The Data Protection Authority’s balancing act
David Stevens, President of Belgium’s Data Protection Authority speaks exclusively to RAID about the need for greater collaboration between countries and sectors to keep in step with digitalisation.
RAID: GDPR has become the global standard for data protection regulation, but technology and society has changed a lot since its implementation. What can regulators do to keep the pace with innovation and the societal changes accelerated by the pandemic?
David Stevens: We live in a world of constant change. Particularly in the areas of digital and online, it’s hard for everybody to keep up with the pace.
As independent regulatory authorities, we need to monitor economic, technological and societal evolutions in order to be able to take the right decisions and protect citizens. Two years ago, who would have thought that we would have accepted the creation of a government app to register contacts between mobile phones?
Finding the right balance is not always easy, but this is probably the true challenge. At the Belgian authority, we try to be open and accessible, and engage in discussions. We are actively looking to support citizens and professionals in understanding and applying their rights and obligations. Last year we organised a big awareness campaign for citizens, and this year we launched a DPO (Data Protection Officer) platform, supporting privacy professionals to contact each other – and us – for discussion and solutions.
RAID: How can regulators in different sectors work together and learn from each other’s approaches?
David Stevens: Collaboration is essential. The world has become too complex to deal with changes in a “mono-disciplinary” way.
That is precisely one of the reasons why we identified collaboration with other regulatory authorities as one of the main priorities in our Strategic Plan 2020-2025. When unfair conditions are being imposed on a market, this is usually not just a data protection issue. Another example is that cookies can probably no longer be successfully regulated by telecom regulators alone.
And within the Belgian authority itself, we are aiming to develop a more multi-disciplinary approach. We have already engaged different ICT engineers, but I think we also need to add more economic, or risk-management profiles to further strengthen the authority.
RAID: How important is international alignment when it comes to the regulatory challenges created by technology, such as data protection – and how can differences be resolved?
David Stevens: Again, collaboration is essential. While becoming digital the last two decades, the world has also more than ever become global. It no longer makes sense to only focus on national problems/aspects. That’s why collaboration at European level, such as through the European Data Protection Board (EDPB), is so important.
As national regulators, we are all investing quite significantly in this collaboration and consultation, but I have the impression that is not always sufficiently visible. During the last two years, EDPB has focused strongly on the “clarification” of the rules (e.g. by publishing guidelines or recommendations), but we should look for ways to increase collaboration in actual enforcement cases against worldwide players. With the appointment of a new enforcement coordinator, we will soon be “up to speed” in that area as well.
RAID: Does being based in Belgium, alongside the European Commission and European Parliament help you with your relationship with European policy makers, and if so how – and are there any insights you can share with other regulators?
David Stevens: I think the answer is dual, or nuanced, here. Of course, being located in Brussels helps to meet people easily, at formal or informal occasions. That can help to raise understanding or coming to compromises. But with the COVID-19 crisis and all meetings becoming virtual, I think it became clearer to us that that advantage is limited. That probably has to do with the fact that the European institutions are somehow a bubble, also within Brussels.
RAID: International technology companies are also focusing an increasing amount of time and resource in Brussels – what impact does this have on you as a regulatory body being based there – such as increased workload and/or lobbying activities as compared to other national data protection authorities?
David Stevens: Belgium remains of course a relatively small country. Also, compared with European counterparts we’re definitely not “overstaffed”.
We do not have the high concentration of European headquarters for data protection as for example Luxemburg or Ireland, but there are nevertheless some highly visible cases on which we are working as lead supervisory authority, such as the Internet Advertising Bureau (IAB) and its Transparency and Consent Framework (TCF), or the Internet Corporation for Assigned Names and Numbers (ICANN).
Maybe the increase in workload is not that visible for us, because GDPR resulted in a lot of new tasks anyway. Until 2019, our institution was mainly an advisory committee, providing opinions on draft laws and regulation.
RAID: Are there any recent or pending cases that cast any light on any of these issues?
David Stevens: Every case and ruling is important, because we can also clarify the actual application of the principle-based GDPR norms in each case.
Our highest fine until now – EUR 600,000 – is in a case where a global search engine refused a delisting request. That ruling was later successfully appealed in court, mainly because of procedural shortcomings.
From an international perspective, the case on the IAB’s Transparency and Consent Framework is one of our most visible cases. When browsing the internet, I’m starting to see more and more implementations of it, but we have some valuable questions on its conformity with GDPR.
David Stevens, President of Belgium’s Data Protection Authority is speaking on the panel Navigating the Data Rights Minefield at RAID (Regulation of AI, Internet & Data) 2021 on 12 October, online. Register here: http://www.raid.tech/register