2/23
CIT Data Protection Conference
The Data Protection Conference took place on 15 June 2023. Isabelle Saintilan (Eurostar and Chair of the CIV Committee) and Martin Leiter (ÖBB and Chair of the CIT Data Protection Expert Group) guided almost 50 participants through the conference with the overarching theme “Future Questions of Data Protection”.
The topic was tackled from various angles:
Speakers started by giving an overview of recent court decisions and laws. The chair of the Data Protection Expert Group, Martin Leiter (ÖBB), not only informed participants about the latest court decisions but also gave an outlook on pending cases whereby he also gave his assessment of a possible outcome. He drew particular attention to the “meta” case currently pending before the CJEU which raises the question of whether the competition authority, within the framework of its powers under the competition rules, may examine compliance with the General Data Protection Regulation (GDPR) as an incidental question.
Also during this session, the European Commission’s data strategy was presented by Blaz Pongracic (CER), who confirmed that data protection is not limited to the GDPR since within the European Union, this regulation has been joined by a number of new regulations such as the Data Governance Act, the Data Act, the Digital Services Act and the Digital Markets Act, to name but a few. These legal acts do not exclude personal data from their scope, but they focus primarily on how companies handle and use data. An important presentation was also given by Claudius Ettlinger (SBB), who explained the differences and similarities between Switzerland’s new Federal Act on Data Protection and the GDPR.
During the second session, companies gave their insights into current data protection challenges. An overview provided by Fernando de Lucas (RENFE and CIT Executive Committee member) showed that new technologies, especially surveillance with drones and smart cameras, raises data protection issues. This presentation was followed by the insight of Gaëtan Goossens for Thalys and Bianca Jonas for SNCB who explained the advantages of biometric scanning but also the problems this entails, as well as a project discussed at SNCB level which planned to use license plate recognition to ease the process. At the end of this session, Linus Klingberg from DB presented a topic that concerns the CIT product “AIV[1]” and processes that must be adapted to bring claims handling in line with the requirements of the GDPR. Here, a proposal has been elaborated on how AIV should be amended before the end of this year. In addition, it was suggested that a code of conduct could be drafted in future to define claims handling processes in relation with data protection issues at railway undertaking level.
Following a well-earned lunch break, participants kicked off the afternoon session with two presentations on cybersecurity. While Gonzalo Delgado (RENFE) showed how risk analysis can prevent attacks on data, Audrey Poelaert (NS) introduced participants to the legal framework governing cybersecurity and confirmed that privacy and cybersecurity are two sides of the same coin.
The day concluded with a presentation by Nina Scherf (CIT) with an overview of the current and future work of CIT in the field of data protection.
nina.scherf(at)cit-rail.org
[1] Agreement concerning the Relationships between Transport Undertakings in respect of International Passenger Traffic by Rail (AIV)