The GDPR is rightly celebrated as improving data protection rights in many areas. But the law has also been criticised—both by “big tech” lobbyists and dedicated privacy professionals. Does the GDPR impose a disproportionate burden on small businesses? Is the one-stop-shop preventing any serious enforcement? And could the GDPR’s data transfers lead to a “splinternet”? This session will take a nuanced look at some of the issues data protection professionals experience when implementing the GDPR’s requirements.

 

Transcription – 

Robert Bateman:

Hello, welcome back to PrivSec Focus: GDPR four years on. I’m Robert Bateman, head of content at GRC World Forums and the host for today’s event. Now, it’s been a fantastic day so far but it’s not over yet, we have one final session which should be a good one. What is wrong with the GDPR? Some constructive criticisms from privacy professionals. Before we go ahead with that, I’d just like to say a big thank you to our sponsor for this event, OneTrust who are helping us make this happen today, and remind you to please ask your questions of the panelists. It’s great to have audience interaction, you’ve asked some really good questions so far today. I’ll hand over now to our moderator for this session, Alain De Maght, who is CISO and DPO. Alain over to you.

Alain De Maght:

Good afternoon everybody. Thank you very much Robert. I’m pleased to be part of this session today and to moderate this session. Before we go to speaking with the two participants here, just to set up the context actually. Data protection laws have existed for a long time, and especially in the medical sector, it has been really part of the culture to include something about privacy and protection of the data. There is no ambiguity on the fact that the digitalization of the activity and the digital transformation effort in many sectors of the industry have significantly accelerated the valuation of the data, but have also increased the risk on the usage of the data. GDPR actually has been significant and the shaping of GDPR has been a very challenging adventure for the persons that were involved at the very beginning.

It started year four starting let’s say at the end of 2011 or something like this. During four years of the negotiation before it came into force in 2016, so there were four years of [inaudible 00:03:14] at the European level. Simply because data is at the heart of the economy and it’s basically touching all the sectors of the industry, and it’s touching almost every single activity of the different activities of the enterprise. We are talking about GDPR about data protection. Protection is the word used for GDPR but in more general what is privacy law. What you see is beyond GDPR you start to have a lot of laws across the world. So in different parts of the world, and they could be sectoral or they could be global.

On top of GDPR so you’ve got a lot of other laws interacting and privacy is getting a clear subject of attention for all the different organizations. Today we are at GDPR year plus four, and this is the time actually to evaluate or this is a good time to evaluate actually about GDPR. What are basically possibly the limitations that have been identified? This is today why we’ve got the subject about what is wrong with GDPR. To speak about this topic we are fortunate to have on board basically two persons. Natalia can you hear us?

Natalia Stenbrink:

Yes.

Alain De Maght:

Natalia so welcome on board this panel, and please could you briefly introduce yourself?

Natalia Stenbrink:

Sure. My name is Natalia Stenbrink, and I am head of the global data privacy program at Sandvik AB it’s headquarters… Sandvik is an international engineering and mining company headquartered in Stockholm, and we have over 40,000 employees worldwide. My primary responsibilities are to provide the strategic support and targeted operational support when it comes to data privacy, especially within EA where most of the action occurs. But also as we know, through the last four years throughout the globe where emerging data privacy laws have been enacted and where we do business. My scope just keeps expanding as we keep facing more disruption within the GDPR countries. I’m pleased to be here.

Alain De Maght:

Excellent, thank you for being part of this panel and we are looking forward to listen to your opinion on this matter. But we should not neglect also that we have another, a second panelist, Olumide. So please join us and so tell us who you are and what basically is your core activity?

Olumide Babalola:

Thank you very much for the invitation. I’m a private legal practitioner based in Nigeria. I’m also a researcher and an author. In 2020 I published a book, a compilation of about 144 decisions of the European courts on data protection. It’s a case book on data protection on several areas that have been litigated on data protection. Most importantly the privacy directive, not the GDPR because just recently we started having decisions on the GDPR which is still four years and we’re still struggling in terms of interpretation, in terms of enforcement, in terms of the impact it’s expected to have made. I’m pleased to be here, thank you.

