The Future of GDPR In Europe

Transcript of the conversation

Punit  00:00
So on January 27, we all will be celebrating the privacy day or data protection day. And it is worthwhile that we look at the digital society, the AI regulation, the privacy regulation from none other than someone who is in the EU Parliament and part of crafting creating all these legislations and laws and asking him on how does he see all these into playing? And what is the message that he has for businesses and us as practitioners, when we are guiding businesses on implementing privacy, compliance or AI regulation? So I'm talking about none other than Axel Voss, a Member of Parliament for European Parliament, and also the member of European People's Party, and he's a lawyer, so he does understand law and has a perspective on data protection, AI and privacy. So here we are with Mr. Axel Voss. Welcome, Axel. 

Axel  01:02 
Yes, thank you. Thanks for the invitation. And for the upcoming discussion.  

Punit  01:08 
Thank you so much. I'm looking forward to it. And let's start with an icebreaker. How would you describe GDPR? In one word,  

Axel  01:16 
in one word, successful, over successful.  

Punit  01:21 
That's wonderful to hear. It's very optimistic, and I like it. So could you describe it a bit? What do you mean when you say successful?  

Axel  01:31 
So the intention of the GDPR. The first intention is to protect the privacy of our citizens. And this means, of course, read the reduce of processing personal data. But this is happening so successfully, that we are not taking part really in a global competition in digital issues. So how so you can see, I'm not really, really happy about the GDPR is handled by the data protection officers today or the data protection administration's today. But it's extremely necessary in the digital world, that we are protecting the privacy of our citizens, because everything in our day by day life will be digitalized.  

Punit  02:29 
Absolutely, it will be digitalized. And there are two questions that I have now, in that response. One, I wanted to understand where is the digital, because word would be more and more digital as we go along. and EU has its own digital strategy. And where does EU see itself in the digital world, say 1020 years from now. 

Axel  02:55 
So my vision is probably a little bit different from what we will see because the majority in the European Parliament and the political, not existing political will of the European Commission is somehow has its consequences, of course in these digital competition of the global race on digital issues. And so that's why it's hard to predict. Normally, I would say we need a kind of the starting point and saying yes, we are protecting privacy. And now we are balancing these so that the European data industry or the European Digital industry, have a good start and the good framework, legal framework of all of these and can implement a lot. So AI, artificial intelligence is the next step we need to come forward with. But also here we are regulating a bit too strong. So it's not there already. But what we are discussing right now is not this openness. I would like to see that the European Digital industry can really start it's more and more a kind of an restriction. There is no motivation in all of these. We are not giving the framework what I would consider would be necessary. And that's why it's hard to predict where we might stand in a couple of years still hoping that we are setting here the right points. But in reality, I can't see it right now. And I still have the feeling we will is still in this middle of nowhere, somehow we are taking part a bit of it, but we are not leading the whole development. So that's why we need more to prioritize, we need more money to invest, we need the skills and so on. And this has to link to be linked together. And this can't be done by setting a legal framework after the other. So this is what I'm thinking. We, you we are not unleashing the potential of the European Digital industry?  

Punit  05:48 
No, I think there's a long way to go. And nobody knows which way the world will develop. Because with the pandemic, the digital adoption has increased significantly. But when we look at the digital, and you mentioned, you're not entirely happy if I understood with the AI regulation, and it's been being a bit more restrictive, what do you mean by that?  

Axel  06:10 
Yeah, so my colleagues from other political parties, and seeing these more is a kind of a consumer protection law, instead of regulating a product. And this has consequences in the content of the AI regulation. And this is, then once again, that we are fearing that we have too much regulation, too complicated issues, too restrictive content in this regulation. And that's why I think we might see some of the AI, let's say industry in Europe, will more train their algorithms somewhere else. And this is not the intention of our laws. So that's why I think we can be more helpful and building a better frame of it. But the political majority is not there for this. So in a democracy, you can't have what you think it's necessary to have. It's, it's, it's making me not happy what we are doing right now there. So we can be better. And even the council, the European Council, is, has already achieved a bit more than the parliament. But also here, I would say it's not enough already. I don't know how how you are seeing this from the outside part of Europe. But I still have the feeling we are not unleashing the potential of the European Union and its digital industry. We have some wonderful experts, but we are not allowing them to do what they can do. And hear a legislator is all the time ask imbalancing problems. So privacy is not the only fundamental right, we have to protect. And it's not the only way forward, we have at least already a lot of privacy tech in place. But we are not using this as a balance for processing data and secure protecting your citizens. Also in the health data level, we can do more also in protecting the privacy, but giving a lot of data to the industry for training, and testing, and so on. And this is not what is happening right now. 

