By Irvette Tempelman – VNO NCW / MKB
We spoke with Irvette Tempelman, Secretary of Policy, who deals with privacy, consumer policy and the regulation of artificial intelligence.
Question 1) The VNO-NCW / MKB Nederland is an association of entrepreneurs, with branch organisations and companies as members. You represent companies of all sectors and sizes and cooperate with several governments. What are currently the main policy topics regarding the protection of personal data?
One of the main topics is the fact that the GDPR is still the number 1 regulatory burden for companies, especially for SMEs. The GDPR is a complex piece of legislation. Companies in general are more than willing to implement the GDPR but still have many unresolved questions as to how to do it. Another important topic is the necessity of a more balanced interpretation of the GDPR. The Dutch DPA is known to interpret the GDPR more restrictively compared to other DPAs in the Union. To retain a good support base, it is necessary to take into account other fundamental rights, legitimate interests and practical implications. It is important to keep the ratio of the GDPR in mind. Another main topic is working towards a more mature supervision system. And last but not least, international data transfer. We favour a truly risk-based approach when assessing risks of international data transfers. With a focus on (f)actual risks for the rights and freedoms of the relevant data subjects. Taking into account the nature, scope, context and purposes of a specific processing at hand. Assessing global surveillance and judicial redress laws is a complex and expensive task for companies large and small. A task which requires legal knowledge and/or resources for legal counsel which go far beyond those of most, if not all, SMEs. It should not become impossible for SMEs to take part in international trade and research projects due to administrative burdens they cannot overcome.
Question 2) You mentioned the complexity of the GDPR. How could the GDPR be explained in a manner that really helps companies, especially SMEs?
It is important to explain the GDPR from the angle of practical problems companies are confronted with. For instance, when a start-up starts to take on employees for the first time, what are the do’s and don’ts under the GDPR; or what are the do’s and don’ts if you wish to outsource your helpdesk to a provider outside the Union; or what are the do’s and don’ts for bakeries, butchers, plumbers, clothing stores and such when they process client data? It would be helpful if a guideline could be published by the DPA regarding the most standard processing activities (explaining the most commonly used categories of personal data for specific common purposes, processing activities, retention periods, receiving parties, etc.). Similar to information which was included in the former “Vrijstellingsbesluit” under the old legislation protecting personal data (the Wbp).
Question 3) You also mentioned a more mature supervision system, can you tell us more about this?
We also call it the ‘supervision pyramid’. Envision a pyramid with three levels: at the bottom level, the data protection officers; in the middle, the codes of conduct & certification mechanisms; and at the top, the DPA. This is how the supervision of the GDPR is intended to be. It is time for the position of data protection officers (DPOs) to be strengthened in the Netherlands as well as stimulating codes of conduct. After all, it is the DPO who is pre-eminently able to translate the generic privacy obligations into the specific application at organizational level. Unburdening the AP can also be achieved by stimulating codes of conduct and certification mechanisms, including complaint handling systems for handling individual (sector-specific) complaints. Codes of conduct could take flight if DPAs would no longer require costly accredited independent supervisors to monitor codes of conduct in addition to an independent auditing mechanism. With a mature supervision system in place, the DPA would be able to focus on investigating and tackling large-scale abuses and on tasks such as approving BCRs, codes of conduct and certifications, granting permits and exemptions and providing information.
Question 4) The organisation’s main objective is to safeguard the common interests of the Dutch business community at both national and international level. How exactly do you do this? Do you apply a certain approach or strategy?
We focus on subjects that are of common interest to our members. Privacy is such a common subject. To get our message across, we work together with European and international business organisations, such as Business Europe and SMEUnited. We also have an office in Brussels, which is our eyes and ears regarding matters of the Union.
Question 5) Do you see important developments for the Netherlands and Europe with regard to globalisation and international cooperation?
It is important to pinpoint and strengthen important technologies and economic areas in the Netherlands and Europe to create strategic independencies. Europe must strengthen its position to prevent becoming a vassal of others. We are looking to strengthen certain areas of expertise, such as AI, to be able to remain a free and open model of society based upon the European code of values (democracy, human rights and rule of law). This is crucial, taking into account the geopolitical developments in the world. We see the same discussion taking place within the USA, on how to strengthen their position in relation to China. We are looking to ensure an open strategic autonomy. A higher level of self-sustainability in combination with dependencies, open trade and investments in the world.
Question 6) We see that the use of artificial intelligence is increasing and becoming more important in the business industry. What is your opinion about the proposed European AI Act when it comes to data protection?
We welcome the European bill on AI. We believe that the two goals of the proposed Act are very much interrelated: strengthening trust in AI systems is conditional to growth and innovation. In order to reach such goals, we do have to look very closely at the obligations to ensure that these are operable. The devil is in the detail. With regard to AI & data protection, it is important that there is alignment between the AI Act and the GDPR. The GDPR already has a provision regarding automated individual decision-making and human intervention. Alignment is also necessary, for instance, regarding the obligation under the proposed AI Act to have systems and procedures for data management, the obligation to use high-quality training, validation and testing data, the criteria for further processing, transparency obligations, incident reporting and monitoring obligations. It is important within the context of AI that special categories of personal data can be processed to monitor, detect or correct bias in AI-output.
About the author
Quirine Eijkman is deputy president research & advice at the Institute for Human Rights and Chair of the Research group Access to Justice at the Centre of Social Innovation (KSI) of the HU University of Applied Sciences Utrecht.