Report National Privacy Conference 2019
28 January is European Privacy Day. In this context, ECP and Privacy First jointly organised the National Privacy Conference at Nieuwspoort on 28 January 2019 and Privacy First presented the annual Dutch Privacy Awards.
The National Privacy Conference was opened by chairman of the day Tom Jessen (presenter RTL-Z and BNR), who then gave the floor to Bas Filippini (chairman Privacy First) and Marjolijn Bonthuis (deputy director ECP|Platform for the Information Society).
Bas Filippini - chairman Privacy First Foundation
Bas Filippini explains that the Privacy First Foundation has now existed for 10 years and that a lot has changed in those 10 years, both for better and for worse. Privacy First's slogan is 'own choices in a free environment'; that is what Privacy First stands for. Every day, Privacy First talks to a wide privacy field, on a fact-based basis and always with a positive approach. That is why Privacy First wants to raise awareness through the Dutch Privacy Awards and is happy to give a green light to organisations that strengthen privacy in the Netherlands. Privacy First also pursues public interest litigation, engages in political lobbying and organises events, including the Dutch Privacy Awards. Besides its national ambition, Privacy First also aims to grow into an international (European) organisation. Privacy First depends on donations and volunteers and appeals to the public to support it in its mission.
Marjolijn Bonthuis - deputy director ECP|Platform for the Information Society
ECP works on the bottlenecks the information society still faces, and likes to do so publicly and with all relevant parties. ECP is proud that a broad cross-section of society is present at the National Privacy Conference and of its unique cooperation with Privacy First on the Dutch Privacy Awards. The winner of the 2018 Dutch Privacy Awards, IRMA, went on to win several other awards after last year's Privacy Awards. This shows that the Privacy Awards are an important support for good initiatives.
ECP does a lot, including in the field of privacy. Its privacy work is public-private, carried out together with other initiatives and working groups. On the public side, ECP cooperates with the Ministry of Economic Affairs, and it is partly thanks to the Ministry that this day can be organised.
Aleid Wolfsen - Personal Data Authority (AP)
The Personal Data Authority has conducted a recent survey that reflects well where society's concerns lie when it comes to protecting privacy rights. The survey reveals surprising things: for instance, 94% of the population have some concerns about whether their privacy rights are being respected, and a third of them even have many to very many concerns. That is one in three with serious concerns about whether privacy rights are being properly respected. This percentage is higher than initially thought, possibly because of current developments and because many data breaches have been in the news. As a result, privacy rights have been seriously violated and people have been let down. Damaging trust does something to people.
"The top three issues people are most concerned about are, first, 'copy ID'; this may be because people often hear about identity fraud and how easy it is. The second thing people are concerned about is tracking of online search behaviour. The Personal Data Authority receives many complaints about this. Soon, the Personal Data Authority will issue guidance on how to deal with cookies and tracking cookies, including what is allowed and what is not. People are seriously concerned about what data is collected when they are online. Two questions arise: what data is collected and what happens to all that data? This is where people have no clear view and no clear explanation is given. The third thing people are concerned about is location data. There are increasingly cameras hanging everywhere, and there is, for example, WiFi tracking, which is widely used in the Netherlands. The Personal Data Authority also recently issued a guide about this. As a free citizen in a free country, you should be able to shop freely in a city and travel freely; if that is affected, people are seriously concerned, because we don't want to be tracked. That is the top three concerns people have.
The Personal Data Authority also always gives tips. One of them is: check the settings of the apps on your phone. Many of those apps are extremely curious. We are unaware that we expose a lot about ourselves to those apps and reveal a lot of information if we don't adjust the settings. So be aware of the data trail you leave behind on the internet. And in addition: make use of your privacy rights. Many people are still unaware that you can ask organisations what data they hold on you, that you can have that data deleted when it is no longer needed, or have it corrected. Or, if you move to a new provider and want to take your data with you: this is called data portability and people still hardly know this right."
As a viewing tip, Aleid Wolfsen recommends the documentary Democracy, on the creation of the General Data Protection Regulation; a trailer is available on YouTube.
How has the Personal Data Authority fared in terms of workload since the AVG (GDPR) became applicable on 25 May 2018 until the end of December 2018? Some figures: around 10,000 complaints were received, i.e. 10,000 potential violations of the AVG. The AP found this remarkably high; it had initially estimated the number lower. The AP also received a lot of phone calls in 2018: around 35,000 in total, five times more than in 2017. A large number of investigations are currently ongoing. The first enforcement actions have taken place and the first serious fine under the AVG has been imposed on a company. The first processing ban has been imposed, in this case on the Tax Office, for processing the BSN (citizen service number) in the VAT number of the self-employed. Penalty payments have also been imposed for the first time, on the National Police, the UWV and private companies. In the initial phase of the AVG the AP still had an informative role, but gradually the AP will become increasingly strict. There has also been an increase in the number of reported data breaches, and it is shocking to see how poorly data is sometimes secured at healthcare institutions and public authorities. The Personal Data Authority has also done a lot of research on governments and companies to get the basics right there, such as: do you need a data protection officer, yes or no? Do you have your records in order, yes or no? Do you have a processing agreement? Basic things like that. If these are in order, you will benefit a great deal from it.
In conclusion, people are realising more and more about all things privacy and data protection. The two are not synonyms either, because data protection is bigger and much more than classic privacy. Privacy includes bodily integrity, freedom of conscience, the inviolability of the home, freedom of communication and freedom of movement. These are all separate fundamental rights. Through digitalisation, data protection has now evolved into a kind of mother or guardian of all other fundamental rights: information about your faith, your freedom of conscience, your physical integrity, your political activities, all of that translates into data. If you violate people's data rights, you touch the foundations of the Western legal order: the democratic rule of law, equality of people and solidarity systems like insurance. All of these foundations are at stake if you violate people's privacy rights, and if you don't protect privacy rights, those foundations erode. To make it a little bigger: freedom of will can then erode as well. That is why privacy protection is so important and its importance increases every day.
Aleid Wolfsen also answered some questions from the chairman of the day, such as about the 10,000 complaints received in 2018. This was more than initially thought and the Personal Data Authority expects this to continue, as more and more data is collected. With the advent of PSD2, which allows bank data to be shared with third parties subject to consent, the Personal Data Authority's supervisory remit has expanded to include fintechs. Bank data is very personal; after all, it shows where you are, what you care about, what your hobbies are and what your political affiliation is.
There is also some criticism of the AP, given its crucial role: the question is whether it can handle the workload, even though the AP has now doubled in size. To this, Aleid Wolfsen says that the Authority does need to keep growing in the coming period, and perhaps even double again, to cope with the increasing workload.
It is very important that on a day like today great privacy initiatives are honoured through the Dutch Privacy Awards. Everyone is looking forward to seeing the winners, and the speakers before the awards ceremony are the cliffhangers until the end of the day.
Questions from the audience
How does Aleid Wolfsen see privacy violations that take place with people's own consent? Consent is an important part of the AVG, and people are quick to press "OK" online, not because they are lazy but because the texts are too long to get through. Or you have to press "OK" because otherwise you won't get what you want, so that free consent is not actually possible.
Aleid Wolfsen says he largely shares those concerns. Consent is a foundation. But what you see is that there are all kinds of seduction techniques once you are on a site, such as the colour and size of the button to give consent, steering you towards a choice other than what you might have intended. That is not privacy by design; it is not a fair, equal choice. What we all need to do is get stricter and start looking closely at those kinds of systems: is it really pure, fair and incorruptible privacy by design? And secondly, try to emancipate people so that they know what they are saying yes to. Unfortunately, people are not yet well aware of that. With a single click, your data can be spread very easily. For example, the French regulator colleagues fined Google 50 million euros because it was not very clear what you were consenting to. One of the things that needs to change is that you should be able to withdraw your consent as easily as you gave it.
Another question from the audience concerned the strength of a fine as a signal. The questioner would like to see the AP impose a fine, just once, over privacy by design. Companies are still very much in compliance mode and only want to do the bare minimum to comply with the legislation, while privacy by design is about proactively addressing those problems. For example, a case could be brought from which a fine follows because the best possible was not done.
Aleid Wolfsen replies that you could then use that as an example for the rest of the world. He reveals a secret: the AP checked at all kinds of government institutions whether they had a Data Protection Officer (FG), looking specifically for one that did not, so that it could be used as an example for the whole of the Netherlands. But in the end it turned out (fortunately) that everyone had an FG in time.
The presentation by Aleid Wolfsen is available as a pdf.
Sophie in 't Veld - D66 MEP and privacy advocate
Sophie in 't Veld has worked on privacy since she was elected as an MEP in 2004. Back then, privacy was still a niche subject: at best an elitist topic for the white-wine-sipping elite. The survey by the Personal Data Authority shows, however, that if 94% of people care about their privacy, it really is no longer an elite subject.
We have, of course, the AVG, or the GDPR as we sometimes affectionately call it. Of the 15 years Sophie has worked on privacy, five went into the GDPR. It was a long and complicated process, including 4,000 amendments. Last year, of course, we were very happy that the GDPR became applicable. We were also very proud: look at our Europe, we simply have the best privacy law in the world! But of course it shouldn't end there. It starts with the GDPR having to be properly applied and enforced, and here it strikes Sophie in 't Veld that the regulators have been given ridiculously few resources to do that properly. It is heartening that the Personal Data Authority has doubled, to 150 staff, but with 150 staff against Facebook alone you obviously achieve almost nothing. Not to mention all the other companies. Not to mention the NSA or the Chinese secret services or the European secret services.
We are all talking about the GDPR and everyone has forgotten that there was actually a data protection package. There was a second leg, but it has completely disappeared from view. Among ourselves we call it the Police Directive, but it actually has a very long name (ed.: Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data). It is a directive that sets rules for the use of personal data by police, justice and sometimes secret services, and its transposition is really lousy. About eight EU member states have transposed it so far, well overdue, which means 20 other member states have not. But this is the directive that protects us when, for example, the police exchange data with other countries. Meanwhile, the European Commission and the member states are announcing new measures on police and judicial use of personal data, including across borders, while protection lags dramatically; that is one of the main concerns. Of course, we are all very aware of privacy and data protection risks. By now everyone knows that if you give your data to Facebook, anything and everything can be done with it. Yet we are incredibly naive about what the government is allowed to do with our data, and it is mainly government that would fall under the Police Directive. We apparently have blind faith in the government, and that in itself is actually good news. But Sophie lives by the motto "trust is good, control is better". We also simply see in practice that not only are mistakes made with our data by police, justice and security services, but that there is also abuse.
With the growth of quite authoritarian parties within Europe, parties that are now in power and do not hesitate to use European data files for political purposes, against political opponents, we really should start worrying about this. We are too naive about it.
We are rightly concerned about what companies can do with our personal data and whether it is properly protected. But we are still too unaware that those companies are overwhelmingly, and increasingly, non-European. Sophie recently read an alarming report by KPMG, which calculated that of all the major platforms worldwide only 18% are European-owned, and converted to value only 2%. Even before the internet we were used to half our economy coming from America. That is now a different story: roughly three quarters is owned by the Americans, another part by the Chinese, and a very minimal part by the Europeans themselves. We use those services day in and day out. That means they not only have our data and make a lot of money with it, but they also shape our view of the world: they largely filter the information that reaches us. It becomes even more bitterly ironic when you consider that our own governments ask those companies to filter the information, for so-called security reasons. This is extremely worrying. We were rightly up in arms after the revelations about Facebook and Cambridge Analytica manipulating elections. We are deeply concerned about fake news promoted by Russia. But the fact that all of us, every day, use these kinds of services without considering that they are our window on the world, that is very worrying.
Within Europe, then, we have the GDPR, and Sophie is hopeful that the Police Directive will soon also be properly implemented. But she sees constant tensions within Europe, with the majority of the European Parliament standing for very robust privacy protection and often taking positions that are later confirmed by the European Court of Justice, while the more conservative forces and also the governments of the member states, regardless of political affiliation, are constantly, and appallingly, pushing back against good privacy protection. They do so for a number of reasons, but mainly national security. By the way, there is no definition of national security, but it is used all too often to limit privacy. There is then a cry of "privacy gets in the way of national security", and that is enough to silence the most critical voices. There is also another aspect, in transatlantic relations in particular: Europe exhibits an incredibly submissive attitude. That is worrisome in the light of the above, that most companies are owned by the Americans.
In Europe, a law called e-evidence is in the making. Basically a good idea, because that law says: we have a big open space in Europe without internal borders, and crooks cooperate seamlessly across those borders. International criminal organisations also use the internet, apps, mobiles and the like, so we need to be able to react quickly: if, for example, the police in the Netherlands need digital evidence from Romania, the Dutch police should be able to request it directly. That in itself is a logical thought; it is only unfortunate that the European Commission, as always under pressure from the member states, has made a proposal that is totally disproportionate, with hardly any safeguards for citizens built in. What is even more worrying is that the European Commission has put this proposal on the table so that it can then say: we have this in Europe, and now we are going to do the same with America. Then we really do have a problem. In Europe we make the laws ourselves and can vote for our own representatives, but we have no influence over the United States. The point is that the United States has passed a law called the CLOUD Act, giving itself the power to force companies with a presence in the US to hand over personal data even if it is not stored in the US. Perhaps we would also find it convenient if we could do that. But surely, in a democratic state under the rule of law, we think it makes sense to have a judge in between to test something like that. Sophie sees an attitude among the European Commission and member states that is largely subservient to the US, instead of to the rights of Europe's own citizens. She thinks we need to change that.
So yes, we should be alert to what companies do with our data, but we should be much more concerned about what governments can do with it, and about the almost unlimited powers we have created in recent years for police, justice and security services. Security services in particular are subject to less control than other activities. Even if this is well regulated in the Netherlands, that does not mean it is well regulated in other countries. Look at how European member states have allowed the American and British secret services to have their way completely in recent years, for example the hacking of Proximus, the Belgian telecoms provider, by British intelligence. That cannot be investigated and the truth about it will never fully emerge. But those services do break into our systems, including those of the European institutions and perhaps NATO. Incidentally, this is also relevant when you consider what Brexit will mean for data protection.
In conclusion, Sophie in 't Veld says this really should be the next chapter. First of all, we now need to enforce the AVG very firmly and explain how it should be interpreted. As architects of the AVG, they very explicitly meant that consent should be given in context, with information given to people in a very simple and accessible way. The regulation explicitly states that, so if companies circumvent it by making things complicated, that is simply a violation and they should be penalised for it. In addition, the Police Directive must be implemented. And as far as Sophie in 't Veld is concerned, and she will be pressing for this in the coming years, there should be a new proposal whereby the Police Directive is no longer a directive but becomes a regulation, because we need firmer protection. Perhaps it is also time to talk about Eurocommissioners and Ministers having data, data use and data protection as a portfolio: not as a sideline, but a Minister for Data and a Eurocommissioner for Data, who looks horizontally at data protection, but of course also at the positive use and development of personal data.
We should also look at other tools, such as competition rules, taxation and translating the economic value of personal data into a price tag. Make users of personal data pay for the use of that data, just as they have to pay for using energy. If it costs something, you will see the use of data go down. This applies to both companies and governments, so maybe we should also look at taxing the big internet giants, not on their profits but on their use of personal data.
Ultimately this also lies with ourselves: we absolutely need legislation to protect the individual from giants like Facebook or the NSA and the other big players, but ultimately we also need to be critical citizens. Of course, this is a development process, just as you naturally lock your door and think about how you move through this world.
Day chairman Tom Jessen offers a different perspective. When you search the internet for how tech companies are built, you also come across the word dopamine: every time a message appears in your social media, every time you get a notification, dopamine is released, which has an addictive effect. The government runs campaigns on drinking, drugs and smoking, and he asks Sophie in 't Veld whether it is not time for a government campaign warning about the addictive effect of social media.
Sophie in 't Veld responds: suppose there are people who are not on Facebook and Instagram; even that is not enough. Even if you don't have a mobile phone, you are filmed everywhere you walk, there is facial recognition, you cannot escape it. That is why it is important to regulate properly and to use all tools to protect ourselves as much as possible. She agrees with Aleid Wolfsen: it's not about privacy; maybe we should invent another term for it, because privacy sounds a bit like white wine and canals. And of course it is not: it has everything to do with our freedom, the quality of our democracy, our civil rights, our relationship with the government and equal treatment. So a government campaign warning about the addictive effect of social media is a nice idea, but nowhere near enough.
Questions from the audience
Question from the floor: if we are talking about another term for privacy, reference could be made to the book Surveillance Capitalism by Shoshana Zuboff, which talks about a sanctuary: a home where people can be themselves without feeling spied upon, et cetera. A related question: many bodies like the Personal Data Authority say digitalisation is a fact of life. But, given the current state of technology as well as politics, how do you think about protecting the analogue environment, the free living environment in which people want to feel protected in terms of their personal data and the extent to which they can be spied on?
Sophie in 't Veld responds that of course there is still such a thing as an analogue world, but we already had rules. Some people think that before the GDPR there was nothing at all and that the GDPR is some kind of big bang, but that is not true at all. We have had privacy laws for 25 years and the same principles simply continue to apply. The point is that it's not just about protecting privacy; it's also about what can happen with Big Data, for example. So the question is much broader, because let us also consider that it brings incredible good. But we must continue to protect the individual, the human being. Perhaps we should not talk about protecting personal data, but about protecting individuals.
Second question from the audience: in 2013, following the Snowden revelations, Neelie Kroes, then Eurocommissioner, said that Europe needs a huge privacy-focused company. As far as the questioner knows, there hasn't been one in the past six years, and when Europe invents something, it is adopted by the Americans. The reality is that we are consumers of American and Chinese products. According to Sophie in 't Veld, what is really needed in Europe to compete with the Americans and Chinese?
Sophie responds that there are an incredible number of great new companies and start-ups, but that when they start growing a bit they are often bought out. If you ask those companies why, they say they cannot grow in Europe any more because there is no real European market. There are just 28 national markets, and those national markets are barriers, because they have national legislation and national taxes. Those tax barriers are a tragedy; they prevent us from having our own European internet giants. The point is that member states invoke their national sovereignty. But it is a fictitious national sovereignty, because we simply give the power away; in the digital world, talk of national sovereignty is chatter. We need to be much more competitive. We need to make sure that our European champions stay here, that they are not bought out and are given the space to grow, and we need to start doing that soon, because our dependence on US companies, and increasingly on Chinese companies, is really very worrying.
The last question from the audience is about the monetary value of personal data. Sophie in 't Veld suggested paying for the use of data as a measure, and the questioner is curious to know to whom that payment would be made and what Sophie has in mind. After all, if users are paid for sharing their data, that could create additional pressure to share it.
Sophie in 't Veld responds that she does not have a big plan for this in a drawer. But the question is: why are all these data being stored by companies? Because they make money from it. So that is an incentive and something you can use to get at them. You could start by saying: we are going to tax companies for using personal data. They will then be forced to think much harder about whether they need all that data. Do they really make that much money from it? She wants to question the whole story that they need it all because of the advertisers, and whether that revenue model is right, whether they would all go under if they could no longer use it.
There are major ethical aspects to this: if, for example, you were to give people the choice between paying with their data or paying with cash, people who are less wealthy will still tend to pay with their data. She thinks this is an ethical issue. But there are other angles. For instance, an app has been developed that lets you see what your value is to a company at that moment and how your actions affect that value. That already makes people much more aware. No doubt there will be many more good ideas along these lines.
But anyway, if companies make money from data, that economic value should be used, and the same goes for the government. How easy is it for a national legislator to decide "we need to know everything about everyone, because that's good for security"? That is very easy to decide if you don't have to defend it in budget debates. If it costs nothing, because all that data is up for grabs from all those companies anyway, then it's easy. But if they really have to start paying for it, and have to say "we're going to spend less on healthcare because we have to spend more on data retrieval", then it becomes a different story and a political trade-off. Factoring in the economic value of personal data will then certainly lead to different behaviour.
Tijmen Schep - Privacy Label
Tijmen Schep starts with a question to the audience: which is longer, Shakespeare's play Much Ado About Nothing or the iTunes Terms of Service? The play is slightly longer, by about 1,000 words, but it doesn't make much difference: no one is going to read that and everyone just clicks "I agree". But couldn't we design it better, so that we understand what data is being collected and what happens with it, without having to read a piece of text that, let's face it, is written for lawyers? Just readable and understandable. The EU already understands that this is an issue: the AVG already states that icons could be used in the future, because they make it all easier. But the icons proposed with the AVG weren't the most attractive. So Tijmen was asked by ECP: can't you do something with this and design something better?
The first thing we realised is that we shouldn't make an icon; that is too simple and not enough. We need to create some kind of template. We were first inspired by the Americans, who, for example, have a system whereby banks nowadays have to answer certain questions on their websites: plain, human, understandable questions such as: what exactly do you do and how? Banks can answer them in their own house style, as long as they answer those questions. Another thing we found interesting was the packaging of a pack of chocolate sprinkles. Besides all the information and labels on it, you also have the list of ingredients, and that is actually quite interesting, because it tells you a lot and is a bit vague at the same time: you know it contains most of the first ingredient, but you don't know exactly how much. Tijmen then gives a demo of the Privacy Label; a demo version is available online.
Pitches Privacy Awards
After these three inspiring presentations, the audience was treated to 7 pitches from organisations nominated for a Dutch Privacy Award. Below are the nominees for the 2019 Dutch Privacy Awards:
Private Search 2.0 (Startpage.com)
Privacy on Schoolbag
Privacy Designer (Privacy Company and SURF)
Privacy by design project (Tax Office)
Passer-by counts (municipality of Nijmegen)
Brenno de Winter - ICT researcher
We go into the jungle together. Why the jungle? Because animals realise things we don't. Some people who know Brenno de Winter know that he always thinks Aleid Wolfsen (Personal Data Authority) is kind of a giraffe. Because what does a regulator do? Such a giraffe eats the trees in Kenya and turns around and goes to Tanzania and after exactly six months he returns to exactly the same trees. Just ask the Inland Revenue, just ask the UWV, just ask Google, Facebook et cetera. That's what a supervisor does, and even though he looks oh so sweet, but in the meantime... But just a little further into that jungle, here you see a couple of zebras relaxing and drinking water. Simple question: is there no danger? There's a lion and yet they are standing relaxed drinking. This is because there are other animals on the lookout. And as soon as one finishes drinking, it alternates a guard and so they continue. This is actually what all animals in the jungle do, except for one species, homo sapiens. We don't do that, we're not going to warn each other when there's danger, we're not going to tell each other how to do something to deflect danger. And so, a bit like a narwhal, that whole jungle overwhelms us with regulations that are so scary.
And why the narwhal? The narwhal is an animal that is very good at stiffening up. Its heart rate and metabolism go down. This animal sits deathly still in the face of danger and slowly sinks deeper. But when you see danger, you might want to flee or fight. This animal can't do that, because it can no longer make a peak effort. Completely stiffened, it goes to its death.
Brenno shows his cat Hiero. Hiero sees something and stiffens, and a moment later Hiero stiffens a second time, and it is clear what he is going to do: that mosquito is not going to survive. You can also stiffen up like this, on purpose. But in ICT, we don't do that. An example of the madness before the introduction of the AVG was a sign in an Italian butcher's shop: "Beware, in our butcher's shop we might ask your name and remember your meat preference. If you do not agree to this, please shout very loudly I DO NOT AGREE and from today we will pretend not to know you."
This was the madness just before the AVG went into effect and how it was handled. We thought it was terrifying. Even the website Music for Cats cannot be reached, much to Hiero's chagrin, so he will have to miss that music, much to Brenno's delight.
And still it goes on. Last week, for instance, there was this article: the AVG is harmful and restrictive, a litany about how much hassle it all is, for instance, to know what data you hold. You're constantly told: it's all too complex and inconvenient. Brenno spent a long time thinking about why that is. It is partly because we give everything very scary words, like the word cyber. Cybersafe, cyberplatform et cetera. Ironically, Brenno says: start by making it simpler for yourself, like writing the words in lower case first, then it becomes readable again. And then let's take another step and start deleting the word cyber. In other words, let's talk about words and quantities that are simple and forget all the froth around them.
Brenno juxtaposed a number of prominent data breaches in the Netherlands. They all have one thing in common, and that is: not updating. Simply not doing it. In November 2018, the number of data breaches reported since the introduction of the AVG already stood at 18,000. So things are going structurally wrong; we are making the same mistakes again and again.
He becomes despondent when he hears: "it is not allowed by the AVG". Just for fun, read the AVG. The AVG contains the word 'risk' 70 times (and not once the word 'privacy'). The word 'risk' is quite complicated, but Brenno has become a lot more pragmatic in this lately, and no longer thinks in terms of risks, but of how things can go wrong. Indeed, that appears to have been the methodology long before ICT even got off the ground. Where you ask yourself: how can things go wrong and how bad is it? You can give that a standardised value. How common is it and how detectable is it when it goes wrong? He tells an anecdote about being with a client the other day who said they detected data breaches very well: "We have Twitter open and then we automatically see it come along when we have a data breach."
He gives an example of a data breach at a healthcare administration office in Singapore. On 23 August 2017, the system became infected. And as early as 11 June, system administrators received alarms that people were trying to log into the healthcare system where they should not. Those alarms repeated themselves over the following days. At some point the alarms kept ringing, and each time it was a lot of hassle to turn them off. At one point the alarm even reported that people were accessing medical records. It was only on 9 July that management was informed. So this is exactly what Brenno was referring to earlier with the narwhal behaviour. We get so overwhelmed and find it so weird that someone is trying to log in wrongly. Then we start looking around a bit instead of doing something. The bizarre thing is that this turned out to be a very big case, with medical data stolen from Singapore ministers as well. A thick report was written on this, concluding that a little basic hygiene would have stopped the attack. Shall we agree together to do basic hygiene, to do the simple things? Nothing pompous, nothing complicated, because this is the source of misery every time.
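The failure Brenno describes is not the alarm itself but the missing escalation: repeated alarms were silenced for weeks before anyone in charge heard of them. The script below is an added example (not code from the conference or from any of the speakers) that runs a minimal escalation policy over a constructed alert log mirroring that timeline; the dates, hostnames and usernames are all made up, and the "days lost" figure is only meaningful for this sample.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample alert log (not real data); one alert per line:
# timestamp|severity|event key=value ...
SAMPLE_ALERTS = """\
2018-06-11T02:14:00|warn|failed_login user=svc_backup host=db-med-01
2018-06-11T02:15:30|warn|failed_login user=admin host=db-med-01
2018-06-12T03:02:11|warn|failed_login user=admin host=db-med-01
2018-06-13T03:05:40|warn|failed_login user=admin host=db-med-01
2018-06-27T01:41:09|high|record_access user=admin host=db-med-01 table=patient_records
2018-07-04T01:41:09|high|record_access user=admin host=db-med-01 table=patient_records
"""


def parse_alerts(text):
    """Parse the log into dicts with ts (datetime), sev, event and key=value attributes."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sev, rest = line.split("|", 2)
        event, *pairs = rest.split()
        attrs = dict(p.split("=", 1) for p in pairs)
        alerts.append({"ts": datetime.fromisoformat(ts), "sev": sev,
                       "event": event, **attrs})
    return alerts


def first_escalation(alerts, repeat_threshold=3, window=timedelta(days=7)):
    """Return (timestamp, reason) of the first alert that must reach a human
    decision-maker under a minimal policy: a high-severity alert escalates
    at once; the same warning repeating on one host inside `window`
    escalates instead of being silenced yet again."""
    recent = defaultdict(deque)  # host -> timestamps of recent warnings
    for a in sorted(alerts, key=lambda a: a["ts"]):
        if a["sev"] == "high":
            return a["ts"], f"high-severity alert: {a['event']}"
        q = recent[a.get("host", "?")]
        q.append(a["ts"])
        while q and a["ts"] - q[0] > window:  # drop warnings outside the window
            q.popleft()
        if len(q) >= repeat_threshold:
            return a["ts"], (f"repeated alert: {len(q)} x {a['event']} on "
                             f"{a.get('host')} within {window.days} days")
    return None, "no escalation triggered"


def escalation_delay_days(alerts, reported_at_iso, **policy):
    """Whole days between the first alert the policy would have escalated and the
    moment management was actually informed (None if nothing would escalate)."""
    ts, _ = first_escalation(alerts, **policy)
    if ts is None:
        return None
    return max(0, (datetime.fromisoformat(reported_at_iso) - ts).days)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    ts, reason = first_escalation(alerts)
    print(f"should have escalated at {ts}: {reason}")
    print("days lost before management heard:",
          escalation_delay_days(alerts, "2018-07-09T00:00:00"))
```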
Digital hygiene, the simple things, makes all the difference. Then the AVG story becomes an uncomplicated one. Then you know what you have in place, and then you know what risks you may be running. And then the regulator eats out of your hand, because you have documented everything.
Questions from the audience
The comment comes from the audience that it is sometimes difficult to make clear exactly what the damage of a data breach is, for example for a company facing this kind of risk.
Brenno de Winter responds that it is not easy to monetise this. If the medical records of Singapore's prime minister are on the street, it doesn't get more painful than that. This happens if you have a centralised medical system where all the data can be accessed. And this is not the first time: earlier we saw something similar with the WannaCry virus in the UK, where all systems had also been centralised. Actually, that means you have then said goodbye to medical confidentiality. If an organisation does not want to recognise that the data it holds has any value, then we might as well stop every project or Big Data project right away. And if that is not appreciated, the only stick left is legal enforcement.
Jeroen Terstegge - Privacy Management Partners
Jeroen Terstegge was asked to provide an overview of responses from the business community. He has looked at his own customer base and social media, and tried to categorise people. Brenno de Winter's narwhal is not among them, but that is actually category number 11.
1. Hell-and-death preacher
Top of the list is the 'hell-and-death preacher'. You know them: they start every training course, every sales pitch, every course and every presentation, and now this one too, with 'high fines are coming'. Twenty million or 4% of your global annual turnover. It feels like a lot, and so many clients asking for help with the AVG also start with 'because high fines are coming, and how high will they be for me?' Jeroen responds that before the sentence about the fines there is another sentence, indicating that the fines must be proportionate. And proportionate means, among other things, that it doesn't bankrupt you. Those fines are not meant for the average SME or the average football club. Still, it remains a good sales pitch for the self-proclaimed AVG experts, of whom there are a lot these days. Attached to the AVG is also the personal liability for directors, which is frequently warned about. Those AVG experts probably heard Jeroen Terstegge speak at the National Cyber Security Centre's congress on data breaches. There he mentioned the Supreme Court's 1954 'Iron Wire Judgment', from which it follows that a fine can be imposed personally when the executive personally directed the breach. That is settled law and it does not follow from the AVG. But it is a good sales pitch, to which many people seem to be sensitive.
2. The bullshit spreaders
At number 2 are the bullshit spreaders. 'Bullshit' is the word he has used most on social media over the past two years. He reads all sorts of Twitter posts and LinkedIn posts where he can't stop himself from saying that what's in them is bullshit. For instance, the bulk of the rules in the AVG are not new at all: the first data protection law in the Netherlands is from 1988, namely the Personal Data Protection Act, and that already contained almost the same thing as the AVG. So every time it is said that there is a new law and that you can ask for inspection from now on, it is bullshit. That right of inspection is already 30 years old.
This morning Jeroen turned on the NOS news programme. Almost every sentence the newsreader uttered this morning was legally incorrect. Including the soundbite they had made of Aleid Wolfsen. He must have had a very good story around it, but the soundbite the NOS editor picked out and showed is legally incorrect. It leaves him flabbergasted how much nonsense is being spread about the AVG. You don't have to ask permission for everything at all; that's not in the AVG at all. Some things are required by law, or must be done in performance of a contract or for a public duty. As Brenno de Winter said, the people who say "it's not allowed by the AVG" are the so-called naysayers. And as they say no more often, and say no to more and more important things, other people in the organisation are going to give them an ever wider berth. So you have to make sure you say 'yes, provided...'. And then start the conversation about how we are going to do that next.
3. The deniers
Next in line are the directors: the average director present at the start of an AVG workshop in an AVG project. Jeroen wants the director to sit at the table, and within five minutes he gets the following line: 'I'm managing risks all day, how is this AVG something else'. And then, four hours later, hopefully the penny will have dropped that you have to deal with this.
4. The blinkers
In fourth place, with all due respect to IT professionals, are the blinkers. Let's stop calling everything a data breach. Not having a processor agreement with the processor is not a data breach. The downside of the introduction of the data breach notification duty in 2016 is that it created the view that as long as you don't have any data breaches, everything is fine. Which then meant: as long as you don't have a data breach of data that you process illegally, or that you should have thrown away a long time ago in the first place. 'None of that matters because we don't have a data breach'. We encountered that behaviour a lot in the IT corner.
5. The window dressers
The 'window dressers'. We've all been doing that for 30 years, ever since the Data Protection Act. Thus, we have had a privacy statement for a neat 30 years. The average SME, foundation or association asks to be helped with updating its privacy statement and processor agreements. When told that they have further obligations under the AVG, they say that will come later.
6. The visionless
Lots of large organisations ask 'can you help us become compliant with the AVG'. Once you are there, they expect you to come and do your trick in about four months and then move on. On that basis, Jeroen was hired by Philips in 2001 to make the company compliant within a year with the Personal Data Protection Act (Wbp), which was then just coming into force. He sat there for 10 years and was probably still not finished implementing the Wbp at Philips by then. After all, you are never finished. It demands that, as an organisation, you have a vision of where you are going. So the first thing he did at Philips was to look at the vision: 'how do we want to handle data?' And if you asked an average director that, you got 100 different answers, because every director wanted something different for his own department within Philips. So you have to move intelligently with such an organisation, but you have to keep them on their toes. Where do you want to go and how do you want to get there?
7. The consciously incompetent
Jeroen gives a lot of privacy training, especially the CIPP/E training. And this is probably the number one question: 'what is the difference between a processor and a controller?' and 'when should I enter into a processor agreement with a service provider?' And when he has explained that, a kind of sigh always goes through the room: 'gosh, then we have entered into far too many processor agreements'. There is a huge knowledge gap when it comes to the AVG. And then we all get in each other's way.
8. The activists
The people who say 'it should all be different', and that's fine, the activists have their role too. But you shouldn't then suddenly start reading all sorts of things into the AVG that are not in it. Personal data is not your property; nowhere in the AVG does it say that it is. And you don't always have the right to be forgotten at all. Indeed, if an organisation is 100% compliant with the AVG, then a request to be deleted can always be denied. We're just sitting on 30 years of overdue homework and thus mountains of data that should have been gone long ago. So we are also going to see a lot of successful deletion requests.
9. The credible
Anyone who has been doing this business for a while has gone from privacy compliance to data ethics. You can't do this profession if you don't do it from a moral conviction. If you do it only out of compliance, it goes hopelessly wrong.
10. The evangelists
These are the people who shout from the rooftops about how things should be done. The best evangelist he knows in this field is Michelle Dennedy, who is Chief Privacy Officer at Cisco. She knows better than anyone else how to explain what this business is all about: "Data Privacy is telling a story about a person with integrity and respect." It's not that you don't process the data. If you are allowed to have personal data, you just have to process it properly. This is also simply stated in the first sentence of Article 5 of the AVG. The single most important article of the AVG is Article 5, not Article 6, which lawyers are always peering at. You cannot ask permission for something that is unfair. You cannot ask permission for something that is disproportionate. You cannot ask permission for something that is unlawful. Article 5 is the most important and it deals with exactly what Michelle says: "Telling a story about a person with integrity and respect". Jeroen hopes you will do the same, because if you only do compliance, you will still not be done implementing the AVG in 10 years' time.
View the whole presentation by Jeroen Terstegge (pdf).
Dutch Privacy Awards
The afternoon then ended with the presentation of the Dutch Privacy Awards. These Awards provide a podium for companies and governments that see privacy as an opportunity to distinguish themselves positively and make privacy-friendly business and innovation the norm. The winners of the Dutch Privacy Awards 2019 are... Startpage.com and Privacy Company in cooperation with SURF! In addition, PublicSpaces received the Encouragement Award.
With Private Search 2.0, Startpage.com offers a place where anyone who experiences profiling and targeting based on online searches as stifling can breathe a little more freely again. Startpage.com's promise is that its users can have Google Search queried without fearing that every search query will be added to a permanent data shadow at Google. Moreover, Startpage.com's search results can be accessed via an anonymising proxy. Startpage.com thus fulfils a need for anyone who wants to search for information without subsequently being confronted with targeted ads about it. Think of those looking for information about help with a financial problem, a relationship problem or a health problem. And of course of those who prefer to shield themselves 'by default' from foreign data traders (Silicon Valley cum suis) in the first place. The new Startpage.com website thus offers people an important, and also very user-friendly, way to browse websites without having to constantly worry about unwanted profiling and future confrontation with their search behaviour.
Winner: Privacy Designer (Privacy Company and SURF)
Privacy Designer is a web app by Privacy Company and SURF for SMEs, associations and NGOs that helps them identify privacy risks. The app is co-funded by the SIDN Fund and can be used free of charge.
The Awards jury was very impressed with this solution. It is convenient to use, innovative, and the social impact is great, because we know from research that the target group is often not, or only moderately, aware of the privacy risks they face and how to deal with them properly. Moreover, the fact that all data is stored on the user's own device and that minimal personal data is used is a plus. In short, this entry has the potential to improve privacy for a large group of people in a very accessible but effective way.
All sorts of things happen on the internet that we don't see or notice (search behaviour-based advertising in particular causes us a lot of irritation). Meanwhile, we are becoming increasingly dependent on navigation, cloud storage of our documents and searching for information. It seems that a few dominant commercial companies in particular are profiting from this.
PublicSpaces is a coalition of public broadcasters and cultural institutions that want to turn the internet back into a community of users. They want to work with a number of interested parties to fix the internet by offering a few alternatives in very concrete terms. Especially the inheritance of data across different platforms is a thorn in their side. With open source initiatives, but also the efforts of our previous winner IRMA, they want to contribute to the public value of privacy on the internet. The jury wholeheartedly encourages PublicSpaces' mission!
Click here for the entire jury report (pdf) with participation criteria and explanation of all nominees and winners.
The jury of the 2019 Dutch Privacy Awards consisted of independent privacy experts from various sectors:
- Bart van der Sloot, senior researcher, Tilburg University (jury chairman)
- Bas Filippini, founder and chairman Privacy First
- Paul Korremans, data protection & security professional, Comfort Information Architects (also board member Privacy First)
- Marie-José Bonthuis, owner IT's Privacy
- Esther Janssen, lawyer Information Law and Fundamental Rights, Brandeis office
- Esther Keymolen, technology philosopher, TILT, Tilburg University
- Matthijs Koot, senior security specialist, Secura BV
- Marc van Lieshout, senior researcher TNO and business director PI.lab
- Wendeline Sjouwerman, privacy specialist local government and healthcare.
After the conference, every attendee was given a copy of Jaap-Henk Hoepman's new Blue Book on privacy by design. Click here for the digital version.
This edition of the National Privacy Conference & Awards was a great success. This calls for a sequel and plans for 2020 are in the works!