A Conversation with FPF’s Gabriela Zanfir-Fortuna


In Europe, FPF helps regulators, policymakers, and staff at data protection authorities better understand the technologies at the forefront of data protection law. FPF works with the Brussels Privacy Hub of Vrije Universiteit Brussel to provide an annual program to support practical data protection scholarship. FPF also offers the Digital Data Flows Masterclass, a year-long educational program to help officials better understand data-driven technologies such as AI and machine learning, mobility, biometrics, and uses of location data.

FPF Senior Counsel Gabriela Zanfir-Fortuna is a European privacy law scholar and coordinates FPF’s work on European privacy and data protection. Before moving to the U.S. and joining FPF, Gabriela worked for more than two years for the European Data Protection Supervisor in Brussels, both for the ‘Supervision and Enforcement’ and ‘Policy and Consultation’ Units. She obtained her PhD in law in 2013, from the University of Craiova, with her thesis “The rights of the person with regard to personal data protection.” In 2015, C. H. Beck published her book, Personal data protection. Rights of the data subject.

Could you tell us a little about your career as a data protection official in Europe?
Before I moved to the U.S. in 2016, I worked as a legal officer for the European Data Protection Supervisor. I worked there for about two and a half years, and that was precisely the period when GDPR was being negotiated. It was a very exciting period to be in Brussels, during the GDPR negotiations, the development of Privacy Shield, and negotiations on the EU-U.S. umbrella agreement. I also participated in the meetings of the Article 29 Working Party.

Prior to that, I had finalized my PhD in law and I wrote my thesis on the rights of data subjects in Romania. I dedicated years to researching how data protection law interacts with civil liability. So I had an academic and regulatory background when I moved to the U.S.

How did you get involved with FPF?
After I moved to the U.S., I participated in an event organized by FPF and the Goethe-Institut in Washington DC on Understanding EU Law, Institutions and Policymaking. The discussion helped the American audience and stakeholders understand what was coming with GDPR, how the European Court of Justice works, and the legal framework for privacy in the EU. I had a very good experience at that event, where I talked about the independent data protection authorities and the new European Data Protection Board. I appreciated the serious information that FPF was sharing. FPF understood the bigger framework and the overall legal system in the EU, as opposed to just looking narrowly at GDPR obligations.

I felt FPF could be a very good place for me, and here I am, two and a half years later, continuing to work on building a better understanding of the EU system here in the U.S, and helping to build a common language in the areas of privacy and data protection.

What has been the focus of your work at FPF?
I have been translating the European Union data protection law framework, privacy framework, and European Court of Human Rights framework to be easily understandable for our stakeholders here in the U.S. My goal is to bridge the gap between the European privacy culture and data protection culture and the U.S. privacy culture. I do that by drafting reports, organizing workshops and other events, coordinating the FPF European Council, and giving presentations and speeches.

What are some differences in the privacy cultures between the EU and the U.S.?
One big difference is that in the EU there are two different concepts – privacy and data protection – and in the U.S. we think of them both as privacy. In the EU, there is privacy protection on one hand – based on respect for private life – and data protection on the other hand. In the EU, we protect both the rights to private life and the rights to personal data protection. They are both protected as fundamental, comprehensive rights, but they are not absolute rights. Here in the U.S., the Constitutional protection of privacy is more limited. This creates challenges for developing a common understanding of the legal framework.

Also, the EU has more regulation, and this is a particularly heavily regulated area, much more than in the U.S. Here in the U.S., there is more room for interpretation of what the various privacy laws mean.

What are some of the projects you have worked on at FPF?
I worked with the Internet Privacy Engineering Network, KU Leuven, and Carnegie Mellon University to organized a workshop in November 2017 to look at privacy engineering as a common language between the American privacy framework and the European privacy and data protection frameworks. We brought together scientists, policymakers, practitioners, and industry representatives, and we had a productive conversation that led us to believe privacy engineering is a common language. Engineers look at issues in a clear, practical way, and that makes privacy engineering an area to find common ground between two quite different legal systems.

Another project I worked on is our detailed comparison between the California Consumer Privacy Act (CCPA) and GDPR, which we completed with DataGuidance. The report looks at differences and similarities between the two laws at a granular level. The two laws differ in significant ways, including their scope of applicability, the extent of collection limitations and rules concerning accountability. However, they are similar in certain definitions, the establishment of additional protections for people under age 16, and the inclusion of rights to access personal information, among other provisions. State legislatures in the U.S. are using GDPR and CCPA as models for legislation, which is one reason why it is important to understand their different approaches.

How have the European privacy and data protection frameworks affected the rest of the world?
They certainly are affecting the rest of the world. This influence was first felt as a result of how the EU regulated transfers of personal data across borders. We also see a huge impact that GDPR is having on lawmaking and policymaking around the world. Brazil adopted a law last year inspired by the GDPR framework. In India, a law is being considered that has similarities with the GDPR regime.

Convention 108 of the Council of Europe, which was modernized in 2018, is an international treaty that has the core principles of the European data protection law. It is very consistent with GDPR, and countries in other regions have signed on to it. The latest is Argentina, just a couple of months ago.

What are you looking forward to in your work with FPF?
This is a very exciting time in terms of policymaking in the U.S., with comprehensive privacy legislation being considered and state laws being adopted. I am looking forward to following those discussions and debates, and contributing with lessons learned from the European experience.

I’m also excited about FPF’s plans for an enhanced presence on the ground in Europe. That would be a big benefit for the policy debate over there, given FPF’s expertise in understanding data flows and the technical and legal aspects of processing amassed data.

FPF will host our next Privacy Book Club on April 24 at 2:00 PM EST. Join us to discuss Habeas Data: Privacy vs. the Rise of Surveillance Tech by Cyrus Farivar. Sign up for the book club here.

We hope you will join us at our 10th Anniversary Celebration on April 30. Buy your ticket here.