And this is the English translation, so I should speak English. Welcome. So, one of the principles of the hacker ethic is to protect data and humans alike, but not many people stick to its values, such as secret services. The principle is, of course, to protect private data and to use public data, but what these people do is to use private data, while the data that should be the fabric with which secret services could be controlled are protected. The next speaker doesn't find that correct at all. He actually, within the last 42 weeks after the Snowden revelations, held a rant in front of the German Chancellery each week. An applause for that, please. And what does someone do professionally who rants about data protection for 10 months? Of course, he is the data protection officer at his employer's, but he's also an activist. And with his channel, the Rundfunk, he fights against the publication obligations, the publication restrictions for public broadcasters, because they have to delete their stuff after a certain period so as not to compete with private broadcasters. Now, last hall, or "the Poop" as we better know him, will talk to us about the Data Protection Regulation. It's a terrible word. I'm sure there's a lot of fun in the English translation. Well, I know the term. So, what we can do with it and what that changes for us. An applause, please. Yeah, well, a very good day to you. Nice that you all came. The interesting thing is that people see that data protection does enthuse people. It fills large halls. As the Fred Astaire of data protection, I am happy to find such broad interest. Now, the talk about the EU Data Protection Regulation I titled "Rights for people, obligations for companies, opportunities for us", which is a bit strong. It could be called clickbait as well, but there is a lot of meat in that law, and you will see where soon. Just briefly about me: you can see there, you can see me twice, once in the real world with the tie and suit.
And this is when I'm around professionally, and then in the way that you know me. And of course, why is this important? This is the disclaimer, because everything I say, I say as a data protection activist, and it is not a statement by my employer or any customers I have. I am 43 years old, and ultimately, what is important is that everyone that came here, everyone that came to the Congress, should be pointed to two events that shaped me. One of them was the hacker conference in the Netherlands in 2001, Hacking at Large. Why was that important? Because the whole hacker ethic, all those people that work on changing the world together and improving it, I got to know at those events, and they completely excited me and enabled me to carry on. And then at the 22nd Chaos Communication Congress, it seemed like some kind of revelation came upon me, and there were two talks there that were kind of the foundation of what I became and why I'm standing here now. One was a talk about the then still new freedom of information law. And I realized it's great that there are rights out there that we as citizens, as humans, can use to, as they say, call for transparency, and that transparency is an important cornerstone of data protection. And the second was the speech by Thomas Maus about the health card. And effectively, the three hours that he was talking about that card were the initiation for me to not just be a nerd and an IT worker, but also to become active in data protection and shape that as much as I can. And you as well can shape data protection, whether it's in your company, where you can call for data protection and point others to it. That's important to me. So that's why I'll start with my call to action at the very beginning. Data protection doesn't come to you by itself. You have to call for it where you are, in the projects that you work on. Everyone has to know: who is responsible for data protection where I am, and is what I'm doing compatible with the law? Full stop.
So this is how I became the data protection officer in my company, and the three important things are: I like politics, I like chess and I like my fellow people. And why is that important? Politics is about understanding people. Data protection is politics, and what I'm doing here is an important chess move to call for a larger budget within Germany and the EU for data protection. Okay. Now, use all your freedom of information rights extensively. Now, let's start with a small survey. Who of you knows what a self-information request is in data protection law? For the stream, it's about half. Who of you has used the right to retrieve their own information? For the stream, that's about a third. So I think there is room for improvement there for us to actively use the rights that we have. I would like us, as we leave this room, to be aware of the rights and to actively use them then. And the second goal of this talk is that out there there is an awareness of what the sanctions are that can be imposed if data protection isn't adhered to, particularly regarding the new General Data Protection Regulation of the EU. All right, into the details, let's look at the General Data Protection Regulation. What happened so far? In Germany, we had as a framework the German data protection law. And in addition to that, in 1995, the EU passed a directive. A directive is something that is not immediately applicable; the member states have to transpose it into national law. Now, this transposition process can take several forms, and the consequence is that the 28 member states of the EU have a patchwork in data protection law. And in order to pull this patchwork together, in 2012 the objective to have a General Data Protection Regulation was announced. And that was to be via a regulation, which is a fantastic instrument, because a regulation immediately applies in all member states in the same way. When Mrs.
