Privacy Talk with Isabelle Vereecken, Head of the Secretariat of the European Data Protection Board: What is the business benefit to work for data protection?
“This interview recorded on 20th July 2022 is talking about future data protection and cooperation”
Kohei is having great time discussing future data protection and cooperation.
This interview outline:
- How can we cooperate to fight against big tech companies?
- What is the future EDPB’s directions?
- How does the certification mechanism work in Europe?
- What is the business benefit to work for data protection?
- Why does the privacy is future investment?
- How can we cooperate to fight against big tech companies?
Isabelle: Yes, yes, you’re right. It’s a very important matter all over the place, we can realize this when we take part in the GPA meeting, the global privacy assembly, and we see that the those kind of same questions happen all around the world for those companies.
In the past, in Europe, data protection was more a matter which was subject to opinions, recommendations, etc. There were a few case laws and things changed following the GDPR with the capacity for all EU authorities to issue fines.
We can see a clear movement in which we get more legal certainty, which is also good for the business. A bit more like the area of competition law. There is already 70 years of experience in that field.
It is very interesting to see that now for data protection, it’s certainly part of the work, to also have to go to court and to defend the decision that we are taking. So that’s why we’re also taking all the measures to ensure that we take robust decisions that can stand in front of the courts.
Kohei: Awesome. So I moved to the last question, just kind of the future landscape. I’m very inspired since on the conference that many stakeholders is coming to one place there is a very important from the Japanese perspective because I have never seen like that causing any European has been discussed those kinds of issues almost being started the GDPR.
So could you share about the future directions of the EDPB?. Maybe you have some ideas such as in certifications or any other operation effectiveness studies in also the challenges and EDPB or other European stakeholders. So could you give us your or EDPB landscapes?
・What is the future EDPB’s directions?
Isabelle: For sure. At the beginning of the GDPR application, the EDPB made a lot of guidance to explain the key concepts of the GDPR and to provide a clear interpretation of the GDPR for particular sectors.
The EDPB will still continue on that but right now the focus of the EDPB has been moving on enforcement, to support of the enforcement, and also those accountability tools as you said, because the ultimate goal is compliance.
I worked myself a lot on the topic of binding corporate rules, and these are co-regulatory tools because in practice, the authorities are setting the criteria, but then the company is working on meeting the criteria and then there is a discussion and the authority is checking that everything is compliant, and then after the binding corporate rule is approved.
In the GDPR, we have those new accountability tools that have being created the codes of conduct and certification mechanism. In practice, the GDPR does not go into very much detail on how the framework should be created. So there’s a lot of margin of maneuver for the Board to further develop everything from that point.
And then the European Data Protection Board from the beginning made a lot of work on this, probably a bit less known by the public, but we created really the scheme to enable the functioning in practice of those tools, such as codes of conduct or certification.
So we published some guidance, we also reviewed all the accreditation criteria that were prepared by the authorities. They have to give accreditations to private companies that will issue the certifications or others that will monitor the respect of Codes of Conduct.
So, the regulators at national level, will have to accredit these companies and to issue the list of criteria for the accreditations of those companies. The authorities needs to send to the EDPB their draft decisions.
・How does the certification mechanism work in Europe?
We receive from all of the EU countries, the draft decision on certifications or accreditation criteria, and we ensure consistency on this matter, to ensure that the company giving certifications in one member state, will be under the same rules and same conditions than in other countries in Europe.
It is the institutional framework that was created and so were are creating the conditions or the criteria to meet by the companies to be certified (the certification scheme) or the conditions to meet for codes of conduct, as we did for the BCR.
And so we developed this framework, to enable companies to use those tools in Europe. This is for companies that are subject to the GDPR and want to get a certification, or wants to apply a code of conduct, but these tools can also be used in the context of international transfers.
The last action that we did is to publish guidance on the use of code of conduct for international transfer and very recently, we made guidance on the use of certification in the context of international transfers.
So we are shaping this, and I think that there is a huge interest from the business to make use of those tools. So when everything will be finalized it’s already starting, we will be receiving draft of Code of Conduct and certification scheme etc, that we will evaluate at the European level etc.
・What is the business benefit to work for data protection?
So there will be a lot of work on on that field, which is good because it’s always also interesting to see the interest of companies to develop their own mechanism to be compliant, to ensure that their commitments will be put in practice, with training program, complaint mechanisms, to ensure that the protection takes place in practice within the company.
Kohei: Thank you.
Isabelle: Of course at the EDPB, will will also see more binding decisions I think because, as you said, the enforcement is really ramping up. There are more and more decisions taken at national level and so even if there is only a small proportion reaching us, this is increasing. And so we will also have more binding decision coming for sure.
Kohei: Thank you. I think a lot of companies has tried to exploring what is the best practice and I think that your message just your company should focus on your own practice for the consumer protection, data protection that could be very important to companies should consider themselves what is the best practice and the sharing to the best practice to the other companies to combine in the best operations for the data protection.
That’s going to be a great actions and I’m expecting new actions from your organization. There’s going to be a great reference for the company.
Isabelle: Data protection can be definitively a competitive advantage for the business. We saw this in the past with the BCRs, binding corporate rules.
As from the moment one company in a particular business area such as pharmaceutical or a petrol company decided to adopt BCR, then all the competitors wanted to do the same because they want to show to their clients and to their consumers that they are also paying attention to data protection.
It is important because at the end of the day, you cannot make business if you don’t have the trust. Trust is key for business and also in particular in the environment when everything is digital. So it’s really important to try to be ethical and to gain trust with your consumers.
・Why does the privacy is future investment?
Kohei: Absolutely. So, could you give us the last message from your perspective because I think a lot of the companies or individuals should work for privacy and data protection in this moment because it’s a digital surge in that we should be changing the environment for the direction, so could you give us your message from insights?
Isabelle: Yes, first I would like to thank you very much Kohei, having invited me today. It’s really a pleasure also considering this, you know, the mutual adequacy decision which has been done between Europe and Japan.
This is the first mutual adequacy decision, which is really good in my point of view. So the data flows are made more simple between the countries. So that’s also very important to underline.
And I think that it’s important to underline that investing in privacy is not a lost investment. It is not only about paying attention to the risks, and looking at the price that you can pay in case of infringement if there is an authority that will catch you, but it is really to try to distinguish yourself from the others, try to avoid data breaches, and to get the trust of the consumers.
Even a very important company can quickly lose a lot of profits and income from the moment they lose the trust of their consumers. So it’s important to take this into consideration.
Kohei: So again, Thank you for having Isabelle in your precious time to give us then. It’s very exciting to collaborate to create a new thing for the protection and trust it was so good again, thank you for having this time.
Isabelle: Thank you very much. Yes, the data protection is becoming more and more global. So for sure, there will be always work in that field all over the globe.
Kohei: Thank you.
Thank you for reading and please contact me if you want to join interview together.
Privacy Talk is the global community with diversified expert, and contact me below Linkedin if we can work together!
