Equilibrium
Reding said that, while GDPR was the first step in securing data to make a digital world possible, ethical regulations of AI would be very important, in order to achieve equilibrium between protection and innovation.
Reding said that the EU’s GDPR, which came into force in May 2018, was hastened by the revelations of Edward Snowden about mass surveillance of citizens by the US Government, after which votes against the measure diminished.
Member states realised that they needed to be the standards maker, and not the standards taker, she added.
European legislation takes a lot of time, because there has to be agreement between the lawmakers, the governments and the members of the European Parliament, she said.
Third way
GDPR is a symbol of how Europe can present a third way between the very commercial US and total control of the population in China, she said.
GDPR gives a lot of rights to the individual, and as such, it is not an easy system to apply, Reding said.
“Many regulators in the beginning were learning by doing,” she noted, adding that they were not very well prepared, and that they allowed a certain tolerance period.
“I am sorry to say that they allowed the tolerance period to the big companies, and they were sometimes very hard on small organisations and small companies,” she added.
From 2019 on, the national regulators started to impose solid fines for solid misbehaving, she said.
Privacy champion
The wind has now turned on mistreating the data of individuals, Reding added, and Luxembourg has now emerged as a privacy champion, pushed on by civil society.
This puts pressure on Ireland, which has a lion’s share of Silicon Valley and Chinese companies, she said.
But the key question is whether Great Britain will have adequacy measures, given its intention to build data partnerships with Australia and South Korea that would loosen rules on data transfers to boost trade and innovation.
If the UK makes decisions which go against EU law, then there is no other solution but to take back the adequacy decision, Reding said.
“An adequacy decision could be taken back by the Commission, if the situation should change,” she said.
Privacy standards
Neither does the US have in place privacy standards which correspond to the GDPR, she said, meaning companies are in an uncomfortable position of having to choose between conflicting rules.
“EU rules recognise that every EU data subject has a fundamental right to the protection of their data, as well as a fundamental right to the confidentiality of their communication,” Reding said.
These rights are not diminished, even with US service providers.
“Geopolitical plans for transatlantic cooperation based on basic joint rules are absolutely essential, because the current data-flow system is at breaking point,” she said.
Hundreds of complaints are already on desks, and pressure is building to a potential catastrophe in transatlantic data flows, she added.
Legal challenges
There are growing legal challenges to standard contract clauses, Reding said, and the only solution is a new data deal.
“I know how difficult this is because of an unequal mentality: America thinks surveillance, Europe thinks privacy,” she said.
But there is no work being done on a US federal privacy bill, she added.
By contrast, China is now moving data privacy to the forefront, she said, mostly copying from the GDPR – though the rules concern only the private sector, with an extra-territorial effect.
“They are very, very discreet on the public sector and on the state organs, with many loopholes or, less diplomatically, a massive security cop-out.”
Algorithms that promote ideology
The only algorithms accepted are those which promote the ideology of the Chinese state, she pointed out.
China also dominates the cloud, where it is investing massively, as well as in quantum computing patterns, she said.
The 'digital Silk Road' has a growing influence in data governance, Reding said.
Strong player
The West must join forces on values and be a strong player, she said, adding that she hoped that America and the EU would get there, despite difficulties.
Reding added that the Court of Justice of the EU helped bring corrections where these were necessary, and acted as a compass.
She said the GDPR might need to be reformed by the European Parliament if it were shown not to have sufficient power to take on serious cases.