GDPR STAKEHOLDER INVOLVEMENT HOW TO ELEVATE YOUR PRIVACY PRACTICES


Post on 20-Aug-2020


Page 1: GDPR STAKEHOLDER INVOLVEMENT...We get it, you want to hide the data requests because these are often a load of extra work for the DPO’s involved. Yet, it’s an important tool for

GDPR STAKEHOLDER INVOLVEMENT

HOW TO ELEVATE YOUR PRIVACY PRACTICES


TOPICS

DATA, PRIVACY, SURVEILLANCE, CLIENTS, GDPR, COVID19, EMPLOYEES, FACEBOOK


MATTHIAS DOBBELAERE-WELVAERT

WHO IS THIS GUY?

TWITTER @DOBBELAEREW


PRIVACY-EXPERT & ACTIVIST: Director, ‘the Ministry of Privacy’

GHENT LEGAL HACKERS: Co-founder.

TRIUMPH AMBASSADOR: Official Triumph Mobility Ambassador.

LEGAL STORYTELLER: Legal Stories

LECTURER: Erasmus Hogeschool Brussel


01. A DIVE INTO HISTORY


WHAT IS PRIVACY?

IT’S MORE THAN LEGISLATION

Privacy is a human right, as stated in Article 8 of the ECHR. However, the legislation is not absolute: restrictions are possible. Governments can impose restrictions to ensure the safety of their citizens. Private companies are also allowed to process personal data if you give your permission for this, or if they have a "legitimate" interest in doing so.


IT’S MORE.

It’s essential to point out that privacy is way more than legislation. In the past months a very narrow focus has arisen in media discussions concerning privacy. Issues are constantly being evaluated through the very narrow lens of articles within the GDPR, and while that is important legislation, privacy as a concept has to be understood from an ethical, philosophical, sociological and even historical point of view.

As most of you are privacy experts and DPOs, you undoubtedly have a very good understanding of the GDPR, and of the rights and obligations that are contained in the text. While that is essential to avoid costly fines - since the Belgian DPA is apparently waking up from its winter sleep - a better and deeper understanding of privacy is important when establishing a privacy practice through the lens of the data subject itself (whether that is an employee, a client, an app user, a supplier, and so on).


HISTORY OF PRIVACY

“PRIVACY MAY ACTUALLY BE AN ANOMALY” ~ VINTON CERF, CO-CREATOR OF THE EARLY INTERNET PROTOTYPE AND GOOGLE EXECUTIVE.

Privacy, as it is conventionally understood, is only about 150 years old. Most humans living throughout history had little concept of privacy in their tiny communities. Humans have invariably chosen money, prestige or convenience when these conflicted with a desire for solitude.

Excellent source: https://medium.com/the-ferenstein-wire/the-birth-and-death-of-privacy-3-000-years-of-history-in-50-images-614c26059e


THE GREEKS

The Greeks displayed some preference for privacy. And, unlike their primitive ancestors, the Greeks had the means to do something about it. University research found that the Greeks used their sophisticated understanding of geometry to create housing with the mathematically minimum exposure to public view while maximizing available light. However, Athenian philosophy proved far more popular than their architecture.

“For where men conceal their ways from one another in darkness rather than light, there no man will ever rightly gain either his due honour or office or the justice that is befitting” ~ Socrates


MIDDLE AGES

Early Christian saints pioneered the modern concept of privacy: seclusion. The Bible popularized the idea that morality was not just the outcome of an evil deed, but the intent to cause harm; this novel coupling of intent and morality led the most devout followers (monks) to remove themselves from society and focus obsessively on battling their inner demons free from the distractions of civilization.


EARLY RENAISSANCE

Thanks to the printing press’s invention after the Great Counsel’s decree, personal reading supercharged European individualism. Poets, artists, and theologians were encouraged in their pursuits of “abandoning the world in order to turn one’s heart with greater intensity toward God”. To be sure, up until the 18th century, public readings were still commonplace, a tradition that extended until universal book ownership. Quiet study was an elite luxury for many centuries.


BEDS WERE… EXPENSIVE.

