It was hardly surprising that the impending May 25 deadline for the EU General Data Protection Regulation was top of mind among attendees this week at the IAPP Global Privacy Summit in Washington. So when the new chairwoman of the Article 29 Working Party sat down for a one-hour interview to discuss GDPR enforcement, the room filled up.
In a wide-ranging conversation with former FTC Commissioner and current Microsoft Corporate Vice President and Deputy General Counsel Julie Brill, WP29 Chairwoman Andrea Jelinek consistently stressed the importance of communication, not only between companies and data protection authorities but also among DPAs themselves. For Jelinek, the so-called one-stop-shop provision in the GDPR is "crucial." Her role moving forward will also be significant if she's going to lead the first-ever European Data Protection Board once the GDPR goes into effect. It's expected that Jelinek will garner the support from her fellow DPAs and be voted head of the EDPB this May.
"If they want me to chair the EDPB, they will have to vote, and that will be held on the 25th of May," she said.
And what about the potential enforcement actions on May 26? "Well, May 26 is a Saturday, so we will have a grace period over the weekend," she said, tongue-in-cheek. DPA humor and nervous laughter aside, Jelinek said the May 25 implementation date is an important one, but it's "a starting point" and a "milestone for a way that we'll start to work together."
A major component in what Brill referred to as "our shared journey" will be the role data protection officers will play within their organizations. "DPOs are the communications line between the company and the DPA," Jelinek explained. "It's a really important role, not only for the company but for the DPA, as well. They're like a translator [on behalf of the company]." The DPO will provide guidance to her C-suite and "provide us with information. It is a crucial role and important for us to know who it is, to know the face, if possible." That's because Jelinek believes it's often easier for parties to work together when they know each other, even if they are on "different sides of the fence."
She also made it clear who will be liable in an enforcement action. "It's not the responsibility of the DPO if there is an enforcement action," she said. "It's the responsibility of management. Our enforcement action won't be against DPOs, it will be against the company. The DPO must be independent."
But not all the pressure will be on companies come May 25. The EDPB will have a lot on its plate in less than two months, so communication and coordination among the DPAs will play a significant role in the post-GDPR ecosystem.
Jelinek said all of the DPAs want the one-stop shop to work and that everyone can be a lead authority. "I think working on consensus is something we're going to do," she predicted. The context of each case will help determine which DPA will lead. If it's a local case, the DPA of that nation will likely take the lead, but if it's a trans-border case, DPAs will have to coordinate.
In private litigation, too, the role of the courts — both at the national and EU levels — will determine how, and if, DPAs will work together. "It will be a challenge for all of us," Jelinek warned, later saying, "I don't have to pay attention to the Spanish court, but I will talk with the Spanish DPA. At the end of the day, the Court of Justice of the EU will have the last word."
To help prepare for the post-May 25 onslaughts, Jelinek, who also heads up Austria's data protection authority, said several DPAs are conducting simulations and mock investigations. Her Austrian office invited the DPAs of Hungary and Luxembourg to conduct several simulations of potential one-stop shop scenarios. Teams conducted their work in different rooms in various roles to see how things played out.
Did one-stop shop work in the scenarios? Brill asked. "Like a company, I won't tell the outer world," Jelinek said, once again to a room full of laughs. But more seriously, she hopes one-stop shop won't turn out to be a "paper tiger," adding, "It's quite a different thing to read and write about the GDPR than applying it."
Simulations of use cases, she pointed out, may be a helpful practice for companies, too. "If you have a DPO in your company — and you already should — maybe he or she could also simulate what will happen if there's a data breach," for example. Jelinek likened it to crisis communications. "You should do this in advance. The time [for notification] is very sharp, only 72 hours. I think to test things out like that is very helpful, and it will make you safer for what you're doing in the future."
Brill also pressed Jelinek for more guidance. "Let me encourage you, people are thirsty, the GDPR is a revolution and more guidance would be appreciated," she intoned.
"It's a question of which side of the table you're sitting on," Jelinek answered. "As a regulator, we have tasks too. You don't have to fulfill my tasks, so don't expect me to fulfill yours."
This was a notion that was echoed later in the day by Ireland Data Protection Commissioner Helen Dixon. On the one hand, Dixon said, "It's absolutely essential there's a dialogue between" DPAs and companies. "I cannot see how you can ensure effective compliance and enforcement without that kind of engagement," Dixon noted, but later, when asked about providing guidance on the ICANN WHOIS database registry, quipped, "There isn't going to be specific guidance for everything. You need to conduct your own self-assessment yourself. We're not going to tell you your legal certainty."
"Dixon: It's not our job to go into your organization and do a gap analysis. #gps18" — IAPP Daily Dashboard (@DailyDashboard), March 29, 2018
Without a doubt, tension is mounting, but as Dixon repeatedly pointed out, "a technology-neutral, principles-based" law like the GDPR has enough flexibility built into it to ensure that communication between companies and DPAs will be ongoing.
"Enforcement is one of the points in the GDPR, but not the only one," Jelinek noted. "We will use all of the mechanisms under the GDPR [including Article 83 and Article 56, Section 2]. We have administrative procedures," she said. "We won't just pop in [to your company] and say, 'Now we are here.' We will talk to each other."