On November 27th, at the Egmont Palace, a rather extravagant but always elegant venue in the heart of Brussels, the Think Digital Summit took place. The Digital Post could not miss the opportunity to attend.
This is the second year that the Think Digital Summit has run, on the initiative of the European Business Summit. This year’s Summit touched upon issues such as data protection and the privacy of consumers and citizens, the growth of SMEs and start-ups within the Digital Single Market, and, lastly, the critical digital infrastructure for developing a 5G network across Europe. The speakers were MEPs, EU officials, policy makers, and representatives from the business sector. The Summit was smartly structured into three thematic panels in the form of debates, mainly polarized between speakers from public institutions defending EU policies and corporate representatives advocating business interests. The debate format was not only vibrant, managing to keep the participants’ interest alive for more than 6 hours, but also gave us the opportunity to witness diverse interests and objectives collide or concede depending on the speakers’ background and the topic discussed.
In his opening keynote speech, Giovanni Buttarelli, the European Data Protection Supervisor, acknowledged the increasing demand for transparency and the need for all individual voices to be heard and transposed. Building on his statement, he pointed out an “unfair balance” between corporations handling a big amount of data and citizens merely giving away valuable personal data, oblivious of this transaction. Having framed this imbalance, he labelled opacity as the biggest threat posed to individuals and suggested this threat should be tackled by regulation.
Data Protection and Privacy of the European Digital Future
The topic that ignited a rather polemic but nevertheless constructive debate, and which monopolized the discussion of the first panel, was the General Data Protection Regulation (GDPR), officially Regulation 2016/679. According to EU officials, the GDPR’s objective is to achieve an equilibrium between full respect for fundamental human rights and business development, while at the same time being an innovation-friendly regulation. GDPR comes into force at the end of May 2018, so we will have to wait and see whether it will reach its full potential and purpose. Furthermore, this regulation repeals an older E-Privacy Directive (Directive 95/46/EC), with the intention of achieving full integration and harmonization of implementation across the EU. Highlighting the value of the innovation-friendly design for the business sector, Despina Spanou, Director of DG CNECT, also strongly advocated for the need to empower consumers to have full control of their communication and to be asked whether or not they consent to sharing their data. “Consent has to be affirmative, not implicit”, she asserted.
Responding to Mrs. Spanou, Mr. Louette, Deputy Chief Executive Officer, Orange, joked “Beware of Greeks bearing gifts”, which, although a great ice breaker, also made a clear-cut statement regarding his position towards the GDPR. He expressed his fears about restrictions on data use in businesses, stressing the need to balance regulation so that it does not hinder business activity. The issue of labelling almost everything as “personal data” was also brought up, pointing out the need to define the term more effectively. Furthermore, Mr. Louette argued that using personal data, such as people’s locations, can enable companies to analyse the data and produce smarter public services where needed. Lastly, he revealed that Orange wants to create a data dashboard for its customers, from which they could monitor the cyberspaces where they had left traces of their personal data.
Boosting Growth for SMEs and Start-Ups in the Digital Single Market
Digital is not a new industry, it is the way all SMEs and start-ups should operate, says Katarzyna Jakimowicz, Associate Director of the Lisbon Council. The biggest issues SMEs have to tackle are selling their products internationally and expanding their limited knowledge of digital advertising tools. In some countries like Bulgaria, online purchases account for below 30 per cent of overall purchases, which discourages companies in these countries from advertising online at all. The major issues raised in this panel were once again regulation harmonization, this time on e-commerce and work mobility, and the business responsibility to create windows of opportunity for smaller businesses to grow. Nevertheless, the most interesting points were raised by Mrs. Jakimowicz on the existing, as she calls it, “talent and soft skills gap”, referring to SMEs’ difficulty in accessing talent and digital skills domestically, which makes the need for EU regulation on remote work more relevant and urgent than ever. The lack of communication between SMEs and institutions when it comes to funding and support mechanisms was also discussed. It was brought up that the European Innovation Council will give €2,7 billion to SMEs and that, in terms of promoting and supporting growth, the EU has initiatives such as The Startup Europe Project helping SMEs develop.
Digital Infrastructure towards Maximum Connectivity
“Bad connection is like no connection at all, thus we should aim towards high speed maximum connectivity”, says Miapetra Kumpula-Natri, MEP for S&D.
The third and last panel focused on the advent of the 5G network and the issues that need to be dealt with along the way. The issues that will arise in setting up a 5G network are building the necessary infrastructure to support the regular functioning of the network, and the urgent need to regulate in order to create a safe environment for investors and to protect competition and innovation. Furthermore, it was repeatedly argued that this will not just be a transition from 4G, as happened from 3G to 4G; it is a new technology that would change our lives and apply to a diversity of human activities, such as the transport and health industries. Unfortunately, further elaboration and more tangible examples of the ways in which this network would revolutionize our everyday lives were not given.