Punit  09:18 
I see. I think I would more have the European perspective, because most of my colleagues and I'm also in Brussels being looking at things from EU perspective. But I find AI regulation as good one because it has that framework because it essentially talks about the same principles, accountability, transparency, and if you apply them in right way, and bundle them with the general rules of data protection, and create your own framework as a corporate then you are complying with the data protection and AI regulation together. And that's the way however the challenges where I see in EU most colleagues are expecting a prescriptive approach saying do this and that a law should not provide the GDPR does not provide AI also should not provide, it should remain guideline or principle based approach wherein accountability is on the side of the implementer. And the law provides means to check means to ask for a few things and means to punish or put penalties, it's like having speed cameras speed cameras are not there that we want to click a lot of photos, we want to put them because if someone is driving fast, we have the means to recognize them and reprimand them to do the right thing. Because typically, the Parliament would like none of the cameras to be used. But it has to insane where the laws are there. So in my view, AI regulation compared to what I've seen in the Chinese or the US framework, it's a good one, because it's based on the same human principles of accountability, transparency, explainability, and so on. However, it does make it complicated for binary in general engineers who are looking for real clear guidance algorithms, or even lawyers who need prescriptive. So we need more guidance on which to how to interpret in with different scenarios, different industries, different situations. That's my personal opinion.
  
Axel  11:19 
Yeah, yeah. So we are still working and thinking on a trustworthy AI element, what you just explained. But also, I think we need to provide data. And that we are able also in processing data from different categories. So if we still would like to have and result like non biased AI, non discriminatory, and gender balanced and so on, you will need a lot of massively personal data. And here, we need to come forward. And but so far, the legal environment for this, like the GDPR, for instance, is not providing this data. And that's why I think if you need to come and I have two cases in mind where we need to help. And at first, if big companies have already data collected, and they would like to use the data for a different purpose, you need a kind of an environment where you can do this with with supervision, and so on. And the second case is our company companies who are probably starting so startups who do not have data enough for doing this, then the we should provide the data for training their algorithms, for instance. And here, we are coming to a political situation where we are not open enough for this. And so there is still some hope left, that we might come forward with it. But so far, what I'm hearing sometimes from the negotiations are in the ER, during the negotiations, I would say it seems sometimes helpless, because the potential is not fulfilled in such a way we can do it. And at least the Europeans with its legal framework, if this is GDPR, this is AI EC, the AI act the upcoming one, then we need also to be more intelligent in having solutions. And this from my point of view is so far not happening. But so we haven't ended the negotiation so far. But but we have still to work for it. And as an EPP group, but we have to wait, it's not very easy. And still I have the feeling that we are approaching these not in the in the best way we could. And that's why I'm a little bit pessimistic right now, the last round of negotiations was, again, not very motivating, in in a way that I would think differently on it. But we will see and so we might come into an end in the European Parliament in March for our approach as a parliamentary approach, and then we have to go to the negotiations with the council. And yeah, let's cross fingers that we putting something in place was what is really necessary. Of course, it is welcome also, that we are dealing with these and giving these frame and more thinking in a way how the European society is dealing with algorithms. That's a wonderful idea and the good ways forward. But so far how we are doing this internally. I'm not satisfied with.  

Punit  15:32 
And when we talk about AI, there's also an element of usage of data. AI is one part of it, but usage of personal data for clinical research, for example, for normal research, it may be aI driven, or it may be non AI driven. But that's also relevant. And I think, in the GDPR, if we can create, eventually, some provisions, some rules, that data can be reused by the same organization for research perspective, of course, as you mentioned, under supervision, similarly, for clinical trials, if that data is allowed, I think it'll improve a lot of things because that clinical trials will also improve the society going forward. What's your view on that? 
 
Axel  16:14 
Yeah, yeah, you're right. So the whole data strategy is going also, beyond the AI. It's about now the GDPR. Now we have on the table, the so called DATA Act, it's more industrial data, machine data, and so on. And then we have in addition here, the data governance act, where we still would like to motivate everyone a bit more in sharing data. And also here comes in place the question of health data that we are creating in health data space. And in addition, also motivating our administrations in sharing more data. So this is also part of the data's strategy. Here regarding the health data, especially, it's, we might face also kind of a little problem with the GDPR. But we have also the possibility and again, balancing everything better than what we are doing right now. And we have a kind of the possibility in creating a way forward that we can collect also health data for better analyzes of these mounds big amount of data around. But once again, we need to balance if we are not achieving this to balance the risks on every side. Not and if we are just having this ideological approach and saying our we have to protect everything, then it's we are not having our potential, what we might have. So there is still a way forward, especially with a health data, we need to be very, let's say sensitive in trying the balances. And because it's sensitive data and to we need to balance but what is the damage if we are not doing this. So, of course, it might not affect on the data situation, but it might affect the upcoming developments in medicine and treatments and so on. And we should be proud of it. And therefore, we should also be more motivated and more encouraged to use the data in a proper way. And so that no individual will be harmed at the end.  

