Evangelos Ouzounis is the Head of the Unit at ENISA.
From your point of view, what are the priority challenges for data protection in the years to come?
Since the reform of the data protection rules in 2018, we have witnessed a fast evolution of technologies, processing patterns and threats. From traditional in-house processing and databases we have gradually switched to cloud services and third-party processing, connected devices and Industry 4.0. As Europe we are currently discussing edge computing, artificial intelligence and EU data spaces. The policy initiatives have also progressed in the meantime. Since 2016, with the adoption of the NIS Directive, which was the first EU-wide cybersecurity law, a number of technological and cybersecurity legal instruments have been proposed and have either been adopted or are currently with the co-legislators.
So, we are now facing a multifaceted challenge: on the one hand, to capitalise on and transition the experience, expertise and good practices of personal data protection to emerging domains and technologies, and on the other hand, to address the requirements of Union policy and law while supporting organisations to meet regulatory requirements and obligations.
The challenge in the years to come is to maintain the level of protection that the General Data Protection Regulation (GDPR) put in place in 2018 while continuing to identify and address, in a timely manner, the challenges and opportunities new technologies pose. Towards that direction, ENISA is actively analysing cybersecurity aspects of privacy and data protection following an engineering approach. Indicatively, some publications in the area include pseudonymisation techniques, personal data sharing and security measures for personal data protection.
How important is international cooperation to address these challenges and ensure data protection and privacy?
As the EU we succeeded in setting the pace with the GDPR on personal data protection at a global level. This is manifested not only by the impact the regulation still has today outside the EU but also through the adequacy decisions already in place. But, similar to cybersecurity, (personal) data flows extend beyond the EU, and an incident is more than likely to have a cross-border impact. To be able to address it in a timely and adequate manner, we need to ensure not only a high but also a consistent level of data protection.
As already envisioned by the co-legislators, the GDPR, under Art. 50, emphasises the importance of international cooperation to facilitate effective enforcement, actively pursue mutual assistance at the international level and promote the exchange and documentation of personal data protection legislation and practices. Through coordinated international cooperation, a consistent level of personal data protection can be translated into common approaches on guidelines and enforcement.
In November 2021, ENISA published its first International Strategy to prioritise how the Agency can contribute to the Union’s efforts to cooperate with third countries and international organisations as well as within relevant international cooperation frameworks to promote international cooperation on issues related to cybersecurity.
Do you observe fundamental changes and evolutions in the domain of personal data protection and its perception?
From the engineering point of view, we notice a convergence of deploying cybersecurity technologies and techniques that can also address specific GDPR data protection principles. This does not come as a surprise since, under the GDPR, security is a principle and an obligation for all entities that process personal data. For example, we observe an increasing use of privacy-enhancing technologies (PETs), such as encryption and pseudonymisation, to protect personal data.
ENISA has been engaging with research, academia and regulators to provide analyses and guidelines on such measures and techniques in the area of privacy and data protection, in addition to specific Union law, such as the NIS Directive and the eIDAS Regulation. The challenge we see ahead is to make these instruments work together and make the best possible use of the available legal provisions by deploying adequate and appropriate technical and organisational measures based on a security and data protection by design approach.
In order to better address this challenge, the Agency has also focused on strengthening cooperation with national data protection authorities, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS). By having a good understanding of the goals that each one is pursuing, we can better identify synergies, avoid overlaps and promote the results to a broader and more diverse audience. This is the case, for example, with the recently signed Memorandum of Understanding (MoU) between the EDPS and ENISA. It aims to promote a joint approach to cybersecurity aspects of data protection, as well as the adoption of privacy-enhancing technologies and the strengthening of the capacities and skills of the institutions, bodies, offices and agencies of the Union.
Why are conferences such as the Privacy Symposium important, and how can they support data protection?
We consider that events like the Privacy Symposium play an important role in bringing together stakeholders, promoting the exchange of good practices and exchanging views on emerging areas that need to be addressed. They also help in establishing and broadening communities of practitioners that face similar challenges and are interested in identifying novel approaches. ENISA has also been committed in that regard through the organisation of the Annual Privacy Forum (APF), which is established as a yearly opportunity to bring together the various actors playing a role in the privacy debate: industry, universities and research institutes, regulatory bodies and professionals.
Would you have any advice or recommendation to share with data protection professionals and/or data subjects?
We are past the point where “On the Internet, nobody knows you’re a dog”, based on P. Steiner’s cartoon drawn in 1993. Our online presence and dependence on online services have drastically increased, and it is essential to embrace a more proactive and inclusive approach. Not only do we need to stay up to date with emerging threats and the technological state of the art, but we also need to evolve the perception that personal data protection is a standalone element.
As the EU we are taking steps in this direction by addressing personal data protection as an indispensable component of cybersecurity policy initiatives. The recently adopted NIS 2 Directive and the Cyber Resilience Act proposal aim to enhance cybersecurity and cyber resilience while fostering the protection of personal data. Provisions such as the reporting of cybersecurity incidents, vulnerability disclosure and certification strengthen the level of protection in a number of sectors and products. By ensuring that appropriate safeguards are deployed and mandating the application of by-design and by-default principles, we achieve a high level of protection both in terms of cybersecurity and personal data.