It looks as if Silicon Valley giants and the European Union are converging on the same general notion of No Trust, No Digital Single Market. Which means it is now up to the Data Protection Officers to decide which side they want to be on. Will they continue to service their superiors’ interests as ‘Advisors’, or will they join the ranks of the ‘Custodians’?
As a Data Protection Officer (DPO), is it your primary job to look for ways to minimise the impact the GDPR has on your organisation? Or did the European legislator have a different task in mind when he specified the function? Currently, there seem to be two different directions in the way the role is being performed. There are the Advisors and there are the Custodians.
Advisors are the DPOs who view it as their key responsibility to keep things going along as smoothly as possible and to look for ways to minimise the impact the GDPR has on their employer’s or client’s organisation. These are the pragmatists who sometimes, consciously or not, subscribe to the idea of the ‘self-regulating business’ and justify the compromises they make by pointing out that most data subjects don’t even understand what it is they are consenting to in the first place. In doing so, they conjure up echoes of the time when the right to vote was an elite prerogative, held by the lucky few.
DPOs in the second camp view themselves as independently operating data protection specialists. They are the gatekeepers, seeing it as their task, instructed by the European legislator and based on the GDPR, to make sure that the processing of the data subject’s personal data takes place in the best possible way. And if this is not the case, they will not hesitate to confront the ‘highest-ranking executive’ of the organisation they are working for, painting a very clear picture of the possible (personal) consequences of inappropriate action when it comes to processing these personal data.
This is exactly what the legislator had in mind when considering the importance of the emergence of the Digital Single Market and how its success depends on citizens’ trust in the lawful processing of their personal data.
Until recently, I would have suggested that Europe is firmly in the Custodian camp, while the United States tend to take the Advisor position. Until recently, because on Friday, February 15 of this year, I came across an article in the Dutch newspaper Het Financieele Dagblad written by Klaas Broekhuizen, who argues that for big-tech companies trust is the new great distinguisher. It is, literally, all about trust:
‘No matter how perfect your technology may be, no matter how good your product may look, you still will be nowhere without your customers’ trust, without your suppliers’ trust and without the trust of the authorities. This is the lesson finally taken to heart by the big-tech companies as well – the Silicon Valley giants.’
What does this mean for us DPOs?
Ever since the 2018 ‘Cambridge Analytica’ disaster and other incidents like it, big-tech companies appear to have understood the importance of a certain degree of ‘Corporate Social Responsibility’. Either that, or they have gradually come to appreciate the GDPR for its basic merits and its intended effects. Because unless consumers can trust the way their personal data are being processed, the Digital Single (Global) Market is simply not going to happen, not for the big-tech industry either. And unless it does, the big-tech giants will not reap the benefits of additional growth.
This means two things. First, it appears that the Silicon Valley giants have joined the European Union in believing that trust is the essential precondition for the emergence of the Digital Single Market. Second, and perhaps more importantly, Data Protection Officers are now faced with a crucial choice. They will have to choose sides. Either they continue to think short-term and stay in the Advisor camp, or they start thinking long-term and join the ranks of the Custodians.
Marc Vrijhof LLM CTTP CIPP/E