Take Away Messages
An equilibrium between citizens’ protection and business development and innovation needs to be set, and the GDPR aspires to do so.
More initiatives need to be launched at EU level in order to boost and support SMEs’ access to soft digital skills and funding mechanisms.
Regulation on the harmonization of rules on e-commerce and remote working is urgent.
In achieving a 5G network there are still a lot of issues to be tackled, such as critical infrastructure and regulation on safety to attract investors.
Overall, I found the Summit very interesting and relevant. The structure of the sessions was constructive in terms of content and interaction between the speakers. The topics discussed were all relevant to current digital affairs and analysed sufficiently, though, I am afraid, with the exception of the 5G topic, where more tangible arguments could have been delivered by the speakers. Questions by the participants were welcomed and answered with directness and in a meticulous fashion. Furthermore, the venue was grandiose, some might argue over the top, but still interesting to see, and lastly the services provided, such as food and drinks, were satisfactory, although perhaps a wider variety of food would have left participants with impressions. For now we can only wait for the next Think Digital Summit in December next year and wonder what novelties we are to anticipate.
In the context of the 7th annual EuroCloud Forum, which takes place from 5-6 October in Bucharest, Romania, Elena Zvarici, executive board member of EuroCloud Europe, talks about how Europe can take advantage of cloud computing and the data economy.
In order for Europe to take full advantage of cloud computing and the data economy, we need to strike the right balance between regulation and innovation.
In the digital world the balancing act between business and regulation is a delicate one. In the past year we have seen the adoption of the new European General Data Protection Regulation, the invalidation of the Safe Harbour agreement for transatlantic data transfers and problematic discussions around its replacement, the Privacy Shield.
Setting these developments into the context of the many ongoing initiatives at EU level aimed at encouraging innovation and the data economy, it is clear that getting the balance right is no easy task.
Europe is leading the way in data privacy and advocates a high level of data protection worldwide. The newly adopted General Data Protection Regulation introduces a new concept of responsibility towards data ownership, as well as new legal obligations for businesses to comply with. For cloud SMEs and start-ups, getting up to speed can be problematic and they will need help.
A coordinated approach is needed between data protection authorities, policy makers and industry, in order to help organizations in this transition, by providing adequate data breach reporting tools, compliance toolkits and publicising the key issues. Let’s make sure that European SMEs and start-ups, so often the drivers of growth in Europe, are well placed to comply.
While the GDPR provides a high level of data protection we must remember that we are ever more connected through digital means and cannot think solely in terms of Europe. We are global users and exporters of digital services and need to have a strong cloud computing and data economy to be competitive. International data flows will play a key part in this. To avoid regulation clashes and to create international data-driven markets, in the future we should strive towards the creation of uniform, accepted standards of personal data protection on a global basis.
The recent agreement on the Privacy Shield for EU-US data transfers did not come a moment too soon and will hopefully bring the much needed legal certainty for the approximately 4,000 businesses who made use of the safe harbour mechanism. This legal assurance is vital. Many of these companies will rely on global information exchanges. Let’s hope that the provisions in the Privacy Shield can provide a robust enough framework to encourage data flows while providing high standards of data protection.
Global data flows are vital to international trade and economic growth and the European Commission Initiative on the free flow of data, expected at the end of 2016, should aim to enable European companies, particularly in the growing cloud computing sector, to be in the forefront of the global innovation race.
The Initiative should aim to reinforce the European cloud sector, so that companies are encouraged to develop new innovative services in the cloud, sell their services cross-border and enter the global market as exporters of technology.
This can be done by providing clarity on issues such as data ownership, liability arising from data use and data localisation across Europe.
If we really want to position Europe as a global leader in the data economy we need to ensure that we get the balance right. This means ensuring high levels of privacy while fostering new business innovation in sectors that rely on data and developing trust and confidence among users, from the individual consumer to the public and private sector.
Now is the time to move forward and encourage Europe to reap the benefits of data and the cloud.
The Digital Post speaks with FTC Commissioner Julie Brill about the new ‘Safe Harbour’, the implications of the EU privacy reform, and privacy issues arising from the boom of the Internet of Things.
The Digital Post: The European Union and the United States of America have reached an agreement on a new Safe Harbour data treaty. What are in your view the main achievements of the deal? What would have been the concrete risks if an agreement weren’t signed?
Julie Brill: The main achievement of Privacy Shield is that it provides strong privacy protections for European consumers and creates a framework for more parties to engage in active supervision and stronger enforcement cooperation. With respect to commercial data practices, Privacy Shield will provide stronger privacy protections than Safe Harbor did – through beefed up onward transfer requirements, and in other ways.
