In Sweden we mostly hear about what happens inside our own borders or when big fines are issued in another EU country. But we never hear about the everyday work in Lithuania and how the country prepared for the new regulation and how it changed the work regarding these questions there.
In comparison with Sweden, the Republic of Lithuania is quite a new state, born again after the dissolution of the Soviet Union, where they in many ways had to start from scratch, building a government. In many cases this means that they had the opportunity to build it without a legacy to carry and, as a result of this, you most often find the old Baltic states among the countries that have developed an extensive technological environment for their public offices. To learn more about this we contacted the personal data protection supervisory authority of Lithuania – the State Data Protection Inspectorate (Inspectorate) – and had the opportunity to ask its head, Raimondas Andrijauskas, some questions about the data regulation. We spoke about how the regulation changed how the country views issues concerning personal data and, of course, the fines.
We started our interview with perhaps the standard question these days: How has the work with personal data changed since the 25th of May 2018? Raimondas Andrijauskas says that during the run-up to the General Data Protection Regulation (GDPR), there was a stir in the data protection community in Lithuania. Furthermore, he says that even before the official starting day of application of the new regulatory framework of personal data protection the society felt a significant impact from the personal data protection reform. Since then, he explains, society itself has become more self-conscious and better informed about its rights and about the potential risks that are related to their personal data processing and organizations have begun to pay more attention to data protection. As a supervisory authority, Raimondas Andrijauskas explains, we have made organizational and activity changes within the institution.
In the run-up to the reform, Raimondas Andrijauskas recalls, the financial and human resources were not the strongest part of the Inspectorate. Eventually additional funding was provided for the supervisory authority and it increased from EUR 729 K in 2017 to 1111 K in 2018. Furthermore, the Inspectorate faced a major challenge in the brain drain of the Inspectorate’s staff to the public and private sector. Raimondas Andrijauskas says that this was a result of the shortage of and the growing demand for personal data protection specialists that were required for filling new data protection officer vacancies under the GDPR. However, thanks to a remaining strong core of the institution and new staff committed to changes, the Inspectorate has been able to meet this extraordinary challenge. At the end of 2019 we received additional human resources and were able to increase the number of staff from 32 to 38 people working at the Inspectorate (there are also currently 4 unoccupied posts). Most of the employees are lawyers (23 of them), followed by four IT specialists, as well as specialists such as an accountant, HR and PR.
This year, Raimondas Andrijauskas goes on to tell, Lithuania celebrates the 30th Anniversary of the Restoration of Independence. Together with the restoration of independence, the history of human rights such as privacy and personal data protection in our country began. In 1996 the first law regulating the protection of personal data was adopted in Lithuania and the supervisory authority was set up in the same year. The approach to data protection strengthened when Lithuania became a candidate member state of the European Union, because Directive 95/46/EC was implemented in the Law of the Republic of Lithuania on Legal Protection of Personal Data in 2003. Following the implementation of the Directive, communication and cooperation were largely carried out with the other two Baltic states – Latvia and Estonia. We organized investigations in the same sectors on the processing of personal data, Raimondas Andrijauskas recalls, and we also shared experiences and good practices. Raimondas Andrijauskas says that it must be acknowledged that the GDPR has led to closer cooperation between all the EU member states and that undoubtedly one of the biggest impacts on data protection was caused by the GDPR.
As to the question about cooperation, Raimondas Andrijauskas answers that it has two aspects – one national and one international. At the national level, the Inspectorate is responsible for the supervision of GDPR, except when personal data is processed for journalistic, academic, artistic or literary purposes. The supervisory tasks for these purposes belong to the Inspector of Journalist Ethics. So we also cooperate with our colleagues at the national level. Concerning the cooperation at the level of the European Union, says Raimondas Andrijauskas:
– It's one of our priorities. After all, he continues, that is the essence of GDPR – to achieve the most uniform regulation of the processing of personal data in the EU to ensure the proper processing of personal data across borders and to create a well-functioning single market. As the Head of the Lithuanian supervisory authority, I am a member of the European Data Protection Board (EDPB), and other employees of the institution participate in the activities of EDPB working groups. Also, we resolve cross-border cases if necessary, and we constantly consult and exchange information with the supervisory authorities of other EU countries.
We have to know, was it hard to implement the new regulation and could you see a difference between a non-governmental organization (NGO) or a state agency?
– As it often is with new legislation, when the rules are new and the practice is evolving, there will always be some difficulties. However, in general, I believe that the goals of EU data protection reform were achieved. There were some data controllers and data processors who did not give enough attention to new data protection requirements. However, this is one of the tasks of the supervisory authority – to inform data controllers and data processors about their obligations and the benefits of following the rules set in the GDPR. It would be hard to generalize to whom it was harder to implement the GDPR. I believe that it depends on the specific NGO or state agency, their processing operations, resources, etc.
How many complaints have you received concerning the GDPR from state agencies, companies and the public? How many of them have led to an investigation?
