Interview Gerrit-Jan Zwenne: Privacy law and the National Privacy Conference
E-law is one of the fastest growing sectors in the field of law. It owes its existence to our information society that is constantly developing and continuing to digitise. Gerrit-Jan Zwenne is Professor of Law and Digital Technologies at the eLaw Department at Leiden Law School. In 2023, he is organising the National Privacy Conference for the 15th year in a row. ‘Privacy legislation is evolving at a face pace – that’s what makes this field of law so challenging.’
The National Privacy Conference is a huge success each year. How do you explain its success?
It started as a small event with around 60 professionals from the privacy sector. After the introduction of the General Data Protection Regulation (GDPR), both e-law and the conference really took off. The last edition was even sold out a month beforehand. Over the years, it has proved to be an important conference. Now we have decided that we want to keep it relatively small with a maximum of 140 participants. After all, it is aimed at people who are working in the field of privacy and data protection law and who don’t need the basics explained to them. We're aiming for an “intimate” Dutch conference at an academic level for practising lawyers who are involved in the topic on a day-to-day basis.
What are important themes at the Conference?
I think it's important to always look at current issues: something we noticed in the past year that will become relevant in the coming year for those attending. We'll also look at complicated themes in more depth: what is personal data? When is a privacy breach the result of a data leak? How do you prove that identity fraud was caused by a data leak and not carelessness?
What was an important theme in the past year in the field of privacy law?
Class actions aimed at compensation. We’re seeing an emerging wave of legal actions against big companies such as TikTok and Facebook. These companies go very far in the use of personal data and these class actions claim damages for all users under the GDPR. We’re talking about huge amounds of money. Imagine the Netherlands has 10 million Facebook users and for each user you get between 250 to 500 euros in damages … that’s around 2.5 billion euros. With that kind of money, you can get large numbers of lawyers working to prepare a summons. Behind these class actions are big investors who are willing to spend huge amounts of money on this. Imagine if one of these actions is successful, then they will have earned back the money for all other actions many times over. This is interesting for the Privacy Conference, because participants are going to be involved in these actions in one way or another.
What attracts you personally to privacy law?
I’m fascinated most by technological developments, especially in the field of information technology. It forces us to redefine existing legal concepts. For example, we know about privacy of correspondence, but can you apply that one-to-one to an e-mail? This makes you look again at this legislation. What’s more, we want privacy legislation to be technology-neutral. You can think up a regulation for e-mail, but what about WhatsApp? Privacy law tries to get around these issues by using vague concepts and neutral technology. Privacy of correspondence, for example, becomes ‘confidential information via telecommunication’.
Doesn't this lead to problems in interpretation?
Absolutely. Vagueness leads to legal uncertainty. But that’s what makes this field of law so wonderful. It’s been around for roughly 50 years now, and it’s still changing constantly. Sometimes it’s complicated because there’s not much to guide you, but that also makes it challenging. It creates the space to formulate your own arguments and rhetoric based on case law, literature and existing legislation.
How do you see the future of this area of law?
A lot is going to happen in the next two to three years. Brussels is working on an AI regulation that will have a major impact. The GDPR will also at some point have to be redefined. I’m certain that these developments will keep us very busy in the coming years. Another factor to consider is that ICT soon becomes a transboundary issue. Everything you use is a sensor – your phone, your travel card, your smart metre … they all store information. It’s not easy to steer these technological developments. So we have to look at the parameters: the balance between the amount of data that can be stored, and the freedom you have as a person not to be constantly monitored. This will be the greatest challenge. After all, we can introduce tough regulations to steer AI in Europe, but if China and the US don’t have such legislation then their technology will have a huge impact on our lives.
On Tuesday 28 March, the sixth edition of the VPR-A Specialisation course Privacy and Data Protection Law will start. This Dutch-taught postgraduate (JPAO) course is intended for lawyers and other legal professionals with two to three years’ relevant experience.
The cost of the course now includes the latest edition of Tekst & Commentaar Privacy- en gegevensbeschermingsrecht van Kluwer ( €160) and free entrace to the National Privacy Conference 2023.
Meer informatie (in Dutch).