Supporting the life of the DPO was the underlying intention of the first DPO study day organized by the Flemish Supervisory Commission (VTC) in late November. Although DPOs and supervisors have different tasks under the General Data Protection Regulation, they share a common goal: safeguarding citizens’ data protection. Almost five years after the establishment of the Flemish Supervisory Commission, it was therefore high time for knowledge sharing and consultation.
A central theme that came under the spotlight was the question of under what conditions government agencies may process citizens’ personal data. This topic was expected to be discussed, given the VTC’s important advisory role in the context of new Flemish legislation on personal data.
The VTC assesses whether such legislation provides sufficient protection for the data being processed. With this advice, the VTC helps protect citizens from a government that looks too much like “Big Brother.” The DPO also faces these regulatory frameworks, as they are confronted with the effective processing operations contained in the regulations.
Through the lecture by Prof. Dr. Franky Schram, attendees gained a better understanding of ‘public interest tasks’ and their relationship to processing based on a statutory task.
A theme not to be missed at this seminar was whether it is ‘ok’ for a Flemish (government) institution to store personal data in a non-European cloud. That question seems outdated, as the Flemish Government published its Cloud Strategy in February 2019, a month before the VTC was established.
Put briefly and translated into practice, it puts the use of U.S. cloud infrastructure in first place. During the study day, the VTC did attach some important points of caution to this. The first important point of attention is the technical and organizational measures provided by the provider of such an environment.
It is common knowledge that cloud environments are very well equipped with the most modern security techniques. However, it is still common to charge extra for these security measures. All too often, the VTC sees these “security options” being economized on when a cloud environment is purchased.
But there are other concerns.
Consider the government’s dependence on, in practice, not even a handful of companies (Microsoft, Google, Amazon). This dependency, also known as “vendor lock-in,” can mean that the dependency between customer and vendor becomes so great that moving the services to another vendor later is impossible.
A marriage for life, in other words. This can become problematic, for example, when the government no longer wishes to use non-European providers for geo-political reasons, to name just one problem.
The day’s mystery guest, Max Schrems, delved deeper into the issues. During his session, the privacy activist explored the cloud issue further by zooming in on U.S. regulations and practices regarding mass surveillance, among other things.
This is a practice in which the U.S. government eavesdrops on (non-U.S.) citizens for the sake of national security. According to his argument, a government’s choice to put citizens’ data in the hands of an American company is automatically a choice to expose its citizens to this kind of risk.
Techniques that governments use to combat this danger, if limited to risk assessments on paper (called Transfer Impact Assessments), have no effect at all and, according to him, are wasted effort. Only in-depth technical measures can make an effective contribution to reducing this risk.
Or, to put it in the words of Bert Gabriëls (who provided a happy note with a playful intervention): cloud means “cloud,” and clouds always leak.
The afternoon sessions featured DPOs speaking. Good practices were exchanged through workshops, and recommendations were given to the VTC. In preparation for his workshop, Prof. Marc Neyssen (VTC member) conducted a thorough study of all breaches reported to the VTC.
Among other things, he stressed the need for further translations of what should and should not be reported in the event of a breach. In addition, the government should communicate much more externally that it will never pay hackers who demand ransom.
In his workshop, he also referred to the relationship with suppliers and the questionnaire the VTC plans to send to the boards about this.
Hilde Nys, DPO of, among others, the city of Mechelen, had prepared a Bingo! game for her workshop and exchanged experiences with those present about the job of DPO.
David Matthys from Hulpverleningszone Meetjesland / V-ICT-OR highlighted the more technical tasks. He stressed the importance of involving the entire organization in cybersecurity.
Finally, Koen Hostyn (DPO AHOVOKS / Vlaams Datanutsbedrijf) discussed the practice of Data Protection Impact Assessments. His conclusion is nicely summarized in a LinkedIn post.
A rich and successful ‘VTC meets DPO’ concluded with a nice chat at a subsequent reception. In any case, it was an ideal opportunity to bring supervisors and DPOs closer together.