Menu

Filter by
content
PONT Data&Privacy
  • PONT home
    • mill

    0

    European cooperation and privacy regulators
    De verwerking van persoonsgegevens stopt niet bij de grens. Om het recht op de bescherming van persoonsgegevens te bewaken, werkt de Nederlandse privacytoezichthouder Autoriteit Persoonsgegevens (AP) binnen de Europese Unie (EU) intensief samen met verschillende Europese partners.

    Lisa van Ginneken (D66): "Involve Personal Data Authority earlier in legislation"

    Last January, Lisa van Ginneken took office as a member of parliament for D66. Together with colleague Hind Dekker-Abdulaziz, she is responsible for digitization, cyber security and privacy. Data&Privacyweb visited Van Ginneken for a conversation about digitization, the position of the Personal Data Authority (AP) and what it means to be in politics as an IT professional.

    Tom Reijner
    July 4, 2023

    Background articles

    Background articles
     
    She likes it, working in and around the Lower House, says Lisa van Ginneken (49) as we stand at the elevator in the Chamber building. The morning before our appointment, the D66 MP was still in the small village of Dorst in Brabant, where she was staying in a house right next to the railroad tracks. To experience how everything vibrates when trains race by at night. It turned into a sleepless night. "It's a hectic job. One appointment after another. It's part of the job. Fortunately, it's all very diverse," she says. Her portfolio includes ICT, privacy and digital security and, since a few months, infrastructure, traffic and mobility. Hence her nightly working visit. Her party colleague Hind Dekker-Abdulaziz took over digital economy from her this spring. Together they sit on the Standing Parliamentary Committee on Digital Affairs. Before Van Ginneken landed on the Chamber benches, she worked in the IT sector. She can therefore build on a considerable amount of technical expertise and experience. Something that most parliamentarians cannot say.

    You will probably hear the question more often, but with this portfolio, how important is it to have an IT background?

    "In my IT career, I worked for about 10 years as a consultant on digitalization issues within the public sector. How do we deploy technology for the public good. What trade-offs do you make? Those kinds of questions. You see those reflected one-to-one in my current work. In addition, my tech background opens doors. You speak the same language and use the same words. In short, you don't have to explain everything. Then you quickly make a connection and are "in. And, of course, I bring a network with me. That's nice too, I can tell you."

    Let's go to current events. The General Data Protection Regulation (GDPR) is on its fourth anniversary. Quite a bit of criticism was sounded around this anniversary from privacy activists. Those feel that the law is not being properly enforced. While experts say: view this young regulation with some leniency, too. According to them, 100 percent compliance - the extent to which the organization acts in the spirit of the law - can never be achieved. Where do you stand in that discussion?

    "Look, when the Avg came along, many organizations screamed blue murder. What's coming at us now? What I found strange: after all, we already had the Personal Data Protection Act, didn't we? When I put that next to the Avg, I mostly see similarities. Four years later, I notice that the initial cold feet have passed. I do see that companies sometimes have trouble achieving compliance. Even though they have to. If you work with far-reaching data, your compliance simply has to be in order. We have been used to this for years in the financial sector, for example in accountancy."

    Sounds nice, but is full compliance actually achievable?

    Van Ginneken thinks for a moment. "That would be desirable. But when I let it sink in, it's not realistic. 100 percent compliance does not exist because everything is constantly changing. New services are added, processes are redesigned. That requires tweaking and adjusting. It's never finished, and it doesn't have to be. You also always have to look at the administrative burden of regulations, for example within municipalities. It's all about customization. You have to keep talking to each other and adjust where possible. I do like the idea of organizations being held accountable if they default."

    From those municipalities you hear: we would like to do it well, but we also lack capacity and knowledge. There is already so much on our plate because of decentralization.

    "I understand the sentiment that municipalities have to do a lot more in recent years, but getting your organization in order on Avg matters doesn't have that much to do with decentralization. Because that's what it's ultimately about: making sure you comply with that privacy regulation as much as possible. Municipalities also had some time to prepare for it. The Personal Data Protection Act - the predecessor of the Avg - had been in place since 2001."

    Then there is the inevitable follow-up question: how can you make it easier for municipalities?

    "I see a task here for the Association of Netherlands Municipalities (VNG). Of course it already does all kinds of things, for example when it comes to increasing the level of knowledge around digital issues. As a sector organization, you can ensure that municipalities share knowledge among themselves. Tools help with that. You can see at a glance what the best practices are. It's efficient, and everyone can learn from it. That way the whole Avg compliance does not create too much bureaucracy." The VNG already set up a knowledge network on data and smart society, and a project is underway in which municipalities are collaborating on a blueprint for standardized open datasets, as more and more organizations transition to data-driven work. Van Ginneken: "We need these kinds of initiatives. The VNG has a facilitating role, and I would like to see that expanded."

    Another thorny issue in Avg compliance is the Personal Data Authority (AP). It complains of systematically not having enough money and clout to deal with all data breaches and Avg violations.

    "I'm a big believer in privacy by design. That you build in privacy issues on the front end. I think the AP can play a role in that. I want to involve the AP more in the legislative process anyway, preferably at the very beginning. With every law from now on, I will ask the question: what is the role of the regulator in this?"

    Can the privacy watchdog handle that? The AP seems bogged down by high workloads and lack of capacity.

