3 GDPR TRAININGS
Christophe Boeraeve
International lawyer & Member of the Litigation Chamber of the Belgian Data Protection Authority
1. From advisory to punitive – sharing the Belgian’s supervisory Authority new role under the GDPR
Sharing experiences: from advices to sanctions - the new role of the Belgian Supervisory Authority in the context of the GDPR.
How can we avoid being a "tourist" in our interactions with a new supervisory authority with vast "brand new" powers?
Examples of the practical functioning of a Supervisory Authority and in particular the challenges & opportunities it faces when it did not previously have the power to inflict penalties applicable to infringements of the GDPR.
On what basis are audits or raids decided? What are the criteria, priorities and sectors targeted? What are the Authority's means of investigation? What, how and when can it seize, access (premises, servers, networks,...), limit, prohibit, confiscate, bring the case before the Public Prosecutor's Office... Or simply prefer to formulate warnings or initiate a mediation? Can I be questioned as a suspect or worse... charged? What are my rights? What is the range of possible remedies and sanctions?
2. First gear on a very steep and bumpy hill: Artificial Intelligence pesky interactions with GDPR
Article 5 of the GDPR lists the principles relating to processing of personal data: it must be processed in a transparent manner in relation to the data subject.
How can Artificial Intelligence technologies ensure transparency for the users as computers in watches, automated cars or domestic robots perform tasks involving a simulation of human intelligence including decision making or learning by collecting voluminous amounts of data (Big Data) ?
The European Data Protection Supervisor has identified two major concerns: companies may not want to disclose how the personal data is processed on the grounds of trade secrecy and the difficulty of explaining a prediction when the latter is based on an AI algorithm using machine or deep learning.
Moreover, can a purpose be determined prior to the processing? How to explain the ever-changing results according to the personal data collected and its volume?
Data protection regulations also hold the principle of data minimization under which only adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed personal data can be processed. However, this principle seems in contradiction with the essence of Artificial Intelligence.
How can Data privacy & protection and AI be reconciled?
3. Inductio or B-UP: an EXCLUSIVELY inductive approach to the protection of privacy and personal data
B-UP means for us either (or all): B(ottom)-UP / Belgium-UP / Best (if) UP...
BOTTOM-UP: we begin with the actual challenges your organization faces re: accountability.
We then adopt BOTH Anglo-Saxon "CASELAW" (legal) & “READ-BEFORE-THE-CLASS-THEN-HASH-OUT” (university/pedagogical) approaches.
The idea - simple - is to adopt an EXCLUSIVELY inductive approach to training in the protection of privacy and personal data.
B-UP - "Inductio" therefore.
It is our challenge - we as trainers - to expose these GDPR matters by ALWAYS articulating them between/with:
- EU & local Case law; and
- The administrative case law of the EU Data Protection Authorities (31 but particularly the 3 French-speaking countries: Belgium, Luxembourg and France for Native French speakers and the 4 DUTCH/NATIVE ENGLISH speaking ones : Belgium, Netherlands, United Kingdom & Ireland); and
- By retaining in 1 and 2 the most representative and pedagogical PRACTICAL SITUATIONS encountered by Data controllers & processors/data subjects (interactions and/or votes with participants are easy to set up for each unique single training session).
Practical Pedagogy: Participants prepare for each session by receiving both casus and readings that provide them with the theoretical basis for solving actual business cases. The sessions all begin with an in-depth discussion of the business case(s), its/their articulation with other jurisprudential decisions/Data Protection Authorities/EDPB recommendations & articles or books from legal authors. The theory and principles are therefore co-discovered and co-constructed so that participants can draw from them both the relativity of any "unique" solution & confidence in their cognitive/learning abilities applied to the GDPR subject matter. The training is a success if they leave with more questions than when they entered.