Alain De Maght:

Thank you for this introduction. Going back on the subject of the GDPR, and so GDPR came into force in 2016 and is applicable as of 2018. If we practically look… Yes, this is true it’s applicable since 2018. But normally all the organization had a little bit of time between 2016 and 2018 to be compliant because the first day of the compliance, whatever could be the level, was actually on 2018. We’ve now at least four years of experience about GDPR so and really relying on GDPR doing all the compliancy effort on GDPR. Starting with you Natalia, would you maybe identified a couple of areas where GDPR is there? Maybe we could have maybe start with one area and then we will explore a little bit further with a different area as part of this conversation. What actually maybe would be better or would be wrong, or tell us a little bit your experience?

Natalia Stenbrink:

That sounds like a good plan. I want to best premise my perspective with the fact that I’ll be speaking from the business point of view, from the view of companies that are trying to achieve their business goals while still respecting personal data privacy, and also trying to comply with the GDPR. When I speak about or when I offer suggestions for improvement, please understand that’s with the implicit understanding that I still believe individuals’ personal will be reasonably protected with requirements and measures proportionate to the risk that such processing would entail. That’s implicit in all of my suggestions. That we aren’t watering down rights or obligations on a company where it’s needed to really protect the data subjects based on risks. I think I’ll start with the first area, which is a fairly easy one to speak about that I think needs a little bit of improvement, some clarification here. That is with DSARs, data subject access requests.

The requirements have created immense costs for companies, which I don’t think are proportional to the benefits received by the data subjects, at least the way it’s being interpreted it seems by the what I perceive from the regulators at this point. If you work for a company trying to comply with GDPR, you understand that it’s basically the DSAR obligation has caused companies to create a new customer service offering, and of course at no profit potential, it’s solely compliant. This customer service offering to all its stakeholders, employees and other, including customers and all stakeholders in which the company processes data as a controller, requires of course a 30 day response time. I’m not suggesting any changes in the response time, but we also know that this requirement entails very time-consuming when it comes to costs and resources, human resources, teams and different functions. 

Especially if you get into a global and wider decentralized organization, it creates a lot of manpower requirements to search for different types of personal data. In IT systems, in decentralized IT systems, unstructured such as email. Not just searching for the personal data being requested, but also to go through all this data to ensure that we are not releasing third party personal data that should not be released. This creates a lot of stress, a lot of cost, a lot of time. I think the purpose of the DSAR obligation is good, it creates the transparency the data subjects need in order to exercise their rights, so it’s very much needed. But I think how we can make it a little more balanced between the company’s burdens and benefits to the data subjects would be if we made it clear that, and we through, there are different ways to make it clear. 

It could be through regulator interpretation guidance through decisions that it is perfectly okay for companies to give sufficient summaries of the data being held, and not the actual copies of data that are being held. It doesn’t provide any more transparency to provide an actual copy, but it creates immense cost if you were to say have to go back and for example camera footage of people coming in and out, to have to go back and actually find copies of that. Where it should be enough to say yes, if you visited our offices you would’ve appeared in our camera footage with some information about how long that is kept, but it’s deleted after 24 hours, 48 hours so forth. I think that’s a fairly easy one where there’s a need for improvement and where it would be quite easy to make it more balanced.

Alain De Maght:

Before we go to another area and to have your opinion on this Olumide. Are you also facing the same challenge, or do you see the same difficulties when it comes to the processing of the request on DSAR request?

Olumide Babalola:

Because I’m not speaking from my own perspective as a business owner or business representative, I wouldn’t have such an experience. I’m a private practitioner and I honestly can’t speak to that in terms of the experience she has had. The impression I just have about the provision of the GDPR with respect to DSAR, is sometimes it makes it difficult for even the data controllers to understand their obligation. For example, it says where the subject makes a request, they must comply within a reasonable time. Reasonability sometimes is very subjective. Although at the end of the day the GDPR provides for a number of days afterwards. 

But it boils down to the fact that the data subject will ultimately have to wait for that number of days, 30 days in some cases, sometimes it depends on the exigency of that request actually. I think it sometimes makes the obligation not so clear-cut with respect to DSAR. That’s also similar to breach notification. It also says, GDPR uses the phrase reasonable time. Reasonable time most times it’s a subjective thing it is not even objective, because what is reasonable to the data subject may not be reasonable to the business owner, to the controller. Sometimes these things need further clarification from the point of view of the GDPR.

Alain De Maght:

Okay so it means… Thank you very much for this direction here. But then coming back to you Natalia, what do you think and considering what you identified as let’s say in your wording might be unbalanced effort considering the size of the risk. Then what would be let’s say the guidance there? Let’s assume that you would have to rewrite the GDPR, what would you say maybe in there or how should it be maybe improved?

