For almost the last four years, the bureaucrats in Brussels have been discussing the way the privacy laws in the European Union should be harmonised. In December last year they finally reached agreement on the new General Data Protection Regulation (GDPR) that will, if formally adopted, replace the 95/46/EC data protection directive and all national laws that implemented this directive in their national frameworks.
The International Association of Privacy Professionals (IAPP) organised a two-day training session on the 22nd and 23rd of February to bring me and other privacy pros up to speed on this new opportunity for job security in the coming years.
Okay, it was half a day less than I expected. But it was a jam-packed programme that left no time (except for lunch and coffee breaks) to do anything other than be flooded with presentations on the new European privacy laws.
Interestingly, though not surprisingly, there was one common theme in the entire programme. All presenters stressed that, as we didn’t know the final text of the document yet, all or some of the information given in the presentations could very well be incorrect.
(Update April 2016: the final text has been released and adopted by the European Parliament; how much has changed compared to the December 2015 text remains to be seen.)
Another interesting point, stressed by various speakers, was that although the European Union really wanted to have one privacy law to replace them all, it did not succeed. Some 50-odd points will remain that will be decided on a per-country basis. Some of them, dealing with criminal law, are understandable, though some others could very well have been incorporated and are probably more due to EU back-room diplomacy than to factual differences between the member states.
The GDPR also highlights several categories of policies and measures to be taken to protect personal data, including but not limited to the use of cryptography. This was much to the dismay of one of the presenters, who clearly had some difficulty with this, I must agree, difficult topic.
This, though, quite elegantly highlighted the need for privacy professionals with a strong information security background and understanding.
The last session was formed by a panel of data protection agency representatives who had to answer some quite interesting and relevant questions. The upshot seemed to be that most of the agencies are understaffed and may not have the power to fully enforce the current data protection laws in their own country, let alone the new laws coming from Europe as well, although these will replace their local laws for the most part. This may well lead to less high-profile cases being laid aside in favour of high-profile and media-interesting ones. Although an understandable choice, this may, in the end, undermine more of our fundamental human right to privacy (article 8 ECHR) than we are willing to admit now.
And finally, you sometimes see things happening that make no sense whatsoever. Whilst I have my thoughts about a privacy association accepting money from companies that do not take our privacy too seriously and have a recent or infamous track record to show this fact very clearly, letting somebody from one of those companies speak at your training event, and specifically on the topic of compliance, really takes the biscuit.
Though the presenter in question may have had a very good track record in the privacy field, and I am the first to admit you can certainly make mistakes in your career choices, somehow having the company name of a notorious data protection violator next to your name really doesn’t help your believability, now does it?