It’s that time of the year again! On Wednesday 19 June, the EDPS and the Data Protection Officers' (DPO) network of the EU institutions, bodies, offices and agencies (EUIs) met for the first traditional bi-annual meeting of the year. On this occasion, the meeting was hosted jointly by the European Economic and Social Committee (EESC) and the Committee of the Regions (CoR), in Brussels, Belgium.
It is truly fitting that the meeting took place on the eve of the European Data Protection Summit: “Rethinking Data in a Democratic Society”, which celebrates the EDPS’ 20th anniversary, considering that the DPO network has played a crucial role in the history of the EDPS and to the extensive work on data protection undertaken by the EUIs over the past two decades. In his opening address, the Supervisor, Wojciech Wiewiórowski, looked back at the work accomplished over the past two decades and stressed the importance of the EU - and its DPO network - as a trailblazer continuing to pave the way in the field of data protection.
The network actually existed before the EDPS was established. Since then, it has actively helped shape the current data protection landscape within the EUIs. Although it may be difficult to imagine today - when privacy and technology are now on everyone’s radar - this task has not always been an easy one. Many DPOs recall how they struggled to raise awareness about data protection at a time when the topic was not a priority in their organisation, and was generally considered as additional red tape. Thankfully, we have come a long way since then and the importance of data protection and privacy is no longer questioned.
Wojciech Wiewiórowski, the Supervisor, and his predecessors, Peter Hustinx and the late Giovanni Buttarelli, have all contributed to ensuring an effective protection of personal data in the EUIs, and putting the EDPS on the global map of data protection. Thanks to their tireless efforts and the hard work of EDPS staff, from past to present day, compliance with data protection rules is now considered a priority within the EUIs.
Our work remains important and will be even more important in the future. At the DPO network meeting, we explored the challenges that lie ahead and reflected on the role that data protection should play in public administrations in a modern society. We need to learn from the past and act in the present to ensure a prosperous future!
One of the main challenges is of course the use of Artificial Intelligence. In my last blogpost, I presented the EDPS’ AI preparedness strategy, which focuses on governance, risk management and supervision. I highlighted the importance for AI governance to follow an inter-institutional approach, and that we need to work together to get the use of AI in the EU’s public administration right. In line with this idea, and following up on the sessions dedicated to AI at the previous EDPS-DPO meeting, we decided to devote a substantial part of the agenda on this crucial topic again.
During a session dedicated to the open exchange of views, DPOs were encouraged to share their ideas and reflections on the new function of the AI correspondent and the DPO’s role in this context. The EDPS emphasised that in cases where a DPO is not appointed as AI correspondent by their organisations, they should be closely involved and engage in an open communication with the AI correspondents to ensure that the fundamental rights to privacy and data protection are taken into account when discussing the development and/or use of AI systems.
This session was followed by a very interesting presentation delivered by the CNIL, the data protection authority of France, during which the organisation shared their recommendations on the development of AI systems. The presentation shared by our colleagues from the CNIL was complemented by a Q&A and a more hands-on exercise for DPOs to put into practice these recommendations. Drawing from experience and knowledge of fellow DPAs will become increasingly valuable as we navigate through the complex interplay of the different legal frameworks.
Soon after, a workshop on AI and data protection impact assessments, prepared with the DPO support group - a rotating group of voluntary DPOs that are closely involved in the preparation of the EDPS-DPO meetings each year - took place. The workshop focused on the assessment of AI systems’ compliance with the EUDPR, Regulation 2018/1725. This session allowed DPOs and the EDPS alike to initiate reflections on how to link data protection impact assessments under the EUDPR with the fundamental rights impact assessment and other data protection aspects of the AI Act.
As the day progressed, DPOs participated in another interactive workshop on data subject access requests. This is a familiar subject to most DPOs, but that nevertheless comes with its fair share of challenges and complexity. It is always constructive and enriching for DPOs to share best practices and exchange ideas on matters that are directly relevant in their daily work.
Later, other sessions were organised on recent case law, updates on the work done by the EDPS’ Supervision & Enforcement Unit, and a presentation by the EDPS’ Technology and Privacy Unit on two of the EDPS 20th anniversary initiatives: the website compliance scanning and the data breach notification awareness campaign.
As I concluded the EDPS - DPO meeting, I shared the importance of the DPOs role as key contributors to the development of the EDPS and data protection over the last 20 years. I reminded them that the discussions were to be continued at the EDPS Summit, where a session dedicated to the challenging role of the DPOs in the public sector awaited them. This session was also organised to give a unique opportunity to DPOs to engage with counterparts from all over Europe.
Once again, I want to take a moment to express my gratitude to the DPO network - the EDPS would not be what it is today without your support. Our continuous and strong cooperation, as well as our joint efforts, will help us tackle the challenges that we face now and in the future. Our collaboration is a cornerstone of the data protection culture in the EUIs and we look forward to a successful partnership in the coming decades!