Natalia Stenbrink:

I think that’s a good question to bring me to the area in need of most improvement and where I would make clarifications to the GDPR. Again, there we can talk about this later but there are different ways to make these clarifications. You could amend the GDPR that would entail a lot of work at EU level and with all the member states. But there are other ways that could be more efficient, such as guidance EDPB guidance and further guidance by the member state authorities that would be in line with the EDPB guidance, as well as decisions that would follow the guidance. The area, to get to your question Alain, the area that is in need of most improvement I would say is the risk-based approach of which the GDPR was founded upon. I think this is the most concerning development going in the wrong direction in the past four years, is that authorities seem to be showing a very almost blatant willingness to discard the risk-based approach that the GDPR was founded on.

Alain De Maght:

Let me ask you, let me challenge you a little bit on what you said actually in this. Basically, there is this unproportionate effort, basically because it’s a lot of effort to go via all the different systems. Then the other aspect is about basically the risk, the risk evaluation and what needs to be done. If we’re looking on the system side, let’s assume that you would have maybe a different data governance or maybe system would have better traceability functionalities in order to accommodate compliancy, it would be probably might be easier. The question here is it actually because the regulation at this time makes it unfeasible considering the states of the technology in terms of all the traceability that is necessary for the [inaudible 00:18:09], or it’s simply totally unreasonable whatever could be the technology?

Natalia Stenbrink:

No, I don’t think the technology is the problem in the GDPR, I think it’s how it’s being interpreted by the regulators. If you look at Article 32, it’s very clear there the obligation on companies, processors and controllers. That companies should implement measures appropriate to ensure its “to ensure a level of security appropriate to the risk.” This of course means implementing appropriate technical and organizational measures that are proportional to the risks to the data subject. That’s an example of the risk-based approach, which was very much discussed during the negotiations leading up to the final version of the GDPR. That’s where you see very clear expressly showing that controllers and processors should take that into account in their security measures. I think that would take care of the systems and technology. It’s more in how it’s being… I can give further examples in a moment or when you think it’s appropriate. It’s more that regulators are not considering the risk-based approach when they’re judging whether companies are complying with the GDPR.

Alain De Maght:

I think we have only 40 minutes then actually we could have an entire session just on the DSAR. But still, I would like to pick at least one question in the audience. It says what are the most effective ways to maintain records of processing activities by maintaining to facilitate timely compliant with DSAR? Here basically they are the question about what is the most effective way to maintain record of processing activity, to maintain and facilitate timely compliance with DSAR. Based on your experience, did you organize already some, there are some build in maybe procedures or processes that are in place to ease these processes, or do you have maybe already some inventory of data so that you can already access this? What is your guidance or did you implement that?

Natalia Stenbrink:

Yeah, I can answer the question, but I will back up and say the problem of the risk-based approach being neglected right now by authorities is not just limited to DSARs. I’m looking at this as one whole aspect of improvement, area for improvement for the entire GDPR. I’ll give an example of that after I answer this question, and we might want to hear from Olumide as well. But as far as DSARs yeah, I think you have to have done your preparatory work and mapping of course in whatever way, Article 30 mapping requirements will help with this to identify what types of data you have, what types of data subjects and where it’s located. Systems such as OneTrust for example could be used for that. 

I do think you’re going to need to automate some of this. But most of the searching, and we ourselves also have a supplier that helps with the management of DSARs. The intake, how it’s received, the queue and managing the entire process from intake to responding with the requested data. The actual part of searching within our own systems, that’s still very manual and very, very time-consuming. I do understand there are suppliers that are trying to automate this, but it’s still very difficult when you deal on a decentralized company with decentralized system.

Alain De Maght:

Excellent. Olumide maybe in one minute before we go to the next topic with you Natalia, another area. Olumide what is your advice-

Olumide Babalola:

Yes, I think I will always support organizations having in whatever form they want to have their record RoPA, in whatever form they want to have their record of processing activities, whether as inventory, whether as data book, whether as data forms. The most important part is knowing the data entry points. It is very important because it helps them to even be able to answer this DSAR quickly. If you know the points from which you get data, either from your customers, from your employees, from prospective employees, from users of your platform, you are able to identify those entry points, so it is a lot easier for you to answer requests or to put the request in proper perspective when they come. I would always support having an inventory as even the first point of compliance with data management for any business, the inventory is quite important.

Alain De Maght:

Thank you for this. Natalia sorry, is there another area that you have identified that should be subject to improvement?

