“For us at the EDPS - the independent institution in charge of supervising data protection matters within the EU institutions - data protection day is, well, every day.” However, for the rest of the world, data protection is mainly celebrated on 28 January every year. This date marks the signing of Convention 108 in 1981 - a milestone in its own right - since it is the first legally binding international instrument to protect privacy in the digital age.
As is the tradition, this important day is a chance for the EDPS to connect with peers, reflect on the digital landscape, the privacy of individuals, different approaches to embracing technologies and counteracting their risks to progress in data protection, but also raising awareness amongst individuals about what we do, and why their privacy matters to us.
Building on last year’s success, we partnered once again with the Council of Europe and CPDP Conference to organise a full-day event, CPDP Data Protection Day: a new mandate for data protection, during which we welcomed more than 430 in-person participants and 500 online, to focus on exploring the current and future landscape of data protection. Given the intertwining nature of data protection with many topics, three main sessions and three side sessions were organised, to maximise the number of subjects discussed.
Starting on a high note, the first panel, “Data Protection Day: what to celebrate?”, delved into some of the major milestones in data protection over the past decade - of which there are many. As I write this blogpost, a few come to mind from the discussion, such as the adoption and enforcement of the GDPR, the modernisation of Convention 108, and the growing body of case law supporting the right to personal data protection. What do these achievements demonstrate? That data protection remains an essential pillar of democracy and societal trust, and the importance of international collaboration through frameworks like the Council of Europe, G7 and the Organisation for Economic Cooperation and Development. Taking stock of the progress made allowed panellists to highlight key priorities going forward, including the practical application of new laws like the AI Act, improving GDPR enforcement, and fostering interdisciplinary as well as cross-regulatory dialogue to inform the application of regulations to emerging technologies.
This panel set the tone for the first main session held shortly after, “Data Protection in a Changing World: what lies ahead?”, during which participants took the time to share their main updates regarding their respective work in the digital sphere, as well as upcoming priorities and main goals. Irina Moozova representing the European Commission discussed their ambition to foster innovation, breaking regulatory silos, and aligning digital policies with European values, but also alluded to its highly anticipated “Data Union Strategy”, which aims to simplify, bring clarity and coherence to the legal framework, while upholding high privacy and security standards. Speakers of the panel also briefly touched upon the Digital Fairness Act, which aims to tackle dark patterns, personalised targeting, commercial practices and social media influencers for example. The latter will be subject to consultation this spring. A representative of the Polish Presidency of the Council shared their current focus on promoting a comprehensive approach in the field of cybersecurity; creating proper conditions for the development of AI while ensuring safety; further developing external digital relations; and supporting businesses by reducing administrative burdens. In turn, First Vice Chair of the European Parliament LIBE Committee Marina Kaljurand said that they will closely follow the GDPR’s procedural regulation as well as the review of existing adequacy decisions for transfers of personal data to non-EU/EEA countries, in particular with the US and the UK. Ending the panel discussion, UK Information Commissioner John Edwards signalled that talks regarding the UK adequacy decision for transfers of personal data had reached an advanced stage. Digital Europe, on the other hand, underscored the need to both simplify regulation and to complete the internal market to ensure that business can compete effectively across the EU. Participants agreed that cross-regulatory dialogue will be essential to navigate the increasingly complex regulatory landscape.
The next main session, “Forging the future: reinventing data protection?”, was dedicated to looking to the future, and the adaptive role of data protection within an increasingly complex environment. The discussion centred on the positive impact of the GDPR to date, while also exploring the challenges ahead, with a targeted reflection on how relevant actors can contribute to this and how. Panellists discussed how data protection authorities can be more effective and how to best protect citizens, not just via complaints, but also by acting proactively and strategically. Going deeper into the topic, and taking into account the dynamic and evolving digital regulatory landscape, but also the technological sphere, panellists discussed how data protection can be as an enabler of innovation, provided that companies can benefit from legal certainty and consistent application. They also shared the view that there is no urgent or pressing need to reopen the GDPR, which will remain the cornerstone that underpins all digital acts.
As the day progressed, more technical topics took centre stage. Our main session on “What’s in your mind: neuroscience and data protection?”, of the day focused on neurotechnologies and mental privacy, a topic also explored in a recent EDPS Tech Dispatch. Introducing the topic, panellists reiterated why privacy is essential in this area. Until recently, the human brain has been for most part a “black box”. However, today, neurotechnologies, together with the development of AI, can provide significant insights and even predictions on individuals’ mental health, mental state, and emotions. While these advancements hold potential for medical breakthroughs, they raise critical concerns about mental privacy and human autonomy. Mental privacy is the most secret sphere of privacy, and neurotechnologies can lead to unprecedented possibilities of interference and intrusion. Panellists, Anna Austin (Juriconsult, European Court of Human Rights), Marcello Ienca (Professor of Ethics of AI and neuroscience, Technical University of Munich), Alessandra Pierucci (Italian Data Protection Authority), Limor Shmerling Magazanik (Member of the Data Governance Expert Group, OECD) debated whether current legal protections, such as those under the European Convention of Human Rights, are sufficient or if new “neuro rights” are needed. Issues like discrimination risks, neurodata classification, and synthetic memory creation were explored, underscoring the urgency of aligning regulations with technological progress.
