Hellenic DPA successfully holds Information Day on the occasion of the 18th Data Protection Day

On the occasion of the 18^th Data Protection Day, the Hellenic Data Protection Authority organised an Information Day event entitled “Topical data protection issues – recent developments” on 30 January, at the amphitheatre of the American School of Classical Studies in Athens (Cotsen Hall).

Paying tribute to the late Professor Spiros Simitis, whose contribution to the establishment of the Hellenic DPA (HDPA) and the drafting of its founding law has been decisive, two students and former HDPA members participated in the event and delivered presentations, namely Lilian Mitrou, Professor of the University of the Aegean, Lawyer, President of the Institute for Privacy Law, Data Protection and Technology, and Vangelis Papakonstantinou, Professor at the Faculty of Law, University of Brussels (VUB).

Former Prime Minister Kostas Simitis, Minister of Justice George Floridis and the President of the HDPA Honorary President of the Council of State, Konstantinos Menoudakos, gave opening speeches at the event.

The conference was attended by Georgios Batzalexis, Deputy President of the Authority and Honorary Member of the Supreme Court, Athanasios Papaioannou, President of ASEP (Supreme Council for Civil Personnel Selection), Ioannis Politis, Vice-President of ESR (Greek National Council for Radio and Television), and Christos Geraris, former President of the HDPA and Honorary President of the Council of State.

Opening speeches

 

In his message delivered by Professor Lilian Mitrou, who was his associate and Spiros Simitis’ student, the former Prime Minister Kostas Simitis noted the following, among other things:

 “The contribution of the Hellenic Data Protection Authority to protecting the dignity and personality of citizens, has been of great significance. Its approach to the processing of personal information both by the State and private individuals (SMEs, employers, commercial companies, banks) has been balancing, with no concessions or discounts when it comes to data protection. In its almost 30-year-journey, the Hellenic Data Protection Authority has faced major conflicts in an adequate and institutionally courageous manner (e.g. the case with identity cards). That said, the Authority is constantly confronted with new issues arising mainly from the rapid development of technologies such as Artificial Intelligence. This is why the Authority should:

• Contribute to striking the right balance between harnessing innovation and protecting essential social and constitutional assets, and principles such as equality and the protection of human value;
• Preserve the autonomy of individuals by applying the law. Individuals should be able to exercise their rights without disproportionate restrictions and without being subjected to manipulation of their choices. This is a risk that is constantly growing in the context of today’s society with the continuous development of technologies”.

Minister of Justice George Floridis in his welcome address noted, among other things, that "Spiros Simitis was a pioneer. He was the one who established the right to the protection of personal data, first in Germany and then in the EU. Since the beginning of the third industrial revolution, Simitis stressed that the effort to protect personal data is a response and a reaction to the constant development of IT. We can imagine how necessary this protection is today, since it is that development that has led to the 4^th industrial revolution which is already dominated by the evolution of Artificial Intelligence. The most prevailing idea is that if humans conquered the world mainly thanks to their intelligence, what will happen with the emergence of a kind of intelligence surpassing theirs? This is a major problem that we are called upon to face today, in a relentless fight, in the era of the 4^th industrial revolution on so many levels, and above all in relation to the protection of personal data. Many people think this fight is an uneven contest. But societies have the brain power, principles, and institutions that can help them cope, so that mankind can gain from the evolution of AI the many benefits it has to offer and limit its potential negative impact.” The Minister of Justice also noted that “the Authority has a very difficult mission to accomplish, and a very challenging work to do in striking the right balance, a work that requires skill, balancing many different factors, and a kind of emotional intelligence”. In concluding his address, the Minister congratulated the Authority for its work so far and wished the Authority “to continue with courage the very significant work it has to do and is doing in Greece, especially in view of the conditions that are being shaped".

In his welcome address, the President of the HDPA Konstantinos Menoudakos mentioned that “the General Data Protection Regulation has expanded the data protection legal framework of Directive 95/46/EC, previously in force, by laying down new measures and procedures, and by tightening up the sanctioning arsenal, based on which it is possible to impose extremely high fines. We see that national data protection authorities have also applied in practice these high fines.” Taking a brief look at 2023, the President of the Authority referred, indicatively, to decisions imposing fines on banks and companies, and to the People’s Choice Award of the 45^th Global Privacy Assembly that was awarded to the Authority. President Menoudakos pointed out that "in today’s digital age of major privacy challenges, the Authority is making an intensive effort to respond to the high expectations of society and the citizens with its preventive and punitive action. However, its extremely small size is inversely proportionate to the extent of its responsibilities and the complexity of the required interventions which it is called upon to implement, but also to the demands of society and civil society. The Authority must overcome all kinds of obstacles in order to meet these expectations. To this end, the competent bodies of the State must also ensure that the Authority has the necessary means, in accordance also with the relevant provisions of the GDPR".

