Privacy protector resigns after conflict
Why an independent supervisor had to leave UU
The breakup between UU and Artan Jacquet was revealed through a message posted late last year on the student's website and the Intranet. But the explanation provided didn't make readers any wiser about the departure of the Data Protection Officer (DPO).
“I regret to say that I will be leaving Utrecht University,” Jacquet wrote. “The alternative — a trial to provide clarity about what the role of DPO and their job protection entail — would be long, expensive and complex.” In the post, UU's Rector, Henk Kummeling, also expressed himself ominously about the background story.
It was, however, more than clear that there had been a considerable clash and UU had tried to fire the independent supervisor. But what happened, exactly?
Artan Jacquet, who had been previously employed by Human Resources management, was the first Data Protection Officer to independently supervise the compliance of the General Data Protection Regulation (GDPR), a law that came into force in 2018. From that year onwards, every university was legally obliged to have an officer to make sure the institution complied with the privacy legislation.
Initially, he blossomed in this role as a much valued privacy flag bearer, organising numerous informational gatherings during which hundreds of employees learned what the GDPR would mean for them.
As time went by, some administrators and directors became visibly uneasy about the DPO's advice on university projects in which the processing of personal data was at stake.
The Executive Board struggled with Jacquet's critical advice several times, especially during Covid, regarding the use of Zoom and Proctoring. But there were other tricky matters, such as the introduction of a parking system and the desire to establish a Cultural Diversity Barometer.
The fact that the DPO sent his advice to the University Council even before the Executive Board had been able to make a decision on specific projects did not go down well. Jacquet insisted on the importance of transparency in carrying out his duties and stressed that he and the university had agreed that his advice would be public. In his opinion, the fact that the University Council had access to his advice did not prevent the Executive Board from making its own assessment and deviating from that advice. But the board felt that he was hindering the decision-making process.
In short, there were frequent clashes. At the same time, it was clear to everyone that Jacquet was really knowledgeable about the complex matters surrounding privacy protection, a field not yet fully explored, especially at universities.
Moreover, a personality described by many as "amiable" made sure that the was on good terms with almost everyone in the university. His farewell drinks are illustrative: Kummeling had "only" appreciative words about the departing DPO
"Fearless" was a key term used by the rector to describe Jacquet. He was referring to the way Jacquet had taken on the challenging task of alerting an unaccustomed organisation to the importance of privacy but that probably also referred to the way he continually offered resistance to the Executive Board.
Discussion about the role of DPO
One learned to what extent things were tense at the end of last year. Four years after his appointment, the DPO was facing UU's Executive Board in front of a judge. Numerous conversations between the two had already taken place at that point, as well as a mediation trajectory.
A lot must happen before a university can legally fire an employee with an independent supervisory role. Interviews with both Rector Henk Kummeling and Artan Jacquet revealed that they had opposing views regarding the role of Data Protection Officer, and these differences kept causing irreconcilable discord until the end. The Executive Board complained about the DPO's attitude and behaviour, while the DPO criticised the lack of administrative backing for his duties. All these issues intertwined several times.
For example, in the Executive Board's view, although independent, the DPO was a UU employee tasked with improving workplace processes that were in the best interests of the organisation. Asked to comment on the matter, Kummeling states: "The DPO thought that he was a completely independent authority, looking only from the outside in, so to speak. That was a misconception. Of course, a DPO can make his own considerations about what represents the highest risk but he must also consider the university's priorities and the deadlines for providing advice on different matters."
In addition, the board expected Jacquet to teach UU's employees how to better protect privacy. Kummeling: "Most employees are not privacy experts, so they need help!"
That's not how Jacquet sees his former position, however. He agrees that, as a UU employee, a DPO is supposed to help the organisation move forward. However, in his opinion, that's exactly what he’s always done. The problem, he argues, is that the Executive Board did not do justice to his legal position as a direct and independent interlocutor of "the highest authority". When he expressed reservations about projects or policies, he was often referred by the Executive Board to directors and chairmen who, according to the board, were mandated and responsible.
He explains: "The directors referred me to their own privacy officers, of course. I then told them that the project in question was possible, just not that way as there was still a lot to be done in terms of compliance with the GDPR. So, I’m a supervisor, not a fixer. I can say 'you have a problem and this is why' but I can't say 'I'm going to fix that for you'. At that point, the privacy officer couldn’t go ahead with their plan and had to ask their manager for money, time or additional expertise. I’m sure you can imagine that nobody likes that."
Jacquet continues: "When an Executive Board acts like that, they encourage the idea of an obstructive and uncooperative DPO. The board thus created its own reality."
The former DPO concludes that the Executive Board would rather not hear from him that the institution was not compliant with privacy rules. "The fact that you’re not fully compliant is not a shame at all. Many institutions aren’t. But then you must have a story about how you want to improve things. UU wants everything at once and clashes naturally ensue."
