2/25
CIT Data Protection Conference 2025
CIT Data Protection Conference 2025
The CIT Data Protection Conference took place on 12 June in a hybrid format. The conference covered a wide range of topics, from the classic subject of data protection and privacy through AI and cybersecurity to the new data act. Isabelle Saintilan, Chair of the CIV Committee, guided participants through the conference's exciting programme.
The conference began with a tribute to CIT Secretary General Gilles Mugnier, who passed away unexpectedly, delivered by Erik Evtimov (CIT Deputy Secretary General). Isabelle Saintilan (Chairwoman of the CIV Committee, Eurostar) and Maria Urbańska (Deputy Chairwoman of the Executive Committee) then opened the conference.
Keynote: Beyond the hype of artificial intelligence
The conference presentations kicked off with an inspiring keynote speech by Erik Nygren (co-founder of Flock Labs), who looked “beyond the hype of artificial intelligence”. Mr Nygren provided an overview of the areas in which AI can be used effectively, both within companies and in private life, as well as highlighting its current limitations. He also provided fascinating insights into how AI is used in the railway industry, for example for network planning.
First session with a focus on the General Data Protection Regulation
The first session was dedicated to presentations on the General Data Protection Regulation (GDPR). Martin Leiter (ÖBB and Chair of the CIT Data Protection Experts Group) discussed the latest court decisions on data protection, particularly those of the Court of Justice of the European Union. Sophie Digeon (SNCF V.) then delved into a highly practical CJEU court decision that ruled SNCF's practice of collecting data related to customers' civil status (Mr or Mrs) was not objectively essential for commercial communications and therefore not in line with GDPR rules. The relevant French court will now rule in light of the CJEU's decision - a highly awaited ruling.
Claudius Ettlinger (SBB) explained how SBB deals with customers' rights to access and erasure of their personal data under the Swiss equivalent regulation to the GDPR. Veriana Ostremann (ÖBB) then illustrated the data protection challenges and evaluations related to a specific UIC technical tool, “eTCD” (Electronic Ticket Control Database). This evaluation is also important for CIT work, as eTCD will be used in future to digitise processes under the CIT Agreement on Journey Continuation (AJC).
Second session with numerous topics - AI, cybersecurity and the Data Act
The second session of the conference focused on new data regulations beyond the GDPR. María del Mar Garzón (RENFE) presented some use cases of AI at RENFE and explained the privacy-related risks of using AI. Participants also benefited from her detailed assessment of conflicts between the protection of personal data under the GDPR and the use of AI, which concluded that the GDPR might need to be amended to address AI-related challenges. Audrey Poelaert then provided some updates on cybersecurity regulations – a topic that is becoming increasingly relevant in light of the growing risk of cyberattacks.
Next, Frederique Allier from Stephenson Harwood LLP introduced the new Data Act, which is due to come into effect in September this year. The Data Act will establish a legal framework for the use of data, determining who can use what data and under what conditions. Users of connected products or related services, in particular, should have the right to receive the specific data that they generate.
Following this introduction, Isabelle Saintilan moderated a lively panel discussion on the Data Act. The speakers covered a broad spectrum of opinions, including rail passenger traffic, with Linus Klingberg (DB Fernverkehr), Martin Leiter (ÖBB), Julia Kremer (International Union of Wagon Keepers) and Frédérique Allier (Stephenson Harwood LLP).
The discussions centred on the interpretation of key terms in the Data Act. It became clear that the panelists had quite diverse views on this matter. The economic impact on the railway sector and its various stakeholders was also highlighted. A key question that remained was how the Data Act relates to the GDPR and its obligations with regard to the processing of personal data. This is a highly relevant topic for railway undertakings and companies in general.
The conference concluded with a presentation by Nina Scherf (CIT), who attempted to answer the question of whether the EU is on track for a digital future. She summarised the various regulations that the European Commission has introduced as part of its Data Strategy, emphasising that different data regulations raise questions about their relationship with each other and how they should be applied. She also provided an outlook on future EU activities related to data regulations, especially on the GDPR. It was concluded that harmonising several data regulations might be necessary to achieve greater legal clarity on how they relate to each other.
Ultimately, the conference demonstrated that the CIT is, and will need to continue to be, a centre of legal excellence, bringing transport law and data protection experts together to find practical solutions to issues relating to data and the protection of personal data in the rail sector.