 

First part

In the first part of the Information Day event, the Director of the HDPA Secretariat Dr Vasileios Zorkadis, in his presentation entitled “The Digital Transformation Projects of the Data Protection Authority” focused on the Authority’s digital transformation projects that were implemented in the years 2020-2023. These projects include the initial upgrading of the Authority’s web portal and integrated information system, as well as the byDesign project, where a web-based GDPR compliance application was developed. In the context of this project, educational material and a programme were also developed in the field of “data protection by design and by default” for IT and communications professionals. This project involved also the latest extension of the Authority’s integrated information system with subsystems and applications related to the management of data breach incidents, self-assessment of controllers on the level of data security and data protection, assisting data subjects in exercising their rights, as well as in lodging complaints, managing audits, creating an information chatbot and specific information content for children. In addition, reference was made to the current byDefault project, which is going to be completed in August of next year, and in the context of which a cooperation and specific information platform has been developed for data protection professionals. Educational material and resources for pupils in the last two classes of primary school, secondary school and high school, and their teachers, were also developed using advanced augmented reality technological means. The speech was concluded with a reference to the upgrading of the Authority’s audit laboratory and future plans related to the Authority’s digital transformation.

Lilian Mitrou, Professor of the University of the Aegean, in her speech entitled “S. Simitis and 50 + years of data protection”, presented the work and contribution of the late Spiros Simitis in the creation and development of the right and law on personal data protection. Professor Mitrou referred to the key components of Professor Simitis’ approach that were already made known in the 1970s, e.g. the inclusion of personal data protection into the regulation of information flows in society and the emphasis laid on the protection of information as a prerequisite for the autonomy of individuals, and their ability to participate in communication and the diverse manifestations of private and public life. In her presentation, Professor Mitrou highlighted the pivotal role of technology in the evolution and deficit of data protection law, and stressed the value of future-proof principles and institutional safeguards, such as the safeguarding of the right by an independent authority.

Vangelis Papakonstantinou, Professor at the Faculty of Law, University of Brussels (VUB), pointed out in his speech entitled “The relationship between Convention 108+ and the General Data Protection Regulation” that “the two legal frameworks are not conflicting but are complementing each other, which, however, in legal literature results from an almost unresolved legal complexity (the relationship between the ECHR and Convention 108+, and the relationship between the EU and Convention 108+)”. He, therefore, stressed that “the 1981 rule remains in force, i.e. that Convention 108 mainly assists EU Member States only when it comes to national security processing operations, whereas, whenever the provisions of both the Regulation and Convention 108+ apply cumulatively, I would suggest that the Regulation apply exclusively as it is stricter/introduces a more effective framework”. Finally, he underlined that, “this is another case where the principle ‘quality over quantity’ applies” and that “at some point, mistakes will be made, despite our best intentions”.

Grigoris Tsolias, Lawyer, Doctor of Law, member of the Hellenic DPA, in his presentation entitled “5 years GDPR: the need for an interpretative limitation of the scope of personal data legislation or towards a ‘law of everything?” elaborated on the issue of broadening the application and interpretation of personal data legislation, which is of considerable importance even in other areas of law, in order to argue that a new universal fundamental (supreme) right has emerged. Based on the case law of the Court of Justice of the EU and of the Data Protection Authorities, Dr Tsolias explained how to deal with this issue in line with the requirements of EU law regarding the protection of the fundamental right in light of the principle of proportionality and the balancing of conflicting legitimate interests and goods.

The first part was concluded with the speech of George Kontis, Lawyer, Doctor of Law, alt. member of the Hellenic DPA, entitled “Personal data protection and civil proceedings”. The question of the processing of personal data for the purpose of taking evidence in civil proceedings was examined. The speaker stated that “it is a matter of balancing interests between the protection of personal data and the right to judicial protection”. He also noted that “the Authority always examines whether there is a link between the processing of personal data and the subject matter of the proceedings in order to agree to their being transferred further. In addition, civil courts consider that the right to the protection of personal data is not absolute and can be limited when it conflicts with contrary interests of the opposing party in the civil proceedings”. Finally, Dr Kontis stressed that “it is noteworthy that, while civil courts generally do not take evidence into account when it contains personal data obtained without the consent of the data subject under Article 19 (3) of the Constitution they have stated in many judgments that unlawfully obtained evidence will not be taken into account in a specific proceeding, as there is other softer evidence that can help the judge reach a full judicial conviction. This shows that the right to judicial protection prevails, since, on the basis of the above, it cannot be ruled out that evidence obtained unlawfully may be taken into account by the judge in the absence of other means of proof”.