Individual beds are a modern invention. As one of the most expensive items in the house, a single large bed became a place for social gatherings, where guests were invited to sleep with the entire family and some servants. However, the Black Death alone killed over 100 million people, and this profoundly changed hygiene attitudes, especially in hospitals, where it was once common for patients to sleep as close together as houseguests were accustomed to.


INDUSTRIAL REVOLUTION

In this early handwritten note on August 20th, 1770, revolutionary and future President of the United States, John Adams, voiced his support for the concept of privacy. Privacy-conscious citizens did find more traction with what would become perhaps America’s first privacy law, the 1710 Post Office Act, which banned sorting through the mail by postal employees.


GILDED AGE

By the time the industrial revolution began serving up material wealth to the masses, officials began recognizing privacy as the default setting of human life. For the poor, however, life was still very much on display. It was during the Gilded Age that privacy was officially acknowledged as a political right.


LATE 20TH CENTURY

By the 60s, individualized phones, rooms, and homes became the norm. 100 years earlier, when Lincoln tapped all telegraph lines, few raised any questions. In the new century, invasive surveillance would bring down Lincoln’s distant successor, even though his spying was far less pervasive. Upon entering office, the former Vice-President assured the American people that their privacy was safe.


NOW.

Young consumers were willing to purchase a location tracking feature that was once the stuff of 1984 nightmares. Increased urban density and skyrocketing rents in the major cities have put pressure on communal living. At the more extreme ends, a new crop of so-called “life bloggers” publicize intimate details about their days.

Excellent source for the history of privacy, read more via https://medium.com/the-ferenstein-wire/the-birth-and-death-of-privacy-3-000-years-of-history-in-50-images-614c26059e


WHAT IS ITS FUTURE?

WILL PRIVACY FADE AGAIN?

Will privacy fade? Most people seem perfectly willing to trade off privacy for safety, health (COVID-19, anyone?) or simple convenience. Others are saying that the cost of privacy is too high, an argument repeatedly heard during the Corona pandemic over the last few weeks.


TRACKERS, INSURERS, ETC

Many of us carry around portable trackers, whether in the form of smart watches, smartphones, or other accessories. Cyclists are keen to share their adventures on Strava (“Facebook post or it didn’t happen”).

Some insurers are already suggesting lower fees in exchange for insight into customers’ health data. Or take Carrefour Brussels as an example: they’re implementing a payment method using the fingerprints of their customers. Customers signed up immediately, without any noticeable advantage (no coupon or cost savings).

So. Is privacy dying?


THE QUESTION

DO DATA SUBJECTS REALLY CARE?

With all the investments made, processes implemented and education included, do data subjects really care? Ask yourself: how many data requests have you received since 25 May 2018? How many data removals? And is that because people simply don’t care, or because they don’t know about their many rights and possibilities within the GDPR?


02. ACTIVATING DATA SUBJECTS

Make them care.


GRRR

“I HAVE NOTHING TO HIDE”


IS IT YOUR JOB TO MAKE DATA SUBJECTS CARE?

MANY WOULD ARGUE, NO.

As a DPO or privacy expert within your organisation, many of you have experienced a certain restraint from management or other departments. After all, data is an incredibly valuable resource, and no longer restricted to pure data companies. Every sector and every company can thrive on data analysis. That, perhaps, is the reason for long, non-transparent legal texts and procedures.


WHICH ROLE DO YOU WANT TO PLAY?

ASK YOURSELF: WHAT DO YOU WANT?

An important thing to ask yourself is how you want your data to be handled by other companies. As DPOs, you have an incredible advantage over ‘regular people’, since you have extensive knowledge of privacy legislation. However, most data subjects have no or very limited experience with handling data rights.


HOW TO ACTIVATE?

A FEW IDEAS TO ACTIVATE DATA SUBJECTS

Most of us are inherently ‘lazy’. This is a simple survival instinct: the more work we need to put in for a result, the less interesting it becomes. Therefore, it is critical - if you care at all about data subject involvement - that you make steps and processes as easy and accessible as possible. Here are a few ideas:


DO YOU EVEN READ THOSE?

NOBODY

Deloitte conducted a survey of 2,000 people in the US. 91% agreed to T&Cs without even reading them.

