Interview with Cecile Schut – Dutch DPA
“To hold grip on your personal data and knowing what others know about you is crucial” – Aleid Wolfsen
The Dutch DPA is the independent supervisor in the Netherlands that guards our constitutionally enshrined protection of personal data. One of the organisation’s main tasks is to monitor companies and governments to determine whether they are complying with the applicable privacy legislation, by means of investigations. In addition to conducting supervision, the Dutch DPA advises on new laws and regulations and provides information. We spoke with Cecile Schut, Director of System Supervision, Security and Technology about the meaning of data brokering, the DPA’s perspective on this subject, how to tackle illegal data trafficking, and more.
1. We’re going to talk specifically about data brokering/trafficking, but first of all, I’m curious about your position within the Dutch DPA. You have been appointed Director of System Supervision, Security and Technology at the Dutch DPA since 2018, if I’m not mistaken. This, in view of the then new European privacy legislation that was going to come into force from May that year. Can you tell us a bit more about your career path and why you took this position?
Of course! My start at the Dutch DPA in January 2018 was closely related to the start of the new European privacy legislation. At that time, the Dutch DPA had decided to restructure its organisation in preparation for the GDPR (and for the Data Protection Directive for the police and justice sector, which also became applicable as of May 2018). At the time of my application for the job, I was Director Policy at the Dutch Statistical Office. One of the things I was working on was the implementation of the GDPR. For an organisation with as much data as a statistical office has, this project was taken very seriously.
Because I am originally trained as a mathematical engineer, one might not expect me to join a DPA. However, I think that my background adds a lot: I like to connect people and knowledge from different backgrounds and to try to make things clear for the widest possible audience.
In the years that I was responsible for statistics, I learned how important it is not only to know how to make reliable statistics, but also to have knowledge of what the figures are about, to understand them. And the same goes for data protection: only when you know and understand the context in which organisations work is it possible to supervise in a meaningful way. Besides, I had learned in my work, and during my executive MPA, which I completed in 2014, that my mathematical thinking fitted well with how people with a legal background think. The combination of leading the technical people within the Dutch DPA and being responsible for what we call ‘ex ante’ supervision makes my job very inspiring.
2. Data brokering is one of the three key points the Dutch DPA is focussing on. What exactly does this mean?
At the end of 2019, we published the Focus of the Dutch DPA 2020-2023 which outlined three themes that we have decided to prioritize in the upcoming years. The themes are data brokering, digital government, and Artificial Intelligence and Algorithms. We chose these particular themes, because we see a lot of potential risks regarding the protection of personal data in connection to these specific topics. And if these risks occur, the consequences for the daily life of citizens can be far-reaching. Data brokering is one of the themes, because we currently live in a society where data is used to make products and services ‘smarter’, and these same products and services subsequently create even more data. This growing and constant creation of data means that even more data can be gathered, processed and sold. While this has its advantages, the dark side of data brokering is lurking: unlawful data processing and the lack of transparency for individual citizens.
We notice that citizens are losing their grip on their personal data and are unable to control where their personal data ends up and who has access to it. The Dutch DPA wants to give citizens control of their personal data back by ensuring that they can exercise their rights effectively. Data brokers are accountable for ensuring the lawful, fair and transparent use of personal data. The Dutch DPA stimulates this accountability and will take action against organisations that violate the GDPR.
“We notice that citizens are losing their grip on their personal data.”
3. The Netherlands has about 200 data brokers. Can we say that the Dutch entrepreneur has adopted this way of doing business from abroad? Imagine that data was bought from a US broker. How does this work regarding consent, its legal basis and so on? How does the Dutch DPA view these matters?
The growth of data brokering as a business has been a consequence of several different trends in the past few decades. The creation of the Internet, increasing processing power and the declining costs of data storage have all facilitated the development of data brokering. And also, from the beginning of this era, a lot of people strongly believe in “data as the new oil”. This has encouraged a lot of entrepreneurs to collect and exploit data. Alongside the technological trend, there has also been a social and political trend of increasing importance of risk assessment and crisis prevention. Since 9/11 and the war on terror, there has been a significant interest in creating profiles of possible (future) criminals and diminishing the number of opportunities of such criminal behaviour. This all requires the gathering and processing of data. Therefore, I wouldn’t necessarily say that “the Dutch entrepreneur has adopted this way of doing business from abroad”, but rather: it is the consequence of several trends in our digitalizing society.
“More and more ‘normal’ companies are also starting to sell data that they gather through their product or services.”
If a data brokering company wants to process data, it must be done in compliance with the GDPR. This process begins by establishing a legal basis as stated in Article 6 of the GDPR. A data broker can form its legal basis on consent, but other options are also possible. The data broker needs to determine which legal basis is most appropriate in the circumstance. Next to a legal basis, the data broker needs to ensure that the data is processed for specific purposes, is adequate, relevant and limited to what is necessary. Also, the data broker needs to ensure that the data is accurate and up to date. Another thing a data broker needs to think of is defining retention periods and ensuring proper security. In certain circumstances it also will be necessary to perform a Data Protection Impact Assessment and designate a Data Protection Officer.
