Good morning everyone. Delighted to see so many people here interested in privacy, interested in GDPR. It's a very good sign, and I hope that today you're going to hear a number of interesting discussions. There are also a number of friends here from Wire around, so if you're interested to hear a bit more about Wire, please feel free to talk to anyone, approach anyone. So once more, a warm welcome and thank you on behalf of Wire, and I pass the word to David, our host and the moderator for today.

So my name is David Meyer; I'll just introduce myself first. I'm a journalist and writer. I write for Fortune, the International Association of Privacy Professionals, ZDNet and some others occasionally. And I just published a book at the end of last year called Control Shift: How Technology Affects You and Your Rights. And funnily enough, the book discusses the General Data Protection Regulation, which is one of the most fundamental changes in privacy law in Europe and probably in the world. It's likely to be deeply influential because it reaches so many companies, many of whom don't realize what they're about to be hit with on the 25th of May, which is understandable because it's a fundamental law that affects so many parts of our modern digital economy. Some of those impacts may still have to reveal themselves, but hopefully all of them are taken into consideration by the lawmakers. And our first speaker, we're very lucky to have Jan Albrecht, who is the daddy of the GDPR, I think will be a fair way to describe you. A German Green, he is a member of the European Parliament who really shed a bit of the process in the law's creation. So, take it away, Jan.
Thank you, David, and also thank you, Ellen, to Wire, because I think that it is not only the right time to get these discussions started, but also it is absolutely necessary that these discussions are done here and that we are together discussing the possibilities and also the challenges which come out of these new regulatory approaches, but also which come out of the realities which we want to regulate here, because that's also, of course, a fact. It's not only a fact that we have done a regulation and that this regulation will be getting into effect on the 25th of May and that we are regulating the European markets in a new way for data protection, but it's also a fact that the world is changing rapidly, and it is not only touching the question of how the world changes with digitisation, with new technologies, but also how the world is changing with global markets and actors in our lives and the interaction of society in general.

So, it's huge, and that is why I also would say from the beginning: the General Data Protection Regulation, yes, it is a regulation on data protection and the way our personal data in the European markets has to be treated and how individuals affected by it have to be protected, but it's much more than that. It is not only a fundamental law; I think it is a start of discussing fundamental principles of a technologised society and world which is completely different from the past. In the past we have had very basic rules like fundamental rights catalogs, like food safety rules or competition standards, which were affecting many areas of our lives, and we saw very often that's it. But now something additional comes to it, and that is at least data protection rules, but I also see some other new areas like IT security, like kind of platform regulation in this digitalised market, also maybe standards like interconnectivity in services, etc.
So, you see that now there is this technology area, not anymore one area which is specifically regulated and which is separate from the rest of the world, but it becomes a new layer in everything what we do, and so the laws affecting it and the regulation which we pass in this area will also be a layer which will affect all areas of our life.

And that is interesting when we look at the GDPR, because it answers quite a lot of the questions which have been brought up by the technological developments of the recent years. It's not only answering the question how do we enforce standards in a digitised environment where, for example, a company can just choose in which jurisdiction it sits, and an individual will be faced with the fact that I have different apps on my phone, I have different websites I visit, and I never really know in which of these jurisdictions I have, which means I don't know which rights I will have, which protection I will get, which language I have to speak if I want to address an authority or even a court, where I may be needing another lawyer of another jurisdiction to learn that and to get my rights at the end, but where we will see the challenge that individuals really are on a far weaker position than those who are dealing with the data. And this question, that needed to be answered. That was the first reason why we did the GDPR: to make sure that there is no forum shopping, there is no disadvantage for those who are at the end of this, the individuals, who have a fundamental right to data protection and privacy, at least in the European Union, assured by treaties, and we had to do something about it.

