Privacy Talk with Romain Robert, Member of the Litigation Chamber of the Belgian DPA: Why did you start your first career as a lawyer?
“This interview recorded on 7th August 2023 is talking about data protection enforcement and litigation issues.”
Kohei is having great time discussing data protection enforcement and litigation issues.
This interview outline:
- Why did you start your first career as a lawyer?
- What is noyb and what did you work there?
Kohei: Thank you for everybody coming to the Privacy Talk. I’m so glad to invite Romain from Europe at this moment and it’s very honored to talk about data privacy and data protection topics with him.
So, thank you for coming to this moment to interview Romain.
Romain: Thank you for having me.
Kohei: First of all, I’d like to introduce his profile. Romain specializes in technology law. He worked from 2002 to 2011 in various Brussels law firms. Between 2007 and 2011, he was also a researcher at the Research Centre in Law and Society at the University of Namur. In 2011, he joined the Belgian DPA as a legal advisor.
He worked for within the Policy and Consultation Unit of the EDPS as of 2015 and then for the Secretariat of the EDPB in May 2018. In April 2020, Romain joined the ‘Non of Your Business’ (NOYB) — an NGO conducting strategic litigation to enforce digital rights, where he stayed until end July 2023.
Romain is also a member of the litigation chamber of the Belgian DPA, the organ enforcing the GDPR in Belgium.
So, thank you for joining us today.
Romain: You’re welcome.
- Why did you start your first career as a lawyer?
Kohei: Let’s move on today’s agenda. I’m so excited to have talking like this with you. Since then you are brilliant expert in the field of data protection. So could you tell us, why did you start your first career as a lawyer? And why did you choose to work in the data protection domain?
Romain: Interesting I think I decided to become a lawyer when I was 12. I must have seen some, I guess the legal movie was the courtroom and everything I didn’t know and I always remember and I liked it.
And I wanted to be this guy in front of the judge, you know, redressing and looking for justice and defending people and oppressed and I think it was nice. So I decided to become a lawyer and it happened that I had to go to law school to become a lawyer.
So it was quite easy. And during my studies, I discovered IT law because it was really the beginning of technology law and telecommunication, E-commerce and I really liked it and decided to do master in IT law after my studies.
In the research center when I just studied as well in Namur. It’s a specialized master. We did IT privacy, E-commerce, Contract law, Competition and so on.
And then I guess I have had, let’s say the best of both words and I became a lawyer in a law firm but it was like a business law firm doing E-commerce and IT law outsourcing an IP.
That is not a lot of litigation, I must say and it was a lot of advice about how you would comply with the law, but not a lot of litigation even in e-commerce and outsourcing.
And I continued with various law firms until the point where I had to give a lot of advice about monitoring of employees versus privacy law and data protection law.
And it was really a huge huge demand from the clients because they really wanted to know under which condition they could collect the evidence of the employees. In compliance with the privacy and data protection laws, I had a lot of consultancies to do for clients and this law firm.
And that’s where I really started doing a lot of data protection. I mean, more and more privacy and data protection laws, I really did a lot.
But even back then, there was the only let’s say interesting consultation to do because it was really a sanction for the employer, , collect and use evidence which is illegally collected.
That was something really concrete and you know, something enforceable for the clients, but besides that, any other advice or consultancy that we were preparing for clients in terms of data protection law.
They usually asked “what is the risk for me” back then before GDPR, at a time before GDPR in Belgium that the risk was super low. So you were just writing and you know, researching opinions for your client was a really low risk, because the DPA did not have the power to sanction or to enforce the GDPR.
Back in the days, There was no civil society like noyb, suing companies for violation of the data protection rights. So basically, it was really nice paper and nice documentation that you share with your clients, but it was nothing concrete.
(Movie: noyb.eu — #InvestInPrivacy [ENGLISH])
At the same time, back then, I think it was in 2011. The Belgium DPA organized a competition to recruit new legal advisors and I was like, Okay, let’s give it a try.
