European Data Protection Supervisor (EDPS) Peter Hustinx’s second five-year term ends this month, and a new leader will soon be appointed. It is worth taking time to note that those who live and breathe European data protection nearly universally agree Hustinx leaves behind both a sterling reputation and an agency that’s evolved into an influential and highly respected supervisory authority since its establishment in 2004.
The independent supervisory authority position was originally created in 2001 and is responsible for ensuring all EU institutions and bodies follow the rules when it comes to processing personal data. The EDPS also acts as an advisor to member states’ data protection authorities, advises the European Parliament and European Commission on data protection legislation and responds to EU citizens who file complaints over perceived right-to-privacy violations.
Essentially, the EDPS is the “leading EU pundit on privacy and data security,” described Hogan Lovells’ Christopher Wolf.
It wasn’t always that way.
“When he took office, data protection was a minor issue,” said Dutch MEP Sophie in ‘t Veld. “Now, it’s on top of the political agenda. So on his watch, the whole issue has changed dramatically.”
“He’s taken a two-man body, which is what it was when it started in 2004, and he’s turned it into a real data protection authority, which you can put side-by-side with any of the national ones,” said EDPS Director Chris Docksey.
Docksey has served under Hustinx since 2010, but knew him long before, when Docksey served as a legal advisor to the European Commission on data protection legislation. At that time, their relationship had a different dynamic.
“It was sometimes my job to disagree with him,” Docksey said. “It was part of my job to say, ‘I don’t think we should do that.’ But I was quite impressed with him. He took his mandate very seriously.”
In the EDPS’ infancy, Hustinx was well suited to take on the nascent role. After he’d earned Master’s degrees in law and then comparative law, he became legal adviser to the Dutch Ministry of Justice before moving on to work at the Royal Commission on Privacy and Personal Data. After myriad jobs over a couple of decades working in government, he became president of the Dutch Data Protection Authority and then chairman of the Article 29 Data Protection Working Party.
“I think he carried over a lot of that experience into this new body; that was my perspective from the outside,” Docksey said. “He didn’t just limit himself to supervising the institutions; he also looked very seriously at advising them on policy, even advising the Court of Justice and being quite proactive about getting permission to intervene in cases and getting the data protection view to the court.”
“He brings an incredible depth of knowledge and insight, but more importantly, a real diplomat’s skill,” said Wolf. “He has definite positions, not all of which I’ve agreed with over the years, but he’s incredibly persuasive both substantively and personally. His interpersonal skills are almost as important as his substantive skills.”
Belgian Data Protection Authority Chairman Willem Debeuckelaere agrees with Wolf on Hustinx’s instinctual and unwavering ability to not only lead but persuade, and with a steady firmness as he stood by the rule of the law.
When the Ministry of Justice first assigned Hustinx to handle privacy and data protection in the early 1970s—“an oddity at the time,” Debeuckelaere recalls—the ministry’s secretary general said what to make of the new concept and position was unknown at the time, that it would depend on the young official, Hustinx, to make something meaningful of it.
“And the young official made it work,” Debeuckelaere said.
He added that the European privacy directive would not have been what it is without Hustinx, who “built bridges between the Anglo-Saxon, German and Latin paradigms and procedures” and “created a network of global contacts, bridging the different continents.”
“Like no other he listened to the different sectors and worlds which had to apply this new privacy law … in direct marketing, personnel management, administration, police and justice, too, finally convincing them that they could, dared and wanted to cross the bridge of privacy protection,” said Debeuckelaere. “Maybe that has been his greatest achievement in terms of efficiency. He did not stay in offices or conference rooms but ventured out into the field, digging and discussing.”
Irish Data Protection Commissioner Billy Hawkes agrees that Hustinx had an innate ability to work a room.
“It can be difficult at times with 29 different data protection authorities sitting around the table with different opinions,” Hawkes said. “It can be difficult to marry those opinions on what the right course of action is. But Peter did that. His positions always took account of all the other interests and yet at the same time, significantly advanced data protection. He was always able to offer a strong opinion, which people respected, as to what the right course of action might be with a particular item on the table.”
Hustinx never needed to raise his voice or carry a gavel to get the job done, Hawkes recalled.
“When Peter spoke, everybody listened," Hawkes said, recalling DPA meetings he’d attended. "And he spoke softly, by the way. Peter is a soft speaker. But the reason everybody listened is not because he was the European Data Protection Supervisor, because everybody has a title, but the reason people listened is because Peter just knew data protection. He knew the law; he knew what was right and what was wrong."
“He’s a real expert,” said in ‘t Veld. “He convinces people with tact, and he’s also very conciliatory and very pragmatic, always trying to find solutions rather than being a data protection activist.”
The next EDPS has some big shoes to fill, all would seem to agree. While there’s been some speculation that Hustinx’s assistant supervisor since 2009, Giovanni Buttarelli, may take a promotion, it’s too early to say who will be appointed.
Whoever the next supervisor and assistant supervisor are, they’re lucky to be inheriting the infrastructure Hustinx has built over the years and the staff of data protection experts he’s assembled, Docksey said, adding he will hand over a fully functioning tool for his successors to use, enabling them to concentrate on their own special role.
The EDPS office now has about 50 staff, comparable to a small- to medium-sized data protection authority. Even though the EDPS is the smallest EU institution and one of the newest data protection authorities, the office has had a sizable impact on the data protection landscape. It has issued a number of wave-making opinions, such as its June 2011 report that the Data Retention Directive “fails to meet data protection requirements,” calling on the commission to consider repealing it, and its December 2011 opinion on the EU-U.S. Passenger Name Record agreement—established in 2007—which blasted the European Commission’s proposal for a new agreement on everything from its “excessive” data retention period to its “disproportionate” list of data to be transferred to the U.S. and its lack of judicial redress rights.
“Mr. Hustinx has a deep grasp of the issues at hand,” said Greek MEP Dimitrios Droutsas. “He has the ability to explain to the most diverse of audiences the value of protecting our data, especially in today’s globalized and interconnected world.”
Droutsas said Hustinx and his team led the EDPS “though difficult and unchartered waters for data protection and in an exemplary fashion.”
Wolf says advances in technology mean Hustinx’s replacement should have a baseline technological savvy.
“I think whoever his successor is is going to have to be very conversant with the evolution of technology and the potential of technology,” Wolf said. “I think Peter has done an excellent job as a digital immigrant, but I think his successor needs to be someone even more conversant with technological developments and sensitive to the benefits it can bring to society.”
Droutsas said it’s “imperative that the choice of his successor will ensure a smooth transition and that the person to fill these difficult shoes will possess the same qualities and dedication that made the EDPS the single-most recognizable intrusion of safeguarding privacy in Europe.”
In ‘t Veld agrees.
“I hope for somebody with similar qualities,” in ‘t Veld said. “Somebody who indeed understands very well the kind of environment and political context that he or she will be working in, somebody who is able to work with all sides, somebody seen as neutral and impartial and an expert in the area but also providing the kind of practical solutions and being very pragmatic.”