The other point is that for the moment and for the last decades we didn't really decide to make it a competitive disadvantage to... we didn't really get there to make it a competitive advantage to follow high data protection standards, but in fact it was a disadvantage to follow them and to be forced by some regulators, at least also inside the European market, to follow
high standards of data protection and IT security. So there was a decision to be made about that, and there were two possibilities to answer that question. One was to say: okay, then we have to choose the lowest standard, because otherwise nobody, for example on the European market, will be competitive anymore if we don't follow the standards of other markets or other regulators in the world. Or we choose to make sure that everybody who is acting on this common market, which is not at least the biggest single common market in the world, we built a common standard which is high, which is trustful and where everybody really needs to accept it.

So one of the big steps with this regulation was to make sure, while we are choosing this option of setting a high standard but enforcing that everybody has to agree with it and to follow it on this market, to ensure that EU law is applied in extraterritorial extent, which is a huge discussion of course, calling the principle behind the market location principle, a little bit like a competitive law, to make sure that nobody can just away these rules by not being seated in the European market but by offering the services or products from the internet to Europeans, and to make sure that everybody will feel the consequences of breaching these laws.

So we did not only choose to get some rules for consistent enforcement between the different authorities in the European Union, but also we chose to impose heavy sanctions on those who are breaking these standard data protection rules, which might in the first place look a bit odd, to say: yeah, but it's just data protection. But in the end it's just enforcement of rules. And of course, if you look at the sanctions, it's always the question: will everybody have to clear the same sanctions? And that is, to be honest, not the case. Sanctions will have to be proportionate always, and that is important as one of the principles which we were bringing into it. It is to make sure that if somebody really thinks he or she can evade
that rules, that there's no way around that without severe consequences.

So these are the two big answers we wanted to give: first of all, again, to make sure that individuals get their right in a digital environment, and secondly, that there is a level playing field, an equal competitive situation for those who follow data protection rules with a high standard or those who don't want to do it or want to spare some money about it. They will all be forced to the same set of standards. And of course you still can go ahead, you still can be more and better about it, but at least if you follow these high standards you're not disadvantaged anymore then.

And I said that it is far more than that, and that there are far more areas we will touch. There's a huge bunch of rules which already anticipate debates which we're having in other areas, for example transparency and information rights, which we would make far more stronger and simpler for everyone whose personal data is being processed. We all know that nobody reads the terms and conditions and data protection rules, and we have so many examples which are so funny, which I don't need to repeat because we all know it's still alive: somebody clicks "I have read the terms and I agree with them", because Bose is wrong. And that is the reason why we chose to really make it a core principle that the information which is given is really meaningful and simple to understand, and that this is also one of the provisions which is in the core of what is to be sanctioned. So somebody who is not making it simply understandable what's happening will be sanctioned, and not like it was before, where lawyers were writing pages of text: you're on the safe side if that is the case. In the future you will be on the safe side if it's as simple as possible, understandable, and I think that it's the right way to do it, to be open and clear about it. And that leads to the point that it even goes in the direction of making available the logic behind the processing of personal
data, which means also the logic behind the processing of all technology which we will have in the future, because in almost all of information technology products and services in the future there will be sets of personal data involved. Not all the data will be personal data, that's also not true; you can always go for anonymized data or for data which is like the size of this room, which is just not personal information. But there will be very often in technology personal data involved, so the standard of making available the algorithms' logic, at least to the individual, will apply to almost all the systems, and that is one of the basic regulatory answers by this GDPR, this regulation.

Another one which is also applying to all systems, and which hasn't been realized until now, is that we have a set of data security requirements, so IT security requirements at the end. Until now we don't have really common minimum standards for IT security and regulatory environments, but with the GDPR, at least if there's personal data somewhere involved in a system or will be involved in a system, you need to comply with a certain baseline standard for IT security. It is quite the very baseline what we foresee there, and we still have to work on it in the future, and I am actually working on it in the European Parliament to create better standards for IT security, but this is the first step into making sure that we go in this direction.

