Democracy and the kingfisher

As Data Protection Officer he advises the Executive Board and staff of Erasmus University Rotterdam (EUR) on privacy legislation, in particular the General Data Protection Regulation (GDPR). In addition, Domingus is chairman of the SURF Taskforce Beyond Privacy Shield, which was set up in 2020. This expert group deals with the question of how educational and research institutions can safely exchange personal data with the US, in a way that complies with EU legislation.

What does privacy mean to you personally?

"I think privacy is important, but it is not the Holy Grail. Some people go completely overboard and let privacy be the guiding principle in all decisions. But it is one of the fundamental rights you have. You have to weigh up various interests and rights.

Take proctoring, online surveillance with cameras during exams that students take at home. Given the corona situation, there was an urgent need. You have to guarantee the continuity of the educational process and you don't want to let people suffer study delays. We started talking to students about this. You see that their concerns are often of a practical nature, such as: my wifi is bad. But also: I have a very small room and when the camera is on, you're really inside my room. I explained why we were doing it and what the risks, measures and considerations were. When students see that their rights and interests have been carefully considered, many objections disappear.

What I do find worrying is the influence of big tech. The majority of my friends are on Facebook and Whatsapp, but I have been away from them for a long time. People often say: I have nothing to hide. But that's not what it's about any more. You're not only being followed, you're also slyly being manipulated. If a company like Cambridge Analytica starts to target a number of influencers, this will be adopted by a large group of other people. That affects democracies."

Why do you find it important to be active in the Taskforce Beyond Privacy Shield?

"Universities work together with suppliers in international research consortia, but sometimes we still think like a village. You can't solve puzzles like that at the level of the institution; you really have to do it together. Within the higher education sector, there are many experts in the field of privacy, security and procurement, but not necessarily at every institution. A problem often breaks down into a risk assessment and a consideration of technical, organisational, and legal measures that you can take. Institutions ultimately just want to know: what should I do now? So you have to bring the difficult legal story down to that practical level.

I like to sink my teeth into difficult, complicated problems and make them small and practical. It is very cool to be able to look at something from different perspectives with people from different backgrounds, with a common goal. For example, I myself am focused on privacy, but I don't know enough about security. The extent to which American security services can be prevented from accessing data has to do with technical protection measures, such as encryption. There is a lot going on in that area that others know all about.

Another reason for working together is that you can take a joint stand on procurement and are much stronger in negotiations. SURF represents all the institutions in the secondary and higher education sector, and that works. If it didn't, I wouldn't put so much energy into it.

Where we still need to take steps is in the area of consensus. How do we ensure that administrators of institutions, as a sector, support the values that the Task Force hopes to protect with practical advice? If we jointly agree on which risk assessments and measures are appropriate, you do not lose so much time in what I call 'the battle of opinions'. Then everyone knows what the frameworks are and you can start arranging tools for researchers, instead of them resorting to shadow IT."

Don't you think that privacy legislation makes the work of researchers unnecessarily complicated?

Sighs: "I'm afraid it does. The legislation is not so bad, but the problem is the perception of that legislation. The GDPR was devised to make it easier to share data, including with private parties. But also to protect that data. If you simply guarantee these principles, then everything will be fine.

But in practice, people all have a different perception of the risks. So they cramp up and say: you can't do that anymore. That is not true at all! You have to be able to justify why you process certain personal data. Researchers often work together with other institutions, and they sometimes have to wait up to a year for the privacy and security people from those institutions to finish ping-ponging. That inconveniences researchers a lot."

How can institutions make life easier for them?

"The framework in the background needs to be improved: when do you have a low, medium or high security risk? What concrete measures can you take? What form of encryption is appropriate? Researchers really do want to cooperate. But for compliance with the GDPR they are dependent on the employer, who provides infrastructure, software and support. If we make sure that researchers are no longer bothered by unclear interpretation of the law, we might see new forms of research. Maybe they are holding back now, while they want and are able to do much more.

Researchers must be able to collaborate easily with international partners, to work safely with data and software in the same environment, and to put partitions between those data where necessary. For example, if you work with healthcare data, you do not want the insurance companies who sometimes participate in such a project to be able to access it. The security paradigm is: the data must not leave the building. But that doesn't work for researchers, because they have to work together. So they start working in Dropbox or Google environments. This makes it easy for things to go wrong.

I think we are moving towards large data hubs, such as Lifelines in Groningen, Generation R here at Erasmus MC and Odissei, the open data infrastructure for the social sciences. In such a thematic data hub, they can upload their data and regulate who can access it. This removes the responsibility from the researchers; you simply offer the facilities. Then they can focus on research again. Such a framework should therefore also be arranged at the national level. I don't understand why we don't do this already as a sector.

You can talk for hours about big issues like privacy, democracy and science, but according to your Twitter bio you are also 'passionate about small things'. What are those small things? 

"I can really enjoy music: jazz or Mahler's 5th. I often go out with my camera and I recently managed to capture a kingfisher for the first time in years! That can occupy me for a whole day. Then I can relax, because I shouldn't always be switched on. And I love to eat. I am a bit of an epicurean. I particularly enjoy dinner parties and talking to other people.  Being surprised by other insights, really listening to someone."

Your Twitter bio also says: 'Admiring the two women in my life'.

Big smile: "My wife and my daughter! Sophie is 16. I am a workaholic, I am aware of that. They know that too; when I take a laptop on holiday, there is no longer any discussion. My work means that if there is a real issue, I have to move quickly. I do that very early and very late in the day, so they are not bothered by it, and in between I really try to be there for them. That, of course, is what it's all about. A good work-life balance and good health."

Read more about the Taskforce Beyond Privacy Shield

Text: Josje Spinhoven