Reding, at the data protection congress in 2012, announced the plan for a General Data Protection Regulation, the opinion among company data protection officials was mixed. We all knew we are coming from this very high level of data protection that we have in Germany. So what would the consequences be from a national interest point of view? Do we have to accept that the level of protection would be decreased? For me, that is kind of a fortunate situation, because if all the others raised the level somewhat and Germany slightly decreased it, then the overall level would rise. And the goal of the Data Protection Regulation, of having free data traffic within the European Union with fair and transparent data processing, that was a long fight. And there are many talks about this on the media.ccc.de website or the YouTube channel about how it came to that point. So in May this year, that's important, the EU General Data Protection Regulation was signed. And with a latency of two years, this regulation will, from the 25th of May 2018, apply in all member states to all companies/institutions. It will be binding. And one point that is very exciting here, in the whole cloud debate, is the principle of market location. What does that mean? To companies that offer data services in Europe, in the EU, the Data Protection Regulation does apply even if they do not have any branch in the EU. And that's a very interesting thing when we come to sanctions later on. Right. So, a talk about data protection: what are most people thinking about if you talk about data protection? Sad but true. Go out there, ask people about data protection. The first thing people think about is data protection scandals, whether it's Lidl, the German Railways, Deutsche Bahn, or the funny confetti cannon where patients' records are distributed in carnival parades as shreds. So people are mostly aware of the absence of data protection and not of its importance.
So let's then come to the actual definition of what it means to implement data protection. Data protection does not protect data. The most important data protection official, Princess Leia: "I defend people." It protects people from the use of data. Privacy is a human right. The right to informational self-determination says every person can decide when which of their personal data is accessible. And you see that with this definition, the requirement of the Data Protection Regulation of a fair and transparent data processing is essential, a precondition to exercise informational self-determination. Why do companies do this, actually? Well, you can say, right, the most obvious reason is a legal one, because it's required by law. Everyone wants to be compliant with data protection rules. But the two other reasons are more of an economic nature. Sanctions: data protection violations that are sanctioned under data protection law cost money. The maximum fine currently is 300,000 euros. That is real money. Money that you have to pay is not good from an economic point of view. Depending on the situation of the company, it can be small change, of course. But in addition to that, there is a grave second aspect, and that is the loss of public image. Data protection violations damage the brand and the image. And brand or image building does cost real money too. So my recommendation to all data protection officials and companies: speak with your communications department and let them calculate for you the kind of relationship between what you pay in millions per year for marketing and what you believe it would cost, if we had a really juicy data protection scandal in the press, to then repair the scratched image. I have a few... a few ideas. So, regarding data protection, I am deeply convinced that data protection... we need the law not for people but for companies. Why?
Data protection is normally not a primary aim that companies have. They act to make a profit. Data protection, just like everything else, is just a cost item. Now, the financial risk of not acting in conformance with data protection must be felt. So my recommendation as a data protection official is that the financial risk has to be included in the company's risk management calculation, because quantifiable risks lead to management awareness, and that helps us to implement the rules that the law puts on us. So, how do we do this? Information security... there is this formula: risk is damage potential multiplied by the probability of it actually occurring. Now, what does this mean regarding data protection violation fines, sanctions? The maximum fine times the probability that a fine will be imposed results in the overall risk. And now, the interesting question is: what will change with the EU Data Protection Regulation concerning sanctions and fines? I have said that 300,000 is the current maximum amount, and that is exactly where there is real meat in the new regulation. Every single violation can lead to a fine, and the maximum fine is either 20 million euros or 4% of the global company turnover. And the higher of these amounts is the one that applies. So, shock, horror, you can imagine. Applause. Law and order can become real fun here. It can really cost you. So, whether companies now set aside assets for that or whether they enter into insurance policies is an open question. That's what the future will show. But I can tell you, you can remember those, people remember those 4%. Take the examples that you've seen in the previous slide that we are aware of: German Railways ultimately had to pay 1.1 million for the accumulation of all the cases. If you consider the current turnover, according to Wikipedia, that's 39.2 billion. 4% of that is, so, about one and a half billion.