 

 

Panel of first part

 

Second part

The second part of the event, coordinated by the Deputy President of the HDPA, Mr. Georgios Batzalexis, Honorary Judge of the Supreme Court of Civil and Penal Law, started with the presentation of two members of the HDPA, Christos Kalonniatis, Professor at the Department of Cultural Technology and Communication, University of the Aegean, and Konstantinos Lambrinoudakis, Professor at the Department of Digital Systems, University of Piraeus, entitled “Security and privacy by design in Artificial Intelligence Systems”. The presentation focused on the need to ensure that the requirements for Security and Privacy by Design in AI systems are met. More specifically, the speakers referred to (a) the importance and relevant standards related to meeting these requirements in the design of information systems, (b) the requirements set out in the recently adopted European Regulation on Artificial Intelligence (AI ACT) focusing on cybersecurity and its complementarity with the GDPR, and (c) an innovative methodology aiming to analyse security and privacy requirements based on the risk and GDPR requirements leading to the choice of appropriate organisational and technical measures in AI contexts.

The floor was then given to Dr Maria Alikakou, Lawyer and Special Scientist of the Authority, who gave a presentation on “Artificial Intelligence in Public Administration and the Protection of Personal Data: friends or foes?”. The speaker addressed the issue of the application of Artificial Intelligence in Public Administration and noted: “The ever-increasing use of AI in the public sector (healthcare, civil protection, research, education, justice, etc.) justifiably raises the question of whether privacy, in particular the protection of citizens’ personal data, is at risk. Can AI and personal data protection coexist? What is the risk facing citizens’ personal data and why, since research shows how useful the use of AI is in public administration?” In her presentation, Dr Alikakou sought to answer these key questions by using already existing “tools” provided for by the GDPR and the recent national provisions of Law 4961/2022, but also by raising questions about the relevant legal loopholes. Finally, the speaker sought to provide a basic account of ten bullet points for an initial approach to regulating the use of AI in Public Administration, so that AI can provide security and reliability and thus coexist in harmony with the protection of citizens’ data.

This speech was followed by the presentation entitled “Exploring the limits (?) of cryptography – The EU CSAM draft Regulation” by the HDPA Special Scientist Konstantinos Limniotis. Dr Limniotis in his speech, focused on the EU draft Regulation laying down rules to prevent and combat child sexual abuse, giving emphasis to the numerous and serious concerns expressed, including by the European Data Protection Board, according to which the proposed rules may lead to a global degradation of cryptography – and therefore the safety of communications for all users, including children – without necessarily addressing this serious issue effectively.

Then, HDPA Special Scientist, Dr George Rousopoulos, in his presentation “The cooperation of supervisory authorities of the General Data Protection Regulation in cross-border cases of strategic importance and the new draft Regulation of the European Commission” pointed out that "the draft Regulation on the cooperation between supervisory authorities in cross-border cases is currently crucial for the proper application of the GDPR in cross-border cases. Moreover, the success of the GDPR is mainly judged in cases of strategic importance. Both the supervisory authorities and the EDPB consider that the draft Regulation facilitates their cooperation. It is clear that more legal certainty is provided for their decisions, and procedures are introduced that resolve procedural issues, such as in relation to checking the admissibility of a complaint, amicable settlement procedures and the rights of the parties under investigation and the complainants. However, if no attention is paid to its provisions, it is likely that there will be greater administrative burden in simple cases. It is also noteworthy that different procedures are being put in place, with a different degree of complexity, for citizens (data subjects) and bodies (under investigation) for cross-border complaints than for purely national ones. It is therefore appropriate to examine whether and to what extent national procedures can be harmonised”. Finally, the speaker underlined that “the new procedures entail higher costs for the Authorities (e.g. more procedural steps, more time limits, more translations). Therefore, a crucial element for its success and the success of the GDPR in general is to strengthen the Authorities even further”.

Finally, HDPA Special Scientist Eleni Maragou, Lawyer, Doctor of Law, in her speech “The institution of the Data Protection Officer – Audit of the HDPA in the public sector as part of a coordinated enforcement action of the European Data Protection Board”, presented the coordinated action – investigation regarding the designation and role of Data Protection Officers in 2023 within the EDPB, in which the Hellenic Authority participated. Dr Maragou noted that "this investigation involved 25 supervisory authorities including the European Data Protection Supervisor. The investigation was carried out using the questionnaire method and each supervisory authority had the discretion to use the investigation at will. The investigation led to a report containing comprehensive statistics, drawing key conclusions and identifying issues that deserve attention and response. With this action, the HDPA also exercised the powers of formal investigation and carried out a check on public bodies, taking into account both the important role played by DPOs as intermediaries between data protection authorities, individuals and bodies, and the mandatory nature of the designation in the public sector. While the audit is ongoing, the first findings have been identified and will be followed by further investigation with a view to issuing decisions and/or recommendations/guidelines”.

 

 

Panel of second part

 

At the end of each part of the Information Day, all speakers answered several questions raised by the participants.

The event was web-streamed via DIAVLOS live web streaming service operated by the National Network for Infrastructure, Technology and Research, and is available on https://diavlos.grnet.gr/room/611?eventid=15503&vod=12817_event (in Greek).

Communications Department