In advance of RAID2021 (Regulation, Artificial Intelligence, Internet & Data) on 12 Oct, speaker Ventsislav Karadjov, Deputy Chair of the European Data Protection Board (EDPB), shares insights on the future of safeguarding privacy.
RAID: GDPR is seen as the global gold standard in data protection legislation, leading other regions of the world to start developing similar regulations. Why do you think it has been so successful?
Ventsislav Karadjov: We recently celebrated three years of GDPR application and in this time, we’ve noticed that there has been a major shift in how people and businesses see privacy. Citizens are increasingly aware of their data protection rights and see the GDPR as a legal source for protection and more privacy. Moreover, businesses not just in Europe, but also across the world, are starting to see the value of being data protection compliant as a marketing strategy – bigger transparency, more trust and more clients.
Privacy and data protection are becoming a USP for many companies. Data protection is indispensable to build trust. Without consumer trust, no business enterprise is sustainable in the long run.
The GDPR has helped move data protection rights into the spotlight and has sparked the adoption of data protection legislation across the world.
While the GDPR is a source of inspiration for other countries and regions, it is important to bear in mind that it has been adopted to deal with a specifically European situation.
In Europe, the 1995 Directive led to a patchwork approach which was expensive and troublesome for companies, led to legal uncertainty and was not sufficiently transparent for citizens. The General Data Protection Regulation or GDPR introduced “common rules of the game”; it creates a level playing field and ensures that data can move easily between operators, while guaranteeing the consistent protection of individuals’ personal data. The goal was to have one set of privacy rules that are interpreted in a uniform manner throughout the European Economic Area (EEA), i.e. the European Union, Iceland, Liechtenstein and Norway.
In addition, the EEA Supervisory Authorities (SAs) cooperate much more intensely than they did prior to the GDPR via the cooperation and consistency procedures and via numerous informal daily exchanges. So far, over 1600 cross-border cases have been created in the common case register. The SAs work together on a bilateral or multilateral basis to resolve these cases. Out of these cross-border cases, over 700 one-stop-shop cases have been triggered.
The introduction of the one-stop-shop mechanism was another major improvement compared to the 1995 Data Protection Directive. Foreign companies with an establishment in the EU and doing business in different European countries no longer have to deal with different SAs. Thanks to the GDPR, those businesses now speak with one interlocutor in the country where they have their main establishment: namely the lead SA. Data subjects also benefit from the one-stop-shop mechanism, which makes it easier for them to enforce their rights regardless of where a company or organisation is located in the EU. They can contact their national SA, which will cooperate with the lead SA and other concerned SAs to resolve the matter.
RAID: Some member authorities have a higher caseload than others – for example, Ireland has a large number of big tech companies to regulate. What is your role in helping to create a level playing field and ensuring consistent application of GDPR across member authorities?
Ventsislav Karadjov: The EDPB issues general guidance to promote a common understanding of European data protection laws, both across the European Union and around the world.
We clarify data protection provisions and provide the general public and stakeholders with our interpretation of their rights and obligations.
The EDPB guidance is also aimed at national regulators, who are obliged to adapt their own guidance about the GDPR and the Law Enforcement Directive accordingly.
Next to providing guidance, ensuring consistency in enforcement and cooperation between national authorities is a key task of the EDPB.
To that end we adopt consistency decisions and opinions in cross-border data protection cases, addressed to national SAs, to ensure consistency of the regulatory activities at national level.
Some of the guidance we have included in our work programme for the next two years is aimed at further streamlining cross-border enforcement of the GDPR.
We will also establish a coordinated enforcement framework to facilitate joint actions in a flexible but coordinated manner; ranging from joint awareness raising and information gathering to enforcement sweeps and joint investigations.
Furthermore, we are establishing a support pool of experts to provide expert support for investigations and enforcement activities of significant common interest. This will further enhance the cooperation and solidarity between all the SAs by addressing their operational needs.
RAID: What impact is Schrems II’s invalidation of the EU-US Data Protection Shield having on businesses and how is the EDPB supporting them to remain compliant?
