Stéphane Omnes: DPO of a crazy year

DPO in 2020, is it a good or bad situation?

“I think that’s a pretty good situation compared to the fact that this profession is new and growing. This is a new position that has become mandatory for a number of businesses since the GDPR. “

Which successes are you most proud of?

“There are two that are related to each other. First is carrying out my mission as DPO at POST. It is the largest employer in the country and also the company that manages the greatest amount of personal data (since almost the entire population of the country is concerned), or even more with cross-border workers like me. With its multiple services (postal, telecom, ICT and financial services), POST plays a universal role in Luxembourg’s economy and participates daily in the development of this economic fabric. What I also like about my job are the core values ​​of our company, summarised under the acronym MOSEL: Modernity, Openness, Simplicity, Commitment and Luxembourg. These values ​​create an environment conducive to the development of the culture of data protection with respect to privacy as a cardinal point. The fact that I received the 1st prize of the DPO of the Year last year is a recognition of the work done and also personal pride for me.”

What were the challenges associated with the COVID-19 crisis?

“They were of two distinct natures: first, to ensure the continuity of my mission (internally oriented activities). Second, to ensure the follow-up of legal exercises coming from the people concerned (clients and collaborators). It was necessary to continue to ensure responses within the legal deadlines. Strangely enough, there has been a significant increase in the number of requests with confinement. Fortunately, my work can be done quite easily from the distance. On the other hand, there were various initiatives in the fight against the pandemic involving, in particular, the use of tracing. In this context, the GDPR has offered us a valuable tool by helping us to set the ethical limits of tracing because some people tended to consider that in this exceptional situation all barriers could be lifted. However, we consider as the CNIL (which intervened in the file of the development of the famous STOP-COVID application in France) that it is necessary to set limits and it is possible to fight against the pandemic while respecting the right to privacy of citizens. In this particular context, we sometimes tend to confuse speed and haste, whereas, with a little thought upstream, we can manage to reconcile the imperatives of health emergencies and those of respect for private life.”

How has POST coped with the COVID crisis?

POST has been developing its services for decades to meet the ever-increasing demand for digital uses. Connected objects have become a daily reality that needs means of communication. With its continued investment in the future, POST’s telecom network was ready to face a sudden surge in demand for speed and data volume, as we experienced with the massive shift to telecommuting. POST also has missions in the service of the economy and the population: we have a duty to ensure business continuity. We had to deal with a sharp increase in electronic commerce, and the number of parcels to be processed by our postal services. Given the health situation, it was a real challenge that we took up.

What makes a good DPO?

The job requires skills and especially human qualities. The latter are as follows:

• Autonomy

• Pedagogy (to convey complex messages to very different audiences)

• Certain interpersonal skills (because you have to be able to talk to everyone)

In terms of skills, you need legal and IT knowledge at the same time. A background in cybersecurity is also essential to be able to implement the technical means to protect personal data.

The added value of a good DPO is being able to provide pragmatic solutions. That is to say not to be satisfied with giving opinions on what is good or bad in terms of the processing of personal data, but also to provide technical and practical solutions that guarantee the balance between the protection of privacy and the needs of the business to leverage data to achieve business goals. If you can do that, you go from being a “circle stopper” to being a “business enabler”. And that changes a lot of things.

It should also be noted that this is a very young profession, for which demand is already strong, and new courses are being developed, particularly in continuing education. DPO skills certification has been available since 2019 in France. The sector of the profession will continue to expand, and the profession will continue to unite through new professional circles.

How does Luxembourg perform in the field of data management in an international comparison?

Luxembourg is among the best performers in terms of data protection, in particular thanks to the culture of confidentiality that has been built around the financial centre. This culture has facilitated the adoption of new measures to protect personal data. The Grand Duchy has developed a real dynamic of digitalisation with leading companies like SES.

The CNPD has an important role to play. It has launched a repository initiative (CARPA) which aims to certify companies’ data protection practices. The model is not yet operational, but it is promising because it is the first certification model in this specific area. However, the CNPD must be vigilant concerning its credibility because, just like Ireland and unlike other European states, it has not yet pronounced any sanction… But the news is catching up with us with the complaints that have been filed against Imprimies Saint Paul, the University of Luxembourg, and the Spuerkees following the invalidation of the Privacy Shield (namely the mechanism that governed the transfer of data between the European Union and the United States).

Exactly this invalidation, what consequences can it have for Luxembourg companies?

Personally, I have always believed that this Privacy Shield does not offer the necessary guarantees. In its “Schrems II Judgment”, the European Court of Justice is on the same opinion. The consequence is final: any transfer of data to the USA under the Privacy Shield regime becomes illegal overnight, without a grace period or provisional measures. Therefore, there is an urgent need to find alternatives. The strong message from the European authorities is as follows: when it comes to the protection of privacy, American law is completely incompatible with our legislation. I believe that this should be seen as an opportunity by European digital players if they unite to create real alternatives to the problematic American solutions.

On August 18, 101 complaints were lodged in 30 European countries by the NOYB association. The 101 companies targeted were based on their use of specific products such as Google Analytics or Facebook’s “Single Sign-On”. As the conditions of use of these tools have not been modified since the invalidation of the Privacy Shield, the transfers of data to the United States that they generate have become illegal. The complaints have been filed against data controllers who use these tools at the same time as a complaint was filed against Google and Facebook in the United States.

For my part, I am in the process of completing the impact assessment for POST in order to take appropriate action… Anyway, by filing these 101 complaints, the target is clear: Google Analytics and Facebook Connect. It could have a snowball effect.

What advice can we give to Luxembourg companies to follow the invalidation of the Privacy Shield?

“Clearly, all contracts that refer to the Privacy Shield must be reviewed. For other services which would involve data transfers to the United States, it will be necessary to see on a case-by-case basis, considering the classification of the supplier and whether or not it falls under FISA regulations.”

How to protect the confidentiality of data in all circumstances then?

In the area of ​​personal data confidentiality, encryption is the essential technology that must be mastered to ensure a sufficient level of protection. When it comes to encryption, you have to be precise and make sure it is done end to end. We cannot just put https on the data transfer, the data must be encrypted even when it is “at rest”, on storage spaces, in the database. This is essential and this is the gap we still have to bridge. It is the database that is ultimately the receptacle of all personal data. If this database is poorly protected and leaks, the data will be readable.

Besides, there are some interesting advancements in cryptography. Including homomorphic cryptography, which allows you to perform operations on encrypted data and produce consistent data when you decrypt the result. This will allow operations to be performed on encrypted data without having to decrypt it first. Data scientists will, therefore, be able to play with data in complete safety because they will not see the data in reality, but they will be guaranteed to obtain consistent results. This is a very promising development because it is much more secure than anonymizing data.

In short, the profession of DPO still has a bright future ahead of it, and great challenges to meet.