NPA 2022: EU data protection authorities demand adequate funding





Author: Kave Noori

The Nordic Privacy Arena (NPA) is an annual conference for people working in the field of data protection. The 7th edition of the NPA was held as a semi-digital event on 26-27 September 2022. The conference featured no fewer than 23 agenda items on data protection and had more than 300 on-site participants at Münchenbryggeriet in Stockholm. A few participants also attended online. This is the first of three articles highlighting some of the lectures and discussions that took place.

In her opening speech at the Nordic Privacy Arena, Caroline Olstedt Carlström, chair of the Swedish Data Protection Forum, said that the organization is celebrating its 10th anniversary this year. Seven of those years have been spent hosting the Nordic Privacy Arena. She went on to say that the Forum has over 800 members from all over Sweden and a distinguished board of eleven people who are specialists in information, security and privacy.

European Data Protection Board gets a pool of experts but needs more funding
Dr. Andrea Jelinek delivered the first keynote address, discussing the role of the European Data Protection Board (EDPB) in ensuring consistent interpretation of data protection law across the European Union (EU) and European Economic Area (EEA). In 2021 alone, the EDPB adopted 14 guidelines and recommendations on topics such as personal data breaches, codes of conduct as a tool for transfers, virtual voice assistants, and the storage of credit card data in the context of online transactions.

Dr. Jelinek went on to say that the EDPB is studying more than 80 cloud services used in the public sector and will report its findings by the end of the year. She also said that a pool of experts has been established to assist national DPAs in areas such as IT, auditing, security, and data science. The EDPB is now focusing on enforcement and intends to prioritize this area in the future.

Furthermore, Dr. Jelinek said that the EDPB and the European Data Protection Supervisor (EDPS) recently sent an open letter to the European Parliament, the European Council, and the European Commission asking for sufficient budgetary resources and staff for 2023. They argue that without adequate funding, the EDPB will not be able to meet its legal obligations and data subjects’ rights will suffer.

Panel discussion on international data transfers
The panel discussion on international transfers was the second-to-last agenda item on the first day. The panel consisted of:

  • Peter Fleischer – global privacy counsel for Google.
  • Kim Parviainen – litigation attorney specializing in intellectual property and digital law.
  • Allan Frank – ICT security specialist and LLM at the Danish DPA.
  • Nikolaus Forgó – head of the Innovation and Digitalization in Law department at University of Vienna.
  • Eva Jarbekk – partner at Schjødt, Oslo, and former chair of the Norwegian Court of Appeal for Data Protection, who moderated the event.

Allan Frank began by saying that the Danish DPA has been investigating the issues raised by the Schrems II ruling. He pointed out that many controllers do not know what providers are doing with their data, and that this lack of knowledge can lead to compliance problems. The Danish DPA has issued guidance on transfers to help controllers address these issues. Allan Frank said data controllers should have control over data, not the other way around, as is the case now.

Kim Parviainen said that forcing European companies to develop local solutions may not lead to the development of European champions who can compete with American giants. He suggested that a more “balanced” approach may be needed to avoid “balkanizing” the Internet.

Peter Fleischer of Google believes that the European Union’s concern with data transfers is more about digital sovereignty than privacy. He noted that the invalidation of the Privacy Shield by the European Court of Justice was based on the theoretical possibility of U.S. government surveillance, not the actual likelihood of such surveillance taking place. Fleischer said it is easy to have a debate about theoretical risks, but that he advocates for a facts-based discussion. For example, he said there has never been a government request for Google Analytics data.

Fleischer went on to say that the U.S. and European governments are trying to negotiate the successor agreement to the Privacy Shield and that he believes they are on a good path to finish the task. However, he added that the parties are being cautious about the new data transfer framework because it will be challenged in court. Technology companies are limited in what they can provide to solve political problems, but Fleischer said Google is considering technical solutions to work around data transfer compliance issues, such as local data storage and on-device processing. He also mentioned the use of privacy-enhancing technologies.

Eva Jarbekk (moderator) noted that it seems to be a good business idea to solve political problems with technical solutions and passed the floor to Nikolaus from Vienna.

Nikolaus Forgó said that there is an ongoing debate in Austria about whether the use of Google Fonts could be a violation of the rules on data transfer to third countries. The reason is a strange situation where one individual is suing or threatening to sue hundreds of data controllers for this possible breach. He said this is a good example of how people are trying to make money off the GDPR. Another panellist referred to this practice as ambulance chasing*. Nikolaus agreed and said that the Austrian DPA has published a guide on this topic, but unfortunately this guide has no impact on civil litigation. Nikolaus Forgó said that the GDPR was created before the iPhone was invented and that it may be outdated as cloud computing has changed a lot since then. He said that it might be necessary to review the GDPR.


* Ambulance chasing – the term used to describe the unethical practice of lawyers seeking out clients who have recently been involved in accidents.

Read more:

Open letter on EDPB budget proposal for 2023, dated 12 September 2022

Swedish Privacy Forum news article, February 4, 2022, on the legality of Google Analytics and other tools for webmasters (Swedish)