Session at the European Identity & Cloud Conference 2013
May 15, 2013 11:30
Enforce on a national level afterwards, this is some concept that will change drastically with the regulation. We have the situation that an adoption will not be necessary and it will be working right away all over Europe, which is of course the situation where you have a harmonization reached by law already. The good news. I wanna start with that before we come to the uneasy truth for, for the businesses. The good news is for that reason that we have a single set of rules.
We have finally a harmonization that really covers that word, which works throughout the EU, no need for local implementation, which took a long time. When we look back to the directive, which is in place now, and we have no need for the company in charge to really look into every country. We have mentioned that before today, a situation where you first need to go through the plenty existing jurisdictions makes you slow and makes things difficult to implement.
We have a one stop situation with a regulation to come up, which means that the data controller will have to notify only the data protection authority in the member state in which the company is seated. Right now, it's completely different. You don't even have to notify if you have a data protection officer in Germany, which is a specialty in a way, not saying that data protection officers wouldn't exist in other countries, but the understanding that we don't even have the space for notification due to the officer is pretty unique.
We will have the data protection officer in all the countries. Then after 250 employees, will that be an obligation for the company, from what we know by now to implement.
But again, there will be notifications still necessary, but those I can do with a one stop shop, I can go in my own language and notify. I will not have to go through long lasting strategical action and going through from authority to authority, communicate online, offline in the different languages in order to notify that takes a lot of time and we will get rid of that. So that will be the so-called good news. I have another one, the transfer of personal data and corporate binding rules. Isn't enforced the corporate binding rules.
We were mentioning it before, is one of the alternatives we are facing right now when it comes to international data flow. Of course we have the standard contractual clauses, which are working on a unique level, meaning that for every single application, for every single data flow, I will have to have a standard contractual clause between the parties where the data is moving.
But then again, for the US, at least we have the Safe Harbor in place where you globally, meaning that for all data flows, you can get a certification from the US side and then just receive the European data. But that's restricted geography here. The corporate binding rules have been discussed very early as an alternative for Safe Harbor, but they haven't really gotten up to pace. We have had some working papers in the last years, but still it's something that takes a lot of time.
There are some questions of competence between the authorities, the various authorities in Europe. So this is nothing that really would work on a broader level. There's very few companies that have succeeded in implementing corporate binding rules, but the corporate binding rules would work as globally as Safe Harbor, but not only for the US, which is a very big and important difference. And they wouldn't work as single-case oriented as the standard contractual clauses.
So theoretically the corporate binding rules are a very, very nice option for anyone who has a big international data flow. But then again, it's very hard to implement at the moment. So this is what the coming regulation wants to do. The regulation will make it licit to transfer data outside the EU if binding corporate rules are implemented; we don't have that written in a law yet. So that's nice to have, but then even more, the regulation would simplify the requirements for organizations that seek implementation.
So it's easier to get at the end and binding corporate rules. Having easier to get is to solve a problem, which is the international data flow, which is the core problem, or one of the core problems when it comes to the cloud services, when it comes to many of the questions we've already discussed today, of course, where there, there might be drawbacks because the easier it gets to receive an implementation of the corporate binding rules, the more likely of course is there, there is not much behind.
So again, as before, I think we are in the question of enforceability here, which is not addressed, which is putting a little trade on this particular good news of the pushing of binding corporate rules. Unfortunately, we are already arriving at the point where I have to talk about the uneasy truth. Sometimes we have some sparkling positive aspects in there, but we really do have 10 points that I found pretty worth just introducing in order to give a, a nice background for our following discussion first. And I think most important it's about consent as a general rule.
Any processing of personal data will require obtaining a specific and explicit consent, which will be an opt in, if the data protection regulation itself does not explicitly allow it. That's nothing new for most of us. Either you have the law allowing something, or you have the consent of a person, which is sometimes hard to receive if you wanna do it in a licit way, because to have some consent, some cross somewhere or some signature, maybe isn't always the deal, but to make it right, to have something valid, that's something that we're missing in many cases right now.
Unfortunately it's not really given any more information on what we should do in order to have a, a good, a worthy consent. So it's a bit the technique that I'm missing here, but then again, the European commission has pointed that below this regulation, there will be more down to earth description. Let's say some more information on how to use the new regulation and how to put it into place. So the consent is a core change.
