It’s not the end of the world as we know it

Giovanni Buttarelli

In the last few weeks, I have been asked to look beyond the GDPR to imagine future scenarios for regulation of digital rights in the EU and around the world. 



We are approaching ‘peak awareness’ of the General Data Protection Regulation and the supposedly fateful date of 25 May 2018 after which the regulation will be fully applicable. Hopefully it will by then be accompanied by newly adopted rules on ePrivacy and on the data processing by EU institutions themselves. Certainly, this is going to be a landmark moment. It will be the culmination of almost a decade of analyses, consultation and negotiations. Nevertheless, in reality few people will notice any big differences when we wake up on the morning of 26 May.


An EU body greater than the sum of its parts

The next time the EU legislator decides to revisit the legal framework, technology will surely have changed society in unpredictably radical ways. Earlier this year, the European Parliament, in its resolution about AI, the European Parliament wondered whether robots should have rights and obligations. Yet the great irony is that, already right now, the dominant business model for online services and connected devices in effect treats human beings as if they were robots to be worked and farmed for their attention and ideas, as well as for personal information about them. So data protection authorities have a massive challenge in the present before they even think about the future.

Hence the practical need, and not only the legal obligation, for an ethos of unity among national DPAs in the EDPB, in line with the requirement under Article 60 of the GDPR for them to cooperate ‘in an endeavour to reach consensus’.  The consistency mechanism and one-stop-shop will only work if based on a trust and cooperation abiding by the spirit, as well as the letter, of the GDPR.

Moreover, Member States need to equip DPAs to act independently as centres of excellence for protecting individuals’ rights and interests.  At the moment, there are major disparities in the budgets for individual authorities in proportion to the number of people they are meant to protect: from 50 EUR per 1000 population in one Member State to 7600EUR per 1000 population in another.  

25 May 2018 is not going to be the end of the world as we know it; it is more like the beginning of the beginning.  The intergovernmental Article 29 Working Party is not going to suddenly transmogrify into an integrated dynamic centralised super regulator. The EDPB will be an entity in its own right and potentially very powerful. But first there is a need for cultures to merge.

As we embark on this journey we might take inspiration from parallel regulatory worlds and their development. Competition enforcement, for example, in both Europe and North America grew out of the core notion that companies should never become so powerful as to threaten democracy. (See for example the OECD discussion happening today on this theme.) An EU treaty then entrenched the principles, and national authorities emerged and gradually converged to the point today where the most important cases are dealt with centrally. Or take the regulation of financial services – which was still very much a preserve of national competence until the financial crisis. Now there are powerful EU bodies responsible for ensuring the sustainability of the Banking Union.

There will be inevitable tension between the constitutionally-enshrined independence of action of every DPA (Article8 of the Charter of Fundamental Rights and Article 16 of the Lisbon Treaty and now fully operationalised through Article 52 of the GDPR) and the legal obligation (GDPR Article 57) for them to cooperate.  This is what makes Article 65 of the GDPR, which provides for dispute resolution procedure where a lead authority has rejected the objections of another DPA, so extraordinary. Once invoked, this provision would mean a binding decision of the Board, with the Chair having the casting vote if the votes are split. Thus an independent authority would have to implement a decision which it may disagree with.  You might be consider this to be a legal fiction, similar to the ‘budget sequestration’ in the US, where Congress ‘points a pistol to its own head’ to ensure it agrees the Federal Budget before devastating spending cuts automatically applied. It is, more accurately speaking, a means to push DPAs towards resolution under the general requirement to act in the interests of consensus.

So the EDPB to succeed will need to be at least as great as the sum of its parts. Currently there are altogether around 2500 people working for DPAs in the EU – not many people to supervise compliance with a complex law applicable to all companies in the world targeting services at, or monitoring, people in Europe. So cooperation is a necessity, not a luxury. It is essential to focus on the biggest problems and on promoting a culture of accountability among controllers.


Don’t forget the future

The world is racing: it has taken just a few years for smart devices to become in effect, an extension of our bodies. Phones are now more powerful than the most powerful supercomputers twenty years ago.  As regulators we cannot be left behind. We have to keep the law under review, and evaluate whether it’s having the desired effects.  But it has taken the best part of a decade to reform our data protection rules. The process started in 2010 with a public consultation on reform of Directive 95/46.  The process won’t really end on 25 May 2018: we have a small number of implementing and delegated acts to be adopted; the EDPB will continue to issue guidelines on key parts of the GDPR; and we must expect some essential precedents and case law as a result of authorities’ attempts to enforce the law and deploy their powers.

There are growing calls for a single digital regulator, to ensure companies fulfil their obligations across a range of sectors, not only data protection and privacy, but also consumer protection and various rules on product safety and antitrust (in the case of dominant players).  In Germany, for example, the national competition authority is investigating whether Facebook abuses its dominant position through imposing unfair data use policies, while the government have been considering creating a new ‘Digital Agency’ to act to prevent abuses even before establishing conclusively whether a company is dominant in a given market.  Clearly, we need to find a way of harnessing existing effective tools – like antitrust – and ensuring they are used coherently with potentially effective new tools – like the enforcement of data protection and electronic privacy.

My vision is for a truly European board which is visible, credible and accessible. The GDPR and EDPB represent the EU’s business card for how to regulate big data and AI in close proximity to citizens. But it is right to look ahead already to the next reform.

I predict that at some point may be within the next 10 years or so, and following the trajectory of other areas of regulation as they mature and grow in complexity, we will begin to discuss the merits of a single digital regulator in the long-term.  It would need careful consideration, because perhaps even more important than consistency and effectiveness is the proximity and responsiveness of the regulator to the individual.  Such a regulator might then have an explicit obligation to act in the interest of all data subjects in the EU, a bit like the oath that Commissioners must take when they assume office.

In the meantime, we must make the EDPB a world leader in high quality and efficient data protection enforcement. The EDPS will do all we can, as a loyal member of the body and as the provider of the secretariat, to ensure that the EDPB is a success, providing legal certainty, reliability and most of all a champion for individuals whose data is powering the digital age.