Artan Jacquet. Photo: DUB
This situation created an impasse between a DPO who invoked his independent position, asking for support from the Executive Board, and an Executive Board that saw all kinds of projects deemed necessary for the progress of teaching and research being delayed or jeopardised, without the DPO actively helping to find a way out.
In addition, the Executive Board questioned the DPO's opinion several times. They repeatedly doubted whether his view was the only correct and possible one.
Rector Kummeling: "The GDPR is not a law in which privacy interests are absolute. There are other interests that organisations may take into account, and that a board must take into account. Moreover, there are other employees in this university who know a lot about privacy protection — those working in Legal Affairs, for example. The DPO sometimes used the law as a stick instead of a tool, while simple, pragmatic solutions were available. This led to irritation and resistance within the organisation."
To Jacquet, these arguments are a further indication of how his position was undermined. "Of course, others may have an input and the Executive Board's decision may deviate from the DPO's advice when different interests need to be considered. But it should be clear that only the DPO provides independent advice. It's not like you can choose which advice you like best," he says.
"Similarly, you can't shout out, like they did several times, that something 'is allowed at so-and-so university' as the preconditions or circumstances are often very different in these other institutions. I know that DPOs working for other universities come to similar judgements on similar issues. It is a misconception that some would be much stricter or more flexible than others."
Jacquet wasn’t planning on giving an inch. He said he felt supported by his counterparts in other universities and institutions, as well as by the Personal Data Authority. "Who would know best what a DPO should do, they or a director called on non-compliance?"
Complaints about communication
According to Kummeling, a decisive factor in the board’s desire to push for the DPO's departure was that Jacquet did not allow himself to be addressed as an employee of the university. "He was an employee as well. The DPO considerably expanded his independent position. A DPO is protected in terms of concrete task performance, of course, but if an employee does things that are not desirable, you should be able to call them on it."
According to Jacquet, the discussion about his performance escalated when the director of the Administrative Service, advised by an HR officer, sought to include a director's complaint about him in his file. The main issue was the DPO's method of communication.
"He can't do something like that at all. There was no hierarchical line," stresses Jacquet, whose position was part of the Internal Audit Department. He felt supported by his supervisor. "Moreover, I do not think it’s desirable that the DPO can be punished by someone he is supposed to supervise."
Additionally, Jacquet denies that he behaved improperly towards the director in question or other UU employees. "Before I became DPO, my assessments were always good and I never received any comments about my communication or manners. The complaints came only after people got dissatisfied with the advice I gave."
The legal battle concerning the ins and outs of the DPO position and the appropriate attitude in this particular case turned out to be a long and expensive process. In the end, both parties decided to cut their losses by discussing a departure settlement.
Jacquet says he was saddled with a problem for a long time because he was anxious to defend his views and because it's becoming "increasingly difficult for employees to take a constructively critical stance" in the university.
He adds that he’s "still ambivalent" about the situation. "I did not see this as a battle between UU and Artan Jacquet at all. To me, this was a substantive difference of opinion between a DPO and an Executive Board. Many nice colleagues expressed their support to me regularly, which I really appreciated."
He ultimately attributes the conflict to "ignorance" and "underestimation". Jacquet: "Of course, it's no fun when someone suddenly comes and tells you that you really need to chart and consider all the risks. I get that. You go through a kind of grieving process. But, in the end, it helps to work more efficiently and better, so you shouldn't shoot the messenger."
For Rector Kummeling, there’s "a certain relief". He concludes that Jacquet's departure paves the way for a better way of working. "The differences of opinion stood in the way of working towards a culture in which privacy protection is seen as something desirable and self-evident."
The latter was all the more evident, according to Kummeling, when UU worked to expand and strengthen its privacy organisation over the past year.
"At some point, a clear conclusion presented itself: we can't go on like this. That’s why we sought a respectful way to part ways. We made every reasonable effort but, in the end, we came to the conclusion that we had to go separate ways."
A new policy on privacy
Outgoing DPO Jacquet says he welcomes the document as these are exactly the two issues he had been hammering on for the past few years. However, he fundamentally disagrees with a key aspect of the new policy: the new setup separates the supervisory and advisory functions of the new university DPO. It now retrospectively judges whether the design of a project complies with all laws or whether policy initiatives are up to standards. The DPO is therefore no longer expected to offer formal advice at an early stage.
To Jacquet, this setup is not in line with what the role of a DPO should be. In his opinion, providing timely advice so that adjustments can be made at an early stage is simply part of a DPO's legal duties. "This shows that the Executive Board always wanted to keep the DPO at a distance. All that remains for my successors is the position of a bogeyman. After all, they can only disapprove things in hindsight."
According to Kummeling, other experts say that such a separation is allowed and the new way of working is an important gain in terms of efficiency. "The privacy employees are now responsible for day-to-day operations, while the DPO checks whether that's going well. In doing so, he can still ask for information at all stages but we do not agree that the DPO must always be involved in everything and know about everything from the start."