The cloud providers, for example, will require customers to grant extensive permission and see practically in many cases, of course, people don't care for what their consent to, but if you want to do a true consent, I see that our service providers to stay in the example will have to raise their attention on how to ask for consent, because nothing is worse than to believe to have a consent and not having a consent.
Your business might be over from one day to the last, to, to the next or from one second to the next, if we are really heading towards a better enforcement and a better tracking from the side of the authorities. So if this is coming on the ground of that, then you better have a good consent because otherwise you may not use your data.
Even from a civil law perspective, you might own the data, but from a privacy perspective, you might be in the funny position to own it, but not be able to use it because the consent wasn't reached as it was supposed to be, the consent must specify the particular types of data, the specific purposes for which they may be used and, or the countries to which they may be disclosed. That's a lot, you sometimes even don't know what you will do with the data which we already have is a problem, of course, and still, you need to explain what are you going, what you're going to do with it.
And this is not supposed to be in a broad sense, but you need to be very specific. So it's all about being specific here. It's not somehow giving information that what might happen.
No, you need to be very specific on your needs and on your action. And on the geographic question, I think most of the, the corporate governance entities are pretty tasked by that they don't even, or you don't even sometimes know what kind of data you possess.
Now, you should not only know what you possess and what you may possess. Of course, you must explain what you're doing with it and what you plan on doing with it. And you should do it then of also otherwise the consent is very fragile as well. So the consent topic is I think a very important topic for the practical side of the outcomes of the regulations. Everyone, every company I work with must work on the consent structure, especially when, when you are a cloud provider, when you are providing services in the cloud, this is one of the most important needs to my understanding.
Then we have fines; we're discussing fines today already. We were discussing the 2% line of the global annual turnover of business. Also discuss the line of a million Euro, which is something that we really don't know if it will be coming; the 2% is something that seems to be rather, as far as we can say that state that already something rather, yeah, obviously that really to be coming.
So the national data protection authorities, noticeable, there is no international instance, but a national authority, which will take care of it, will, in case of severe data protection breaches, but only then, be able to impose those fines. The data breach notification, something we were already mentioning before. It's something that we were seeing first in the US environment.
And later on in some European countries; in Germany, for example, we do have that since a couple of years. It's only something that we have in few particular cases, for example, bank data or health information. And even then I've seen cases where this wasn't even enforced, even though the idea is that you have two breaches. If you don't notify, you have the breach itself, and then not notifying as the second breach. I've seen really in practice, working together with authorities, situations where neither the one nor the other was fined to get the link between the two points.
But there was other ways in finding an understanding that this shall not be happening again. So we are here again, as discussed before, in the gap between what's written in the law and what we find in real life with data breach notification. Now I see something coming up that really might be able to help us, because right now, also the authorities have to follow any request of investigation from a citizen or whoever it may be, but people don't know about it. Usually they don't know about it. At least with the notification stated in the law.
Again, we have something very understandable for the citizen. Something that you can read and everybody will know it. If your data gets lost or mistreated, then you have this right to notify, even if you're not part of a company, but a third party. So implement a breach notification process, enhance your incident management process, would be my advice. And it's also important to find out what's the detection and response capabilities.
Even if we're talking about 2016, I advise trying to breach to, to breach to now, then bring it to the authorities is really a big thing to do in practical, in real life. And then again, as discussed with Mr.
Liman before, it's of course the question if you wanna do it, or if you wanna do the math and find out if it's maybe clever or not to notify, which the regulation of course doesn't tell, but I think we will all be doing a lot of math in the future thinking if it's really worth it to notify now or not. Data protection by default and data protection by design is something else that's been in everybody's mouth in the last years; now it shall become part of the data protection regulation. Something that I rarely have seen in any regulation in Europe so far.
The proposed regulation on the other hand requires data controllers to only collect and retain personal data to the minimum extent, and like this, the default settings must be always the most privacy friendly. Imagine this; maybe Facebook thinks about that. I'm sorry to go on Facebook again, but it's a very good understanding of the situation, because it's a bit more difficult to provide privacy by default than at the first glance you might think. Being Facebook, to get this again, what's the most privacy friendly setting?