Natalia Stenbrink:

Yeah, I think let me dive deeper into this risk-based approach area that I feel is being ignored. I think I should give an example. There are two aspects to this problem that I consider under the risk-based approach umbrella issue. First, that the risk-based approach should also be applied by the authorities in courts when assessing liability, when assessing whether a company has complied with the GDPR and sanctions. Second, actually a lessening of certain obligations should be clearly expressed for low risk data. There actually should be some of the obligations that apply regardless of whether the data is low risk or high risk, whether the data is highly sensitive or business contact information, which a simple Google search would find, we have many of the same obligations. I think actually where it would be really beneficial to encourage innovation and business growth and jobs in the EEA would be to actually expressly lessen some obligations for low risk data. This might be more clear if I give a concrete example that happened recently. That is with the, many of you will know that there was a big decision by the Austrian Data Protection Authority regarding Google Analytics.

Alain De Maght:

Mm-hmm.

Natalia Stenbrink:

This falls very squarely under our recent Schrems II judgment, and all the disruption and follow-on guidance and requirements that have happened since then. Of course, also we could spend another hour just on that decision so I’ll try to keep it very high level. But basically there was a decision that data could not be transferred. If you look at the case, if you read the reasoning, there was no consideration about the risks to data subjects. First of all, the personal data being transferred from what I’ve seen very low risk data, and also you have what is the risk that authorities would even care for that data or even if they did care for that data, that it would cause any harm because it would be the same type of data you could find on the internet.

Alain De Maght:

On the public internet.

Natalia Stenbrink:

Yeah on the internet. Now, I’m highly summarizing that case. But the point there is that even the Austrian DPA did not even follow the very conservative EDPB guidance, the latest guidance after Schrems that allows a consideration of is there a real risk that authorities in a third country would actually care to even access that data, even if theoretically they could under the law? There was nothing of that kind of analysis. I think it’s really concerning because it causes huge disruption in business, which has follow-on consequences to other interests outside of personal data protection. As we all know, as much as this is my career and my passion, there are other interests such as innovation, encouraging international trade, to improve our society, to improve technology, for climate change, etcetera, etcetera. All of these interests should be also considered, especially when you’re restricting the international flow of personal data for no real risk of harm to data [inaudible 00:27:54]. Maybe that’s what I’m thinking.

Alain De Maght:

I’m hearing your point definitely. Olumide, about this risk-based approach and the way the risk is evaluated considering maybe the classification of the data as Natalia suggested, what is your opinion there?

Olumide Babalola:

Yes I think I agree with Natalia as far as business exigencies are concerned. Even the GDPR has decided, or I mean classified personal data in terms of the accessibilities. The obligation expected with respect to certain data is not the same, it doesn’t go across board. For example, handling of sensitive data attracts different obligations and different sanctions or different expectations on the behalf of businesses, as opposed to other kinds of personal data. This is why the organizations must be able to evaluate the risks involved in handling one part of data, one kind of data, one class of data from the other.

Alain De Maght:

Okay. In the audience there is a question that is popping up here about the disproportionate effort. The question is there is would you address disproportionate effort, who determines clarification and time for specific market practices to develop? I guess somewhere when we, the discussion about the risk and what should be done, and there is also the discussion also what is the size of the effort that you need to do to address the risk? Is there actually a definition actually of what is disproportionate effort, and do you see some variation depending on specific markets?

Olumide Babalola:

I think these are part of the shortcomings of the GDPR. You give someone an obligation and you still give the person some form of discretion or some form of latitude to determine what is convenient and what is not. It makes it very, very vague because the disproportionate effort is determined most times by the controller. It’s the controller that says oh, the effort we’re going to put or the technology we’re going to put into making available this particular kind of data is disproportionate to the interest of the data subject. Except data protection authorities, except supervisory authorities begin to set clear-cut parameters for this [inaudible 00:30:32] effort, we might continue to have this kind of situation where we have this uncertainty. I gave a similar example in the past where the regulation uses the word reasonable or unreasonable, and who determines all these things? What determines all these things? What are the parameters? What are the ramifications? I think this is one of the shortcomings of the regulation which needs to be further fine-tuned.

Alain De Maght:

Natalia, do I understand that you have also this perception or does what Olumide say right now it’s reverberating for you? Do you agree with that?

