It’s not the end of the world as we know it
Looking beyond the GDPR to imagine future scenarios for regulation of digital rights in the EU and around the world.
We are approaching ‘peak awareness’ of the General Data Protection Regulation and the supposedly fateful date of 25 May 2018 after which the regulation will be fully applicable. Hopefully it will by then be accompanied by newly adopted rules on ePrivacy and on the data processing by EU institutions themselves. Certainly, this is going to be a landmark moment. It will be the culmination of almost a decade of analyses, consultation and negotiations. Nevertheless, in reality few people will notice any big differences when we wake up on the morning of 26 May.
An EU body greater than the sum of its parts
The next time the EU legislator decides to revisit the legal framework, technology will surely have changed society in unpredictably radical ways. Earlier this year, the European Parliament, in its resolution about AI, the European Parliament wondered whether robots should have rights and obligations. Yet the great irony is that, already right now, the dominant business model for online services and connected devices in effect treats human beings as if they were robots to be worked and farmed for their attention and ideas, as well as for personal information about them. So data protection authorities have a massive challenge in the present before they even think about the future.
Hence the practical need, and not only the legal obligation, for an ethos of unity among national DPAs in the EDPB, in line with the requirement under Article 60 of the GDPR for them to cooperate ‘in an endeavour to reach consensus’. The consistency mechanism and one-stop-shop will only work if based on a trust and cooperation abiding by the spirit, as well as the letter, of the GDPR.
Moreover, Member States need to equip DPAs to act independently as centres of excellence for protecting individuals’ rights and interests. At the moment, there are major disparities in the budgets for individual authorities in proportion to the number of people they are meant to protect: from 50 EUR per 1000 population in one Member State to 7600EUR per 1000 population in another.
25 May 2018 is not going to be the end of the world as we know it; it is more like the beginning of the beginning. The intergovernmental Article 29 Working Party is not going to suddenly transmogrify into an integrated dynamic centralised super regulator. The EDPB will be an entity in its own right and potentially very powerful. But first there is a need for cultures to merge.
As we embark on this journey we might take inspiration from parallel regulatory worlds and their development. Competition enforcement, for example, in both Europe and North America grew out of the core notion that companies should never become so powerful as to threaten democracy. (See for example the OECD discussion happening on this theme.) An EU treaty then entrenched the principles, and national authorities emerged and gradually converged to the point where the most important cases are dealt with centrally. Or take the regulation of financial services – which was still very much a preserve of national competence until the financial crisis. Now there are powerful EU bodies responsible for ensuring the sustainability of the Banking Union.
There will be inevitable tension between the constitutionally-enshrined independence of action of every DPA (Article8 of the Charter of Fundamental Rights and Article 16 of the Lisbon Treaty and now fully operationalised through Article 52 of the GDPR) and the legal obligation (GDPR Article 57) for them to cooperate. This is what makes Article 65 of the GDPR, which provides for dispute resolution procedure where a lead authority has rejected the objections of another DPA, so extraordinary. Once invoked, this provision would mean a binding decision of the Board, with the Chair having the casting vote if the votes are split. Thus an independent authority would have to implement a decision which it may disagree with. You might be consider this to be a legal fiction, similar to the ‘budget sequestration’ in the US, where Congress ‘points a pistol to its own head’ to ensure it agrees the Federal Budget before devastating spending cuts automatically applied. It is, more accurately speaking, a means to push DPAs towards resolution under the general requirement to act in the interests of consensus.
So the EDPB to succeed will need to be at least as great as the sum of its parts. Currently there are altogether around 2500 people working for DPAs in the EU – not many people to supervise compliance with a complex law applicable to all companies in the world targeting services at, or monitoring, people in Europe. So cooperation is a necessity, not a luxury. It is essential to focus on the biggest problems and on promoting a culture of accountability among controllers.
Don’t forget the future
The world is racing: it has taken just a few years for smart devices to become in effect, an extension of our bodies. Phones are now more powerful than the most powerful supercomputers twenty years ago. As regulators we cannot be left behind. We have to keep the law under review, and evaluate whether it’s having the desired effects. But it has taken the best part of a decade to reform our data protection rules. The process started in 2010 with a public consultation on reform of Directive 95/46. The process won’t really end on 25 May 2018: we have a small number of implementing and delegated acts to be adopted; the EDPB will continue to issue guidelines on key parts of the GDPR; and we must expect some essential precedents and case law as a result of authorities’ attempts to enforce the law and deploy their powers.
