So this is, this is a wonderful thing here to have you back on stage. And, you know, it gives some opportunity. So I always wear boring suits, but at least I can wear this suit. The first time I bought it right in March last year and or in February, and then the pandemic started, I even had it in the laundry before, because it was hanging for 18 or more months in my, my trunk. So it's really nice to be on stage again and pleasure to meet, meet you. And so a panel topic, which is about identity privacy security, the European perspective I think is, is, is a really interesting one.
And, and so what, what I'd like to do first is maybe that you start with a quick run is really a quick introduction of where you come from and how you're involved in this privacy identity, security scene. So 30 seconds or something, let's start with ya. Copa first.
Well, I've worked first for 20 years in banks, running identity, really large multi national banks. The last one was European investment bank. And when you work with identity in a bank, you always have the privacy legislation. So I follow that through, but today my job is I work for the European union and I am one of the people who work with SF lab, the self-sovereign identity lab for the European union, which they are building
Martin
That's Myro
Martin.
You,
My name is my St. I work for a brand new name, one welcome, which is the successor of IEL company, European company, specialized in customer identity. I'm in identity for a very long time. And we've been developing all kinds of capabilities that we deem require as a requirement for the European market.
And, and the question that came up with me was why do we build all these functionalities? What is the background behind it? So that was one of the reasons to participate here.
I'm PCA.
Yep. I'm J eing and I co-chair the Danish national cybersecurity council, which is a council consisting of half part of the private industry and another half part of the, the government various path ministries and education sector.
So it's across kind of cross government cross private sector council that delivers input to the, to the government links government for, for the upcoming national cybersecurity strategy.
Okay.
So as, as with all panels, we probably could spend endless time on the themes. So try always to keep them in the, for next questions answers relatively short, so we can cover a number of topics, but I wanna first split this into privacy and cybersecurity, because I think these are also of when you compare Europe and, and for instance, us, it's, it's really different in comparison.
And so, so whom do you see in front when it comes to the cybersecurity regulations and guidelines? So, so when you take the, the recent, you ask executive order number 14, 28 on briefing, the nation side security, this is quite ambitious.
So, so what is your take from a European perspective? Are we head to head or are we trailing B? Do you wanna start?
It's a good question. I think the, I think in Europe, we have a different culture in terms of looking at what identity is and safeguarding identities. And obviously also discussing the, the privacy question. Obviously the GDPR regulation has turned many things upside down in terms of, you know, what, what people saw that data were and, and start working with that.
And, and I think now we, what we start seeing now is, is all the discussion coming on security by design. It's a different approach than what I learned from, from the us, which, which is, is a different. Yeah. So I think we have some, some interesting opportunities in Europe using kind of the, the democratic background that we have in understanding of, of the individual and, and the right of the individual in terms of privacy.
Okay.
Yeah.
Well, I think we, of course, fully agree. There is the privacy consciousness here is much bigger than in the us, but also what we've seen is in the us, the us cloud act where the us government got a lot of authority to access data of citizens. And of course, we in here in Europe, not necessarily trust the us government. So when talking about civility, we talk about personal civility, but also in our region that we keep ownership of the things that we care about and that we cannot automatically be yeah. Subject to measures of the American government.
Well, there's an, that's understood that there's big difference between us and Europe, but I think an interesting part of this is privacy and security. They are linked to each other, but they're also counterproductive because security and I think PCA would know better than I do that. You need personal data and, and validating an entity that's about security, but at the same time, it exposes information.
And I think this is a paradox that will always be going on also in the legislation, of course, and, and to a certain degree, you, it's a balancing act what's reasonable and what would be the best risk based approach to deal with private
Data and while protecting it, isn't it, maybe that we, we as Europeans tend to go somewhere over the top here. So, so I just wanna bring up three, three examples. So in the state of Martin, Rottenberg in Germany, where we lift the data protection officer of the state has forbidden schools to use Microsoft office 365 in education.
