IAPP-GDPR Web Banners-300x250-FINAL

In January, European Data Protection Supervisor (EDPS) Peter Hustinx and his staff celebrated the EDPS’ 10th year as an institution. However, though his two-term run had expired, any boxes Hustinx had packed full of his personal effects would need to be disassembled; he had all but blown out the candles on his proverbial “Bon Voyage” cake when the European Commission said, “Not so fast.”

“The show went on,” Hustinx said from the EDPS headquarters in Brussels, where he still sits at the head of the table. That’s because the commission decided the candidates hoping to take Hustinx’s place were not up to par, and, as such, Hustinx is required by law to remain at the helm until a new EDPS is chosen.

But why? What went wrong? Reportedly, Polish Data Protection Commissioner Wojciech Rafał Wiewiórowski and Assistant EDPS Giovanni Buttarelli were among those on the list.

“We’re in some sort of political game here,” said Henriette Tielemans of Covington & Burling.

One thing is for sure: The details of the struggle to appoint a new EDPS are being kept under a very tight lid by the European Commission and those involved in the process. Meanwhile, the role of EDPS is about to become even more important, and it’s fair to say there are some nerves over who will replace someone as highly revered as the first-ever to assume it.

Will Hustinx’s replacement be tech-savvy? Have expertise on data protection? What will their politics be? No one knows.

Following the publication of a vacancy letter in July 2013, a pre-selection panel interviewed eight candidates to move on to round two. From there, five candidates were selected and sent to a third-party assessment center, where they were judged on their abilities to “inspire, lead and manage in a multinational and multicultural environment.”

It’s not an easy position to fill, for the very reason of how Hustinx (the first-ever EDPS) has written it. He’s created a very comprehensive role for the EDPS, and his successors are bound by this. That being said, there must be somebody out there trying to fill those big shoes.

Henriette Tielemans, Covington & Burling

Next, the candidates were interviewed by the Consultative Committee on Appointments, chaired by the European Commission’s secretary general and assisted by a third-party human resources expert as well as members of European Parliament and the European Council.

But that committee “did not feel that any of the candidates displayed the necessary combination of vision with the ability to ensure effective implementation,” wrote Vice President of the European Commission Maroš Šefcovic in a letter dated December 20, 2013, and addressed to the chairman of the Committee on Civil Liberties, Justice and Home Affairs. Šefcovic noted this view “was shared by the observers from the European Parliament and the Council,” adding, “I hope that you will share my view that Parliament and Council should not be presented with candidates who, in reality, would not fulfil the high standards expected.”

Tielemans said she thinks it comes down to priorities.

“I think the choice is either someone who manages the department or someone that is well-versed in data protection, and I’m obviously hoping they would take the latter—in which case it either has to be somebody from one of the data protection authorities or someone from private practice who has been handling privacy,” she said.

Slovenia Information Commissioner Nataša Pirc Musar said it’s a critical time for data protection and privacy and it’s essential that Europe uphold the premium it’s placed on the two.

“I think Europe should not become the U.S.,” she said. “We have to maintain what we’ve achieved.”

Noting the expansion the role the EDPS will take under the new data protection regulation, Tielemans said the role certainly can’t be played by just anyone.

“It’s going to be a position of some public importance,” she said. “Under the new regulation, the EDPS will be the final word on contentions between the various member states and on some important issues.”

Even without its expanded powers under the regulation, Hustinx has curated a role—charged with ensuring EU institutions respect the fundamental right to data protection and advising government on policies and legislation that affect privacy—that is highly recognized, respected and consulted. And, he’s built a two-man office—as it was in its beginnings in 2004—into a staff of nearly 50.

“It’s not an easy position to fill, for the very reason of how Hustinx (the first-ever EDPS) has written it. He’s created a very comprehensive role for the EDPS, and his successors are bound by this,” she said. “That being said, there must be somebody out there trying to fill those big shoes.”

Musar knows there are. She said she was surprised at the news that the commission wasn’t able to endorse a candidate given the resumes it had in front of it.

“I know personally all five" candidates, she said. “And all of them do possess the knowledge required” for the job. She added it’s, “Not good for the European Commission that this is going on, that they did not find a suitable candidate.”

While the European Commission was not available for comment when reached by The Privacy Advisor, a spokesperson for Šefcovic did say previous candidates are welcome to reapply for the position.

There have been some rumblings among European insiders that the commission’s refusal to further consider any of the prospective candidates is a political move, amidst rumors that Vice President for Justice Viviane Reding would herself like the job.

No one was willing to talk “on the record” about that.

Despite the delay in his departure from the post, which he held for two consecutive five-year terms, Hustinx said it’s certainly not a lame-duck position in these times.

“There’s no problem in terms of the need to act,” he said. “When we need to act, we are acting.”

In fact, the EDPS recently launched an opinion stating enforcing EU law will be essential in rebuilding trust with the U.S.

Soon, Hustinx said, “we will probably see a new procedure being launched, which means a notice in all member states with a time limit of a month or so and then new steps for selection.”

Despite the delay, “The commission has made it very clear that they want to close and move on,” he said. And that’s what he wants, too.

This time, he said, it will be essential to look back at past mistakes to ensure the second go-round is successful. That means “adequate publicity—not doing this in July when everybody is on the beach.”

The specific provision requiring that he stay on the job is the “Principle of Continuity,” or Article 46.2 of the Data Protection Regulation, and, he said, “I’ve made it known that my availability to continue under 46.2 was limited to a period—a reasonable period, to allow a successor to be selected in a possible second procedure.”

After all, he quips, “You can deliver a human being in nine months.”

Written By

Angelique Carson, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»