There are growing calls for a single digital regulator, to ensure companies fulfil their obligations across a range of sectors, not only data protection and privacy, but also consumer protection and various rules on product safety and antitrust (in the case of dominant players). In Germany, for example, the national competition authority is investigating whether Facebook abuses its dominant position through imposing unfair data use policies, while the government have been considering creating a new ‘Digital Agency’ to act to prevent abuses even before establishing conclusively whether a company is dominant in a given market. Clearly, we need to find a way of harnessing existing effective tools – like antitrust – and ensuring they are used coherently with potentially effective new tools – like the enforcement of data protection and electronic privacy.
My vision is for a truly European board which is visible, credible and accessible. The GDPR and EDPB represent the EU’s business card for how to regulate big data and AI in close proximity to citizens. But it is right to look ahead already to the next reform.
I predict that at some point may be within the next 10 years or so, and following the trajectory of other areas of regulation as they mature and grow in complexity, we will begin to discuss the merits of a single digital regulator in the long-term. It would need careful consideration, because perhaps even more important than consistency and effectiveness is the proximity and responsiveness of the regulator to the individual. Such a regulator might then have an explicit obligation to act in the interest of all data subjects in the EU, a bit like the oath that Commissioners must take when they assume office.
In the meantime, we must make the EDPB a world leader in high quality and efficient data protection enforcement. The EDPS will do all we can, as a loyal member of the body and as the provider of the secretariat, to ensure that the EDPB is a success, providing legal certainty, reliability and most of all a champion for individuals whose data is powering the digital age.
Latest News from
Council agrees on emergency measures to reduce energy prices03/10/2022 16:33:00
EU energy ministers recently (30 September 2022) reached a political agreement on a proposal for a Council Regulation to address high energy prices.
Guidelines on general visa issuance in relation to Russian applicants and controls of Russian citizens at the external borders03/10/2022 15:25:00
The Commission recently (30 September 2022) presented updated guidelines to Member States on visa procedures as well as on border controls for Russian citizens at the EU's external borders.
Message of President Charles Michel on Russia's illegal annexation of Ukrainian regions03/10/2022 14:33:00
Message of President Charles Michel on Russia's illegal annexation of Ukrainian regions (30 September 2022).
Ethiopia: Statement by Commissioner Lenarčič on the humanitarian situation and International Humanitarian Law in northern Ethiopia03/10/2022 13:25:00
Ethiopia: Statement given recently (30 September 2022) by Commissioner Lenarčič on the humanitarian situation and International Humanitarian Law in northern Ethiopia.
Antitrust: Commission upgrades eLeniency tool to grant companies online access to leniency and settlement documents03/10/2022 12:10:00
The European Commission has upgraded its online platform “eLeniency” to ensure that companies who are parties to cartel and antitrust proceedings can easily and securely access documents online.
State aid: Commission approves aid to support the resolution of the Polish Getin Noble Bank S.A.03/10/2022 11:33:00
The European Commission has approved, under EU State aid rules, several support measures in the context of the resolution of the Polish Getin Noble Bank S.A.
Council and Parliament reach provisional political agreement on access to Union waters, extending the current rules for fishermen for another ten years30/09/2022 15:25:00
The Czech Presidency of the Council of the European Union and the European Parliament reached a provisional political agreement as regards the regime for access of fishing vessels to member states’ territorial waters.
Ensuring radiation protection: Commission refers LATVIA to Court to guarantee citizens' protection from ionising radiation-exposure risks30/09/2022 14:33:00
The Commission is taking legal steps to ensure the protection of citizens, workers and patients against the dangers arising from exposure to ionizing radiation.
Investor citizenship scheme: Commission refers MALTA to the Court of Justice30/09/2022 13:25:00
The European Commission yesterday decided to refer Malta to the Court of Justice of the European Union for its investor citizenship scheme, also referred to as the ‘golden passports'.
Human rights: EU increases support to the protection of human rights defenders worldwide30/09/2022 12:38:00
Human rights are increasingly under threat worldwide. Against this global backdrop, reconfirming the European Union's strong support to human rights, fundamental freedoms and democracy, and their defenders worldwide, Commissioner Jutta Urpilainen yesterday signed €30 million, a substantial increase, for the new phase of the EU Human Rights Defenders Mechanism, in the presence of civil society organisations and human rights defenders, for the period 2022–2027.