Category: Uncategorized

Last week, the European Commission introduced its “Digital Omnibus” bill. The Omnibus is a proposal for a new legislative package supposedly aiming to “simplify” key EU digital regulations such as the GDPR, AI Act, and ePrivacy, with the aim of furthering the region’s innovative potential.

The proposal, along with some country positions, had already been leaked and subsequently commented on extensively by observers prior to its introduction. Prominently, 127 civil society organisations had issued a letter disparaging the Commission’s approach as “an attempt to covertly dismantle Europe’s strongest protections against digital threats.” Alarm bells have been raised, inter alia, regarding the tracking of personal devices, a new kind of legitimate interest to serve as the legal basis for using personal data for AI training, or the relativisation of the GDPR’s transparency principle.

Other voices, including from industry pressure groups, have welcomed the package as a trajectory that would expedite innovation by essentially pulling out stops from the process of making AI tools omnipresent. No surprise there in light of the still ongoing AI boom, and continued investment in the proliferation of AI solutions.

The jury still appears to be out as to whether the AI revolution will ultimately save human civilisation, or indeed destroy it. At this moment, it is easy to be either a techno-optimist or, like many including yours truly, a concerned citizen when most of the revolution is still ahead of us—we just do not know how it will play out.

And the dilemma of legislating under extreme uncertainty will render any major regulatory change in the digital space—much like in other “progressive” compliance domains such as sustainability or supply chain transparency—ultimately a gamble. For the EU, the dilemma is not simply about innovation versus fundamental rights as the debate between industry and civil society would seem to suggest—it runs deeper.

How should we Europeans define our role and identity vis-à-vis growing competition, economic polarisation and concentration of corporate power and influence across the globe? How can we be liberal enough for our companies to remain competitive, but also regulated enough so that we don’t sacrifice our “Europeanness”, and the political–economic edge (we think) it provides?

***

“Simplification” as an autonomous goal is, in my view, misguided. Our social contract is complex, our political concepts fuzzy, which, much like cookie banners, is not to everyone’s liking. But the solution to complexity is not always just to cut the Gordian Knot—it is as often to provide better operationalisation, and better explanations.

For many corporates, “simplification” will be a buzzword used to market organisational change (=downsizing) to their shareholders, or (semantically) justify it to their employees. And there are of course merits to simplifying organisation design. But policies that work well for a corporate organisation may translate very poorly to the level of societal change. Because at the end of the day, enabling corporate efficiency, as noble a goal as that is, is not a primary objective of human society.

If there was a world cup in regulatory complexity, the EU’s digital regulations would be strong contenders. But complexity is not the enemy. Instead of making it into one, legislators should be seeking to establish a better kind of complexity: one that works for the EU and addresses its innovativeness dilemma as best we can—for the moment, anyway. And then revisits it as the AI revolution progresses—or indeed devours its children.

The GDPR conceives of the ideal type for a data protection officer (DPO) as a sort of liberal intellectual . They answer only to top management, dispose over ample resources, are professionally independent, and have no managerial responsibility vis-à-vis the business plan. But is all of this compatible with holding other roles in an organisation? The GDPR’s answer (Article 38, para. 6) is “maybe”, and it all hinges on avoiding a conflict of interest.

The tension comes from the reality that corporations do not usually employ liberal intellectuals (they might occasionally engage them as consultants, but that’s beside my point here). Corporations have hierarchies, reporting matrices, and managers who are responsible for their business areas. Consequently, inclinations to integrate DPOs, along with other second-line control functions, into the organisational logic—as opposed to having them float around it—are natural and largely understandable. Certain experiments for such integration have, however, not proven successful.

Managing Director as DPO

Perhaps the shortest route to failure has been the managing director (or indeed any executive manager) as DPO—a solution which has drawn considerable focus from regulators. Probably the most expensive lesson to date comes from the Berlin Data Protection Commissioner, which in 2022 imposed a walloping €525,000 fine on a German e-commerce company whose DPO also served as the managing director of its subsidiaries.

N.B. that already in 2016 in their guidance document on DPOs (wp243), the Article 29 Working Party (the forerunner to the European Data Protection Board) very clearly cautioned against this practice:

“As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing” (p.24)

… which, of course, an exec inevitably will.

