or the blog headlines that we talk about on the podcast. But there are so many small cases being dealt with by data protection authorities just with a warning letter or a phone call or something like that. And that's the kind of interpretation of law that we don't see as companies, as data subjects, and where I do think that we need much more transparency from authorities.
K: I agree. I don't think it's the be-all and end-all, but I do think it's been good, and I think it's had a positive impact.
Ralph: Yeah, I agree with Paul on the regulatory issue. You look at the ICO's annual reports, I forget the exact number, but it's like about 43,000 complaints, and they say almost 50% of them will be no further action. And the other 50% are mostly resolved by, as you say, letters, warnings.
Paul: Informal resolution.
Ralph: Informal resolution. They write to someone and say, look, we know it's your notice and right, you haven't given that person their access request. And the company goes, oh crap, the regulator's written to us, let's do it. And actually the actual level of what it called formal enforcement action, fines, penalties, reprimands, is less than zero percent of the actual caseload. It's 0.0 something.
K: But they would be the ones we care about.
Paul: No. Well, I care about the others as well, because they are interpretations of law. So if the DPA writes a letter to my neighbor saying, hey, that Amazon Ring video camera doorbell that you have, you are not supposed to let it record all the time and you cannot aim it at the street. Right. That is an interpretation of law that should be public, and not with the full name and address of the person.
K: They should have a running list of the interpretations that they have. And I think it was Helen Dixon when she was over at the Irish came on our website, Lord have mercy. Came on Serious Privacy and was saying that's a lot of what her work is, these little one-off things, but that they were public in their newsletter or their website or something in publishing the rules, right? And saying, okay, people, you can't point your Ring camera at the street, stop that. And things like that. That we, I don't know exactly how transparent because I don't go to their website. But she was talking about it, is that that was one criticism that she had of a lot of data protection agencies and supervisors, was that they don't give that guidance. You don't have to publish the letter, you don't have to tell who it is, but you should have a running list of things you've been asked to think about and what your decision was.
Paul: Yeah, I think that would be really valuable. And that is also my big hope for the next couple of years. The other hope, and then I'm also looking to hear your hopes, is that we don't make too big of a mess of this digital omnibus, because it has a serious risk of undermining some of the foundational protections offered by the GDPR. I'm perfectly okay in reopening GDPR and having a foundational discussion, what should we change? But then also let's have that discussion and not only aim it at, oh, GDPR is an administrative burden and we need to alleviate the burden by just doing away with fundamental protections. Let's then also have a serious debate about the future of international transfers and make that into a system that's actually functional and future-proof, reliable in every jurisdiction.
Ralph: If I've got a big criticism of the GDPR, it is that it seems to have resulted in a lot of evidential paperwork that doesn't lead to benefits for the data subject or protections for the data subject. This idea of Article 24, demonstrate compliance. People have taken that to heart. It's do a DPIA. But the DPIA has become the end rather than the means. Therefore I've got the piece of paper I can wave at a regulator, rather than do a DPIA so I can bring in technical and organizational measures to protect the data subject. And I think some of those, and I think that's especially true of international transfers. So you put in an SCC with an organization on the other side of the globe. I don't care. I care what they're doing to protect the data subject. And quite often I find lawyers sign these SCCs without actually doing any work.
Paul: If they sign them at all, if they are not just incorporated by reference on an online data protection addendum that the data processor can change at will. Exactly.
Ralph: So for me, it's practical protections for the individuals that matter. And that is where I would say the GDPR has failed, in that there's an awful lot of work done by some very good data protection people out there, lawyers, data protection who are doing hard work, but actually are they delivering the practical protections for the individual as a result of that hard work? And it is that disconnect between the real world and the evidential compliance paperwork that I think is the real failure, if there is one to be had here. That's my negative. But what was your hope? My hope was, and I am a silver lining person, my hope for the future is that people have recognized that in a world where, and I think we were talking about Salman Rushdie last week, he said that in the modern day privacy has stopped being a special thing and everything is, it's lost its value in a way. And that people say, if you can't show it, has it really happened, if you can't evidence it, has it really happened. In the world where we do put everything online and everywhere we go, we've got to have an app and we've got to register, and it's very difficult to operate in a world without leaving that digital fingerprint. For me, it's not so much about privacy. It's never about, do I leave the fingerprint? It's about, am I taken care of? Is that fingerprint taken care of? Which is not about privacy, it's about the data protection of me when I have given the data. Right? And so that's my hope. My hope is that rather than looking at it as a tick box compliance or else we'll break the law, instead of looking at tick box compliance instead of break the law, it's do companies have it in their hearts to put the human first? How's that for the hope? Yeah.
SPEAKER_04: K, what's your hope?
K: My hope. My hope is that, or let's say this is a pro and it leads to a hope. One of the best things I've seen come out of the GDPR is opening the door for so many professionals to enter the field globally, right? Even on inspiring other countries globally. And most of these people that we've met have a passion for protecting the individual. They protect the company by protecting the individuals. And I think that has been a very good thing. And I would hope at some point that it would never be Europe versus the US or the US versus every other damn country in the world. We have a different approach to privacy than the rest of the world does. And I would love, I don't know if that means the US has to pass a federal law or we have to find some thingy that's going to come in place that means we can transfer data. I think it's just a different approach to human life, to revenue, to commerce, to IP, to chasing the dollar, to everything else in the world. I think the US probably does have a different mindset than a lot of other countries out there, probably not as different as you might think in some of the other countries, but a different mindset than the UK, than Canada, than the EU. And I think that's telling in the way that the way you treat personal data has developed, right? And I'm not going to say one way is better than the other, frankly, because I enjoy our Wild West here in America and how we give the individuals the ability to start a business and chase the dollar and achieve their dreams and everything. There is a lot to be said for that as well.
Ralph: Yeah, the big tech companies aren't in Europe.
K: Yeah, no. My hope is that we can bring these together at some point. Can we not have a global standard for this? And the answer is probably no. But my hope is that we get a little closer. I don't see that happening in the next two and a half years. But that would be my hope.
Paul: Maybe by season 10 of the podcast we'll have another celebration on something like this. Right. For now, we should wrap up because we are well over time. But here's to 10 years GDPR. And on that note, see you next week. Goodbye.
SPEAKER_04: Goodbye. Bye y'all.