I mean, you share nothing. You see nothing, and that's then the most privacy friendly setting. How will you work with a company? That's all about data. If you want to use data. And at the same time, the law tells you, please do not use data in rough words already by design. Then this is a clash of interest. This is very, very difficult for businesses that rely on data and many, many questions follow here. The minimum extent, what's the minimum extent.
If I join Facebook, to stay in the picture, am I already there that I extend something more than the minimum extent, because I know it's a social network and it works with data, or will I have just a very, very broken-down profile where almost no information is in? And I really need to work on broad in my profile and work on being able to unfold activities in the social network. So I think there's much behind there. Again, question of enforcement as any point; if this is being enforced, I see problems for all kinds of software that's being introduced.
You, you buy a software or you license the software, you want to use it. And how often are we getting told, oh, well this is not important. We're not using this.
You know, there's so many, there's so much data, but we only need this field and this data category, maybe this sometime, oh, this we used until two years ago, this is not of importance anymore. We have this in another tool now. So imagine this situation and you need to have privacy by design. Then the costs are meant you will have to change private software due to your privacy needs at the end, not to your business needs. And of course, from a business perspective, you would never care if there was more information or mostly not ever care.
If there was a bit too much information in the system, better than not enough, right? So we really have to rethink here the way we collect data. And we are now on a rise when it comes to have as much data as we want. We're discussing big data. We're discussing, being prepared with the basis for, for that. And at the same time, legislator tell us we need privacy by design in, in this sense. So this is gonna be very difficult. The second point I think we do need to go into then the very well known right to be forgotten.
That's been very discussed again with social networks, but this is everywhere. If you would ask me as a privacy lawyer, what's the most difficult thing to do in the corporate surrounding. I would always tell you, it's about getting rid of the data. It's not that I go there and I tell people, get rid of it, but they're trying, they're, they're getting there. And they're understanding that it's nothing they need in many cases.
And they shouldn't have, if you wanna live transparency on your data protection policies in the future, if you really wanna survive in maybe a changing society, understanding of privacy, then many, many clients start to realize, we need to get rid of big parts of our data. It slows us down first. It needs space, but then again, we just may not have it anymore. So this is most difficult. How are we gonna differentiate between information that we still need and may have, and information that we maybe need, but we may not even have and so on.
So the right to be forgotten is a bit more than being erased on Facebook and have a good public image. When, when a certain name is being Googled, the right to be forgotten is nothing more than handing the power over from the company to the consumer, which information is maybe being stored at this company's service, the right to be forgotten has limits.
However, the further, this is a, a quotation from the regulation. The, the further retention of the data should be allowed, where it is necessary for historical statistical and scientific research purposes for exercising the right of freedom of expression. So that's narrowing down a bit. Where is it necessary for historical statistical and scientific research purposes? Very difficult to define what's a necessity.
It's always very obvious that for me, as a company, something else is necessary then for the, for the, for the data subject, of course here, the perspective of the data subject is meant. So I need to put myself into the position of the person whose data this is, and then find out is it for this person necessary for historical reason? Maybe I wanna see my, my bills in the past. Maybe I wanna see other information that I just simply need for the, for the future handling. But beyond that, I might not, may not have that information anymore. Statistical and scientific research purposes.
That's in way a bit naive. At least if we see it that short, I mean, scientific research, should I just put it on the hat and say, this is scientific. Where is the border I'm being scientific? Am I being scientific when I try to find out what's my future prospects as a company growing on the world market is that being scientific. This is very easy for, for misuse. And we certainly will need more answers on what's meant here.
When it comes to narrowing down the right to be forgotten, we have harsh fines that put these limits in perspective, meaning that again, the situation that things are getting a bit more narrow open again, because maximum 1% of an enterprise's annual revenue are here subject to fine. That's less than when it comes to other breaches. I don't really understand what's behind that. Is the legal obligation of a right to be forgotten not as important? Are we expecting this to happen very often, an infringement of the right to be forgotten?
And then we don't want to kill companies. I don't really get it, why this is something we mean to differentiate from the other fines. The right of data portability of course is, for the telecommunication sector, very important, but also for cloud service providers. Imagine you are a cloud service provider and you have this data there. You need to have the information there right away. You need to be able to hand it over.