Compliance Officer as DPO

To move on from the obviously wrong to the more nuanced and clearly more prevalent: DPO roles often include other responsibilities from the compliance domain. As I also argued in my 2024 paper at ELTE Law (“A compliance-program adatkezelése” / “The Data Processing of Compliance Programmes”), this creates an issue around internal controls:

“when, in the course of the administration of records, an audit or an investigation, the compliance officer identifies a need for personal data processing, the DPO should monitor and control this […] [T]he compliance function will leave the role of the control function and become a business function; while the control function will be exercised by the DPO. If the same department or, in the case of a smaller company, perhaps the same employee, has to wear these two ‘hats’ at the same time, it is almost certain that one of these aspects will be compromised.” (p.9, translated from Hungarian)

This year has already been rich in pertinent enforcement actions:

• In March, in a cross-border case from Norway-Denmark-Sweden, the Norwegian regulator found it problematic that the DPO did not report to the highest management level, and that their tasks were mixed with those of a corporate lawyer.
• In May, Toyota Bank Polska S.A. was fined € 132,000, which at least partially had to do with their DPO being buried in their IT department, at subject matter expert-level.

Two Belgian cases, from 2020 and 2021—both of which resulted in fines by the national regulator (ADP)—also warrant a mention:

• The case of Proximus SA, where the DPO was also head of the compliance and audit department (fine: €50,000)
• And of a bank whose DPO headed up three other departments: Operational Risk Management, Information Risk Management, and the Special Investigation Unit (fine: €75,000)

What is the Way Out?

The obvious one is simple: a DPO function that does not dabble in anything else, and reports directly to the Chairperson (/CEO &c.) If resources do not allow this, or if the organisation is so keen to utilise the DPO’s transferable skills that it is willing to compromise on to-the-letter GDPR compliance, this might not be completely unfeasible. The key to this, is to remove the DPO—ideally through preventative controls—from situations in which they would oversee data processing on behalf of the controller (=the conflict of interest).

If you’re looking for inspiration (and you understand GDPR Danish), a recent podcast by the Danish Data Protection Agency (Datatilsynet) provides some worthwhile food for thought. I also have a few thoughts of my own to share after the summer break—including why you should care even if you do not see regulatory enforcement as an imminent risk. Hope to see you back here then.

I’m writing this post on 5 June—Grundlovsdag (Constitution Day) in Denmark, which marks the monarchy’s transition from absolute to constitutional. (I’m only publishing it the following Tuesday to comply with the blog’s—so strict you could call it cogens—naming principle.) Grundlovsdag is a celebration of consitutionalism and civic values, which I ‘d like to honour with a post about privacy—not just as “data protection”—but as a reflection of human dignity and the quality of democracy.

I think that there are few more important issues than politics. At the same time, the standard of what passes as “communication” in the political domain has dipped very low in many countries—with its sole purpose often limited to dominating the momentary agenda by eliciting an emotional reaction, and in no way relaying argument, world view, or policy. That’s why these days I don’t really comment on political messages, other than to my closest family or friends. For the case described in this post, I make an exception, because I think the story serves as a commentary on why privacy is, in essence, a fundamental rights issue—not “just” data protection.

The case itself unfolded a few weeks ago—and I’ve been holding off on posting on it because I had no intention of getting caught up in the ensuing political “debate”. I won’t name the (EU) country either, because I believe it could have happened anywhere—although as a true blue comparativist I would also hope that the reaction and institutional consequences would vary from one legislation to another.

What happened?

A retired army lieutenant colonel (I’ll refer to him as “Colonel Gustave”) wrote a letter to a fellow army veteran and up-and-coming opposition politician (“General Mustafa”), expressing his support for him as a person, and for his ambitions. This letter would subsequently be published on social media by the leader of General Mustafa’s party. So far—politics. But the interesting turn of events, to me, came when the Ministry of Defence (MOD) weighed in by issuing a disparaging statement of the party leader, in which they characterised Colonel Gustave as “a retiree of 14 years battling addictions.”

Enter GDPR

Following the social media spat, the head of the Data Protection Authority (DPA) made a statement to the press to the effect that information concerning one’s addictions belongs to a special category of personal data, which warrants special protection under the GDPR.

The DPA is right, of course—and I also think thart there’s much more to this. In GDPR terms, I can conceive of two—equally concerning—transgressions: (1) a breach of the principle of accuracy, or (2) a breach of the purpose limitation principle, and ultimately, of confidentiality (also: a data breach).

1. If the assertion about Gustave’s alleged addictions was factually untrue, as Gustave himself would later comment, then the MOD, Gustave’s former employer, had published (special category) personal data about him that were inaccurate.
2. If, on the other hand, the information about Gustave’s addictions was true and someone in the administration had learned about them in a work context (e.g., human resources, Gustave’s manager, or a colleague), then this someone would then have had to communicate it to others, so that at the end of the telephone game—likely also through a chain of in-house sign-offs—it would finally end up at the MOD press department for publication. As the original purpose of processing for these data (assuming that processing was legal in the first place) would clearly not have been publication and commentary, the person or persons perpetrating this on behalf of the MOD would clearly have violated the GDPR’s purpose limitation and confidentiality principles—likely also committing one, or several data breaches along the way.