The side sessions organised throughout CPDP Data Protection Day allowed for a more in-depth look into the different challenges that come with enforcing data protection law and principles amidst a rapidly expanding digital and technological landscape. So much of data protection interlaces with other topics, such as criminal justice, health, commercial, consumer or even competition law.
Part of the EDPS’ work involves supervising the agencies involved in preventing and counteracting different forms of crime in the EU. I was therefore particularly interested by the side session, “Access to data: balancing between effective law enforcement and mass surveillance”, which explored access to data by the criminal justice sector. Access to digital traces can be relevant for the investigation and prosecution of crimes, but it also raises data protection and privacy concerns. What emerged from the discussion is that there is no doubt as to the necessity of clear and harmonised data retention rules, but finding the right balance between security and fundamental rights is not an easy task. While access to data for law enforcement is a key priority, panellists also emphasised the importance of a solid impact assessment. Different approaches were discussed, taking into account the significant body of Court of Justice of the EU case law on data retention. In addition to data retention, the panel also provided an opportunity to hear about the use of augmented cameras as a complementary tool for law enforcement and citizens’ attitudes regarding safety and privacy.
In the age of social media, AI and other data-hungry technologies, it seemed crucial to direct our attention to looking at data protection beyond privacy to address broader societal concerns, such as disinformation, profiling, and algorithmic manipulation. This was the theme of the second side session, “Beyond privacy: unveiling the true stakes of data protection”. Panellists called for stronger GDPR enforcement, emphasising that data protection is not a barrier to innovation but a foundation for responsible technological growth. Cooperation between businesses and regulators was identified as a critical step in creating frameworks that balance innovation with safeguarding public interests.
Amongst the three side sessions taking place at CPDP data protection day, one was organised by the trainees of the EDPS, EDPB and the Council of Europe. This session, “Who’s watching your period?”, ventured into privacy risks associated with period tracking apps, and in particular their lack of transparency when it comes to handling sensitive reproductive health data, and the risks of misusing or abusing people’s personal data in parts of the word that have restrictive reproductive laws. Panellists called for privacy preserving, open-source apps and stronger regulatory oversight to protect user autonomy and ensure fairness.
Throughout the day, guests and participants alike had the chance to hear two keynote speeches zooming on particular aspects of data protection and how it has morphed into the values and principles that we practice today.
In the first keynote speech, Beatriz de Anchorena, Chair of the Consultative Committee of Convention 108, underscored the global relevance of Convention 108+ in navigating diverse data protection frameworks. She also highlighted achievements, like standard contractual clauses (SCCs) as one of the ways to secure the transfers of personal data to countries outside the EU/EEA. Her speech also commented on ongoing work on large language models (LLMs) and neurotechnologies, while stressing the need for deeper understanding of emerging technologies. She concluded her remarks on addressing power imbalances between developed and developing nations and ensuring ethical governance in an increasingly complex geopolitical landscape.
In the second keynote speech of the day, Irene Nicolaidou, Vice Chair of the European Data Protection Board (EDPB), reflected on the EDPB’s pivotal role in fostering cooperation amongst data protection authorities of the EU and its capacity to adapt to emerging challenges. She highlighted the EDPB’s focus on consolidating tools, collaborating under new frameworks like the Digital Markets Act, Digital Services Act, and the Artificial Intelligence Act and its implications for data protection. Ms. Nicolaidou reinforced that technological progress must align with fundamental rights; ensuring Europe’s digital future is built on trust, innovation, and respect for human dignity.
As I share with you my final thoughts on this detailed account of the second edition of CPDP Data Protection Day, I believe that it has served as a stark reminder, once again, that data protection is about protecting the people who are behind data. It also confirms that the interplay with the existing and future digital legislations will be a challenge and will require increased cross-regulatory cooperation - something I wrote more extensively about recently in the context of our proposal to pave the way for a Digital Clearinghouse 2.0. At the same time, data protection authorities must continue to be independent and politically neutral. Enforcement is something that we should be proud of when we think about the role of data protection, both at national and European level. Looking ahead, we should think about the role of our data protection community within the global community and keep in mind the importance of cooperation.
I would like to thank all participants to this event for their attendance.
You can watch or rewatch all main and side sessions via the following link.