Concerning the complaints from individuals, Raimondas Andrijauskas says that under the laws of Lithuania, the Inspectorate examines all complaints. Concerning the GDPR, they have already received 1716 complaints. He says that the number of complaints has almost doubled from 2017 to 2018 and that this is the effect of the GDPR. He continues to say that it is important to note that as a supervisory authority we also carry out investigations on our own initiative. Every year we have planned investigations on certain sectors; investigations may also be carried out when we receive information from the media or individuals and organizations about possible data breaches, etc.
As a result of the regulation, Raimondas Andrijauskas tells us, the Inspectorate issued six fines in 2019, and the first significant fine (EUR 61,5k) for breaches of the GDPR was imposed on a financial services company, following a personal data breach in the payment initiation service system, which, among other things, had not been reported to the Inspectorate. The sanctions were imposed for the breaches of Articles 5, 32 and 33 of the GDPR. [1]
We are also curious to know if you see a larger awareness in Lithuanian society towards handling personal data? Raimondas Andrijauskas answers that the importance and rising awareness of personal data protection can be proved by the numbers of the representative public opinion survey on personal data protection. According to this survey, at the end of 2019, 68 % (the same numbers in 2018) of the respondents gave an affirmative answer to the question whether they were aware of or believed to be aware of their statutory rights and duties in the area of personal data protection. Compared against 35 % in 2016, this demonstrates that from 2016 to 2018 and 2019 the proportion of people aware of their rights and duties around personal data protection grew almost twofold. By the way, these numbers among representatives of small and medium-sized businesses are even higher – 90 %. Raimondas Andrijauskas continues to say that this statistical information is very important to the Inspectorate and that it also shows our contribution to raising the awareness of various stakeholders. He brings up the example of the SolPriPa project – Promoting High Standards of Data Protection as a Fundamental Right and Central Factor of Consumer Trust in Digital Economy. It is partly funded by the European Union’s Rights, Equality and Citizenship Programme (2014–2020), where they partnered up with Mykolas Romeris University in Vilnius. In the project the target audiences are Lithuanian small and medium-sized businesses, especially in the health care and media industries, start-ups, and also youth and older people.
When researching this I came across the Data Protection Impact Assessment (DPIA) “blacklist”; what can you tell our readers about it? Raimondas Andrijauskas says that the list means that some of the processing activities are considered to pose a high risk to the rights and freedoms of people, but this list is not exhaustive. He explains that this means that even if the specific processing activity is not on this list, the data controller must assess the impact of the processing operation on the rights and freedoms of natural persons (for example, whether it could meet Article 35(3) of the GDPR) and if such risk might be high, the DPIA must be made. [2]
When looking to more modern technology, Raimondas Andrijauskas explains that the institution dealt with situations on processing biometric data even before GDPR came into effect. For example, one investigation was carried out in 2016–2017, in which the Inspectorate decided that a company could not process biometric data (fingerprints) of employees based on their consent. This decision was challenged at the courts. The Supreme Administrative Court of Lithuania also stated that consent is not an appropriate legal basis for employees’ biometric data processing. Even though this decision (2019) was made based on national law implementing Directive 95/46/EC, it does correspond with the rules set in the GDPR. Raimondas Andrijauskas further explains that the usage of biometric data is becoming more and more common in fitness clubs (when entering them), and the Inspectorate decided to proceed with investigations on this matter in 2019. The investigation stressed, yet again, that the processing of employees’ biometric data cannot be based on consent, but that consent might be used for customers’ biometric data if there is an alternative for those who are not willing to provide their biometric data. The full report was published and can be found here [3] (in Lithuanian only). They also had a few complaints regarding the use of biometric data at work.
Looking to the future, it's always hard to know what will happen, but Raimondas Andrijauskas says that looking at the trends in the private and public sector and society as a whole, it is quite clear that digitisation and digitalisation will continue, and therefore, he explains, it is important to consider the issues of personal data protection. As more and more questions arise in this area it will be essential to provide guidance to the data controllers and data processors and, where necessary, pass sector-specific legislation. When looking at which regulation will be coming in the near future, it will probably be the ePrivacy regulation, as electronic communication is an inseparable part of our daily lives. And looking further along the road, he says, everyone’s eyes are on AI. It is widely discussed in society: the search to find out how to implement AI into the daily lives of private companies, how AI can help perform tasks of public institutions, law enforcement etc. So, the discussion must be had as to whether there is a need for further regulation in this area and what it should look like. In this regard, a lot of attention should also be paid to the obligation to ensure transparency – to inform the public, etc. Raimondas Andrijauskas concludes that it is also worth mentioning that there should be discussions on how to make supervisory authorities’ supervision more effective by making case handling procedures more harmonized across all the EU. If necessary, such harmonization could be achieved by legislative measures.
Set foot in an archive for the first time as a 16-year-old; it was not love at first sight, but almost. Nowadays she is editor-in-chief of Arkiv Information Teknik, a work environment representative, and has been an archive consultant at ArkivIT for almost three years. Alongside consulting, she has over the years written articles and served as moderator at various conferences. Within information management she is most interested in process mapping and business development. She is passionate about personal development, in others but also in herself.
Head of the State Data Protection Inspectorate of the Republic of Lithuania. Leader of changes in privacy and personal data protection, developer of a stable data protection supervision system in Lithuania, representative of Lithuania in the European Data Protection Board.