Episode: 1542
Title: HPR1542: Agnes is an IT Lawyer
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1542/hpr1542.mp3
Transcribed: 2025-10-18 04:49:18

---

Today on Hacker Public Radio, we will talk to an IT lawyer about the new EU regulations regarding personal data.
In April 2014, I visited the IT Solutions Expo at the conference centre known as the Swedish Fair in Gothenburg. The tagline of the IT Solutions Expo was "The fair that shows you how to make money on tomorrow's IT solutions." And on their web page they write: "IT Solutions Expo in Gothenburg is the exhibition that focuses 100% on entrepreneurship and business development through new technologies. It offers visitors the opportunity to see the market's latest solutions and listen to when some of the world's top entrepreneurs and innovators explain how to achieve success through new technologies. Do not just stand there, realise your vision, and surf on the digitisation wave that opens doors to new markets, more sales and higher profits."
Yeah. So just a lot of corporate propaganda and sales people, right? And to be totally honest, I hesitated going there. But I'm glad I did, actually. There were some really interesting talks concerning privacy and technology that I would not have liked to miss. And the real highlight of the fair was a talk by Agnes Andersen Hammastrand, a lawyer specialised in information technology. She covered the new laws that will come to pass in the European Union regarding how we are allowed to handle personal data. I was very happy that she was willing to give a short interview for Hacker Public Radio, so I started by asking her to give us the current status.
Well, I'm working as an IT lawyer at a law firm called Setterwalls, and I'm here at the Easyfairs IT Solutions Expo to speak about the new EU regulation regarding personal data.
All right. And why is that interesting?
Well, it's very interesting because what's happening now is that the EU has suggested a new, totally new legislation regarding protection of personal data. And the legislation includes a lot of news. And it would become a much stricter regulation as regards personal data throughout the EU.
And this is something new that they are rolling out over all the countries in the EU. It's a new thing doing it like that, isn't it?
Well, it's, I mean, there are, of course, a few other areas where you have EU legislation, but it's new when it comes to personal data that in this case, this is legislation with direct effect in all EU countries. And previously, there was only an EU directive with some minimum rules, regulations in all the countries, but they could be interpreted in different ways from country to country. But now it will be the same law, the same interpretation in all countries. That's the intention.
All right. And regarding this new law, how long has this been in the works? How long have they been researching and doing stuff to change this law? I mean, we have a lot of news about it right now, but this must have been in the pipeline for a long time, right?
Yes. To be honest, I'm not really sure how long they've been working with this, but it's for years, of course. I mean, the first public draft was published more than two years ago. Before that, there have been discussions for many, many years. So of course, this is work that's been going on for a long time.
And why do they feel the need to change these laws?
First of all, the EU would like to have one single set of rules in order to facilitate trade and facilitate cross-border transactions. As it is now, if you are a company within the EU, you need to ask lawyers in every country you're active in, in order to see, okay, what's the interpretation of the directive in that country? And that, of course, costs a lot for companies, and it's quite burdensome. So that's the first reason.
The second reason is, of course, to ensure a strict protection to protect individuals from having registered data about them that they don't want to have registered.
And just with the broad strokes, what does this new law entail for everyone?
Well, it's, as I said, it's one legislation, that's, of course, big news. Then there will be much stricter sanctions, at least from a Swedish perspective, a Swedish lawyer, that, of course, varies depending on, from country to country, what the sanctions were in that country before. But in general, you may have to pay liquidated damages in case of breach of the legislation, which is a very strict sanction, I would say. You could be liable up to 5% of the global turnover of a company, which is, it's quite a lot. I mean, 5% of the annual global turnover, that might be all the profit that company is making that year. Of course, depending on how serious a breach you are committing, but still, it's very tough. So that's one important change, of course. You also, as a company, you will only have to consider one government body, one authority. That's called one stop shop. So if you're a Swedish company, for example, you only have to deal with a Swedish authority responsible for data protection. So that's one thing as well, that's quite big. And in addition to that, there are, of course, different rules here and there that will be changed.
A lot of the people who listen to this are creators and makers, they're programmers. What do they have to think about if they are going to follow these new laws?
Well, one thing I think you should be aware of is a principle called privacy by design and privacy by default. And that's a rule stating that when you are designing a new IT system where you will store personal data, you need to take into consideration issues of privacy already when designing that system. So that's a quite interesting new rule, I would say.
You need to consider what are the default settings in the system you are creating. For example, if personal data may not be stored for a long period, you need to have a default setting where you can, as a company, decide that after this period, the data will automatically be deleted and removed from the system totally.
How do you define personal data?
Well, personal data is everything that directly or indirectly could be connected to one individual. So it could be a picture, it could be contact details, even if it's company contact details, which is very important to remember. It's not only you as a consumer, it could also be you as a representative for a company. So it's everything that in any way could be connected to you as an individual.
And the reason for you being able to store these things usually is that you have a business relationship with the customer, a company or a person.
Well, there are different reasons why you are allowed to store personal data. It could be, for example, that you, of course, you are allowed to store personal data about your employees, that's explicit in the current European legislation and will, of course, be the same in the new legislation. It could also be a customer relationship, as you said. It could be other reasons as well, but you need to have a legitimate ground-based logic for why you are allowed to store the personal data. And if you're not having such a relationship in some way, as a basic rule, you need to have consent from the person that you register.
Another group that listens to this are the people who work at companies and perhaps have on their table to assess these questions for the company's sake. Do you have some final thought, a recommendation perhaps, good advice for them?
Well, I think that companies within Europe, they need to consider this legislation in good time in advance because it will make quite a lot of changes.
And one thing that is very clear from the legislation is that the companies will have much more responsibility to become compliant before a breach is committed. You need to have strict rules in order to document how you actually comply with the legislation, bigger responsibility as regards policy documentation to actually ensure that you comply with the legislation and be able to prove that according to the legislation. So now it's very much about creating awareness within the companies about the new legislation.
And if people want to know more about you, follow your work, where do they turn to?
Well, you can find me on Twitter, on the account, the Advocaten. For example, my name is Agnes Andersen Hammastrand, and you can of course also Google me and find me on my company website.
And I will of course put links in the show notes. Thank you very much.
Thank you.
It is interesting to see that it is not only consumers who are starting to think that the information about us should be kept safe, it is also slowly becoming the law. If you work in or with companies in the European Union, this is definitely a heads up, something to take notice of. In just a couple of years' time, you must be ready to follow the new legislation. In her talk, Agnes also mentioned that companies should have someone who is responsible for privacy issues, perhaps it is time to go and have a chat with your CEO. And remember, when you start a new software project, privacy by design and privacy by default. All the relevant links will be in the show notes, where you will also find ways to send feedback or get in touch with Agnes or me. Please, if you have any thoughts on the subject at hand or regarding the show, go to hackerpublicradio.org and speak your mind. This is CT, signing off.
You have been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday.
Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever consider recording a podcast, then visit our website to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club. HPR is funded by the Binary Revolution at binrev.com. All binrev projects are proudly sponsored by Lunarpages. From shared hosting to custom private clouds, go to lunarpages.com for all your hosting needs. Unless otherwise stated, today's show is released under a Creative Commons Attribution-ShareAlike 3.0 license.