Punit  19:25 
Sure. And now when we talk about AI or privacy or data, there are many elements. One is the legislation element, which we talked about. Second is the consumer aspect because you want to protect the citizen. And the third is the business aspect, which is where we say we need to find the balance. But then both element also the people who would be implementing they're also citizens, but that's about talent retention, talent creation, skill creation, so that all these things things can happen. So other initiatives that the EU, Parliament and EU in general is thinking about creating time And in privacy in AI in these legislation and then finding that balance, which we are talking about. 

Axel  20:06 
Yeah. So it's you already mentioned, it needs more than a kind of a legal act or legal tool around and having a directive or regulation in place. It needs a combination of all of these what you have mentioned. So you need the talents, you need money, you need the infrastructure, and you need good over the good legal framework, so the impossibility of processing data, but also protecting the fundamental rights of our citizens. So this all has to come together. And that's why I think we are not good enough, right now. We should be better, we can be better, but we should be more open minded to it. And to install all these elements, what you are listed right now already. So the AI act at the end will be the fundament of everything what is coming. So that's why I'm so keen on it in getting this right and having a kind of a good starting point here. So and if you're looking at disruptive step, move forward to the metaverse, you will need data you will need a I need blockchain and you will probably need an identity and so on. And here, we should also prepare ourselves in this direction. But if you're looking to also analyzing data means today, being better. So if this is security, or this is your health, and that's why we have to understand that data processing is not something what is bad. Now, it's today reality, in the data driven word, you need to have all these in place. And with the technology of AI, all of a sudden, you are able to pick these things out what you need in developing your, your, your technique, or your your, your instruments in having a kind of a good business model. So that's why AI the AI act itself is so important. But without data, you're nothing. So that's why also data of course, it's extremely important. And we have to bring this together. And so both are pillars of the future world of digitalization. And that's why I'm so yeah, I'm underlining these a lot. And that's why I'm try to to get this in a right balance. But I'm always repeating, we need this balance, because it's not an kind of only looking on these on one side now. We have everything in place, but we have to use it.  

Punit  23:29 
Absolutely. I think we have a lot of legislation. But if we put it to good use, that will help a lot. And in that context. Recently, you raise the question around the German data protection authorities not acting enough on the use of legitimate interest. And they're not being a hierarchy between different purposes. Can you enlighten us something around that?  

Axel  23:53
Yeah. So at first, especially if you're looking to the German data protection, as I have still feeling they are approaching these more ideologically in saying our we have to make sure that no data will be processed and that this might not be possible in 150%. And this is not the right approach on it. You have to have more these kind of fundament in saying, Oh, you would like to have a business model like this? Let's find out what is the best way forward if you need personal data in it. And this is not happening. So I'm asking here for kind of a different mindset and more servers service orientation of the digital data set sort of protection authorities. So this is how I'm seeing this and then if we're coming to the European Court of data protection. We still do not have an full harmonized markets throughout the European Union in using data. So the Irish data protection authorities ation or administration is interpreting this differently like the Germans. And the German one is more looking again and again, how we can invert business models and developing, instead of saying no, no, we have to enable this. So harmonization full harmonization is not taking place, therefore, really responsibility should have the European Data Protection Board, then they are trying, but they are then coming with guidelines, were not practical enough. It's too complicated what they are doing not in all of these, but a lot of these. And this is also what I'm asking myself, What are they doing do they have not the same ambition like we should all have in enabling business models instead of hindering. So they could be also a bit more open and having a kind of a different approach and a different mindset on it, then, of course, the legislator itself, itself, they can also think differently on the GDPR. Instead, we know there are existing problems, we never have discussed blockchain, we never have have discussed artificial intelligence, and so on, we have a lot of problems in adapting new technology, and why we are not correcting these in the GDPR. directly, instead of having again and again and a new legal tool, it would be better to have one tool in place what is coherent and consistent. And and so now with every new tool, we are creating a bit of more legal uncertainties, and it's not legal secure enough at the end. So and then, of course, but this is already very much asking, if we are looking to some principles of the GDPR. Like data minimization like deleting of data or processing data only for one purpose. This is not what is needed for the future. So deleting data means throwing away resources in these days. So it might be wonderful and 150% very good instrument for, for the personal data and for the protection of your privacy. But if we can still install some elements in saying, Oh, you might use this also for different purposes, but you have to secure that the privacy of our citizens are not harmed, then this would be already enough. So we are fulfilling the idea of privacy and we're fulfilling the idea of businesses. So that's why I think we can be better. But we need the political will and the motivation. Also, on the side of the data protection authorities that they are coming more with a surveillance, service orientated mindset.  