If a data broker is able to comply with all the rules of the GDPR and continues to promote a culture of data minimisation, transparency and accountability, it should be possible for them to continue their work.
4. What is the definition of a data broker? When does an organisation meet the requirements to be designated as a data broker? Do these organisations also include, for example, organisations that use payment platforms, collect information and sell this to other parties?
It is not our task to come up with a definition of a data broker. In our view, the core business of data brokers is to make use of personal data as a key ingredient for products and services that can be sold to other parties. The possibilities are endless in theory. A well-known type of data broker is for instance a company that collects and combines on- and offline personal data to be able to create a profile of a person and sell this profile to companies. These companies can then use such a profile to decide on a person’s creditworthiness or to be able to determine which advertisement will be of interest to which person.
Besides, more and more ‘normal’ companies are also starting to sell data that they gather through their product or services.
5. One of DCSP’s regular columnists, Hans Schnitzler, once wrote in a piece ‘data trafficking is the same as human trafficking’. Those who reveal all their data on the internet and thereby reveal themselves as human beings to data brokers will sooner or later become objects of exploitation and manipulation. The government, in a way, facilitates the way of working for data brokers. Isn’t it a task for the government to stop this?
I understand the concern that the growing amount of personal data, especially when data is combined and exploited from different sources over a long period of time, can lead to manipulation. This may threaten our personal freedom. Our task is to ensure that these practices are executed in a manner that is compliant with the GDPR. The principles of the GDPR state that personal data must be processed lawfully, fairly and transparently in relation to the natural person to whom the data relates. Revealing information about oneself, whether it is on the internet or whether it is in real life, does not mean that this information is free to be collected by companies for other goals. Besides, there are a lot of data breaches where personal data gets ‘lost’. In some cases the data comes into the hands of criminal organisations, who use the data for instance for identity fraud or phishing.
6. What bottlenecks does the Dutch DPA face when investigating and monitoring illegal data trafficking? How do you deal with this?
Currently, the main challenge that the Dutch DPA has to cope with is the budget. At this moment the budget of the Dutch DPA is not sufficient for the amount of work the Dutch DPA has to execute. We are only able to follow up a small number of all the complaints we receive from citizens. And the same goes for the data breaches that are reported to us. In 2019, we were only able to investigate and close 0.3 percent of about 27,000 reported data breaches. Besides, the number of reported data breaches and complaints might be only the tip of the iceberg. Some data breaches are not noticed by organisations or not reported to us, and for individual persons it is often not at all clear how their personal data is used or traded.
This does not mean that we are powerless. In the last year, we have shown that despite our lack of resources, we were able to make great strides in the protection and promotion of personal data. We assisted and provided advice for the controversial corona app, warned about the deficiencies in the system of the Municipal Health Services (GGDs), and investigated and confirmed cases of discrimination in the recent benefits affair at the Dutch tax department.
7. The Dutch DPA works with supervisors of all EU countries together in the European Data Protection Board. What can the Dutch DPA learn from the other countries in terms of the supervision on data brokering? Or do you feel that the other countries can learn from the Dutch DPA? If so, can you give an example?
All supervisory authorities strive for a harmonised application of the GDPR. Therefore, there is active cooperation between the supervisory authorities. If necessary, specific cases are discussed. Together, an approach is determined. Unfortunately, the Dutch DPA is not the only one that is understaffed. For the coming years it is key that we can develop our cooperation and grow in capacity as joint European guardians of data protection.
“Individuals have to be able to gain back control of their own personal data.”
8. What is the ultimate goal for the Dutch DPA regarding data trafficking? Are there also positive sides to data trafficking? For example, can we learn something from data trafficking?
As mentioned in our Focus 2020-2023, our goal is to ensure that citizens have control over their own personal data. To achieve this goal, data brokering needs to develop in a specific way. This means that data brokers need to be fully compliant with the GDPR and citizens need to know what rights they have and how to exercise those rights. Therefore, transparency is a key issue: individuals have to be able to gain back control of their own personal data. We aim to supervise, to (where necessary) enforce the GDPR and to educate citizens on their rights. In this way, we will enhance and stimulate the innovative use of data.
As far as the illegal trade of illegally collected data is concerned, the ultimate goal is to ban this entirely. However, we are fully aware that this is not only in our hands: we need more attention and awareness from organisations in information security, and national and international cooperation with e.g. organisations in charge of cybersecurity and organisations in the criminal justice system.
As this shows, we must not forget the citizens. If we only talk about data brokering between the closed circles of organisations, companies and governments, the citizen gets lost. In the end, the purpose of our work is to protect citizens and their personal data. They are the reason why we do what we do.
About the author
Cecile Schut MSc MPA has been Director of System Supervision, Security and Technology with the Dutch Data Protection Authority since January 2018. She is responsible for offering guidance to organisations and their data protection officers, the assessment of requests for prior consultation, codes of conduct and other GDPR instruments that stimulate organisations to become privacy-proof. In addition, her unit is responsible for the high-quality and up-to-date knowledge in the field of security and technology that is necessary for the different supervisory tasks of the Dutch DPA.