While a data protection type might be content with establishing either of these scenarios, or a third one, as what happened—alongside what needs to be done to course-correct and risk-mitigate (possibly also sanction)—I don’t think the issue stops here. I imagine that most observers would agree that a line was crossed. In my opnion, it was not a line representing a technicality, but a universal moral principle.

Because what also took place alongside the violation of Colonel Gustave’s privacy was a violation of his human dignity—the detail that this violation was effected through his personal data is almost circumstantial. But to seek legal remedy for a violation of human dignity—whether through a libel case, or otherwise—is, even in the strongest of judicial systems, complicated, time-consuming, and uncertain. Not to mention potentially highly invasive to one’s privacy, or the implications—in at least certain some parts of the world—if the defendant is a government ministry.

And this, I believe, speaks to the genius of the GDPR. Incidentally, some of the people with whom I do discuss politics strongly believe that the GDPR is the opposite of genius. “Complicated,” “ineffective,” and “dream world” are just some of the characterisations that have been thrown around. Maybe there is truth to them. But the genius of the GDPR doesn’t come from it being a perfect piece of work altogether (no masterpieces are)—it comes from the ease with which it breaks down the complexity of the modern world, and of one of its incredibly important spaces: the online public sphere, for purposes of analysis and enforcement.

The genius of the GDPR lies in that it provides simple and effective tools to investigate, and to remedy, or—to borrow an important term from the social sciences—to operationalise the fundamental rights issue at play here. Whether and how the DPA makes use of these tools will by no means be a reflection on the GDPR, or the principles on which it stands.

Growing up, I wanted to be a detective, thanks mostly to the “little grey cells” of Hercule Poirot. While I enjoyed (some of) Christie’s books, my all-time favorite version of Poirot was the ITV series, in which David Suchet prolifically portrays the famous Belgian as a bundle of contradictions—at once earnest and playful, ironic and self-important, and dedicated to the good cause and—as an almost antithesis of the Streaming Era that came after—conservative, judgmental, and at times downright homophobic. But forgive the detour.

“We are not the in-house police”—and variations on this assertion, is something I come across frequently in Compliance manifestos, often with an apologetic or self-deprecating undertone. I’ll admit that I’ve also resorted to using it myself, because I find it to be a good way of breaking the ice, and of concisely relaying the message that Compliance is here as a business partner, not to breathe down your neck. It can also be a playful way of distancing oneself from any post-traumatic stress the business might be harbouring from compliance officers who came before, and who may have conceived of their own role as policing-adjacent. (Based on my own experience, which is in no way representative, such individuals are far more likely to have come from an old-fashioned, “rules-based” (rather than a risk-based or human-centred) school of legal or compliance thought, than from a law enforcement background).

But if we take a step back from personal traumas, what’s so bad about comparing Compliance to the police?

To take a source close at hand, the Danish Ministry of Justice (Justitsministeriet) defines the role of the police as “maintaining security, peace, and order – to exercise control over the observation of laws, and to step in against violations of the law through investigation and persecution. The police also carry out administrative tasks…” [Own translation and emphasis.]

This four-pronged definition lends itself neatly to a juxtaposition with the role of Compliance in a corporate setting. According to some of the most widely-recognised compliance standards, such as the COSO Framework, or the ISO/IAC 27001 Information Security Management Standard, the most important role of internal controls, is prevention, detection, and correction.

Exercising Control = Prevention

Unless you were brought up in a police state, or you regularly engage in criminal activity, this should probably be one of the first images that come to mind when you think about the police force. You may come across police officers at large public events, during visits of foreign officials, or campaigns at your local community centre, or school.

The preventative work done by the police (alongside other government agencies) is as fundamental to the governance of the state as preventative controls are to the governance of a corporation. Think annual ethics & compliance training, ad-hoc campaigns or messages on the corporate intranet, information sessions, or roadshows with management &c.

Investigation = Detection

If you like detective stories, like I do, this is your cup of tea. In fiction, it’s almost always a gruesome murder or other violent crime—a trope my family will hear me complain about all too many times. I for one find an elaborate “heist”, fraud, or conspiracy to overthrow the president, much more enthralling and intellectually stimulating than the slaughter of a fellow human, where the investigation will all too often be reduced to the question of “who dunnit.”