Punit  28:52 
That's good to know service oriented mindset would help certainly because sometimes people are scared of going to a Data Protection Authority. But as this episode gets published on the Data Protection day, I like to ask you to share two messages, one for the businesses who are in the EU and or maybe outside the EU, and aiming to implement privacy AI on all these legislations. And then second, but let's first do the business one. If I'm a business owner, or anyone is a business owner, what would you tell them how? I know it's challenging for them? So I like to have an assuring message. 
 
Axel  29:32 
Yeah. And so of course, I would like to tell them in saying please go ahead with your idea. If you're not doing this, Allah will do so that's why you need to concentrate on it make it as possible, as secure as possible already from the starting point. And so it's privacy by design. So that we that you are Coming forward and not delaying the whole process with the consent of data protection authority. So you need to concentrate on your product, and you have to have in mind as secure as possible as privacy protected as possible, and then you will be on the right side.

Punit  30:23 
that wonderful message. And if I'm someone who's implementing it, meaning professional practitioner, in data protection in AI, what would be your message on the Data Protection day for them  

Axel  30:42 
it's more than less the same, and enable it that you can get out of your idea of the possibility of what you would like to achieve the best outcome. And he for once again, you need to have this service orientated mindset. And to, and also, this is how I'm seeing a legislator, we are not there in trying to reduce your potential somewhere, we should be there in saying, Oh, if you would like to do this, then this is a frame for it. And please make sure that you are not overstepping the rights of others and so on. But it's all a question at the end of mind setting and the using the potential what is already there. And here for it. Yes, it's complicated to do it this way. But it's more successful at the end. So that's why I think we need a bit more anarchy in the legislative level and need more courage in in balancing the possibilities. So this is not only one solution there.  

Punit  32:17 
That's a wonderful message. So if you're a business, go ahead with your idea while respecting the law. And if you are a enabler, if you're a practitioner, enable them to a service oriented mindset. So don't have a mindset of control. I have to implement the GDPR I have to enable the product. And in that sense, I have to implement GDPR. It's a wonderful message. And being conscious of your time and busy agenda, I would say. Thank you so much. Excellent. It was so wonderful to have you and learn from your wisdom and knowledge.  

Axel  32:45 
Yeah, yeah. Thank you. All the best.

ABOUT THE GUEST 

Axel Voss (CDU) - born in 1963 - studied law at the Universities of Trier, Freiburg and Munich. Since 1994, he is working as a lawyer. From 1994 to 2000, he was a civil advisor at the EU Commission's representation in Germany. Afterwards, he worked for nine years as lecturer for European Affairs at the RheinAhrCampus of the College of Koblenz.  

He became a Member of the European Parliament in 2009, where he represents the Mittelrhein area, which includes the cities of Cologne, Bonn and Leverkusen and the districts Rhein-Sieg and Rhein-Erft. Axel Voss is EPP-coordinator for the Committee on Legal Affairs as well as deputy member of the Committee on Civil Liberties, Justice and Home Affairs and from 2020 to 2022 member and rapporteur in the special Committee on Artificial Intelligence. Besides questions of European Law, his main area of expertise is the digitization of our daily life. For the European People’s Party group, he was among others (shadow-)rapporteur for the new Copyright Directive, the General Data Protection Regulation (GDPR), the Passenger Name Record Directive (PNR) as well as for the updated Eurojust Regulation. At the moment, he is (shadow-)rapporteur for the AI Act and the Corporate Sustainability Due Diligence Directive. 

Axel Voss is also CDU chair of the regional section Mittelrhein, regional chair of the Europe Union Bonn/Rhein-Sieg and Vice President of the Mérite Européen Friendship and Assistance Association, Germany.  For more information: www.axel-voss-europa.de 

ABOUT THE HOST 

Punit Bhatia is one of the leading privacy experts, who works independently and has worked with professionals in over 30 countries. Punit works with business and privacy leaders to create an organization culture with high privacy awareness and compliance as a business priority. Selectively, Punit is open to mentor and coach privacy professionals. Punit is the author of books “Be Ready for GDPR” which was rated as the best GDPR Book, “AI & Privacy – How To Find Balance”, “Intro To GDPR”, and “Be an Effective DPO”. Punit is a global speaker who has spoken at over 30 global events. Punit is the creator and host of the FIT4PRIVACY Podcast. This podcast has been featured amongst top GDPR and privacy podcasts. As a person, Punit is an avid thinker and believes in thinking, believing, and acting in line with one’s value to have joy in life. He has developed the philosophy named ‘ABC for joy of life’ which passionately shares. Punit is based out of Belgium, the heart of Europe.  

RESOURCES 

Podcast www.fit4privacy.com/podcast 
Blog www.fit4privacy.com/blog 
YouTube Channel youtube.com/fit4privacy 
Email hello@fit4privacy.com