Federico Marengo is a lawyer with a master's in public administration (University of Buenos Aires), an LLM (University of Manchester), and is a PhD candidate (Università Bocconi, Milano). His research deals with the potential and challenges of the General Data Protection Regulation (GDPR) in protecting data subjects against the adverse effects of Artificial Intelligence. He provides consultancy services in data protection and is also a teaching assistant in a course on European Law and in a course on Legal Argumentation and Economic Analysis of Law at Università Bocconi. He enthusiastically agreed to give an exclusive interview to Dpo-NET - Data Protection Officers Network, an online publication from Romania dedicated to privacy and data security specialists.
For a start, please tell us how your specialization in the field of data protection began. What are your professional goals?
F.M.: I had been working on data protection for a while, but I felt I needed more theoretical background to make a difference in my career. So I enrolled in an LLM in Manchester and then I started a PhD at Bocconi University, Milano. My current research relates to the potential and challenges artificial intelligence poses to data protection regulation, and how data protection impact assessments and audits should be carried out when AI-powered systems process personal data. I am currently providing limited consultancy services due to PhD commitments, but I plan in the future to expand my professional scope to include assistance with those services, in particular for AI solutions.
How was the editorial project "Data Protection Law in Charts" born? What did you intend to achieve by publishing this book? What is the target group to which this book is addressed, and what new does it bring to the field of data protection?
F.M.: The project did not start with the intention of creating a whole e-book. Instead, as I am doing a PhD, I wanted to have a more visual representation of the main provisions of the GDPR. I started drafting some charts and I found them really useful, since I remember concepts and ideas more easily if they are presented graphically. I thought it could be useful for others who share this way of learning concepts. So I started working hard on compiling the whole GDPR. I have to admit that I underestimated the amount of work and time required to do it, but I'm really happy about the results, especially after the great feedback I received from professionals who bought it.
The work is addressed to anyone who needs a quick and visually appealing representation of the GDPR and the main data protection concepts. From students to professionals, I think all of them can profit from it, since it is not limited to a mere collection of articles and recitals: I also included relevant case law and some comments from the WP29/EDPB guidelines.
Data Protection Law in Charts (eBook)
Data protection law regulates a wide range of our daily life and also defines the borders of business models and commercial services. Yet the legal text of the General Data Protection Regulation, with its 99 articles and 173 recitals, can be hard to comprehend.
As it is widely understood that visualisation can help the reader to remember and interpret intricate texts more easily and make them more comprehensible, the main objective of these charts is to provide those who are studying data protection law with a clear and intelligible presentation of the main legal text, explanations and case law. It complements, without replacing, the General Data Protection Regulation and the textbooks on data protection.
These are the units in the book (190 pages):
1. Context of European data protection law
2. General aspects of data protection law
3. Data protection concepts
4. Data protection principles
5. Rules of data protection law
6. Rights of the data subject
7. Controller and processor’s duties and obligations
8. International data transfers and flows of personal data
9. Supervisory authority
10. Remedies, liabilities and penalties
11. Specific processing situations
We prepared a coupon code for dpo-net.ro readers to get a 10% discount on the ebook (valid until 31/03/2021).
Coupon code: dponet
Almost three years have elapsed since the GDPR's entry into force. In your opinion, what has changed over these last three years?
F.M.: There are many challenges that DPAs still face, mainly the lack of sufficient funding and how they will address international data transfers, but we have to remember that the GDPR is a game-changing regulatory scheme and it entered into force in mid-2018. While DPAs are showing muscle and a great willingness to enforce GDPR provisions, companies are abandoning, however grudgingly, old data management practices.
It is essential that individuals identify illegal data processing in order to be able to exercise their rights. How important is it to know your rights if you cannot identify illegal processing? What should be the focus of information campaigns for people? Who do you think should be more involved in disseminating the importance of personal data: public institutions, national supervisory authorities or data protection NGOs?
F.M.: In many cases the lodging of a complaint, either before administrative or judicial authorities, is the first step to obtain compliance from controllers or processors. And without individuals' awareness of their rights, the exercise of those rights is a mere illusion. In my opinion every actor involved in this field has a share of responsibility for it, albeit to a different degree. First and foremost, governments should invest more resources in the data protection authorities, so that they can, among other activities, devote more resources to educational materials for the general public. Some authorities are already doing it; for example, the Italian data protection authority recently opened an Instagram account and frequently posts infographics with recommendations for a non-technical audience. Second, controllers and processors also have a duty to educate citizens on how to protect their personal information. I concede that this may seem utopian, but it would also help if these actors got involved in the data literacy of individuals.