So a strategy in topics as data classification, retention, collection, destruction, storage, and search, of course, I need to find the data, depends on really the structure and how I keep the data, and where I keep the data is a question: how will I get it out and back to the customer? So the right of data portability has some tricky backgrounds for those who are affected by that, I believe. And this is of course, something that is not answered yet. Then we have the application outside the EU.
This is what we discussed in our round before. Before, it was a bit the strategy, from my perspective at least, of the US government to impose that the privacy understandings should be obeyed in other countries too, in other parts of the world, sometimes heavily enforced with high penalties if you wouldn't hand over the data, for example, in a process; that was something of outrageous penalties we are discussing here. Then now we are trying from the EU side to pay that back. This is my understanding.
At least the regulation will, according to the draft of the regulation now, apply to businesses based outside the EU if those deliver to customers inside the EU. What's delivering? Is the India hub delivering to someone in ONIM? Is the South African call center of Hansa delivering to a customer inside the EU? And so on; you all will have your own examples and you're in the picture. So actually, and potentially, this is a worldwide legislation for on the single base cases. At least this is what we try, and we have, on the other hand, no enforcement that stands for it.
So that makes it very difficult. This is the gap we were discussing earlier today. Some maybe not major problem with the minors' consent. The processing of data of individuals under the age of 13 will require parental consent. Of course you might not have customers being minors, but what if you do, and you don't know about it? Will you have to ask all your customers and proof check their age in order to guarantee this? What again is a consent, which is the parental part that I should ask?
This is very, very expensive and very difficult because you can never be sure that you're not talking to an 11 year old, if you're online. And also we have those questions already, of course, you need to state that you're grown up and so on.
Of course, that's nice if you're grown up and you, you state that you're grown up, but if you're a minor and you state that you're grown up, I think the company will not be protected in that situation. So we need to discuss mechanisms how really, to find out the age. And then again, we are in the middle of a, another data protection discussion from the other side coming, why should I be asking how old is my customer?
Well, because of this data protection regulation. So that's a bit of a vicious circle. It's nice to have the minor protection here and it's of course necessary, but it will task us all a lot. The veto against predictive analysis, analytics, pardon me, is something that's important for big data. And of course the right not to be subject to a measure, which is based on profiling by automatic processing is an important law. You may not be like this analyzed when it comes to your performance at work, your economical situation, which already happens.
There have been cases where again, social networks have been searched for people's economic situation. And there maybe you have a problem with your bank and not receiving more money or whatever. We have particular cases here: the location, health and personal reference and the reliability or behavior. So that's a whole bunch of situations where we may not go through analytics. Move this again. Really ask for talking to the customer or the potential customer as the consent. Number one in our line, us, we need to talk to our customers.
We need to understand who are you in order to answer the question, what's the level of privacy you want to have. So it's less terms and conditions, and it's more an individual, or need for an individual, discussion and handing on information with the customer. So we are at the last point, the impact assessments. Of course, any bigger company at least goes through assessments. We have heard earlier today that there was no findings or no one, at least not, no findings, but no company, usually failing assessments. I think this is not what we're talking about here.
When the regulation states that we need, if impact assessments, we need a prior approval of the data protection authority for high risk as well. So you need to be more transparent to authorities at this point, and you need to understand even better yourself, what this is about. It's not like you source it out. Somebody goes through an audit and things are done.
No, you need to instruct, understand, go after and repeat. So this is the last, but maybe not the least point. So I'm sure most of you have heard a lot about those points. I wanted to sum it up and give some further impulses for our talk. Maybe you want to introduce yourself. Iki very welcome.
Voki Voki I'm data protection commissioner in Poland, which is data protection authority in my country. I started my work well, I'm a lawyer by education. And I work in the university from the end of my studies being the head of the laboratory of legal informatics.
But I also worked in the business as a data miner first. So I started my work as a data miner. Then I worked in the ministry of interior and in 2010, I was elected for the data protection commissioner. If I should go through this presentation that was given to us a while ago, I would agree that the things that were shown as strongholds, the stronger part of the regulation, are presented well with these weak points. I would point the same things, but I would understand them in a slightly different way.
And especially, we cannot say that these are the new things that arise or that these are the things which are very European. If you can go to the point number seven in your presentation, there's a very good example of the problems, which are the genuine problems of the data protection and protection of that. And the markets themselves. How can we enforce this law outside of the European union is a very hard question that exist in many parts of the economy.