Then we have the principle of privacy by design and privacy by default, and that is something which is so important for the development of new products and services and new infrastructure in the future, to make sure, and it stands representative also for security by design or security by default, to make sure that control is by nature given to those who are getting the services, getting the product, to design on their own if they want to create a weakness, if they want to expose themselves, if they want to go out of their comfort zone and open up for whatever risks possible out
there. And we all know that there might be so many risks today, we are just truly aware of all of it, and that is why these principles, by building in security, privacy right from the beginning with technology solutions and with also default approaches, is a very key part of this regulation, and therefore answering also similar questions in other areas, not only in personal data.

Impact assessments: to do impact assessments of what you do when developing services and products. We have the whole debate about how to regulate machine learning or AI and robotics, interaction with humans. The question of how to do and when to do impact assessments, technology impact assessments, is the core of that, and it will have to be part of what we do and how we develop technology and infrastructure in the future, and the data protection regulation brings that into the center of new technologies.

Also principles and individual rights which are new, like data portability, or also the possibilities to declare an opt-out via technical standards, setting technical standards which are neutral, which are applicable to many data controllers: that is the start of an infrastructure which is opening up for a really eye-to-eye conversation between the individual and those who are offering solutions, technology services, products. The eye-to-eye level is that I'm not dependent on the one who offers me something, but I have different possibilities to go in whatever direction I can. Like when I'm going out on the street, I'm not forced to go one way; I can walk different ways, I can go to different shops or different offers. And that is what we want to achieve also in this area, where the data protection regulation offers one of the solutions with data portability, so you are not forced to, like, lose your data if you go somewhere else, or with technical standards, so that you are not forced to always set different environments, different standards, but you can do it via a technical standard which has to be respected, a discussion
which we by the way also have with the e-privacy regulation when it comes to cookies, for example, or other tracking possibilities: that there is technical standards which you can use and where you can trust that this is to be respected on the other side.

Last but not least, I think that there are also challenges ahead we haven't answered here with this data protection regulation, and that is starting, for example, from data portability. I think that one of the big questions we still need to answer, and that is also discussed in the communications code on the European level, that's the telecommunications regulation, and in e-privacy, is interconnectivity: that there is really an opening up of the different silos which we have been building up throughout the last decades and which is very hard to be opened, especially also when it comes to hardware questions or also encryption, where the standards are completely different and it's not clear how to implement encryption and if it can be mandatory in the future, to make sure we have a secure ecosystem of communication, not only between individuals but maybe also between machines, or individuals and machines. So there is these big questions which are still on the table, and I'm very happy to see what's possible to move forward to that.

But what the GDPR delivers for the moment, and that's the very positive notion which I want to then finish with, is that we have an example how we can approach these new complex technological questions and how we can approach the problem that it is more or less a global question, and networks are to be global and markets will be global, to answer these questions effectively, not only by clicking as a user and trying to get other users to click the same way, but by democratic debates and decision making and by classical way of agreeing to values and basic standards so everybody can trust on, and it's not up to some people who just move us from right to left or try to trick us somehow over the table. And I think that
this is really a huge chance which we have, and where we can see that it's not too late for regulators also to get engaged in progressive and future-orientated regulation in the digital society and digital market, and that this is a very good example, which now, even before it gets into effect on the 25th of May, already is becoming the gold standard for data protection rules, for personal data treatment in the global market. Not because the Europeans were convincing other states to follow them, they are still doing that and they are quite successful with that; because the big players and big companies on the digital market, almost everyone, is deciding to just say: okay, we see that this is standard which I can't just walk around, so I implement it, and it's just easier to implement that for all of my business rather than having a different method approach, which we had until today, where we have had to create solutions for very different jurisdictions again and again. And we see just right now, there were articles just like two days ago in the New York Times, how this is happening rapidly, how there is an investment going into it.

So this is the moment to take it as an initiative, to say: we all know this will be the standard, so the question is only how to get this standard on the road and how to get some advantage out of it. And I think the biggest advantage out of it is to gaining confidence and gaining support by consumers who see that this can be really a positive aspect of products and services in the digital market and in their digitalized life. Thank you very much.