EDPB Chair Andrea Jelinek calls for more global convergence on data protection and closer cooperation between competition & data protection regulators

In the run up to the 41st International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Tirana, the European Data Protection Law Review (EDPL) is doing a series with interviews with commissioners from around the world. The first to answer questions by EDPL’s executive editor Nelly Stratieva is Dr Andrea Jelinek, EDPB Chair and Director of the Austrian Data Protection Authority.

NS: A bit after the 1-year “birthday” of the GDPR, could you share your impressions? Where is the Regulation succeeding and where is there more work to be done? Have there been any surprises?

AJ: The first 15 months after the General Data Protection Regulation (GDPR) entered into application have been remarkably busy for data protection authorities and data protection professionals across the European Economic Area (EEA) and beyond. There has been an unprecedented growth of the global community of data protection professionals and public awareness is at an all-time high.

From the very first day, the first cross-border cases were logged in the European Data Protection Board’s (EDPB) crossborder case register, totaling 517 today, and queries started pouring in at the national supervisory authorities (SAs). 260 of the cross-border cases have led to one-stop-shop (OSS) procedures. So far, there have been 25 final OSS outcomes.

An important take-away from the first 15 months is that the resolution of cross-border cases, is time and resource intensive: SAs need to carry out investigations, observe different procedural rules and coordinate and share information with other supervisory authorities.

Many are eagerly awaiting the first major fines, but, while we see that SAs do not hesitate to impose fines when necessary, these are only part of the story. Compliance can only be achieved through an effective combination of guidance, stakeholder engagement, and, where necessary, enforcement by the national SAs.

The EDPB offers an interesting example of a more intensive form of cooperation between regulators. Our strength lies in that we combine the knowledge and expertise of 31 regulators and the European Data Protection Supervisor (EDPS) that are close to the situation on the ground in our respective countries, with a strong drive towards harmonisation and consistency. With this in mind, since its creation, the EDPB has endorsed the 16 GDPR related Working Party 29 (WP29) guidelines and adopted 7 guidelines and a recommendation of its own. In addition, the EDPB completed its first major consistency exercise, which resulted in the adoption of 31 opinions on national data protection impact assessment (DPIA) lists.

We do not do this work in a vacuum. To make sure that all upcoming guidance achieves the double goal of enabling compliant data processing and stronger rights for individuals, the EDPB regularly engages in stakeholder consultations. So far, the EDPB has organised 2 stakeholder events and 7 public consultations, of which 3 are still ongoing.

15 months in, there is no doubt that the GDPR has transformed the data protection landscape: citizens, businesses and legislators around the world are more aware than ever of the importance of data protection rights.

While we don’t need a single tech regulator, more cooperation between the competition and data protection regulators could sometimes be necessary.

NS: The GDPR transformed privacy and data protection not just in Europe, but around the world. In your opinion, what will be the next legislative frontier that could have such disruptive power? Would it come again from Europe or perhaps from another part of the world?

AJ: I see two important developments that in my view will gain importance in the coming years.

Firstly, data protection is here to stay. The GDPR set the ball rolling, but today new legislative initiatives are being taken in many places across the globe. While there is no such thing as ‘one size fits all’ for data protection, we should still aim for a degree of global convergence. Every nation has to conceive its own data protection laws, but some measure of compatibility will greatly facilitate economic exchange and help build trust among consumers.

Secondly, we see an increasing convergence between the work of competition regulators and data protection authorities. Data represents a new type of economic resource which is fast becoming the life force of the global economy. However, the accumulation of data by a few big players has the potential to threaten the level of data protection and freedom of choice enjoyed by consumers of digital services.

As a result, the work of competition and data protection regulators is becoming increasingly more intertwined. Data protection authorities can help assess the impact that market dominance may have in terms of privacy, freedom of expression and choice. While we don’t need a single tech regulator, more cooperation between the competition and data protection regulators could sometimes be necessary.

Data protection is here to stay.

NS: What major issues do you hope will be addressed at the next ICDPPC in Tirana?

AJ: I see international conferences such as the ICDPPC as a unique opportunity to meet and talk with other regional authorities. One of the issues I’m particularly interested in discussing with colleagues from across the globe is how to achieve a degree of convergence in data protection which would strengthen data subject rights everywhere.

I’ll be moderating a panel on accountability, a concept which lies at the heart of the GDPR, but is also part of other privacy and data protection laws. The concept of accountability has shifted the burden of protecting individuals’ rights firmly to the organisations and individuals which are processing data. It is a powerful concept that can drive high standards of data protection. It can also help us bridge jurisdictional and legal differences by creating interoperability: accountability can facilitate operations in multiple jurisdictions based on mutually agreed or commonly accepted privacy and implementation standards.