And actually it's the same question which should be asked to the American administration and which the American administration asks itself, because when the Federal Trade Commission wants to deal with a trade which is going on in the United States, they actually explain it the same way: you are bound by the American law if your services are offered to the American citizens in America.
So it's actually very territorial and very typical way of thinking about the countries, those of you who had an opportunity to meet American legal act, which is called FATCA, and which deals with the, with the transfer of the information about the assets of the American citizens to the American tax administration found out the same thing.
There is an American legal act, which seems to be binding for all the world, seems to be binding also for Germany and for Poland, where with all due respect to United States it is the same act like an act of the parliament of Botswana and an act of the parliament of Belarus and acts of the parliament of Russia. They are generally to be bound in their countries, but each and every country, including Russia, including Belarus, including Botswana and including Europe and including USA, has a problem that they want their rules to be binding.
If they address their citizens, if they address the people on their market. So that is a problem. That's true, but this is not EU problem. And this is not the new problem. That's something that exists all the time. The same thing goes, or rather the same different point of thinking goes, to that portability, because I'm sure that the example of the cloud company is actually not good, because the cloud company, if they want to pass the information back to the customer, they actually have to do it according to the contract.
And they have to know where the information is located. And they have to know how to monitor the information when drives through the system.
Otherwise, if they don't do that, then anytime FBI is coming to them and saying, we have the assets that are probably illegal on your service. They have to close data centers because they don't know what is the difference between the data of the user a and user B. So they have to monitor the data, but the portability is definitely the problem. Why is it the problem?
Because it would, with this meaning that was given by the commission, mean that each and every insurance company that made the medical researches on you on your request and that paid for these medical researches, because you wanted to have the offer from this company; if you refuse this offer, they would have to give the results of these researches to you, and you can go with them to another insurance company and they will be able to use it though they didn't pay for it yet.
So that is really the problem for the business, because so far it was absolutely normal that a person can agree that there are the findings like that done by the insurance company, but it had no rights to take it from the insurance company and to give it to somebody else in the market.
And unfortunately, this law, which probably would work perfect for the social networks, which probably work good for other IT companies, is actually not enforceable and not possible to be implemented in the companies that are basing on a very analog business, or maybe not analog business, a very classical way of business.
So there are the problems, that's true, but going through all these 10 points, we can find out that in most of the cases, the problems are either not technical actually, or they are the same all over the world, no matter which legislation you are taking into consideration. And let me take another thing, which is somehow recalling the last panel, when it was said about the problem of data breach notification and these assessments of the company, should they notify or should they not notify?
Of course, I agree with you totally, that this is something which goes around the world and the same assessments are done, but there are very good cases, both in the United States and in the United Kingdom, for example, where the companies who made this assessment and who found out that it's better not to notify, when they finally were found guilty of the data breach, they were punished very severely, not only for making the match, but also for having this assessment. Yeah. For the way they thought. And that's a very good case of tur company.
Well, Turk is right now even proud of the good of the things they done when the situation happened. I mean, the way they went out of the problem they had. Yeah. But the problem they had was actually this: they had a data breach, they have hidden the data breach. And that was a purposeful decision of the management of the company.
I agree with you that the sanction is a problem. I'm not going to even discuss about the level of the sanctions, because this is something that everything can happen on European level. Why the sanctions are inside the regulation? Because right now you face the situation where the data protection authority in Finland has absolutely no right to give any kind of sanction to anybody. You have the countries like Poland, where there is very limited number of the situation where the data protection authority is issuing the fines.
And you have the countries like UK, like Italy and especially Spain, where sanctions are the main way of working for the data protection agency. And this is something which cannot exist on the single European market. You cannot have the situation that with exactly the same case, you have no sanctions in Finland and you are punished first before you really explain what happened in Spain.

Yeah. Thank you. I'm most probably the only non-legal person on this panel. So excuse me for having a different view in terms of viewpoint.
I liked very much this view of what is happening right now, the shift from national legislation to a European, more single market driven approach. And there's need to just look into things like, you know, this conference is called cloud and it, what, what is the data owner? What is the data subject when you are putting your things on Facebook? That's we discussed that with our data protection people. And if you go into detail, that's a very complicated.
