Jetse Sprey, CLO and co-founder of Europechain
It’s almost three years since GDPR came into effect in the EU. We talk to legal eagle Jetse Sprey in Amsterdam about the impacts of the law both within Europe and without.
What the main impacts?
Funnily enough the rules didn’t change that much from the rules that were in existence pre GDPR, but the key difference lies in the penalties attached to flaunting data protection rules.
This is a nutshell can explain why GDPR burst upon the world with such a vengeance three years, in some ways out of proportion to the new legalities. It fostered an awareness for companies who realised they needed to look after the data they held and to ensure they were GDPR compliant.
And not just here in Europe, anyone dealing with European people and their data also had to become compliant.
It’s been an earthquake.
At the same time, GDPR has become a sort of standard for international legislations, or rather an example to be followed. In California, the new data protection laws draw heavily on many of the elements of GDPR. The same can be said for new laws in India.
In this field of data protection, Europe is leading the way.
How important is the role of GDPR in privacy – the pros and cons:
I would say the way people interact with their data has been changed in a profound fashion, but not always in a straightforward manner.
It makes people more knowledgeable on their privacy and what companies can do with this data. This is an important step where people become more aware of the importance of what happens to their data. It also introduced frictions; for example, during the pandemic it has proven more difficult to exchange data on people who are vaccinated or who have results from COVID tests. This can interfere with the swift reaction to different factions within a country which makes it more of a hurdle to control the spread of the pandemic.
These issues aside, it is a definite change for the better.
What about surveillance? We know that there are more CCTVs installed than ever before, again helpful in chasing crimes but also invasive in aspects of individual lives. In the lockdown, many people now work from home, and while employers cannot install CCTVs in their workers homes, there is talk of monitoring software recording keystrokes and activities on company-owned laptops.
That is a great question. In addition to the growth of awareness of what happens to your data, the possibilities of using big data in AI backed projects makes every piece of data potentially valuable.
The good news is that counting keystrokes on your laptop is not permitted under GDPR.
It is too big an invasion of your privacy. Mostly in democratic countries, surveillance is monitored and measured. However, should you live in a country like China or other non-democratic counties, then it may be commonplace for governments to use technology to spy on the people.
We should not be smug however here in the democratic world, privacy is not just about the here and now, it’s also about the future. If you look at what recently happened in the US on the 6th of January, then you might realise how precarious our hold on our rights may be. One day you are living in a free democratic country and the next you live in a Trump-like dictatorship. If that happens, then all your privacy laws go down the plughole.
We need to safeguard our hard-earned rights.
At the core of GDPR is the right to be forgotten. Why do we need that right and how can it be balanced?
Can you remember a time before the internet? Maybe if you are young enough you might not, but once upon a time news was recorded in newspapers. Perhaps there was a record of some kind, maybe with an individual’s initials or their full name, but over time it might be forgotten. The paper is thrown out, people forget. However, now with the internet, people can key in that name and up pops the associated misdemeanour or story which the subject may not wish to still be available.
Everyone makes mistakes, does stupid stuff, but the evergreen nature of the internet can be unforgiving. The absolute right to be forgotten has to be balanced; is the public’s right to be able to find that information more important than the individual’s right to erase their actions?
There is a well-publicised example of a German man who committed a double murder back in the 80s. He served his time and the story would have gone into relative obscurity only the German paper Der Spiegel recycled his story in 1999, bringing it up again to the top of Google searches.
The man fought a successful battle wherein the article is still online and is still in the Der Spiegel archives but it has been removed from Google. This is a very good example of a balanced approach.
So in the era of blockchain and immutable databases, how does GDPR play out?
Here we come back to base tacks. We need to be very careful about the kind of data we store onchain. And that data is personal should always be encrypted.
In my opinion, sensitive data such as health care should be private whereas elements such as certificates are better placed on the blockchain; one is meant to be private the other is meant to be shared.
In addition, if sensitive data is on the blockchain then the architects of chain should impose filters – in much the same way Google currently applies them.
It’s about striking a balance.
Very interesting – so it is good timing that GDPR comes into law around the same time as immutable technologies become more popular – we have an opportunity as humans to ensure the right kind of data is saved in the appropriate formats in the first place.
Yes, that is where it all starts – with the humans.
In conversation with Jetse Sprey, February 2021.