The Future of Europe and Turkey through Education: Understanding how GDPR works

Understanding how GDPR works

The European Neighbourhood Council (ENC), in cooperation with the Friedrich Naumann Foundation (FNF) Turkey and the Delegation of the European Union (EU) to Turkey kicked off its new project titled “The Future of Europe & Turkey Through Education”. The online training programme builds on identified best practises of the Turkey Training and Lecture Programme 2018-2020 (TTP) and it covers the following topics: privacydisinformationmedia freedom and fundraising.

The four online sessions, which began on the 26th November, bring together a group of around 40 opinion shapers composed of members of Civil Society organisations (CSO), journalists/bloggers, students and academics across Turkey.

The second training, dedicated to Understanding how GDPR works, featured the insights of Dr. Dariusz Kloza, Researcher and founding member of the Brussels Laboratory for Data Protection and Privacy Impact Assessments at VUB, and Dr. Mihalis Kritikos, Policy Analyst and Legal Advisor at the Scientific Foresight Unit (STOA) of the European Parliament Research Service (EPRS).

Dr. Dariusz Kloza started by describing the concept of privacy and why it is important. As an example, he questioned the relevance of the way Airlines can see plane tickets, which show not only details of the flight (name, cities, time), but also the meal a person ordered and its credit card details, in order to know if there is something abnormal, which can result in a travel ban. The concept of privacy is now split into 8 categories (bodily, spatial, communicational, proprietary, intellectual, decisional, associational, and behavioral privacy), with another category overlapping with all of them: informational privacy.

Dr. Kloza listed the different ways of protecting privacy, citing legal regulations, extra-legal means (as social norms or economic tools), organization (privacy by design), using privacy-enhancing technologies (anonymization, cryptography), and changing behaviors (non-participation, non or selective disclosure).

In Europe, Dr. Kloza highlighted three levels of privacy protection. First, there is the Council of Europe, which recognizes the right to privacy at the family/home level which is in line with the European Convention on Human Rights. Secondly, at the European Union level member states recognise two separate rights: privacy and data protection. On top of that, the EU introduced the role of Data Protection Officer, who oversees how data is being processed. Finally, privacy is protected at the national level as well, specifically under the constitution of each member state.

capt2 (2)

Dr. Mihalis Kritikos first explained the role of the EPRS, which receives requests from Members of the European Parliament to perform studies on technology issues and translate technological developments into legal and ethical questions. He then analyzed a study on how GDPR fits with the concept of scientific research.

Scientific research is considered a special category of data processing, that is subject to the safeguards existing in Art. 89 of GDPR, stating that the processing of data for research, archiving or statistical purposes should be considered as compatible and lawful. Furthermore, GDPR allow Member States to implement this scientific exception into national law as well. However, it also imposes upon data processors and controllers a positive obligation to respect all rights and freedom of data subjects when relying on research exceptions, as well as it ensures the principle of data minimization and anonymization or pseudonymization of data to prevent the use of personal identifiers.

Findings of the study reveal several concerns related to the scientific exception, such as the very broad definition of scientific research, allowing commercial scientific research or private research companies to rely on the Art. 89 even when conducting non-scientific research or the fact that true anonymization of personal data is still unsure. There are also concerns on the transfer of data outside the EU and the conditions under which EU researchers can share data with US research institutes.

Finally, Dr. Kritikos explained 3 options to better prepared European research institutions to become GDPR compliant: regulatory (reconcile requirement for consent with the need for scientific research, clarify the exceptions of Art. 89), procedural (develop researcher-friendly software tools for compliance), and capacity-building for country that lacks the GDPR framework (raising awareness, data protection interventions).

capt3-_1_ (1)

The next online training will take place on the 4th of December and will cover the topic of transparency and investigative journalism.