Day 2 – Tuesday 4th July 2017

Privacy Laws & Business 30th Annual International Conference

Promoting Privacy with Innovation

3-5 July 2017, St. John’s College, Cambridge   

[Click on the speaker's name for their biography]

[Click on the title of the session for the slides where available]

08.00-17.30 Registration

08.15-08.45 GDPR implementation: WP29 guidelines for controllers/processors and DPA cooperation on enforcement
Isabelle Falque-Pierrotin, President, EU Art. 29 DP Working Party and President, the CNIL, France

09.00 How Germany’s Data Protection Authorities are investigating 500 companies’ transfers of personal data outside the European Economic Area
Kristin Benedikt, Head of Department Telemedia, Data Protection Authority for the Private Sector, Bavaria, Germany
Chair: Gail Crawford, Partner, Latham & Watkins, UK

  • Joint investigations by Germany’s Data Protection Authorities - how they think, how they select the companies to be investigated, how they conduct audits

  • Main issues covered by the questionnaire

  • Results of the investigation and conclusions by the DPAs

09.30 United Nations Special Rapporteur on the Right to Privacy: A Progress report
Professor Joseph Cannataci, Chair in European Information Policy & Technology Law, United Nations Special Rapporteur on the Right to Privacy, Malta/Netherlands
Chair: Stewart Dresner, Chief Executive, Privacy Laws & Business

10.00 Transition to the EU Data Protection Regulation: Half time report
Karolina Mojzesowicz, Deputy Head, Data Protection Unit, European Commission
Chair: Stewart Dresner, Chief Executive, Privacy Laws & Business

  • The difficulty in achieving consistency of interpretation of the current EU Data Protection Directive within the European Economic Area and the way in which it indicates challenges for consistency of interpretation for the EU Data Protection Regulation in the future

  • The wide range of legal cultures across the EEA and resulting practical problems for organisations choosing a one stop shop where they can make a good case for more than one lead DPA

  • The latest trends on bringing together data protection law, consumer law and competition law

  • Benefits and problems (if any) arising from the EU’s adhesion to the Council of Europe Convention 108

  • Future relationship with the United Kingdom after Brexit

10.30 Coffee

11.00 GDPR: A new era for data protection accountability and regulation
Helen Dixon, Data Protection Commissioner, Ireland

  • The count-down to GDPR implementation;

  • Where we've arrived at with DPA guidance;

  • What we know about national implementing measures to underpin GDPR in the different member states and what the variations in these measures may mean for companies operating across national borders;

  • How one-stop-shop is shaping up;

  • What we know about international transfers in light of GDPR and the various court actions on the existing mechanisms

11.30 Changes ahead in Spain from implementing the GDPR
Mar España Martí, Director, Agencia Española de Protección de Datos (AEPD), Spain
Chair: Christopher Millard, Professor of Privacy and Information Law, Centre for Commercial Law Studies, Queen Mary, University of London

  • The future role of the Agencia regarding the private sector across Spain, and any impact on the regional Data Protection Authorities in Catalunya, the Basque region and Galicia as far they have an impact on the private sector – for example, the Catalan DPA’s Code of Practice for the pharmaceutical sector

  • Greater flexibility in enforcement actions as a consequence of the accountability and risk based approaches set forth in the GDPR

  • Development of tools in order to support data subjects, controllers and processors in the application of the new GDPR – Developed in-house or outsourced?

  • Examples of when the Agencia will require prior notification of the processing of sensitive data or that affecting large numbers of people

  • Mutual assistance and joint operations procedures with other DPAs

12.00 The GDPR and beyond – on the road to trust and global interoperability
Olga Ganopolsky, General Counsel, Privacy and Data, Macquarie Group, Australia

  • Data protection will remain a genuinely global game with trust and global interoperability the ultimate goal, one that goes beyond mere technical compliance.