In corporate compliance, the crime—or, the “wrongdoing” if it happens to fall short of criminal, or if we don’t yet know if it does—is very rarely violent; however, the methods of detection, the most important of which is the internal investigation, are comparable to the investigative methods of the police. Both are, in essence, an exercise in research design and methodology, rigorously executed in pursuit of “the truth”—and ultimately, of a person or persons responsible.

Persecution = Correction

For both Compliance and the police, corrective measures will—at least partially—involve other actors with higher levels of authority: the CEO or Board of Directors; or a judge or jury. It is these actors that will ultimately decide the necessary corrective measures, whether they be sanctions against individuals, or organisations.

An interesting and relatively recent phenonemon from the crossroads of international and criminal law warrants a brief side-bar here: corporate criminal liability. This is when a corporation can be “punished” (fined), “jailed” (suspended its operation), or “executed” (closed down) for certain criminal acts perpetrated by its directors. But hopefully more on this in an upcoming post.

Administrative tasks…

Arguably one of the common threads across law enforcement (indeed almost any bureaucratic office), and corporate compliance offices, is the vast amount of daily administration. Think various records, returns or disclosures, interest declarations, gift reports, or the incredible paper trail created by an internal investigation or compliance audit.

But none of the above are intended to be an exercise in idle bureaucracy. In fact, their purpose cuts right to the core of the compliance ethos: to document the right and the wrong, and to do so with a level of rigour that, if push comes to shove, will withstand the scrutiny of a regulator, or stand up in a court of law.
It’s evidence—not pencil pushing.

So is Compliance the police after all?

Of course not. But perhaps preventing, detecting, and correcting the wrong thing in a corporation is not all that dissimilar from preventing, detecting, and correcting the consequences of crime. And perhaps Compliance shouldn’t be put in a position of apology for doing their job, or cornered into defending themselves as “not the police”.

So—in case you do harbour an aversion of the police—maybe a question to ask yourself instead is where does this aversion come from. And once you have the answer, you could talk it through with your compliance officer: they might even have something thoughtful to offer.

“I was in Lowy, a small village in the east of the country which had been home to my ancestors many generations back—until finally my great grandfather, who had worked there as a school teacher, moved away with his wife and two children (one of them being my paternal grandfather).  It was sometime in the late 1930s that they moved to the elegant Calvinist town of Krest, not far from Lowy.  Other family—including my great grandfather’s six siblings and about three dozen cousins—remained, with many of their descendants continuing to live there to this day.

Lowy tends to impress upon me something about our contemporary society […]: that we do many things.  The fact is that when in Lowy, I do very few.  Admiring this photo was one.

It was a photo which I had not seen before—of my grandfather, his older brother and their parents, taken in the mid-1930s.  As I could tell from the logotype on the back, it had been taken in one of the major cities in the east of the country—these days maybe an hour’s drive from Lowy on the motorway.  In the ‘30s, taking the journey not owning a car, as the family surely did not, would have meant combining an extensive walk with a long train ride—I do not know how long.  They would likely have spent the day in town, and probably stayed the night.  And, judging from the clothes on the children, it does not seem like they would have casually popped into the photographer’s studio.  It must have been (part of) their reason for going.

The back of the photo also gives some explanation as to (one of) the possible motivations for having it taken.  It was printed on a postcard, on which my great grandfather had written a short, affectionate message to a distant cousin who was then living in the capital.  Apparently, back then, this was how they would send each other photos.

[…]

My family, had they harnessed mobile technology to send the photo and short message, would have arguably made much less of the experience.  For one thing, I would never have learnt of their kind gesture some 80 years later; but, that aside, it is unnecessary to compare the different layers of emotions brought on by receiving a personal photo-post-card with a few hand-written lines in the snail mail, to that of receiving the same information through Messenger.  (Whether my grandfather would have enjoyed parading around town for a day in what looks like little girls’ clothes, to please a distant relative, may be a more mysterious question, albeit the blank look on baby granddad’s face does reveal a possible answer.)

[…]

Musing over this, I realized why I enjoyed writing messages on my grandfather’s vintage Erika typewriter.  Not simply because I thought it was worth the tendinitis that the neatly-disorderly script it produces is so easy on the eye

(Appallingly, it does not.)

The reason I am so fond of typing with the Erika is the same reason why I am impressed by the messaging […] as done by my late relatives.  I am drawn to them not by the efficiency or beauty of their medium, but by their earnest, playful or heroic ways of overcoming its inefficiency.”