The State of the Data Protection Union

Giovanni Buttarelli

Henry Kissinger, in one of perhaps the most famous quotes which were never actually uttered by the person to whom they are attributed, is alleged to have complained that when he wanted to telephone the European Union he didn’t know what number to ring.  I am often asked for my reflections on the transatlantic relationship under the new administration, and in response I have suggested that indeed it would be helpful to have a nominated points of contact for questions of privacy and data protection law. It seems now, a few days away from the review by the Commission and EU data protection authorities of the Privacy Shield, that we will have soon at least few new key nominations to the US administration including for the Privacy and Civil Liberties Oversight Board.

At the end of the summer I was able to meet leaders from the regulatory and business world at the Technology Policy Institute Aspen Forum (my panel discussion with the current Acting Chair of the Federal Trade Commission can be viewed here). I had the opportunity to explain that the EU had been through a period of reflection on how people should be treated with respect in the new digital reality, with the conclusion that data protection and privacy laws needed updating.

We are now entering the home straight for the implementation of the General Data Protection Regulation and for the finalisation of outstanding related reforms, including the revision of the regulation governing data protection in the EU institutions and my function as independent supervisory authority, and the rules on the confidentiality of electronic communications, the draft ePrivacy regulation. We are moving in the direction of more sustainable solutions for international personal data flows with the Privacy Shield an important, necessary but probably insufficient step in this direction.

Last week the President of the European Commission emphasised the need for the EU to address the gaps in digital Europe. We have to support this, and at the EDPS we will in the coming months be issuing opinions on the cybersecurity package and the proposed regulation on free flow of data within the EU.  In addition, we need to simplify the current smorgasbord of governance arrangements for the various EU databases and cooperation mechanisms in the justice and home affairs area, like Eurodac and the Schengen information system, soon to be joined by the European Public Prosecutors Office. Databases do not solve problems; people solve problems when they are aware of their precise responsibilities and cooperate with others in a spirit of mutual trust. The Commission’s drive towards ‘interoperability’ of these various systems shows that they are aware of this problem. However, in my view, the solution is not to stretch the law to breaking point, but rather to redefine standards and architecture and security measures. I intend to issue a strategic paper outlining how to meet this challenge towards the end of this year. 

Over the next 12 months my authority has three major priorities. The first priority is working with national data protection authorities to ensure the European Data Protection Board hits the ground running on 25 May 2018, with the support of a professional secretariat which EDPS will provide in accordance with the GDPR.

The second is to continue to ensure the EU institutions and bodies we supervise are fully invested in the notion of accountability at the highest level for how people’s personal information is handled.

The third is the delivery of the 2018 International Conference of Data Protection and Privacy Commissioners, which should be an event unlike any other before in Brussels, with a new, broad and inclusive community of forward-thinking experts able to engage with urgent questions of technology and respect for humans in the age of AI and potentially ubiquitous surveillance.

Data protection authorities can, if they take up the gauntlet, be in the vanguard in addressing these questions, but only we understand better the technology which drives the behaviour we are meant to oversee in the interests of the individual.

The EDPB offers a fantastic chance to make this happen.