The terminology already becomes very complicated. Data protection is not, and never will be, ready for technology. Technology is always first; whatever legislation comes afterwards, that's how legislation happens. There's no other way to either, hopefully it will be effective. If you look into spam, spam legislation is there, it's very clear, but it's ineffective; maybe there's reasons to that. By design has been mentioned. It's a good idea, but there's lack of definition and there's lack of experience.
I think we might be a little ahead in the cycle technology legislation when it comes to that while there's acute viewed as best practice as you know, imperative. But we have to be aware that is limited, especially when it comes to the last point, when it comes to legal consequences. Legal consequences will have to wait until we have a clearer view on what it means. Common legislation: that's the basic idea. When will it happen and will it happen at all?
We'll see, you know, that's, we have to do the effort. It's very important, but it's a big effort to do you address the non-EU the effective, this of non-EU the who cares just to give you an example, if you go to Alibaba, which is the Amazon equivalent of China, they will do professional tax evasion by the following or custom cion you order something which costs you hundred dollars. When you received a packet, you will find their value $10. Why? So? Because then it's free for you. Don't have to pay customs. And on the invoice, you have the hundred dollars.
And so you will always have this, as you say, the math behind that. And we will have to see how that works.
And my, my fear is not that we don't get to an agreement with us. We have China, we have India, and we will have more like, you know, perhaps in future Bangladesh, because labor is there. So cheap Russia is a different case because yeah, okay. Reporting.
I'm not so easy that this reporting, which we see right now in this regulation, which we see in the security directive and everywhere, which is basically the experience which we got out of Article 13a of the telecom directive, whether this is the ultimate tool. You know, many things are focused on there. I remember hard Smith on the London cyber conference, where is at 80% is prevention. 20% is going after that. And that has implications on companies, as you have said, implications on what we can reach by that. If you only target to 20%, we are not in the good domain.
Perhaps we have to go into more obligations on where we can put obligations like under providers, trusted domains. If you impose obligation to telecom or to data communication providers to tell you where and where from and where to data goes, that would be a big improvement on data protection.
If that would be on every packet that goes on the internet, technically it's easy, DNSSEC does it all, but there's other things which conflict, like with US law, you have seen all the ATA and Papa and what is around that. So there's a lot of technology issues we have to solve. But on the other hand, it would solve many of our spam problems. It would solve many of our botnet problems, like in eBanking, et cetera, et cetera. We have to think what can we match technology with legislation?
So there there's, there's two, two few talking these two areas together, the trusted, what is also something we are only talking the people and the, the companies, but we have intermediaries with, with lots of people in between. And perhaps we have to think about trust there, ed, to, to end up with education, I think is the, that the most important thing we have a study where 90% of kids under nine years old in Luxembourg are on Facebook.
You know, the minimum age is fifth is 11 years, but who cares? As I said, we have to educate early on. And there is lots of chances like clouds to enhance separation. What am I doing where I have not a single platform of many platforms, and that can even be a chance if we use appropriately eID, if you use appropriately data protection, et cetera, but I don't want to give a talk, but just give you ask.

Thank you. Thank you very much.
Is there any questions at the moment, A question for you for looking with no data protection regulation, make you more comfortable instead of uneasy and 10 different ways, Sorry. I'm I didn't hear the beginning.
Would no face of regulation in you make you comfortable?

It would make me feel pretty uncomfortable. And I was happy enough to give my thoughts on post privacy this morning, and post privacy, in my opinion, is a nice thought because there is a lot of people feeling that we have too much privacy. Granted, my idea would be to reshape the legal borders of privacy as we have it today, because it's too complex. It's not easy to understand. People don't even know sometimes if they have rights, companies don't know what they shall do and so on. So we need more guidance.
That's what I expect from our legislation. I think there's some guidance, some new ideas in here, or some old ideas on a new level geographically and so on.
But to give a clear cut answer, no, it wouldn't make me feel more comfortable. I think it is a big threat. If you have no privacy legislation, many stakeholders might just grab information. And I think it's very, very difficult to have a situation where the value of information rises and rises, maybe even sometimes unnoticed from data subjects. And then at this point where you have a lack of understanding how valuable information is, and at this point go and set everything free. I think economically and legally speaking is for being for the economic part, not fair.
