“We will never have a situation where privacy and data are properly protected.” Wojciech Wiewiórowski is not hiding. This Polish jurist (Łęczyca, 1971), appointed in 2019 European Data Protection Supervisor (EDPS), thus begins the interview he grants to EL PAÍS taking advantage of his official visit to Madrid. It starts from the assumption that its task, to ensure that the EU guarantees the privacy of its citizens, is by definition a chimera. “New technologies change the context in which we operate very quickly. The covid has accelerated many digitization processes, and with them the potential threats to privacy ”, he adds by way of introduction.
The office of this Eurobureaucrat enjoys independence within the complex community institutional framework, but lacks executive powers. Issues reports and advises the Commission, the Council and the European Parliament. When the position was devised, back in 2004, it seemed like a relatively quiet destination. The exponential growth in the amount of data we share since then has made EDPS a key figure in Europe’s digital strategy. With a mandate until 2024, Wiewiórowski believes that the Union’s task is to ensure that European citizens can feel that their data is being treated safely.
Ask. Do you think the EU is equipped with the correct mechanisms and laws to ensure the privacy of citizens?
Answer. Laws often take years to pass. As we solve the problems we have, new ones will emerge. Artificial intelligence and other technologies open new fronts every day. In any case, I believe that the law should not be the tool to develop the solutions, but to establish the limits.
P. In spring, it will be four years since the General Data Protection Regulation (RGPD) came into force. What balance do you make of this regulation?
R. I would say the biggest challenge is getting it applied properly. I think there is no need to reform it right now. But we have to evaluate it and there are things that do not look like what we expected.
P. As which?
R. We still do not have the codes of conduct at the European level. They are being left to the companies themselves to develop because it was decided that self-regulation might be enough. That was kind of optimistic, I would say. What we still do not have after these years, and it is a disappointment, is a certification, some European seals that guarantee that a specific product or service applies our privacy regulations. I was skeptical about this from the start – quality seals work well in the hardware, but it is very difficult with him software, which is continually being updated.
P. Technology companies collect all kinds of data from Internet users by default. Wouldn’t it be more practical if they had to ask first?
R. The RGPD establishes that you have to know what the data is collected for from the moment you start to do it. That is the focus in Europe, as opposed to the US or Asia. Google representatives told me a few years ago that this is probably the biggest crime in human history because the data they capture, they argue, we will need, but we still don’t know why. I do not agree with them.
P. Tech companies can easily find out our political ideology, income level, or sexual orientation by tracing our fingerprint. How did we get here?
R. There is a legal answer: you can ask companies to tell you everything they know about you and then request that they delete information. The problem is that 90% of people don’t have the time or the knowledge to do it. That is why it is best to ensure that we know the purpose for which our data is collected. It is the same with airplanes: you do not need to build it yourself, or know how they manage to fly. We simply entrust our lives to the pilot of the plane because we are convinced that it is safe. That is what should happen with data protection.
P. What you and your team do directly affects the activity of the largest companies in the world. And governments can profile themselves if there are problems.
R. I feel comfortable talking about impossible struggles in Don Quixote’s country [se ríe]. That said, institutions are increasingly concerned about this issue and companies themselves know that they need to earn the public’s trust. We have a long way to go, but we have improved. Should we try to stop people from driving drunk? Of course. Can we achieve it with 100% effectiveness? No, and that is why we must continue campaigning and taking dissuasive measures. It is important to remember that we do not protect the data, but the people on whom that data is processed. We are talking about information about me, about you, about our children. Countries that choose not to protect the privacy of personal data can end up like China, where there is a social credit system. We are not that far from them. Many municipalities say they want to know everything their citizens do to design better services. That is the same as Beijing says.
P. Do you feel supported by the rest of the EU institutions?
R. The Commission follows our line of argument, which makes us happy. Regarding the Council and the member states, when we talk about general data protection we have good support from governments; It is not so simple when we deal with the rights of the people in front of the security forces.
P. How do you rate the work of the Spanish Data Protection Agency (AEPD)?
R. It has a very good reputation. Because of their activity and because they want to help shape what happens in Europe.
P. It is often said that Ireland, the country where Facebook, Google, Apple or Microsoft are based, acts as a bottleneck for European privacy regulations. Do you agree with that statement?
R. No. Ireland’s problem has three levels. The first is that, being a small country, it concentrates more than 60% of the large technology companies. The second, that the Irish administrative procedure is very different from that of the rest of the EU countries. They, for example, do not have a deadline in the proceedings. And the third is that the Irish data protection authority is very careful not to make errors of form because they are aware that if they are wrong in any of the cases against big tech they can throw everything to the ground.
P. Are you worried about the proliferation of facial recognition systems?
R. Our position is that remote biometric identification devices should not be used in public spaces. I can understand that there are places where it makes sense to use them, such as passport scanners, as long as the images taken of citizens are treated with the necessary safeguards. There are also places and times when, for security reasons, it may be necessary to recognize everyone, such as at the borders of the EU. But I don’t see that need in a public space. If we allow it to be used in a cafeteria we will change society because we will stop being anonymous.
P. What do you think of the metaverse?
R. I was planning to meet Nick Clegg [máximo responsable de comunicación de Meta] to talk about it, but the pandemic situation caused us to cancel the trip to the US I have nothing against technology. I’m a Facebook user, I don’t mind saying it. I’m not saying that the metaverse is a bad thing before it exists, but of course you have to look at it carefully and ask yourself what happens there and how it works from a privacy point of view.
You can follow EL PAÍS TECNOLOGÍA at Facebook Y Twitter or sign up here to receive our newsletter semanal.