… AND ONLY 3%

Of those aged between 18 and 34, only 3% read the legal text. 97% simply agreed.


AVERAGE: 10 MINUTE READ.

THIS WAS BEFORE THE GDPR.


PEOPLE DON’T CARE ABOUT THEIR PRIVACY! OR DO THEY?

VOX POPULI


TERMS OF SERVICE; DIDN’T READ

GERMAN-BASED IDEA

“I have read and agree to the Terms” is the biggest lie on the web. We aim to fix that.

OLD

Since 2012: mixed results.


As long as we persist in writing privacy policies in this manner, we can forget about data subject involvement. Yes, legal is important, but it’s time to reconsider treating privacy as just a legal burden: make it part of your customer journey.

TOO MUCH INFO


STOP NAGGING. SHOW ME THE WAY.

SOLUTIONS, NOT PROBLEMS


Legal design is the application of human-centered design to the world of law, to make legal systems and services more human-centered, usable, and satisfying.

LEGAL DESIGN


Source: https://www.lawbydesign.co/


LEGAL DESIGN.

IT’S TEAMWORK

Legal design is not just making something very unattractive attractive. It’s more than simple graphic design: it demands cooperation between copywriters, marketeers, graphic artists and lawyers or DPOs. Legal design is a spinoff of the ‘service design’ hype, which stresses the importance of teamwork across disciplines.


INVITE THE USER

ROUND TABLE YOUR DATA SUBJECTS

Organise round tables with a selection of your clients, suppliers and employees (separately, though). Ask not “how is our privacy policy?” but rather “do you feel your data is safe with us, and what can we do to improve this?”.

It goes without saying that a perk should be included.

SECOND IDEA


MAKE EVERYTHING SIMPLER

EXAMPLE: DATA REQUESTS

We get it, you want to hide the data requests because these are often a load of extra work for the DPOs involved. Yet, it’s an important tool for the data subject, whether they just want a quick look or a complete ‘deletion’ of the data involved.

Let me show you something.

THIRD IDEA


WHY DID WE MAKE THIS?

BECAUSE THE EXPERIENCE SUCKED.

Yes, we did find the email address of every DPO in *almost* every privacy policy. Hospitals were by far the sector that scored most poorly on this; many were not up to date with the GDPR requirements or had “[email protected]” as address. Almost no-one had a form (except some operators), and certainly no-one had a model or an example to show to data subjects. That could be improved greatly.


KISS: KEEP IT SIMPLE, STUPID

YOU WANT DATA SUBJECT INVOLVEMENT?

Make it simple. Period.


03. COVID-19: HOW TO BUILD TRUST

Trust will be the key component in everything you do, post COVID-19.


WHICH CORPORATE REALITY DO WE WANT?

It will be exciting to take back our normal lives. Perhaps one day we will do keynotes again in real life, and not like this. I would prefer it so.

Yet, are temperature scanners being implemented in every conference room? Will cameras with software be tracking us? Will an app or a bracelet be made mandatory by business owners or CEOs?


HELL

The debate concerning the COVID19 application proves one thing: consumers and citizens are highly unpredictable. When the government is filling our streets with surveillance cameras and high-tech hardware, the majority couldn’t care less. When the government wants your fingerprints - even if it doesn’t do anything for your safety, and believe me, although I might be biased, it doesn’t! - they still don’t care.

But when the government wants to put forward a relatively anonymous app (for example, with the DP3T framework), all hell breaks loose. How is this to be explained? Why?

It’s too early to give definitive answers, but the most probable one: we are used to being afraid of terrorists or crime. We are not used to feeling threatened by viruses or diseases. We don’t have a mask culture like China or other Asian countries. So this is very new; smart cameras just aren’t.


COMMUNICATION

Communication is key, certainly in moments of crisis. By far the most-heard complaint about Wilmès I was the lack of clear communication (remember the weird PowerPoint presentation). Communication isn’t just key if you are a Prime Minister, but also if you’re the CEO or DPO at a company that will bring back its employees, customers and suppliers.

