Evidence of meeting #64 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was gdpr.

A recording is available from Parliament.

Also speaking

Giovanni Buttarelli, Supervisor, European Data Protection Supervisor

1:10 p.m.

NDP

Daniel Blaikie NDP Elmwood—Transcona, MB

I am just seeking information about the GDPR with regard to algorithmic decision-making and the extent to which, if at all, the GDPR speaks about transparency in cases where decision-making processes are handed off to algorithms. Does the GDPR contain or foresee any rights for people to have a sense of how those algorithms work and how those decisions are made once it goes inside the black box, so to speak?

1:10 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

There are two approaches in the GDPR. The first one, which I already mentioned, relates to the right not to be subject to certain decisions unless there are safeguards. The second approach relates to transparency, and here we have a lot of novelties. This is an area where data options....will be equipped with more transparent, intelligible, concise, and easily accessible information and forms. There is a clear need to use plain language. Here we have another area where children are considered in terms of transparency—I forgot to mention this earlier.

These articles on transparency do not relate specifically to processing modalities, but by reading them in a global approach, you will understand that in the case of certain processing modalities that you mentioned, transparency should be reinforced and be effective in practice. This is largely for guidance by DP. There are some provisions concerning machine-readable icons and standardized icons, but I doubt they relate to the case you mentioned.

1:10 p.m.

NDP

Daniel Blaikie NDP Elmwood—Transcona, MB

Thank you very much.

1:10 p.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you, Mr. Blaikie.

Now we just have a few minutes of open time for members who haven't had a chance yet.

Monsieur Dubourg, if you would like to ask your questions, the floor is yours, sir.

1:10 p.m.

Liberal

Emmanuel Dubourg Liberal Bourassa, QC

Thank you, Mr. Chair.

[In Italian] Good afternoon, Mr. Buttarelli.

I heard you right at the start. I know that you speak French. I just wanted to ask you a question or two about the general regulations on data protection.

Is that okay with you? Can I continue?

1:15 p.m.

Supervisor, European Data Protection Supervisor

1:15 p.m.

Liberal

Emmanuel Dubourg Liberal Bourassa, QC

Okay.

Thank you.

I would like to ask you some questions about the powers. Here, as you are well aware—through your discussions with Mr. Therrien, among others—academia and the general public agree with giving more powers to the Privacy Commissioner, whereas businesses talk more about collaboration.

We know that, over there, you have those powers, even the power to impose fines. We saw that, in Italy, your native country, WhatsApp was fined $4.5 million.

Tell us how those powers are a deterrent in a situation of this kind. Or do you think that we should keep collaborating with companies instead of imposing penalties?

1:15 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

The two approaches are not opposite. Accountability is the right approach we request, and it doesn't mean that you should simply respect the law. We are asking now more, and let me speak for a second as a member of the judiciary, as I am.

Being in front of a court case where we may discuss to what extent the controller has been proactive, I would consider in a better way the case where he made mistakes but has been very operational. The question is not to have an emphasis on every kind of even minor mistake. I would like to see the big picture, but I would welcome the approach they recommended to you. We need a dissuasive approach.

Let me say that we are now bombarded from everywhere in the world, and if I am in Silicon Valley or in Africa or in South America, the first question is the same everywhere. What about fines?

We know that they are very serious.

I would now advise the legislators to clarify the interlink between administrative fines and penal law. This is another area. We have to clarify the so-called non bis in idem principle: are we going to apply fines in all countries with regard to the same controller? In adopting the criteria to decide if a fine is to be applied, we have to consider the remedies considered by the subject, that is, whether he has been fair and dynamic in approaching a security breach, informing people after a violation, and reducing the kinds of damages. All in all, data protection costs a lot, and every effort is to be considered when taking a decision.

So this is why I talk and I would defend this approach, a system where fines are to be applied where necessary, but not necessarily in every case. I'm not a lover of the Spanish approach. We call it tot capita, tot sententiae. If there is even a minor breach, there is no appeal, and unavoidably, the sanction is to be applied.

Let's look to the picture because otherwise we risk having fines considered as a budget line, and this leads also to an amount of fines because we need to graduate, we need to consider the position of small and medium enterprises, and we need to carefully consider the criteria in terms of the seriousness of the breach, the implications of a larger-scale approach. We cannot treat every breach in a single way. So we need a very dynamic approach where we use the carrot and the stick.

1:20 p.m.

Liberal

Emmanuel Dubourg Liberal Bourassa, QC

I would like to ask you one final question.

You talked about the big picture. However, what has to be done to assess the situation in terms of imposing those penalties? For example, do we have to start by establishing negligence, or do we go extremes and prove that something was illegal? How do we resolve that situation?

1:20 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

If you'll give me 20 seconds to open article 83, I think this is one of the lucky provisions where we have no excuse because we have all the opportunities to consider. I'm quoting now the relevant paragraphs:

(a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;

Another important point relates to the degree of co-operation with the supervisory authority to mitigate the possible nefarious effect. How many data subjects have been involved? What about the categories of personal data or data subjects involved? How has a data controller been proactive in approaching the supervisory authority to confess the breach? How do they notify them of the infringement? Are they following codes of conduct? Do they consider other circumstances, for instance financial benefits they got from the infringement?

All these criteria can be applied to four categories of breaches. We cannot treat every breach in a single way. In addition to the criteria I've just mentioned, we should also consider the seriousness of different violations so we are reasonable, we are credible. Otherwise, people would not understand.

We need to avoid a system whereby the fines are simply a budget line item for a big corporation. We need to increase the amount of fines where and when dispensable, but in the end we need to consider the amount of money and the energy that the controller, in the process, has spent on the case.

1:20 p.m.

Liberal

Emmanuel Dubourg Liberal Bourassa, QC

[In Italian] Thank you very much, Mr. Buttarelli.

1:20 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

Oh. Your Italian is better than my French.

1:20 p.m.

Liberal

Emmanuel Dubourg Liberal Bourassa, QC

[In Italian] No, no, it's one word a day.

1:20 p.m.

Conservative

The Chair Conservative Blaine Calkins

Thank you very much, colleagues.

That pretty much exhausts the questions we have for you, Mr. Buttarelli. We want to extend our sincere appreciation for your making the time and effort to discuss this with us. As a committee we want to make sure that we get our recommendations to the government right when it comes to changing our laws here and making sure that we comply with any agreements that we need to honour as well. Your help has been indispensable. We thank you very much for your time. We trust that you'll remain available should we have any further questions.

1:20 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

Yes, we will. As I said, I'm very honoured. Tomorrow we'll appear before the Senate of this country. I hope to have the same kind of qualified audience as I noted today.

Needless to say, my office and I remain available for any specification in this case to provide accompanying documents and to satisfy any kind of curiosity as much as possible.

Thank you very much for your attention. Let me stress the high level of awareness and competence. I have long-term experience with politicians. This is not the case, so Chapeau!

1:20 p.m.

Conservative

The Chair Conservative Blaine Calkins

You're very kind. We appreciate that feedback, and we thank you again for your time. Hopefully, we'll keep our channels of communication open as we move forward.

1:25 p.m.

Supervisor, European Data Protection Supervisor

Giovanni Buttarelli

Thank you. Have a good day.

1:25 p.m.

Conservative

The Chair Conservative Blaine Calkins

You as well.

Colleagues, we're going to suspend the meeting for a few minutes. There are some in camera items that we need to discuss with regard to some committee business.

For those people in the room who can be here, please stay; for those who can't, please exit as quickly as possible. Thank you.

[Proceedings continue in camera]