Natalia Stenbrink:

Yeah, I do agree with that. Also, with the question I think the premise of the question that that is hard to define, what is disproportionate? But I think as in many legal matters there’s not a black and white answer and you have to make an assessment. But it is still difficult, and agreeing with Olumide these things could be made more clear with guidance from the authorities. They could tackle this question what is considered a disproportionate effort.

Alain De Maght:

That they would have a common understanding and a common agreement so that would be applicable and maybe customized by different markets maybe. Do you think that all the market would have the same strength or maybe the same constraint, or a different way of defining what is proportionate or not?

Natalia Stenbrink:

This discussion right now reminds me of the legitimate interest balancing test. I think that could be helpful to take that principle where we’re balancing the interest, the purpose of the actual processing in question, with the risks to the data subject. We do that in a legitimate interest balancing test. If the legitimate interests documented are very high, and the risks to data subject, if we’re talking about an international transfer of data, the Schrems case, where what’s being transferred is perhaps in a cloud service, it’s you need business contact information, email address, phone number, name, and perhaps there is just business type information associated with different individuals named. Even if that were to be inappropriately accessed, we should address those security concerns absolutely should not be watered down. But even if that were to be inappropriately accessed, what harm would that cause to an individual?

Perhaps the reason for transferring the data is that you’re sharing medical cancer research information. Or when you look at Google Analytics, I think it’s easy to say oh, well that’s just a huge US company we don’t really care about that. But Google Analytics employs a lot of people in the EU, and it also enables a lot of good business insight for businesses to understand their customers and to employ their marketing efforts in a smart way. Again, I’m not saying we water down the transparency notice requirements or consent requirements, not that at all. But when we’re restricting the transfer of such information for a very low benefit to data subjects, but very, very high cost to society and businesses, impacting the EU, because of course Google Analytics has a lot of EU subsidiaries, right? Subsidiaries in the EU that employ a lot of people. I think then it becomes unreasonable this kind of interpretation.

Alain De Maght:

Thank you very much for this input. Actually we are 10 minutes away from the session and actually already the two points have been very intense in sharing and saying experience. There is another point because the audience seems to be very concerned and attracted, I see some point there about everything just extraterritoriality. Basically it means that GDPR is a European regulation, but basically it applies to the entire world doing business with European companies. So based on your experience, because you are both in an international context, what is your perception about basically what the GDPR is creating as a requirement or call it constraint or whatever on companies from non-European companies that are doing business with European companies? Do you see then actually is it kind of a show stopper? Is it a constraint? Do you think that the communication is clear enough about what needs to be done, it’s readable enough? What is basically your experience on all this data protection is creating in international context?

Olumide Babalola:

Thank you. I think first thing that comes to mind is the practicability of these things. Conflict of laws, application of European law in Africa for example, or application of European law to Africans or to companies based in Africa, it’s not 100% applicable. Because even if a company in Nigeria for example, offers services to citizens or residents of the European Union or within the GDPR’s catchment area, the first question that comes to mind is in what court? This is where we have issues of conflict of laws. In what court do you enforce the breach? Is it in European court or in African court? If it is in European court, do we have issues of extraterritorial jurisdiction? It will be very interesting to see how this plays out in a decision where GDPR will be applied to a company or to a data controller outside of the European Union catchment area or the GDPR catchment area.

It’s been discussed academically, but how does it play out in practice is what nobody, not yet I haven’t seen any decision where it has actually been applied. Even part of the problems of GDPR now is that of the enforcement, the sanctions, the fines. A lot of companies have been fined, when they approach the court either the fines will be set aside or the fines will be put on hold. So far so good, how much of the fines have actually been finalized as we speak? Dealing with controllers within the region is one thing, dealing with controllers outside the region is even a bigger herculean task.

Alain De Maght:

Natalia on this point about all this extraterritoriality and all the conversation that is taking place between then the supplier and let’s say, and the customer. How do you see that from your international position?

Natalia Stenbrink:

On one hand, the GDPR extraterritorial obligations have caused a lot of countries to enhance their data privacy requirements to pass new laws themselves. That’s a positive ripple effect I believe. But sharing also Olumide’s concern about well, there’s the concern of enforcement, but also how applicable is all the GDPR protections in a third country outside the EEA, I think is a relevant question. I just have to keep coming back to the Schrems II example because it illustrates so many of these issues. In data transfers we know that, in the Schrems II court, European Court of Justice made clear that the recipient country still has to provide essentially the same level of protection as the GDPR. But we do see in places like the US and other democratic societies with the very high level of very established level of rule of law, that there are different ways to look at data protection.

