Debating Privacy & Data Protection – CPDP in a Nutshell

The Computers, Privacy & Data Protection Conference (CPDP) is a world-leading multidisciplinary conference discussing the cutting edge in legal, regulatory, and technological developments with regard to privacy and data protection. As a privacy-conscious company, we find it important to attend conferences like CPDP to exchange ideas and discuss the latest emerging issues with other experts from this field.

We started the first day with a throwback to where things were a couple of decades ago. Communication technologies masking the identity of users had already emerged in the ’80s, and the ’90s saw the proliferation of other privacy-enhancing technologies. While the GDPR has been positioned as a revolutionary piece of legislation in terms of the protection of personal data, we were reminded that the ’95 Data Protection Directive already stated that data-processing systems are designed to serve mankind.

The 21st century then revolutionized the way people communicate with each other and about themselves. The idea of being constantly connected to friends and family lured people into increasingly exposing themselves online. Most users seemed overly trusting of online platforms, gladly providing personal information in exchange for a free service. The latest data scandals and misuses, however, changed the perception of users, who are now starting to realize the pitfalls of data-hungry business models.

However, even with users becoming more conscious and with legislation like the GDPR in place, global platforms like Facebook and Google still craft interfaces that trick users into doing things they might not want to do but which benefit the business. As the Norwegian Consumer Council highlighted, this goes against the principles of privacy by design and by default – one of the key provisions of the GDPR.

This principle is based on the idea that those who process personal data should implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. In this regard, speakers drew attention to the importance of end-to-end encryption, which is key in preserving the privacy of users’ data. As was rightly pointed out, with end-to-end encryption, the encryption keys are held on the user’s device; hence, the service provider cannot have access to the data.

Later in the day, the discussion moved to evaluating the global privacy landscape. Reflecting on the state of privacy worldwide, Bruno Gencarelli, head of unit at the European Commission’s Directorate-General for Justice and Consumers, pointed to the convergence we see with countries like Japan and Brazil adopting laws similar to the GDPR. After data scandals involving tech giants, even Americans are waking up and have started working on a federal data privacy law.

While these are positive developments, we also observe some worrying trends in the regulatory landscape. Several sessions discussed legislation that aims to facilitate law enforcement’s access to electronic evidence. Katitza Rodriguez from the Electronic Frontier Foundation warned of the danger of a race to the bottom in privacy protection with the Cloud Act, which gives US law enforcement broad access to data stored outside the territory of the United States. What’s more, it also carries a risk of conflict of law, as the e-evidence proposal, which many see as the EU’s reaction to the Cloud Act, is not yet in place in the EU.

In this regard, it was pointed out that the EU’s text still needs much improvement: the increase of law enforcement’s power needs to come hand in hand with robust legal safeguards. To us, what gives reason to worry is that the text does not specify that providers of end-to-end encrypted services cannot be obliged to decrypt the data they have to hand over to law enforcement authorities. In today’s data-hungry era, it’s essential to protect tools like end-to-end encryption, which is an enabler of privacy and freedom of expression, as stated by UN High Commissioner for Human Rights Zeid Ra’ad Al Hussein.

Last but not least, the thorny issue of Brexit also came up. Understandably, businesses are worried about the potential implications of Brexit on international data transfers. In the case of a “no-deal” Brexit, the UK will be considered as a third country, outside of the EEA. As a result, data transfers from the EEA to the UK will not be allowed unconditionally, unless an adequacy decision is adopted by the EU.

This is, in a nutshell, what was discussed during CPDP. Clearly, we are moving to a more privacy-conscious world, but there are still many improvements needed in terms of regulation, behaviour of market players, and consumer awareness.

We, at Tresorit, will keep contributing to the debate and raising awareness of the importance of respecting privacy online as much as offline. We look forward to the discussions to come.
