When it comes to Brussels, it may not be love at first sight, but it grows on you. The city is, in fact, a group of 19 smaller communes, many of which have a very intriguing dichotomy. They can host both posh and very popular neighborhoods, one street can be in complete disarray while the next will be the most picturesque. Schaerbeek is one of these communes. This week, its old marketplace, Les Halles, welcomed the Computers, Privacy and Data Protection conference. CPDP has been, for many years, the gathering point for academics, civil society, regulators and, increasingly, industry representatives to debate global artificial intelligence convergence, privacy engineering, data flows and children's privacy, among other topics.
This week marks the EU General Data Protection Regulation's anniversary and epitomizes its liveliness after five years of existence. Since becoming applicable 25 May 2018, the GDPR has led to more than 1,700 enforcement actions across the EU/European Economic Area, 32 rulings by the Court of Justice of the European Union and more than 4 billion euros in administrative fines. The number of organizations that have registered data protection officials is more than 700,000. The GDPR also contributed to boosting the global privacy conversation. It may not have been the sole inspiration, but it was certainly a precursor to today's world, where more than 130 countries have a national privacy law.
This week's spotlight was also on Andrea Jelinek, as she finished her term as the first-ever chair of the European Data Protection Board and formally introduced her successor, Anu Talus. Talus was announced formally 25 May and will immediately start her five-year term. As the second chair of the EDPB, she inherits the foundational work Jelinek and her team built over the past five years, with a drive to create trust and formalize collaboration among peers.
One thing is certain: the GDPR is a living piece of legislation. Regulators will keep coming up with guidelines and landmark decisions. This week's Ireland Data Protection Commission decision and record 1.2 billion euro fine against Meta is undoubtedly the most vibrant example to date. As my colleague IAPP Editorial Director Jedidiah Bracy, CIPP, writes, the decision requires "Facebook to suspend future transfers of personal data to the U.S. within five months of the DPC's decision and to bring its processing operations into compliance 'by ceasing the unlawful processing, including storage, in the U.S. of personal data' of EU and European Economic Area users within six months of the DPC's notification to Meta." The not-so-fine print in the decision shows European regulators are serious about enforcing the GDPR and leveraging this type of high-profile decisions to serve as "a general deterrence" to all controllers out there. IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP, hosted an insightful discussion to unpack the DPC decision.
The European Commission is also expected to issue a legislative proposal to tackle some procedural aspects that have hindered regulators' ability to cooperate when applying the GDPR.
On the bright side, the privacy community keeps growing in Europe. Onward and upward!