I think at sometimes, and I think this was maybe the case of what you were saying about Africa, is that I don’t think we can expect that countries have to have I think that essentially equivalent is becoming too much to be like must be almost identical, or must be… What does essentially equivalent mean? There’s an issue for more clarification. But I think it can be interpreted to putting the requirement that other countries have to have the same level of protection, not essentially equivalent, but the same level. That’s obviously not correct, how can we impose our laws on other countries? I think what we’re getting to is a fortress Europe type mentality when it comes to personal data protection.

Alain De Maght:

We still have actually four minutes to go, and I’d like to make at least a one minute closing conclusion for each of you so it leave at least a point that I still would like to mention actually. We are actually data is a key resource, is a little bit like money would be a resource. Basically you start to have a lot of regulation anyway I see there are a lot of questions and we won’t be able to listen to all the questions. But something that I see regularly in the list of questions is like we start to accumulate a lot of laws. Even in one region of the world you start to have multiple laws like GDPR, ePrivacy, whistleblowing, and some specific also by sector. Then you extend that outside of Europe you’ve got multiple laws. We are not talking about data protection, but data protection as part of data privacy. Do you have then actually some possible element of guidance actually, or where do you, how do you feel about all those laws that we are starting to stack up, and is it manageable or how do you see that Natalia that is for the future?

Natalia Stenbrink:

I’m not sure if I understand the question, maybe-

Alain De Maght:

The question is that we’ve got more and more laws, not only GDPR but you start to accumulate all the different laws and sometimes they are in conflict with each other. What type of guidance there could we have? Because I’m not sure that the regulators are going to start to minimize the number of laws. I’m not really sure that is going to be the case. It’s basically then considering this factor, what actually is the best way to do?

Natalia Stenbrink:

Do you mean laws within the EEA or also conflicting-

Alain De Maght:

Well actually if you are an international company it depends on your scope. But for the one that are truly international and covering the world, you’re starting to be challenging, right?

Natalia Stenbrink:

I’ll try to be really quick about this since I know there’s a little time. I don’t know if this will completely answer your question, but one thing that does come to mind and you mentioned this earlier was mentioned the conflicts of laws. That’s another area that I actually had on my list of what could be improved because we have sanctions laws. We know now how important or not important but prevalent that is now with the Russian war. We have Article 10 forbidding the processing of criminal data. There’s a conflict there where member states have interpreted what is criminal related data. 

Companies we face this very much so, that are trying to comply with anti-bribery laws, with sanctions, restrictions, international laws, then find a tension and conflict between what the GDPR is saying is allowed in those areas of processing criminal related data. That is a problem, and that needs to be rectified. One solution is to carve out specifically that yes, for this very important societal interest of preventing, detecting anti-bribery corruption, and also to encourage the other countries to abide by certain international standards. Those are very lofty interests that there should be exceptions explicitly made for that kind of processing. So yes, there’s a lot of conflicting laws that are causing much confusion and stress for-

Alain De Maght:

Okay, Natalia considering the time I think we could have the double of the time to discuss all the point and I see a lot of question also, but 40 minutes is extremely limited to do all this thing. Maybe Olumide on your point just to conclude maybe in one minute what would you say here about…

Olumide Babalola:

Well, unfortunately the GDPR has allowed for that. There are certain provisions of the GDPR which allow member states to formulate their own laws with respect to certain provisions. For example, age of the child, age of consent, the member states are at liberty to formulate. Look at the relationship between the supervisory authorities, they also have their own level. There is the lead supervisory authority, and there is the other ones. So they also have measures of discretion and their own formulation and understanding of the GDPR. I think the law has allowed that. But the law I mean, I know there are conversations around amending the GDPR already. I think there might just be a certain point where all these laws can be harmonized into one. We don’t need several laws for electronic EE directive, electronic marketing and all those things. Everything can actually be harmonized into one. Thank you very much.

Alain De Maght:

Natalia thank you very much for being available, sharing your expertise because definitely the comment there are clearly reflecting the practical let’s say reality you have been facing over the years, and basically what are all the constraint and the limitation that they are creating. Thank you very much for the time. [Inaudible 00:46:06] thank you for sharing all this experience it was very valuable. It was a pleasure to hear from you both and we wish you then a great end of afternoon. Thank you to both of you.

Olumide Babalola:

Thank you.

Robert Bateman:

Thanks so much to all three of you. A great panel, really refreshing to hear some well-founded but genuine-