So in fact, privacy is hindering yeah, the kids and school to learn things they will need later on. And so that would be one of the examples. The other thing is we have to deadline on September 27th for shifting to new contract losses after the end of privacy shield, which is not long, not far away anymore, it causes. And I think this is the challenge behind it. It causes extra effort and more critically, it causes a lot of uncertainty to businesses. Businesses really are lost in that struggle between the EU and the us.
And I think also during the pandemic, I think if you're realistic, we've learned a lot about the conflict and it's not easy to solve, and there's not simple answer in that, but there's a conflict between data protection, privacy and other don't need such as tracking infections. And when I look at, was it Germany, how much discussions we had about the, the COVID tracking app and privacy aspects. It was a little like, like you're discussing a couple of months with the fire, works about whether they should and under track circumstances, they should start the fire, stop the fire.
So, so what is your take on that? I think it's really not easy, but I think all of you have, have your thoughts about it. Maybe we do it that way around.
Yeah, super.
I think the, it will always be, as you say, it will always be a struggle between the, the privacy and, and the come forward and, and, and the ongoing digitization. But I also think it, it's a battle that we need to take. It's a discussion that is required because it, inside this room, in that this small space, it is so important to understand that we cannot just let go and, and leave some businesses to make all the decisions.
On the other hand, obviously we need to balance out the right of
Flexibility for, for, for developing and, and actually on, on Wednesday, I'm gonna talk a little bit about the, the, the Danish approach to the, the Corona app and, and the, the infection app and this work that we've done there. And, and there's some interesting, also internal in government and internal societies discussions on, should this be a privacy first discussion, or should that be with, with interesting data on, on, on such a thing? Yeah. We ended up just very briefly.
We ended up making a very strict decision on the, on the privacy and, and that had turned out to be the right choice.
Yeah. But maybe a challenge. And that was for the next ones to answer is, yeah.
Do, do we discuss it enough? Do we discuss it broadly enough? Or is there a little bit of a one-sided thing which is happening in, in U I'm? I'm just playing a little bit of the avocado here, here in some way, but I think it's worse to think about that as well. And the other thing is, do, do we look too much also from a, from a regulator perspective on, for bidding things, instead of fostering innovation, we have a
Ton of options. I think you look at the GDPR, it's literally written there.
It's about protection of data, personal data PII, but it's also about the free flow of information that's mentioned there. And those should, that should be done. That's one of the aims to do that in a safe and secure way, privacy friendly and what I have advocated a lot in companies where I worked all those risk managers, they all have their CIA rating, confidentiality, integrity, availability of data. Why not add a P to that? Making the CIA P rating there are rating their heads off all the time. They have all these reports, they're doing it anyway.
And of course you need an expensive legal guy to advise you in that. And of course, SMEs will never be able to hire that. So that's where the big problems are. But if you would do it in a more structured way and get experienced, it could become a bit more simple.
Yeah. If you have more than one legal guy, you unfortunately have more than one opinion.
Yeah, of course. They have two S one hand. And on the other hand, a legal guy with one hand,
Well, Martin, Martin, I, I tend to disagree that GDPR is a, is blocking innovation. It is harmonizing the rules in the European union. So it's making, we are moving from country specific rules to generic rules. Then we still have the rules per industry. Yeah. For example, here in Germany with B in UF, additional rules and regulations at the same time, we also see that it's not an end state. The UK government is currently working on allowing more, the usage of personal data for innovation.
They're also working as they are no longer part of the EU on adequacy agreement with the us, which basically means that if there is an adequacy agreement between the us and the UK, that the border will no longer be in the Atlantic ocean, but it will become the border in the north sea between because then implicitly there is an inadequacy between the continent and, and the UK. Yeah. So we are constantly working on it. And I think that a law like GDPR is helping us in with
These things. Yeah. I think it's a good point saying, you know, this is at least sort of a common base for Europe still.
You know, when I look at, we talked probably 10 years ago, or so at E C, we talked about life management platforms. When we look at a lot of things which can be done today around decentralized identity, there are many options where you can combine privacy with enabling businesses, but let's say the German government, they trust picked up a few months ago, the theme of decentralized identity. And I think they, they, they started with three or four competing initiatives, which might not be the most helpful thing, given that there's also a U initiative on that.