Your company will want to take measures. I expect they have already taken them, or at least have a roadmap ready. Many will involve the processing of personal data. There is no issue with providing sanitary gel at your entrance. There is - according to the Belgian DPA - no issue with temperature scanning, as long as no personal data is being stored (the Dutch DPA is much more careful in its point of view, and has decided against the private use of temperature scanning). However, many of you have multiple cameras and surveillance implemented at entrances. It will be key to wipe that footage or disable cameras, so that visitors, employees or suppliers who tested positive cannot be linked to their result.


TEMPERATURE SCANNING

The Belgian DPA (GBA/APD) does not consider the mere taking of body temperature to be processing of personal data. Insofar as such temperature taking is not accompanied by any additional recording or processing of personal data, the GDPR therefore does not apply. In general, an employer cannot take measures that go beyond the existing regulatory framework of labour law or the instructions of competent authorities.


WEARABLES

Companies have rushed to market with prototypes of Bluetooth wearables. These - depending on their configuration and (de)central storage of data - can be privacy-friendly or a privacy nightmare. The most privacy-friendly one is of course the basic variant of the wearable: the bracelet checks every 20-30 seconds via Bluetooth signal whether another bracelet is too close by. Others are providing employers with a bracelet dashboard, so employers or management can intervene and step in when an employee clearly isn’t too keen on the social distancing measures.

My only advice: think before you buy. I understand procurement is not the DPO department, but I need you all to step in. Surveilling your employees through Bluetooth wearables (when the data is centralized, at least) is an Orwellian nightmare for your colleagues. Might as well combine them with toilet and cigarette break trackers (yes, this has been suggested).


MANUAL TRACING

Manual tracing seems to be becoming a disaster. While the procedures are already in place, and patients who tested positive are already receiving phone calls from tracers, the legislative framework is lagging behind - and worse, being completely demolished by the Belgian DPA.

Criticism centres on the centralization of data by Sciensano (the database), storage of data (up to 30 years), collection of data (too much data that isn’t strictly relevant), and so on. This is an additional concern for building trust amongst citizens - trust, which is essential.


APPS

I almost don’t dare to talk about this subject anymore. The debate is intense, with abundant levels of emotion - I’m no different, at least in the early weeks of the debate. Suffice it to say, the Corona apps are incredibly sensitive in almost every country that has either introduced one or plans to introduce one.

Belgium has been lagging behind. The ‘Data Against Corona’ taskforce of Philippe De Backer investigated multiple scenarios and applications. None seem to pass the famous ‘privacy test’, which was more than simple GDPR requirements. At first, the idea was to have multiple apps that consumers could freely install. However, since Apple & Google have made their API available to only one official government app, this idea was abandoned. Most likely, it will be an app from UGent, in cooperation with several other academic bodies and private companies.


In the legislative proposal, it’s clear that the Belgian app will have to make use of the DP3T framework; most privacy specialists and activists agree that this is the framework that delivers the most protection for users’ privacy.

What is also very clear in the current proposal is that employers can never make the installation of the app mandatory. Yet, as we all know, there are different levels of explicit or implicit coercion. We have to remain vigilant, as DPOs and privacy activists or specialists, that free choice does indeed mean: free. Just like the much-debated free consent in the GDPR, this can only be assured by vigilance.


WHAT THE FUTURE WILL BRING IS HIGHLY UNCERTAIN.

UNCERTAIN


IT’S YOU. THE DPO.

You have a special job to do in the coming months and weeks. You will have to find ways to align safety, health, hygiene and privacy in relation to your customers, employees and suppliers. And while many of them will agree to just about anything your company proposes, a lot of them will also be hesitant to trust their employer or client with sensitive medical data.

Basic GDPR hygiene is recommended (such as data minimisation). Yet we have to realize one important thing: the GDPR is not a holy grail in this pandemic. On the contrary, the GDPR explicitly foresees the possibility for governments to process enormous amounts of sensitive personal data when this is necessary to combat health crises ((46) and article 9, (i)). So while government will have an easy job implementing COVID-19 measures, measures taken by companies will have a much harder time staying in line with the GDPR (however, take a good look at article 9, (h)).


Hey you…

Thank you for having me. Any questions?