Meet the expert: Mariano delli Santi to speak at PrivSec London

Live at Park Plaza, Riverbank in London on February 28 and March 1, PrivSec London gives global audiences the chance to learn more about Trust, Digital Transformation, Ethics, Data Protection, Privacy, Security and much more.

The event will also provide a unique opportunity for industry professionals to network with peers and develop business relationships.

Mariano delli Santi is Legal and Policy Officer at Open Rights Group, supporting strategic litigation and political advocacy efforts, with a focus on data protection, artificial intelligence, and EU-UK regulatory divergence. He currently works on promoting privacy in the online advertising sector and in challenging the UK Government plans to break away from European data protection law.

Mariano will appear exclusively at PrivSec London to discuss the evolution of the UK’s international data transfers landscape.

We caught up with Mariano for more on his career to date, and for an introduction to the themes on the table at his PrivSec London session.

Could you outline your professional journey so far?

I started as a law student and legal researcher with a thesis on the constitutional aspects of online anonymity and two research reports; respectively, on the protection of journalistic sources of information and the legal aspects of Brexit. I then worked as a data protection trainee for a detached EU agency in Thessaloniki, Greece, and moved to Estonia to study IT law at the University of Tartu. 

Before coming to the UK, I worked as Data Protection Officer for a political party and as legal counsel for several tech start-ups.

I am now Legal and Policy Officer at Open Rights Group, a digital rights organisation that promotes privacy and freedom of expression in the United Kingdom. My main focus is data protection, artificial intelligence and EU-UK regulatory divergence in digital regulation.

Could you give an overview of how the data transfer landscape is changing for UK organisations as the UK’s divergence from the EU continues?

As the UK’s regulatory divergence from the EU seems to deepen, organisations have much to be worried about for the future of international data transfers to and from the UK.

On the one hand, the Government are proposing changes to the UK data protection framework that would expand opportunities to conduct invasive surveillance while reducing public scrutiny, independent oversight and accountability over these practices. 

On the other hand, proposed changes to the UK data transfer regime would not ensure the presence of an effective legal remedy against unlawful access to personal data for overseas transfers. Further, the ICO Transfer Risk Assessment Tool seems to reflect these trends already, raising questions about the UK commitment to ensure adequate safeguards over international data transfers. 

Effective judicial redress, proportionality and independent oversight are at the core of the EU adequacy system. Beyond that, 30 OECD countries committed to implementing these same principles with the recent “declaration on Government access to personal data”. Our Government’s stubborn divergence from these trends carries the risk of isolating the UK internationally, which would ultimately create more friction and disruption to international data transfers.

What technical approaches should organisations use to supplement SCCs, in order to galvanise compliance?

Admittedly, ensuring security over personal data transfers can be challenging, as organisations need to assess the risk of unlawful access to personal data both domestically and in foreign jurisdictions. However, organisations are ultimately in control when choosing how personal data are processed, and can choose to ditch processors or services that expose them to additional risks due to the jurisdiction where they operate.

Technical measures can also alleviate these risks: cryptography, encryption-keys management, and other privacy-enhancing technologies can play a role in ensuring that personal data can be accessed only by the intended recipients.