    "Look, the AP was once created as the supervisor of our personal data, with a bag of money and the words: success! But in the meantime, the government has been rapidly creating all kinds of laws and regulations, all with valid reasons for the sake of protecting personal data. But the capacity of the regulator lags behind. Indeed, one could even speak of a structural erosion in recent years. There are occasional legislative proposals that involve supervisory tasks. The other day, for example, it was about the truck levy. I then asked Minister Harbers (Infrastructure and Water Management): 'have you actually calculated how much extra capacity the supervision of this requires from the regulator?' 'No,' he said with a horrified look. Well, then you must promise him in the future to do so. What we are seeing now is that the AP is being forced to set very sharp priorities indeed. And in the public's perception, these are often the wrong priorities. To me, these are all clear signals that the AP needs to be strengthened."

    With more money?

    "In any case, I am pleased that this coalition is giving the AP substantially more money. I will be careful that we do not stealthily eat into the AP again by giving it all sorts of additional oversight tasks without additional capacity."

    Big Tech is pulling the strings

    The digital world is in the hands of only a few major players. Companies like Google, Facebook, Microsoft and Amazon pull the strings, own our data. And that has major implications for our digital resilience, Van Ginneken believes. For her, this is one of the biggest challenges: Big Tech must be curbed. "Digital technology is of course super important, but it should not be the case that companies like this set the rules of the game. With their algorithms, they shape the public debate. And that is often not positive. Seditious content is given priority over nuanced content. That's really shocking."

    In late March, the government closed a deal with Google Cloud, so civil servants can continue to use Google's services. Think storage and word processing. Given the criticism of Big Tech, then, isn't it crazy that the Cabinet, which includes D66, is making a deal with this company?

    "I have to tell you honestly that I haven't really looked into that yet. My understanding is that additional agreements have been made regarding AVG compliance. Google will be more compliant with the privacy measures that apply under European law. We also made those agreements with Microsoft, for education, among other things."

    Can you really believe them on their proverbial blue eyes? The way they handle our data does not bode well.

    "You are right about that. The agreements must also be verifiable somehow. But I wouldn't say in advance that you shouldn't engage with these kinds of companies. Citizens use it too, so why shouldn't you as a government? I think that's a little crazy. Let's keep the debate realistic." In March, Van Ginneken asked questions of State Secretary for Digital Affairs (and party colleague) Alexandra van Huffelen about the cloud services of another large and market-defining tech company, Microsoft (1). She has yet to hear anything on that. "It remains quiet, but I am keeping an eye on it and will ask for another reminder," she said.

    When are you satisfied at the end of your first Chamber term?

    "I don't have any concrete goals I want to bring in. What I think is very important is more digital awareness. That our society is more digitally resilient. That citizens have more control over their own online data. Personal data has become a commodity. People who use online services have very little control over it. Their data is now a means of payment. And that endangers all kinds of public values, with the ultimate consequence of undermining the democratic rule of law. In the coming years I am committed to preventing that."

    1. https://www.tweedekamer.nl/kamerstukken/kamervragen/detail?id=2022Z04151&did=2022D08492

    Share article

    Comments

    MORE REACTIONS

    Leave a comment

    You must be logged in to post a comment.

    ARTICLES

    The mega fine for Meta, what's in it for us?

    Background articlesEXPERT

    Interview on five years of AVG: barking privacy watchdogs don't bite

    Background articlesEXPERT

    Is an app builder a data controller and is intent required for an AVG fine?

    Legal ArticlesEXPERT

    5 years of AVG - Data Protection Officer & Privacy Officer indispensable

    Background articlesEXPERT

    It will be five years since the General Data Protection Regulation (GDPR) went into effect on May 25, 2023. In a five-part series, we'll explain some of the issues that will affect our...

    AP fine for Social Insurance Bank: importance of 'risk-based' security level

    Legal Articles
    Versluis, Viviënne

    European Parliament committee not enthusiastic about new transatlantic privacy shield

    Legal ArticlesEXPERT

    Avg and international transfer: what does it mean for your organization?

    Legal ArticlesEXPERT

    Along the AVG yardstick: hospital must pay damages for inadequate protection of patient data

    Background articlesEXPERT

    Does a patient have a right to see a medical opinion?

    Legal ArticlesEXPERT
    Lora Mourcous

    Expert membership

    Expert membership

    Benefit now

    Current affairs AVG and Privacy law

    Using case law, opinions and decisions of the AP and opinions and guidelines of the EDPB, get a complete and clear picture of how further interpretation is given to the mostly open standards in the AVG and UAVG.

    Learn more

    Privacy AVG checklist: privacy policies in 57 checklists

    View book

    Privacy in the workplace

    View book

    E-course AVG

    The General Data Protection Regulation (AVG) sets standards for the processing of personal data. For every organization and company, it is important to be aware of the possibilities and limitations this law means. In this e-course, Mr. Corrie Ebbers, independent privacy lawyer, takes you through the complex yet fascinating subject of this privacy law. Using several practical examples and applications, the most important parts of the AVG and the UAVG (the Implementation of the AVG) will be discussed.

    Learn more

    Join PONT | Data & Privacy

  • Access to Knowledge Base
  • Read e-books
  • Contact with peers
  • Own news overview
    • BECOME A MEMBER

    General

    Service

    Navigate

    Berghauser Pont Media Group

    CONTACT

    𝕏

    Copyright 2025 Berghauser Pont | Website created by Buro Zero