Over the vacations, I had the opportunity to read the book The Privacy Paradox. The book holds up a critical mirror to the privacy professional about how the AVG is implemented and how privacy risks are handled. From a different angle, Martin van Staveren shed light on how risks are handled in society in an essay in the FD.
The book the Privacy Paradox, released in honor of Privacy Management Partners' 10th anniversary, contains 14 long read interviews chronicled by journalist Peter Olsthoorn with various stakeholders in the topic of privacy. The stakeholders come from academia, including Lokke Moerel (Professor and lawyer) and Beatrice de Graaf (Professor). The administration is represented by Ahmed Marcouch (Mayor) and Munish Ramlal (Ombudsman), among others. Stakeholders from the field include Chris van Dam (Chairman Research Council for Security) and Jolanda van Boven (Human Trafficking Coordination Center). The common thread in the interviews is the balancing of interests that must be made when applying the AVG. How do you, as a privacy professional, arrive at a good implementation of the AVG that does justice to the purpose of this law, the interests of the organization and of the people affected.
In his preface, the author summarizes the book as "a critical book about the implementation of the AVG." And that is true: the interviewees do not hesitate to crack critical notes about the way the AVG is sometimes applied. For that reason alone, the book is worth reading for the privacy professional. The various stakeholders hold up an instructive mirror to us.
From the interviews, the author concludes that the fear of violation mostly determines the consideration and choices for implementing the rules. Translated into my words: in implementing the AVG, people stay on the safe side and avoid any risk.
This risk reflex ignores what the AVG is: a framework law to promote information sharing and innovation with appropriate safeguards protection for people's data.
From a different angle, Martin van Staveren shows in an essay in the FD also shines his light on the phenomenon of risk. His starting point is the FD's investigation into bureaucracy within the Rijksoverheid. The conclusion is that it has grown to "rare proportions."
In his essay, he seeks an explanation for this. His thesis is that risk aversion is the cause of the unbridled growth of the civil service.
According to Van Staveren, we have a collective craving to avoid trouble. This is because, as human beings, we have a need to feel safe and have no fear. Uncertainties do not contribute to that. Therefore, they are seen as risks that need to be mitigated. One of the mechanisms to mitigate risks is control and management. Thus, we perceive uncertainties not as opportunities but as risks that must be brought into control.
The paradox is that right now we are living in a changing and complex world where uncertainties are only increasing. We therefore need to put more and more energy (and manpower) into risk management. According to Van Staveren, this explains the growth in the civil service.
The author therefore advocates a different approach to risk management. It should no longer be the time-consuming tool used to maximize risk avoidance as it is today, but as a mindset to achieve goals despite the uncertainties involved. He concludes his essay by calling for more risk to be allowed.
The calls of the interviewees in the book and the reflections in the essay, in my opinion, compel the privacy professional to take a critical look at their own actions.
The privacy professional in particular lives in a world of rapid change and many uncertainties. Technological developments are happening at lightning speed and create many issues in the privacy domain.
In response to this uncertainty, the implementation of the AVG often involves opting for optimal control and management of privacy risks. Van Staveren's essay makes clear that this is an understandable and common but debatable response to uncertainties.
The interviews from the Privacy Paradox make clear that this also ignores the purpose of the AVG: namely, to provide adequate protection for personal data in information sharing and innovation. To provide a framework so that individuals' privacy is adequately safeguarded in information sharing and innovation. The purpose of the AVG was never to eliminate all privacy risks.
Thus, when implementing the AVG, the privacy professional should not only focus on the maximum elimination of risks, but also realize the opportunities. Proper implementation of the AVG encourages innovation and information sharing with safeguards for personal data.