So that is what I mean with innovation. Don't, don't the states really drive that innovation. Yeah. Far too slow to, to say, okay. And there's a vision. There's something which, which really is not just cookie consent, but that's something which enables business and I've never, or rarely heard a little bit from the U, but outside of the U I, more or less rarely heard this from governments.
Well, there is European blockchain initiative where they really hands on, started to build a real infrastructure with hardware, blockchain nodes, a lot of APIs services really where you can as a company or as an innovator, as a university, as an NGO, you can hands on work on that. Self-sovereign identity is one of the pillars. And it's explicitly done also about governance and policies for, to make the government, the member states, plus it's all European member states, plus Lichtenstein and Norway to give them hands on experience, to really build something and create a defacto standards.
Because my fear in SSI and in this type of innovation is that like in the old world for identity, we get a fragmented and scattered landscape. And in order to prevent that they have made this really building that by themselves. And I think that's quite new that they're actually building a pan-European infrastructure and invite governments and private sector to work together there. And I that's really one of the things that we need that type of thinking.
I, I, I fully agree with that is the challenge in decentralized identity is not so much the technology, but it's the adoption. And if governments gather and they well enforce, maybe even the adoption, then it can be a success it's it is solving the problem of a two sided market and solving the, the, the cross side effect. And that is the challenge with decentralized identity. And if governments pick that up or banks pick that up,
Then it has
Push it. Yeah. That's what I learned. Do we drive innovation? Yeah. Sufficiently. Okay.
I think the Danish government made initiative more than 10 years ago on a national E I D that is now linked with the, and using D AI as a leverage for also building in for the businesses. So, and I think actually we just saw the outcome of all the IDAs work by the vaccine passport, because I think when you, as a German scans, myd passport actually works, which is a phenomenal achievement done in, I don't know, half a year. Yeah.
And, and imagining that that has been possible. So, you know, I would not be sitting here if it hasn't been for the initiatives that, that you're talking about that made,
But even better, we're bridging the with self-sovereign identity for the EU. And that's why the old and in new world have to come together. So you leverage the existing footprint with the innovation. And I think that's the best thing you can do
The big innovation journalist right now that you can take a photo of your E I D card. And if you have an NFC and hold a E I D card to the phone and have the photo, you can use it.
It only took 12 or 15 years since the introduction of the E I D card. Yeah.
So, yeah, but adoption. So I'm, I'm really, really, always glad to see how I think this is probably, maybe this is the point. There's a huge opportunity.
There's a, not only with decentralized identity, but I would say it's decentralized everything, which we can get under control, where we can share data, where we can assign contracts to data and identity and, and, and decide on how long is Martin the company serving allowed to see the data I share with him, things like that. We can do all that. We just need to drive it. Unfortunately we already, at the end of our panel, there are difference between the us and the U. And I think there are, there are good reasons for what, what Europeans are doing.
Notably a lot of the us speakers follow the same, same way, but maybe one last single sentence, or even single virtual recommendations from your end to the audience when looking at privacy, Martin.
Yeah.
Well, we have GDPR. And if you look at how that has been implemented, it's only so basic implemented consent is one of the key principles and that's hardly implemented. So I would recommend everybody to implement the things that we have and also for the authorities to enforce these things. Yeah. So that it really comes to life,
Little above one word, but fine.
Well to the authorities, I would recommend, or to anyone, if you don't know what to do with your life become a privacy legal guy, because there, there are thousands of them lacking to maintain adherence.
There's
No, there's a job for, for
Children management.
Okay. I think the, the upcoming, all the needs two regulation coming for, for all the businesses, aligning all that into, into this process, the cyber certification I think is, is a required thing.
And, and, and that goes into privacy. We need, we need that to, to, to get a, a grip around what, what is good cybersecurity solution. So there's a lot of things coming, and I think it's very positive.
So we have a lot, lot of innovation coming up. We need to engage both the Europeans and the privacy and the companies and end users.
Deriv, it cuts and use and the governance to really make this work. I believe it's an opportunity for the business. If you do it right, you can create, create new business models. Go back to our life management platform, write ups from 10 years ago. Thank you very much for taking the time to be here.