Finally, some NGOs have played an important role, both in education and in litigation, to better protect the rights of individuals in the EU. We could mention NOYB (an NGO co-founded by Schrems, whose cases invalidated both Safe Harbour and Privacy Shield), Digital Rights Ireland and Privacy International (both of which also obtained the invalidation of surveillance regulations).
What are the best examples of awareness-raising campaigns about the importance of personal data that you have seen recently?
F.M.: Due to language barriers, I can't follow the activities of many data protection authorities or states. However, in my opinion, the Spanish data protection authority is doing a great job in publishing easily understandable and reader-friendly material to catch the attention of citizens in general. Moreover, they have been very active on social networks such as Twitter and LinkedIn, publishing these materials.
Do you think that fines have an important role in applying the GDPR? From your practical experience, do most operators comply with the GDPR out of a sense of responsibility or out of fear of fines?
F.M.: It is generally said that 'if sanctions are to have teeth, violations must be punished'. I think that national DPAs are cracking down on data protection breaches and, as a consequence, my guess is that many more GDPR fines will be issued in the future. And while I don't think that the preventive function fines have is the optimal way to protect the interests of individuals, they certainly disincentivize controllers or processors that would otherwise conduct their businesses in outright infraction of the regulation.
Sanctions undeniably play an important role and shape to a great extent compliance with the regulation. Many controllers/processors know that the chances of being caught for violations are slim. The regime imposed by the GDPR and the national legislation enacted on its basis imposes stringent obligations on operators. This is a heavy burden, especially for MSMEs.
I have the impression, though, that lately controllers and processors, be it to avoid being punished or because it is the right thing to do, more frequently request advice on how to conduct their processing operations in compliance with the GDPR.
Do you think public institutions should be an example for the rest of the operators? We ask this question because in Romania we have preferential treatment for public institutions, the maximum fine for non-compliance with GDPR is 200,000 lei (about 42,000 euros), much lower than what private operators risk. Is this a general practice at the European level?
F.M.: To begin with, I do agree that public institutions should set the example of correct data management, since people need to trust them. Otherwise, the effectiveness of many public services, which require the processing of personal data, may be hindered.
Whereas public institutions are not exempt from GDPR compliance, these organizations have a more lenient regime. Not only did Romania provide for lesser penalties where the controller/processor is a public institution; this stance is also followed by, for example, Ireland (section 141(4) Data Protection Act 2018) and Spain (art. 77 Spanish data protection act). This certainly does not help in building trust among citizens concerning the handling of personal data by public authorities.
How do you think an internet user should behave if they are aware of the risks the Internet hides? Children's access to the Internet is already normal. Should this worry us? Do you think that education on children's Internet access should be a task for parents, or should the education system assume this role?
F.M.: The collection of personal information for (chiefly) marketing and advertising purposes is not something new. However, the Internet and novel technologies provided a fertile ground on which data brokers and advertising companies gathered colossal amounts of information. Even though the collection of personal data is inevitable, we can take some steps to protect ourselves.
For example: using a privacy-friendly internet browser (like Mozilla or Brave instead of Chrome), search engine (like Startpage or DuckDuckGo instead of Google) and adblockers; avoiding downloading unnecessary apps that collect information; and, before downloading an app, checking the privacy label the app developer provided to Apple's App Store, which you can consult even if you do not have Apple products. Furthermore, we could choose privacy-friendly options for messaging (e.g. Signal, Telegram, Wise, instead of WhatsApp or Facebook Messenger) or videoconferencing (Jitsi instead of Zoom or Microsoft Teams).
What are the tips you can offer to a controller?
F.M.: Basically, controllers must abide by the law because it is the right thing to do. They should not make an economic analysis of compliance with the law (in short, evaluate whether the costs of compliance are higher than the costs of being fined if caught).
I would argue that the most effective and affordable tools controllers and processors have at their disposal are, first, adopting data protection training programs for their employees to increase their privacy awareness. Secondly, hiring the services of a data protection officer, because, even if their designation may not be mandatory for them, it is also a cost-effective way to get tailored data protection advice and to demonstrate compliance with data protection regulations.