  • The implications of the GDPR beyond Europe, in particular practical implications for organisations that offer services to EU citizens, or sell goods and services in the EU, or have operations in any of the Member States.

  • 5 key reasons why the GDPR is a critical development reflected in the very objectives that drive GDPR. 

  • The session will draw on practical examples from global operations, including some well publicised data breach cases such Ashley Maddison and parallel developments in the law such as the pending introduction of  mandatory data breach reporting in Australia and the proposed Cyber Security Regulations issued by the New York State Department of  Financial Services in the USA.

  • The practical implications of the pending Brexit (if any), returning to the key proposition that that data protection will remain a genuinely global game with trust and global interoperability being key.

12.30 A practical roadmap towards the GDPR
Leena Kuusniemi, Senior Legal Counsel, Rovio, Finland
Chair: Laura Linkomies, Editor, Privacy Laws & Business Reports

  • A project to tackle GDPR, with our IT department and business, to evaluate all our products (game titles, video services etc.) programs (3rd party services and partners) and relevant eco-systems (involving 3rd and 4th parties).
      - How we planned it
      - What was challenging, what was relatively easy?
      - What is the impact on existing agreements with European vs USA-based counterparts?

13.00 Lunch

14.00 Promoting privacy with innovation within the law
Elizabeth Denham, Information Commissioner, ICO, UK
Chair: Stewart Dresner, Chief Executive, Privacy Laws & Business


Parallel Session 1 Parallel Session 2
Chair: Elizabeth Denham, Information Commissioner, ICO, UK Chair: Annelies Moens, Deputy Managing Director,
Information Integrity Solutions, Australia

14.45 Data protection law liability and user generated content: Ways forward under the GDPR
Dr David Erdos, Lecturer in Law and the Open Society, University of Cambridge, UK
Karolina Mojzesowicz, Deputy Head, Data Protection Unit, European Commission

Reflecting its purpose of safeguarding the data subject in an evolving digital space, European data protection fixes most organisations involved in online publication activities including personal data with a wide and often quite onerous range of duties. However increasingly this data comes in the form of user-generated content which may relate not only to the user themselves but also third parties. An organisation's responsibilities in the latter case may depend not only on data protection but also on "intermediary" shield provisions in e-commerce law; it may also raise a potential conflict between data protection and freedom of expression. This presentation will explore how these different legal provisions should interact in the era of the GDPR and consider potential good practice which organisations might adopt in this tricky but vital area.

14.45 How Hong Kong’s Privacy Commission balances privacy principles with pragmatism
Catherine Ching, Legal Counsel, Privacy Commissioner for Personal Data, Hong Kong


• Project on the status of Personal Data Protection for Cross-Border Transfers

• Comparative Study on the EU General Data Protection Regulation and Hong Kong’s Personal Data (Privacy) Ordinance which may include, for example, mandatory breach notifications and how our office deals with breach notification covering loss or theft of personal data, or other breaches of the Ordinance.

• Recent significant complaints and prosecutions

• Progress in compensation claims

15.30 Tea

16.00 The transition from the EU Art. 29 Data Protection Working Party to the EU Data Protection Board and other issues at the EDPS
Giovanni Buttarelli, European Data Protection Supervisor
Chair: Richard Cumbley, Partner, Linklaters, UK

  • Other subjects may include:
    - The role of the Digital Rights Clearinghouse
    - The EDPS’s ethics initiative

16.45 New data privacy and cyber security legislation in China: Contrasts with Europe
Bryan Chan, Senior Counsel, Linklaters, China, and Richard Cumbley, Partner, Linklaters, UK

17.30 Close

18.00 Punting on the river Cam

18.45 Drinks - Sponsored by Linklaters (

19.30 Dinner in The Hall - With a cabaret by international prize winning Vocal Dimension Chorus, (Conductor: Valerie Taylor)

Day 1: Monday 3rd July
Day 3: Wednesday 5th July
Click here for PDF programme of all three days
Annual Conference details