The dust is beginning to settle across the EU in regards to complying with the General Data Protection Regulation. The frenzy EU members endured while updating data protection standards and safeguards may be winding down, but it’s merely a break in the action surrounding data privacy and security.

There’s an overwhelming awareness that more work is to be done, but that work will potentially be overseen by a new European data protection supervisor. The Official Journal of the European Union published the vacancy notice for the position at the independent data authority April 11. Current EDPS Giovanni Buttarelli is in the final months of his first five-year term and has indicated that he will apply for a second term, which is the position’s limit for service time.

“In my professional life, I’ve only served in public institutions,” Buttarelli said. “I can do something else in my life, but I am going on 23 years of being engaged full time on data protection. … I think there’s a little bit of unfinished work. The GDPR has succeeded, and the [European Data Protection Board] secretariat is working well, but EDPB is still young and needs to be brought into a solid place. It needs to establish more robust channels for effective cooperation.”

The main responsibilities of the EDPS boil down to the supervising, advising and monitoring EU public-sector institutions, some 50 or 60 agencies, in matters relating to data privacy and protection. The EDPS importantly oversees the work of the national data protection authorities on the EDPB, which contributes to the consistent application of data protection rules throughout the EU. It acts as a "very senior colleague helping to bring national colleagues closer to each other," said Peter Hustinx, Buttarelli's predecessor and the EU's first EDPS back in 2004. 

The EDPS is also responsible for advising the European Commission on new legislative proposals.  Hustinx especially put an emphasis on this aspect of the role, ensuring his office was proactive with "ongoing interaction with the commission at a very early stage, and they follow the advice," he said.

"My view was that a regulator actually needs to act strategically. So you can wait until a case comes to you or a breach happens, but we were very proactive in trying to combine data protection with positive things like success and innovation. And then you need to be able to link this to the commission's agenda and, of course, be tough but also positive. And that was somewhat entrepreneurial in developing the role, but I see some DPAs doing that now exactly." 

Finally, the EDPS has the ability to bring cases before the Court of Justice of the European Union in Luxembourg, as well as to submit opinions in ongoing cases, which Hustinx said allowed the EDPS's advisory role much more effective. 

“The EDPS was [when I started] one of the youngest EU institutions,” said Buttarelli, who served as deputy EDPS during Hustinx's second term, from 2009 to 2014. “It was a good center for expertise, but Europe needed something else, meaning a reliable and knowledgeable center for gravity. Something that could be authoritative and influential without bossing.”

Hustinx, who was Dutch DPA before being appointed EDPS, did a lot toward shaping and developing the duties of the EDPS during his 10 years in the role, which began as an advisory position until Hustinx's tenure. With the evolving nature of data protection, Buttarelli saw an opportunity to continue growing the position once he assumed the role of supervisor.

EDPS Giovanni Buttarelli

Buttarelli worked with Hustinx to conduct a data protection survey of 500 stakeholders prior to taking over as EDPS. The input from the survey ended up being the framework for a five-year strategy that Buttarelli proposed 88 days into his EDPS term. The three main focuses of Buttarelli's strategy were to better apply data protection in the digital arena, forge more global partnerships, and continue the simplification and reform of EU data protection.

Buttarelli has also used his term to make strides in expanding the consideration of and discussion about data ethics, analyzing new technologies by upgrading his IT personnel, and recruiting new consultants to tackle growing issues of artificial intelligence and biometrics.

“I think he’d be an excellent person to continue as the leader of the organization,” former U.K. Information Commissioner Richard Thomas said of Buttarelli. “He’s developed the role somewhat, certainly in terms of the formalities and size of the role and the organization it oversees, but there are other areas I’m particularly pleased about.

“He’s made the organization more transparent. In the old days, there was just too much secrecy and almost elitism, which he’s opened up a lot more. Secondly, I welcome the importance he’s placed on ethics and going beyond the black-letter of the law.”

But if the appointing parties opt to move on from Buttarelli, what kind of person might they target for the vacancy? Having gone through the election process himself, Hustinx believes experience will be a focus in the search for a candidate.

“It would be quite appropriate to think of someone who is very senior in the area of data protection and has experience in data protection regulation,” Hustinx said. “A strong vision, strategy, substance and the ability to communicate well will be valued.”

“You also need to be able to work within the triangle (of Parliament, council and the European Commission), making the case for a particular piece of legislation, whether it’s to criticize or support. Then we also need good arguments to finish the discussions on ePrivacy Regulation. So you need to be a diplomat, an authority and creative. It’s an unusual combination.”

Buttarelli echoed Hustinx’s sentiments on what a possible successor needs to possess, adding that the role calls for forward-thinking and that a candidate needs to be all in.

“Don’t do it if you are simply looking for a good job,” Buttarelli said. “It’s fascinating, of course, and gives you the helicopter viewpoint, but it needs maturity, expertise, balance and the spirit of a civil servant.”

Any candidate seeking the role of EDPS will also need to consider that they are not speaking and working for themselves, but for citizens across EU nations.

“It’s got to be someone who can see what the overall European interest is,” said Christian D’Cunha, the head of Buttarelli’s private office. “The EDPS is the only one which is positioned in a way that it can look at what’s best for the EU overall. They’ll need a vision that is mindful of how data protection has evolved over the last 30 years and what direction it will be going towards.”

Good qualities are key for any EDPS candidate, but seeing the data issues that lie ahead is equally important. Among the first things that need to be addressed, according to Hustinx, is the unsettled portions of GDPR implementation.

“My first priority would be to continue the work on full implementation of GDPR. The rules have been adopted, and full application came last year, but the work is not done. It’s not perfect,” Hustinx said. “There are also international things, be it trans-Atlantic or with Asia and Africa. You’ll see words like interoperability relating to the increasing amount of national laws. You’ll have to find a way to make sure (the laws) work in a way that is safe and trustworthy.”

One of the lingering hurdles that comes with the GDPR is its provisions on consistency across nations featured in Article 63. Whether there can be a consistent application is a topic Thomas thinks the next EDPS must be mindful of and address at the onset of their term.

“The consistency mechanism is still, to a very large extent, untested territory,” Thomas said. “Already, one or two tensions have begun to become apparent, maybe not explicitly, between national authorities and the (EDPB). Everybody is in favor of the mechanism in principle until it doesn’t work out for them. We want to try and make it work sensibly so there’s a pan-European approach.”

The European Commission set a May 16 deadline for EDPS applications. Selected candidates will go through interviews with a pre-selection panel, which will draw up conclusions and recommend final candidates to the commission’s Consultative Committee on Appointments.

Photo by Finn Hackshaw on Unsplash