Privacy Shield will also establish more active supervision of the program in practice, so that the Department of Commerce, the European Commission, European data protection authorities (DPAs), and the FTC can detect and address any issues that come up. Privacy Shield will also provide a well-defined process for consumers to complain about the data practices of Privacy Shield companies.
The FTC will remain committed to giving priority to complaint referrals from DPAs, and there will be a better process in place for following up on these complaints. And even in the absence of referrals from DPAs, the FTC will continue to aggressively look for violations of the Privacy Shield principles.
Finally, in the area of national security, the United States agreed to take the unprecedented step of designating an ombudsperson to take complaints about surveillance activities that relate to Privacy Shield. This is in addition to the significant reforms that Congress and President Obama have made to surveillance practices in the past few years.
The risks if Privacy Shield hadn’t been agreed upon would have been that consumers and businesses would have continued in the limbo in which we currently exist, where some mechanisms to transfer personal data from the EU to the U.S. are still allowed, but they are expensive, opaque, and much more difficult for the FTC to enforce.
Of course, Privacy Shield still has many steps to take before it receives approval. If it were not approved, then companies – particularly small and medium enterprises – would lose out because of the time and resources that they have to put into alternative arrangements for data transfers.
But consumers also would lose out because they would have far less transparency into which companies are handling their data, the rules governing data transfers, and where to go to complain if they believe their rights are not being respected.
TDP: According to some observers, the new agreement won’t be sufficient to meet the concerns of the European Court of Justice. What is your opinion?
JB: It’s important to remember that the CJEU’s Schrems decision did not address national security surveillance practices in the United States. Rather, the case was based on the court’s concern that the European Commission’s adequacy decision in the year 2000 did not address U.S. privacy protections relating to national security surveillance.
It is hard to say how the CJEU would have assessed a full, accurate record concerning surveillance practices and privacy protections in the United States, had those facts been before the court. In any event, the U.S. has enacted significant reforms since the Schrems case was referred to the CJEU, and the U.S. is making further commitments through Privacy Shield.
On the whole, I believe these protections meet the CJEU’s standard of “essential equivalence to the EU legal order”, but we will have to wait to see if Privacy Shield is challenged to know whether the CJEU agrees.
TDP: Is the GDPR going to widen the chasm between EU and US regulatory approaches to data protection? How is the FTC working on this issue?
JB: The GDPR incorporates several provisions that either appeared first in the United States or are by now very familiar to companies and enforcers in the U.S. Examples include a focus on reasonable data security through a continuing process of risk assessment and mitigation, a general security breach notification requirement, heightened protections for children, privacy by design, and a recognition that deidentification can reduce privacy and security risks.
There are some differences between the European and U.S. versions of these provisions, but overall they show how developments in the U.S. can influence the direction that Europe takes.
On the other hand, some provisions of the GDPR move further away from the U.S. approach. A prime example is the GDPR’s right to be forgotten article, which extends to all data controllers. This expansion is a sharp contrast to the very targeted and specific provisions of U.S. law that help individuals keep some information about themselves obscure.
Companies and regulators on both sides of the Atlantic need to start working out answers to the many questions that the GDPR raises. That’s one reason that I think it’s so important for us to move beyond the issues surrounding mechanisms for data transfers that have dominated the discussion for the past several months.
With the announcement of an agreement on Privacy Shield in the past several weeks, I hope we now can begin to discuss the GDPR and issues like big data and the Internet of Things in a more sustained and meaningful way.
TDP: The FTC has been focusing on privacy issues related to the booming sectors of Internet of Things and Big Data. What are the risks? How should regulators deal with this very sensitive issue?
JB: There are important roles for enforcement, policy development, and business and consumer guidance in the Internet of Things and Big Data ecosystems. On the policy and guidance front, the FTC has been taking a close look at the potential benefits and risks of the Internet of Things and big data.
We have hosted public workshops, taken public comments, and written key reports on the broad range of technical and economic concerns that arise from having many more connected devices, huge volumes of personal data, and rapidly improving analytics.
We heard a lot about the exciting possibilities to solve problems in health care, transportation, the environment, education, and other areas; but we also learned about significant risks. Security is a huge challenge with the Internet of Things.
Not only are many devices being offered by companies that do not have long track records with data security, but these devices are also being used in ways that collect highly sensitive information and create physical risks to consumers.
With respect to big data, we found that there is a potential for unfairness or discrimination to enter through biases in data collection and analysis. Some of these issues could get companies into trouble under fair lending, credit reporting, or other laws. Other issues arise in settings that these laws do not cover, but companies still need to be aware of them because they may be deceptive or unfair.
Enforcement also plays an important role in the FTC’s approach. We have already brought enforcement actions relating to privacy and security violations with IoT devices. We have the authority to stop unfair or deceptive practices – whether or not they involve new technologies and business practices – and we will use it in appropriate cases.