So, those are figures that are understood, and a pattern that decision makers in companies will understand, and it makes us and the companies ask: is there something we need to do? So, I've just been told I haven't got much time left, so I'm not going to talk about the second case. So, you can simply see the list of the 30 companies in the German stock index and their annual turnover. Times 4% gives you the fine they would have to pay, and you can easily see the number of digits is impressive. And as a prominent example, I took our best of class, the Volkswagen company. You know that in terms of honesty and consumer protection, they have some optimization potential, and what would it mean to Volkswagen if, concerning self-driving cars perhaps, they would press ahead and excitedly commit to something that's not compliant? With their 213 billion annual turnover, there could be a 5.8 billion fine. Still less than Volkswagen have to pay in the US for Dieselgate right now, but as you can see, consumers in Europe and Germany aren't as well protected as they are in the US, and this will change in the area of data protection, and these fines will be used. So, again, law and order, fines: what do you actually want, is the question, and where do the hackers and data protection activists and the concerned people come into the whole arena? Let's look back to the formula. What I've shown you is that the Data Protection Regulation has significantly increased the risk potential. So, the first parameter has risen. Now the other question is: will parameter 2, the probability of fines actually occurring, decrease? And the good thing is that I can tell you it actually won't, because we can shape this actively. Every one of us. The most important thing are the rights of the affected, the rights of those of us who are affected. That means we have the rights, the responsibilities, to require this for the people that use our data, and these rights that we have, we can push forward.
We have the right within the basic rule. I as a nerd can use these rights. It was a topic at the latest data protection conference, when people said: what can we do if the people affected, all data subjects, now use their rights to information? And that question made me think, oh, this is an exciting topic. Let's have a talk about it, and maybe there's something like FragDenStaat, a German freedom of information site, concerning companies, because FragDenStaat is about asking the state for freedom of information. At the moment, the rights of affected people can be categorized into five different categories. First, there are permission rights; these are rights where we agree that data with our information can be processed. You have these privacy statements that you agree to. The interesting thing in the Data Protection Regulation is that these rules about transparency, or the standards, have been increased again, and we will get more information than we did from companies. I can see time is running out, so, also, we have intervention rights. So everyone that has previously agreed to the use or processing of data can withdraw that agreement or consent. So we had the company in the last talk where people agreed that their genome data would be used. This kind of consent can be withdrawn. And there are petition rights as well. So these are rights to complain. You can go to your data protection official and complain. And the great thing about the Data Protection Regulation is that in the future it's obligatory that for every data processing, the information has to be given to you about who is processing the data, which companies use these data as well, which companies the data is shared with, and who the data protection officials within the companies are, and that includes contact information that has to be given to you. So it will be easily possible to ask companies about data, and they are obliged to then hand these data to you in an appropriate electronic form.
So it's a very nice playing ground to find a lot of information. And I will soon talk about certain interdependencies that we can use. There are some nice things about damages, liability payments, and so on. In the overview I have another slide that I'll be jumping ahead of because of time. So where are the places that we can really hurt or annoy these people? We could say great, we have a fantastic new law with new rights in it, things that we can ask about, and ultimately data protection officials normally are your friends, as well as the supervising authorities. So the great thing about the new regulation is you do not have to find the supervising authority anymore. You can go to your local data protection authority, or any other authority in fact within the EU, and the authorities then amongst each other have to cooperate and coordinate how they deal with your complaint. And that's exciting, because where people may have a good relationship with their own supervising authority, there can now be the potential for some cross-checking whether that is conformant with the view of that other authority. So that is something where I see interesting discussions coming up, because the question is: who is the fine paid to?