Let’s see what is it happening on the side of the DPA, let’s say, and then I joined a Belgian DPA and then of course, since then, mainly and if not only doing the protection law, and I really enjoyed it.
I really didn’t know that working for a public body would be so appealing. Since then, I am doing only data protection law.
Since then, I’m really more interested about enforcement and concrete application of the data protection law. I think it’s very important because that was different to the first years of my career, where did a lot of research and documentation with no one to enforce it.
We should all have clarity not only the consumers, but also the DPAs and the controllers, the companies. We also need fair competition in the market. We need enforcement on all actors, not only two or three, we need clear rules for everyone,.
So I hope this answer to your question. Sorry it is maybe a little bit too long, but that’s how I came to data protection enforcement from IT law almost 20 years ago.
Kohei: Thank you. That’s a very interesting story for me as well. So you have a very great careers at the data protection space, and also, you are involved in some of the important work in this space.
One of them is the noyb, I know that it plays a very important role in the European data protection space. So could you tell us about the work and the noyb and what you did there?
- What is noyb and what did you work there?
Romain: Yes, sure. And I think it’s really the continuation of what I just explained. I wanted to enforce the GDPR and I joined the DPA in Belgium back then before the GDPR. So back then there was no real real sanction by the DPA.
Therefore, I joined the EDPS because back then there was a possibility to go to the EU institution if you were working for a DPA, and at this time, the GDPR was negotiated.
So I was taking part in the negotiations of the GDPR supporting the Belgian government and after that joined the EDPS and also continued to follow the negotations.
We were directly involved in the GDPR. So we have all the versions of the GDPR in front of our eyes, it was fascinating. After the GDPR was adopted, I joined the EDPB secretariat because I thought that back then the EDPB would be involved in enforcing the GDPR.
Maybe I was not really patient because back then the EDPB Secretariat was not yet active in the enforcement, we had to prepare everything before it was fully functional.
And so it was basically doing more admin, HR, legal anlysis, procedures, you know, exchanging emails and not really working on the substance, because we had to prepare the rules or procedures like all this, you know, legal work before the EDPB was fully functional.
And still, we didn’t see anything concrete in terms of GDPR enforcement. End of 2019, it happened that Max Schrem, who just founded noyb contacted and asked me whether I would be interested to join.
And I thought it was maybe time to do something from another perspective with another hat. And since enforcement was not really a thing, I thought that maybe civil society would be a bit more active in enforcement.
And that’s why they decided to join noyb in 2020. For those who do not know noyb, noyb is NGO, non governmental organization, founded five years ago by Max Schrems.
Max Schrems is privacy lawyer and activist based in Austria, and after two major cases that he wanted a Court of Justice found noyb which stands for none of your business.
None of your business is a consumer organization, digital right organization and enforcing digital rights with a really particular focus on the GDPR. And basically, noyb, it’s finding a lot of complaints against controllers.
We are not enforcing the GDPR, but also starting court proceedings against organizations to enforce the GDPR. I really enjoy to be a lawyer and give advice to clients, but also enforcing the GDPR at the DPA and making sure organisations comply working for noyb
Noyb , as said in itsmission statement on our website, is filling the gap between theory and practice, and before noyb, there was there to try to fill this huge gap between the text as the GDPR but also the lack of enforcement and compliance..
Because DPAs do not have the resources and priorities, it’s difficult for them to agree on a priority, and they don’t always have the expertise in all sectors. noyb is maybe there like a third actor, he’s not the only one in in Europe and but I think it is the major one, pushing the DPAs to act and to enforce.
So that’s what I joined noyb in 2020 to support the legal work and to try to speed up enforcement, finding complaints, thinking strategic litigation (because you have to be strategic when you are enforcing the GDPR in the EU because you have to know where to file a complaint in which language, which data subjects which are the main argument that you would raise which are the one that should not do).
It’s not only substances but also how to enforce and how to litigate, it is really the part that I missed in my previous work. So that is basically the reasons why I joined noyb.
Thank you for reading and please contact me if you want to join interview together.
Privacy Talk is the global community with diversified expert, and contact me below Linkedin if we can work together!
