As European governments rushed to embrace technology to fight the coronavirus, a plainspoken Dutchman emerged as a thorn in their side.
Aleid Wolfsens message: Dont pretend your solutions are privacy-friendly.
“We must avoid deploying a solution that is unclear whether it actually works, with the risk that it will mainly cause other problems,” the head of the Netherlands privacy authority said in April, referring to smartphone coronavirus-tracking applications being developed in most EU countries.
In a group that normally keeps disagreements quiet, Wolfsen stands out.
A former politician and mayor of Utrecht who had no formal training in data protection when he took on his role in 2016, he has repeatedly been at odds with other watchdogs, most of whom do not share his political background.
“We were quite concerned about how anonymous location data is, so we are glad the Dutch DPA is more strict than others” — Nadia Benaissa from NGO Bits of Freedom
The use of apps and data during the coronavirus crisis has brought those disagreements out into the open.
While several regulators argued in March and April that restrictions should be relaxed in light of public health concerns — and some went so far as to pause major probes into potential breaches of the blocs privacy law, the General Data Protection Regulation (GDPR) — Wolfsen took a different path.
He criticized plans to use telecom data to track the spread of the illness, warning that such data could never truly be made “anonymous.” And he struck out against schemes to take peoples temperature to monitor for spread of the coronavirus.
That approach has not won him only friends. Critics call Wolfsens approach to data protection unorthodox, former staffers say his management style stifles debate and activists like Austrian lawyer Max Schrems point out that Wolfsen, whose office oversees Netflix and Uber among other Silicon Valley companies, has yet to issue any big-ticket fines in the two years since the GDPR came online.
And yet in recent months, the Dutchmans general approach seems to have won out in Europe. After initially embracing contact-tracing technology that centralizes health data on a server, Germany and other countries abruptly changed course and opted for a more privacy-friendly tool — one touted by Apple and Google as well as privacy advocates.
“We were quite concerned about how anonymous location data is, so we are glad the Dutch DPA is more strict than others,” said Nadia Benaissa of Dutch digital rights NGO Bits of Freedom.
In the weeks after his opinion on anonymization, Wolfsen tried to minimize tensions with other regulators.
Asked if he still disagreed with them on telecom data, Wolfsen told POLITICO at the end of April: “No I dont think so, I think its the same stance. Maybe the questions in other countries differ from the questions the Dutch authorities ask the telecom providers.”
The official in charge of Europes grouping of privacy regulators was also keen to play down any disagreements. There is “no difference in the positions” of different privacy regulators and the “Dutch case was a specific case,” Andrea Jelinek said, while a spokesperson for the group, the European Data Protection Board, added: “The legal concept of anonymization is not an absolute concept.”
Europes Data Protection Supervisor, who had OKd the Commissions use of telecoms data to track the coronavirus, said: “There is a difference between the technical impossibility of doing something to the very end, and something which we would call an effective anonymization.”
But none of that has deterred Wolfsen. In late April, he came down hard against the use of thermal cameras to find out who may be running a high temperature due to the virus, warning companies that they would be breaking the law if they ran such screenings.
People eat dinner in quarantine greenhouses in Amsterdam. The Dutch regulators tough stance during the crisis heartened some in the privacy community, others argue his approach is misguided | Robin Van Lonkhuijsen/AFP via Getty Images
That ran against the position of the EUs Data Protection Supervisor, which waved through a scheme to screen visitors temperatures at the European Parliament.
Wolfsen ultimately nuanced his position, writing that GDPR only applies when thermal data is stored. But he was hardly backing down.
“We are not familiar with situations where they dont register any information or do not use any equipment that processes information … Thats almost impossible I think,” he said.
While the Dutchmans tough stance during the crisis heartened some in the privacy community, others argue his approach is misguided.
One recurring criticism concerns Wolfsens interpretation of “legitimate interest” as a basis for collecting data under the GDPR — one of six legal grounds, along with consent, that can be used to justify handling personal data.
In guidance and decisions released over the last two years, Wolfsens authority has doubled down on the stance that pure commercial interests do not count as legitimate interests — despite indications in guidance by data protection regulators and the GDPR itself to the contrary.
“His reading of legitimate interest is contrary to GDPR, jurisprudence, and guidance from European regulators,” said Axel Arnbak, a Dutch data protection lawyer and newspaper columnist.
“It was a surprise when he was nominated, he had no background in data protection” — Sophie in t Veld, Dutch MEP
The stance has proven so controversial that it has led to splits within the authority itself, according to several people familiar with the matter.
“It is a bit of a mystery,” said one former staffer who spoke to POLITICO on a condition of anonymity. “It seems to be a misguided sense of protecting people, because if you narrow [legitimate interests] down then people need to give consent, but that leads to consent fatigue.”
Asked about his stance on legitimate interests, Wolfsen said his interpretation is in line with European and Dutch case law. “We are strict in our opinions … but since May 25 [2018, when the GDPR came into force] a Dutch judge has never corrected us on our position.”
Blame the resources
Two years ago, Wolfsens nomination as head of the Dutch data regulator came as a shock to many. His stint as mayor of Utrecht had been marred by controversy, including