I came to the data field because I always wanted to work in the field of human rights. When the opportunity arose to become a member of Luxembourg’s data protection authority, I applied and was appointed commissioner in 2014. Since then, I assumed the presidency of the collegiate body.
I started my career as a barrister and solicitor before joining the Luxembourg government administration in 2003. After two years as attaché with the Luxembourg Army Headquarters, I joined to the National Rescue Services Agency. As of 2008, I was head of its administrative, technical and medical division.
In terms of career highlights so far, apart from being the chair of the CNPD, I am representing Luxembourg at the European Data Protection Board. I am also a member of the national Judicial Oversight Authority, the national Information Commission, and am an advisory member of the Luxembourg Human Rights Consultative Commission. Finally, I am a founding member of Luxembourg’s Women Cyber Force. This organisation allows professionals with diverse backgrounds, education and nationalities to join forces with the aim of inspiring future generations and promoting the role of women in the field of cybersecurity.
Data differs from other regulatory areas in that data protection rules are not sector-specific. They should be embedded in a horizontal governance framework that sets a high level of protection for individuals, whether their personal data is processed by a bank, a major online business, a public authority or any other organisation. In addition, personal data is increasingly shared as well as seen as a reusable and convertible asset in a digital economy that, precisely because of these characteristics, naturally tends towards market and power concentration. Personal data should always be viewed through the lens of fundamental rights, as its protection is rooted in the EU Charter of Fundamental Rights, rendering it non-tradeable. As a regulator, tribute should be paid to data ethics as well.
One of the biggest challenges in the data field is the rise and development of new technologies, AI techniques and algorithms and that legislative processes do not evolve at the same pace as technology.
Fortunately, the GDPR was designed to be technologically neutral. As such, it does not impede future technological progress nor does it hinder the use of any specific technology.
Moreover, many new European legislative initiatives are taken to tackle various aspects of new technologies. Embedding these new EU initiatives into pre-existing horizontal data protection legislation and preserving the level of protection set by the EU legislator (AI Regulation, DGA, DSA, DMA, Data Act) requires special attention.
At the CNPD and the EDPB, we monitor new and emerging technologies and their potential impact on the fundamental rights and daily lives of individuals.
The EDPB has already developed guidance on recent technological developments, such as virtual voice assistants, connected vehicles, and addressed facial recognition and the use of biometric data. In addition, the EDPB has included guidelines on the use of facial recognition technology in the area of law enforcement, guidelines on blockchain and many more in its work programme for the next two years.
What comes to mind as an important aspect of data regulation that sometimes goes overlooked is that it is intrinsically linked to social justice and equality. Indeed, there is a risk of differential treatment when decisions are based on the collection and algorithmic processing of personal data. For illustration, if online content shown to children is based on assumed preferences and interests, their development is affected. Hence, it may lead to unequal opportunities. Bringing in data ethics and redressing power asymmetries, for instance by reducing knowledge gaps between tech companies and individuals, lead to informed consumer decisions which in turn may influence the market. This is the key to fostering a high level of protection.
The Amazon fine issued by the CNPD last year was the highest GDPR penalty yet. GDR asked: What are your thoughts on whether we can expect to see a trend of higher GDPR fines in the EU?
It is difficult to predict whether we can expect to see a trend of higher GDPR fines in the EU as it always depends on various factors. One of the most important factors is the worldwide turnover of an organisation for the preceding financial year. As you know, data protection authorities can impose fines of up to up to €20 million or 4% of worldwide turnover for the preceding financial year. As a result, fines could get higher every year depending on global turnover. However, the worldwide turnover is only one factor and it especially also depends on the category of the infringement(s).
In addition, the calculation schemes for setting fines for infringements of the GDPR by organisations are currently developed by each member state supervisory authority on their own, following the EDPB’s guidelines that do not include a specific calculation scheme. Despite the differences of the calculations schemes, the value of fines has exponentially increased in 2021. This is also due to the covid crisis. The pandemic has indeed contributed to increase the global turnover of digital platforms providing services.
Women professionals used to work in this area because they liked this field of law, amongst others for its strong compliance aspect and they were good at it. With the proliferation of data, financial considerations become increasingly important, attracting hence all kinds of professionals. Therefore, women working in this field do not only have to be performant, but they also need to focus on their career when facing male competition.
A piece of advice I would give aspiring data regulators and professionals is that training and exchange are essential. Be committed, read, attend conferences and listen to webinars. Keep up to date with new legislative and technological developments.