And for the legal part, speaking, probably even gonna lead to a chaos at the end because the current conception is my conception. The legal conception is my conception at this point is that the data belongs to the person that the data is about. Now we are having influences where people doubt that the person digging the data, making the value, giving, getting the value out of it, it should be their data.
I think it's a nice idea to also have that, but at the end, it can only be one Moza E I think we need a, a big solid part where we need the data, privacy regulation, maybe a little bit less than today, a little reshape when it comes to borders. Sometimes we have a little bit of overprotection.
I see where people don't even know what they should do with this data protection. Now they have it in the hand, like a hot potato, and they don't use it. I think this is some regulations we need to change, but no privacy would make me personally feel very uncomfortable. You stated it was a question towards me, but I would really love to hear you. You say the Question back, would you think that making production more competitive? We should to, to end up in that situation, we should lower the minimum wages.
The notion is just why shouldn't we use data protection as a competitive asset? I find the regulation absolutely necessary, but has been pointed out in this form several times today, we have a problem about Porwal. We have a problem with regulating areas. I see there's no feasible implementation. Locally has to be done worldwide by regulation on wars. And so you have worldwide conventions control.
Well, we have to admit that there is no possibility to make the worldwide convention on privacy. Well, I don't know if you know, what is the word for privacy in Japanese? That's the word privacy, because they don't have the word in their own language which addresses this issue. So when they start to talk about privacy, they take the English word privacy, because the understanding from the culture like the Japanese culture is totally different. We can try to make the laws on the data transfers, data processing, but this is not about privacy.
This is about data processing; this is only the part of the issue. So definitely we will never have, I guess we will never have the global rules about privacy. We may have the global rules about the data transfers and data processing. It's difficult, but it exists. And there is the forum that is actually working on the things like that.
That's OECD, first of all, and the guidance from OECD, but also from our point of view, from the point of view of the commissions for data privacy or data protection, we are also meeting, and we are also trying to prepare our own actions, especially as far as the enforcement is concerned, not only on the European level, but also on the international level. And the next conference of data protection commissioners is going to be in Warsaw in September this year, and we are going to get about 70 data protection commissioners from the world, including United States, where the data protection commissioner is actually for Federal Trade Commission, although they don't apply to administration. Yeah. They are absolutely not dealing with administration. At the same time, I'm very sorry, but it has to be my last word at this conference because I have the plane in one hour and a half and otherwise I will not be able to catch the plane. I'm sorry.

Thank you very much.
Any rebound on this question? Any further input from your side? Anyone else?
Yeah, maybe I hand over the microphone. I can just trust people. Okay. All right. And the protection Rules seem fairly clear for quality, obviously personal data. So your name, your address, and, but how does this relate to the anonymized data that can we trace back to a person due to its very think of anonymized search engine queries, where you look at a thousand queries that have been made, you can say, oh, that was actually that person. And that can very, and there are actually examples where this has gone wrong with research data. How does this legislation apply to that?
The legislation says person related data. So I don't see where your point is. If it's person related and the relation can be traced, then it's subject to data protection. Right? I think it's a question of definition.
First, if you're talking about anonymized data, it's just the country of what falls under the regulation and any other data privacy law. Yes and no at the same time. Which means that definitely if the data is really anonymized, then it's simply not personal data and it does not fall under the regulation. The problem is that sometimes we own the data which cannot be connected with a person at our sense, at our systems, we transfer this good, this asset to another company. Then we have this data which will connect certain, which was so far with the information, which is the key to the personal data.
So then we have somebody who owns, may not own, but who operates on this asset? We are not having the personal data in our position, but if we transfer it to somebody else, we have to remember what it may have. So what we Make that, what is also true is data can be truly anonymous and not traceable back to any person and still, with very high probability, be relatable to a person. If I looked at your search results, have to say that you've Googled your house, you've Googled your name. You've looked at street here at those location. So that is probably you.
And you've also Googled these medicines here, probably safe. It's not person related, But it can, it is personally related from the by definition, this under defaults, all this. Okay. What we discussed. Yeah. Okay. I think we have run out of time. Anyhow. So thank you very much for your attention. Thanks for being there. Thanks for.