Keynote speech at the 7th Annual Data Protection and Privacy Conference Brussels, 1 December 2016 Giovanni Buttarelli
My thanks to Paul and Forum Europe for their invitation to speak to you this morning. This conference is always the last in the data protection calendar. And it is surely a tribute to the success of this conference that, in your seventh edition, you have a new, prestigious venue in The Hotel – in many ways Brussels’s answer to Trump Tower. Now this data protection calendar has become ever more congested over recent years for obvious reasons. And what a year 2016 has been. In this age of deep uncertainty, we have tried to build something to last the test of time. This year the EU adopted the GDPR, after four years of negotiation, which followed two years of policy deliberation and consultation by the Commission. We are now switching our focus from the law to action, from the legislator to the controller and the regulator. In this process, my institution has a double role to play. And in doing this we will be able to leverage 13 years’ experience of working closely with the institutions. First, our role as a member of the working party and future European Data Protection Board, the EDPS will continue to be a loyal ambassador for EU data protection, like the other independent data protection authorities. Our DNA as an independent DPA is exactly the same as for national authorities, the only difference is that we deal with the specific functions of European Union bodies and institutions. 1
I do not wish to pre-empt what Isabelle will say in her presentation, but suffice it say that next week we intend to finalise a suite of forward-looking guidance documents on essential aspects of the GDPR. This proves that the Working Party is working very hard to prepare the ground for when the GDPR becomes fully applicable. Rest assured that we will not be starting from scratch in May 2018; we will not be improvising. The second side to my role is as the secretariat to this new legal entity, the European Data Protection Board. We intend to hit the ground running. And to that end we are working constantly, in close collaboration with the group, on ensuring that the board has the right personnel, accommodation and IT facilities from day one. The role that the secretariat will play is set out in great detail in article 75 of the GDPR. It is a mix of analytical, administrative and logistical support to the Board. We are as aware as anyone else that the goal must be a new platform for modern, effective, real-time supervision of how personal information is handled in the big data world, and for modern, effective, real-time cooperation between the authorities responsible for that supervision. I am referring to practical things like ensuring easily accessible archives for documentation. We need to strike the right balance between transparency and respecting reasonable expectations of confidentiality – whether the confidentiality expected by controllers who may be under investigation, or the confidentiality of DPAs conducting the investigations. The EDPB will be comparable to the Article 29 Working Party. But expect important differences. The Working Party is a consultative body; the Board will be a legal entity taking binding decisions. This will certainly entail a change in the collective culture of DPAs. You should expect, more than ever before, professionalism and accountability. The work of the Board will be susceptible not only to criticism, but also to contestation before the courts. 2
There are 540 days between now and 25 May 2018. But there is no need to panic. Not yet. Last month I spent a few days talking to companies based on the US West Coast. It was the week after the presidential elections and just about everyone was feeling nervous about the future. Political uncertainty, big trade deals seemingly now no longer on the table, a general lack of trust in digital services I am afraid that the GDPR did not have a calming influence on this general mood. These firms are asking genuine questions - like when they will need to comply with the data protection by design provisions; questions like what will happen to data transfers following the challenges tabled against BCRs and SCCs and the Privacy Shield. They compared the situation to the amusement arcade game “Whack-a-mole”, where every time you think you knocked out a solution, another legal problem appears almost immediately. Businesses want the law to stop changing so that they can just get on with trading. We in Europe, and DPAs especially, need to understand this sentiment. It may just be fear of the new, but some of the concerns require genuine attention. Whether it is the Working Party or the EDPB, we cannot change the GDPR, but we can work to ensure that it is interpreted and implemented consistently. So my message to you here in Brussels is the same as my message last month in the Bay Area – get involved! Let’s have a debate about substance. As I said in my opinion last year before the GDPR was finalised, there is still unfinished business. Early in January we expect Commission proposals on the reform of ePrivacy rules, on the free flow of data, and on data protection rules applicable to EU institutions – including on the remit of my authority. With a GDPR of 99 articles, we actually have a very clear and detailed framework – perhaps too clear and detailed. That does not mean we rule out the Black Swan event – the unexpected consequence.
But it does mean that we need to have an open and honest debate. There is a lot of guidance to be issued. Businesses, regulators, legislators, the Commission, civil society – we all have a long task list. I repeat - 540 days between now and 25 May 2018. In fact, for those of you lucky enough to avoid work at weekends and on public holidays – there are only 373 days remaining. It seems wicked to say this in the first day of Advent, but there are no holidays for data protection. But this is also the “season to be jolly”. We are on the right track. In the words of that great British advocate of European integration, Winston Churchill, from November 1942: Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning. Everything now depends on how we translate the dead letter of the law into living practice and experience. So let’s get translating. Thank you for listening.