In Spain, for example, there's a very powerful data protection authority, because they actively receive all the money from the fines into their own budget. And that is quite interesting, because when the European Data Protection Congress takes place every year and all the regulators come and take part, the Spanish guys say, ah well, this is what I did this year, this is the money I was able to take. So there is a potential there perhaps for states with these large amounts, but that's a different issue. And the message is: use your supervising authority, so the data protection authority. And with the increasing tasks that these authorities gain through the Data Protection Regulation, I hope that the necessary budgets will be assigned as well, because it's a sad but true thing that, in my view at least, the German Federal Data Protection Authority, as well as those of the German federal states, still have room for improvement. That's what I meant about law and order: if the message is that we have rights and we want them, then the authorities that are there to enforce those rights have to have the necessary budgets, so that the probability of the fine actually occurring that I pointed to is there. And the interesting other thing is that we have rights that now exist about the use, the potential use, of data, and that has to do with the kind of consent that people give: what can people do, process, with the data? And that leads to maximum storage terms, and if we can ask for such data, we could also check... I'm sorry, I was just confused by a digit somewhere. So how can we use our rights to ask for our data, and point to problems, and ask our authorities if what company XY does is compatible with the data protection law? I'll stop talking about the other issue, because I have to come to the end. The important thing again at the end: motivation. It's really important to me that we all leave here, and that we're motivated when we leave, to actually use our rights. I want to make sure that the privacy officers and
the firms are aware of this and motivated about it, and that they know what level to put this at, and that they receive the proper budget to use this, in order to newly include data privacy in the firms, so that they start next year to get the proper regulation put into their corporation. I want to make sure they look at paragraph 34 and ensure that it's in their organization, so they can really deeply understand what information other firms have that they placed their own customer data or their own internal data with. I'd like to talk about our interior minister. Actually, no, I want to talk about the Interior Ministry. The Data Protection Regulation isn't entirely clear; there are a few clauses within it, so there are some passages that don't clearly explain how they're tied to the European states, because the European states could not agree about the rules. That leaves room for individual rules in the member states. So the General Data Protection Regulation is a kind of hybrid: there's the regulation part and the directive part, because on the national level the negotiations are now starting up as to whether to push something to the left or the right. Everywhere where there's a clause opening up for regulation, there are important things happening. And ultimately, what we have seen about the current draft that was leaked on netzpolitik.org, that we leaked: you can look at the German rules that are being drafted, and I must say that I am shocked that what you have there goes far beyond the room for maneuvering that these clauses in the regulation actually created. So I worry that Germany is leading with a very bad example, and that we will start, in retrospect, for a supposed competitive advantage, to lower our standards, and that will unfortunately be a role model for other countries in the EU that do not want to stand back and want to join in, so that all countries will use those opening clauses to the maximum to lower standards. And that's not the objective of the Data Protection Regulation,
to have the European... because the objective to increase data protection levels in the EU will then be absurdly subverted. So the best pupil, Germany, in terms of data protection, is in danger of becoming the class clown. We must not make more concessions than is absolutely necessary. And at this point, the last call: it's important that we use the time in the first quarter of this year, because that is when the rule adapting German data protection law to the new regulation is supposed to be passed. Let's use this time in the first quarter to make people aware that it's not alright that Germany, through the back door, will lower data protection standards. Thank you very much. Okay, thanks a lot from us as well for this refreshing talk. Unfortunately, for reasons of time, we cannot accept any questions, neither from the internet nor in the room, because we would then risk having to start our next talk early. So once again, a very warm applause, please, and thanks for listening.