IAPP-GDPR Web Banners-300x250-FINAL

By Angelique Carson, CIPP/US

European Data Protection Supervisor (EDPS) Peter Hustinx’s second five-year term ends this month, and a new leader will soon be appointed. It is worth taking time to note that those who live and breathe European data protection nearly universally agree Hustinx leaves behind both a sterling reputation and an agency that’s evolved into an influential and highly respected supervisory authority since its establishment in 2004.

The independent supervisory authority position was originally created in 2001 and is responsible for ensuring all EU institutions and bodies follow the rules when it comes to processing personal data. The EDPS also acts as an advisor to member states’ data protection authorities, advises the European Parliament and European Commission on data protection legislation and responds to EU citizens who file complaints over perceived right-to-privacy violations.

Essentially, the EDPS is the “leading EU pundit on privacy and data security,” described Hogan Lovells’ Christopher Wolf.

It wasn’t always that way.

“When he took office, data protection was a minor issue,” said Dutch MEP Sophie in ‘t Veld. “Now, it’s on top of the political agenda. So on his watch, the whole issue has changed dramatically.”

Peter Hustinx (right) reflects on a career in privacy, with Christopher Kuner, before a standing-room crowd at the IAPP Data Protection Congress 2013 in Brussels.

“He’s taken a two-man body, which is what it was when it started in 2004, and he’s turned it into a real data protection authority, which you can put side-by-side with any of the national ones,” said EDPS Director Chris Docksey.

Docksey has served under Hustinx since 2010, but knew him long before, when Docksey served as a legal advisor to the European Commission on data protection legislation. At that time, their relationship had a different dynamic.

“It was sometimes my job to disagree with him,” Docksey said. “It was part of my job to say, ‘I don’t think we should do that.’ But I was quite impressed with him. He took his mandate very seriously.”

In the EDPS’ infancy, Hustinx was well suited to take on the nascent role. After he’d earned Master’s degrees in law and then comparative law, he became legal adviser to the Dutch Ministry of Justice before moving on to work at the Royal Commission on Privacy and Personal Data. After myriad jobs over a couple of decades working in government, he became president of the Dutch Data Protection Authority and then chairman of the Article 29 Data Protection Working Party.

“I think he carried over a lot of that experience into this new body; that was my perspective from the outside,” Docksey said. “He didn’t just limit himself to supervising the institutions; he also looked very seriously at advising them on policy, even advising the Court of Justice and being quite proactive about getting permission to intervene in cases and getting the data protection view to the court.”

“He brings an incredible depth of knowledge and insight, but more importantly, a real diplomat’s skill,” said Wolf. “He has definite positions, not all of which I’ve agreed with over the years, but he’s incredibly persuasive both substantively and personally. His interpersonal skills are almost as important as his substantive skills.”

Belgian Data Protection Authority Chairman Willem Debeuckelaere agrees with Wolf on Hustinx’s instinctual and unwavering ability to not only lead but persuade, and with a steady firmness as he stood by the rule of the law.  

When the Ministry of Justice first assigned Hustinx to handle privacy and data protection in the early 1970s—“an oddity at the time,” Debeuckelaere recalls—the ministry’s secretary general said what to make of the new concept and position was unknown at the time, that it would depend on the young official, Hustinx, to make something meaningful of it.

“And the young official made it work,” Debeuckelaere said.

He added that the European privacy directive would not have been what it is without Hustinx, who “built bridges between the Anglo-Saxon, German and Latin paradigms and procedures” and “created a network of global contacts, bridging the different continents.”

“Like no other he listened to the different sectors and worlds which had to apply this new privacy law … in direct marketing, personnel management, administration, police and justice, too, finally convincing them that they could, dared and wanted to cross the bridge of privacy protection,” said Debeuckelaere. “Maybe that has been his greatest achievement in terms of efficiency. He did not stay in offices or conference rooms but ventured out into the field, digging and discussing.”

Irish Data Protection Commissioner Billy Hawkes agrees that Hustinx had an innate ability to work a room.

“It can be difficult at times with 29 different data protection authorities sitting around the table with different opinions,” Hawkes said. “It can be difficult to marry those opinions on what the right course of action is. But Peter did that. His positions always took account of all the other interests and yet at the same time, significantly advanced data protection. He was always able to offer a strong opinion, which people respected, as to what the right course of action might be with a particular item on the table.”

Hustinx never needed to raise his voice or carry a gavel to get the job done, Hawkes recalled. 

“When Peter spoke, everybody listened," Hawkes said, recalling DPA meetings he’d attended. "And he spoke softly, by the way. Peter is a soft speaker. But the reason everybody listened is not because he was the European Data Protection Supervisor, because everybody has a title, but the reason people listened is because Peter just knew data protection. He knew the law; he knew what was right and what was wrong."

“He’s a real expert,” said in ‘t Veld. “He convinces people with tact, and he’s also very conciliatory and very pragmatic, always trying to find solutions rather than being a data protection activist.”

The next EDPS has some big shoes to fill, all would seem to agree. While there’s been some speculation that Hustinx’s assistant supervisor since 2009, Giovanni Buttarelli, may take a promotion, it’s too early to say who will be appointed.

Whoever the next supervisor and assistant supervisor are, they’re lucky to be inheriting the infrastructure Hustinx has built over the years and the staff of data protection experts he’s assembled, Docksey said, adding he will hand over a fully functioning tool for his successors to use, enabling them to concentrate on their own special role. 

The EDPS office now has about 50 staff, comparable to a small- to medium-sized data protection authority. Even though the EDPS is the smallest EU institution and one of the newest data protection authorities, the office has had a sizable impact on the data protection landscape. It has issued a number of wave-making opinions, such as its June 2011 report that the Data Retention Directive “fails to meet data protection requirements,” calling on the commission to consider repealing it, and its December 2011 opinion on the EU-U.S. Passenger Name Record agreement—established in 2007—which blasted the European Commission’s proposal for a new agreement on everything from its “excessive” data retention period  to its “disproportionate” list of data to be transferred to the U.S. and its lack of judicial redress rights.

“Mr. Hustinx has a deep grasp of the issues at hand,” said Greek MEP Dimitrios Droutsas. “He has the ability to explain to the most diverse of audiences the value of protecting our data, especially in today’s globalized and interconnected world.”

Droutsas said Hustinx and his team led the EDPS “though difficult and unchartered waters for data protection and in an exemplary fashion.”

Wolf says advances in technology mean Hustinx’s replacement should have a baseline technological savvy.

“I think whoever his successor is is going to have to be very conversant with the evolution of technology and the potential of technology,” Wolf said. “I think Peter has done an excellent job as a digital immigrant, but I think his successor needs to be someone even more conversant with technological developments and sensitive to the benefits it can bring to society.”

Droutsas said it’s “imperative that the choice of his successor will ensure a smooth transition and that the person to fill these difficult shoes will possess the same qualities and dedication that made the EDPS the single-most recognizable intrusion of safeguarding privacy in Europe.”

In ‘t Veld agrees.

“I hope for somebody with similar qualities,” in ‘t Veld said. “Somebody who indeed understands very well the kind of environment and political context that he or she will be working in, somebody who is able to work with all sides, somebody seen as neutral and impartial and an expert in the area but also providing the kind of practical solutions and being very pragmatic.”

Read More by Angelique Carson:
O’Connor Named CDT President and CEO
Commission Gives U.S. 13 Ways To Save Safe Harbor
Looking for Love? Try a Privacy Conference
Downstream of the Data Breach: Identity Theft Is A Messy Crime


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»