Ventsislav Karadjov: The CJEU ruling on Schrems II naturally had a big impact on data exporters and controllers. The EDPB understands the need for organisations to have a tool that allows the lawful transfer of data to third countries and the difficulties they are faced with following Schrems II, especially if they are a small or medium-sized organisation.
As such, the EDPB immediately welcomed the CJEU’s judgment and recognised its importance. The Schrems II ruling clearly gives precedence to the fundamental right to privacy, which is something we as regulators applaud.
The EDPB discussed the Court’s ruling during its plenary session of 17 July 2020. We provided initial guidance via statements and a frequently asked questions document addressed to controllers, which was published just a few days after the CJEU decision.
Next, we created two new task forces to prepare guidance on the 101 complaints DPAs from all over Europe received following the Schrems II judgment and to provide guidance on possible supplementary measures to existing transfer tools. The latter resulted in a set of recommendations for data exporters to assist them with their duty to identify and implement appropriate supplementary measures where they are needed, which were adopted in their final form following public consultation last June.
In November 2020, the EDPB also adopted recommendations on the European Essential Guarantees for surveillance measures. These recommendations are complementary to the recommendations on supplementary measures. They provide data exporters with elements to determine if the legal framework governing public authorities’ access to data in third countries can be regarded as a justifiable interference with the rights to privacy and data protection. These elements will help exporters to assess if the third country legislation impinges on the effectiveness of the safeguards contained in the transfer tool they rely on. Exporters will thus be able to determine if they need to adopt supplementary measures to ensure that the data transferred is afforded an essentially equivalent level of protection to that guaranteed within the EU.
Finally, it is worth mentioning that in January, we also adopted two joint EDPB-EDPS opinions on the new sets of standard contractual clauses.
The so-called standard contractual clauses play an important role in making sure that transfers of personal data outside the EU/EEA comply with privacy rules.
The EDPB welcomes the work done by the Commission to align the SCCs with the GDPR and to integrate the Schrems II ruling; the draft SCCs also cover many different types of transfers, such as transfers from processor to processor, for which the business community had been waiting a long time.
RAID: More recently, Austria’s Supreme Court has questioned the European Court of Justice on the legality of Facebook’s processing of personal data, again at Schrems’ prompting. What is the EDPB’s role and stance on this case?
Ventsislav Karadjov: While we cannot comment on ongoing procedures at the CJEU, we are following the proceedings with great interest and are looking forward to seeing how the case evolves. It is fascinating to see how data protection activism contributes to new case law and the evolution of data protection in the EU.
RAID: What other important data protection cases are currently underway and how is the EDPB involved?
Ventsislav Karadjov: Under the GDPR, enforcement is the responsibility of the national SAs. The EDPB itself is not a supervisory authority and is generally not involved in investigations at the national level. As such, we cannot comment on potential high-profile cases at the national level. The EDPB only becomes involved when the dispute resolution mechanism is triggered: in case the national authorities working together on a cross-border case fail to reach consensus, the EDPB adopts a binding decision.
The national authorities work together on several hundred cases on a daily basis and the majority of these are adopted via consensus. The dispute resolution mechanism has been used sparingly but with success so far, with two Article 65 decisions having been adopted in the past year.
RAID: What’s next for GDPR – is it set to handle the challenges of blockchain and protecting personal information such as biometrics, facial and voice recognition?
Ventsislav Karadjov: The GDPR was designed to be technologically neutral. As such, it does not stand in the way of future technological developments, nor does it hinder the use of specific technologies. The EDPB has already developed guidance on recent technological developments, such as virtual voice assistants and connected vehicles, and has addressed facial recognition and the use of biometric data in its recent EDPB-EDPS joint opinion on the European Commission’s proposal for an Artificial Intelligence Act.
In addition, the EDPB has included guidelines on the use of facial recognition technology in the area of law enforcement, guidelines on blockchain, and many more in its work programme for the next two years.
The EDPB will continue to monitor new and emerging technologies and their potential impact on the fundamental rights and daily lives of individuals. We believe that data protection should work for all people, particularly in the face of processing activities presenting the greatest risks to individuals’ rights and freedoms (e.g. to prevent discrimination).
An important aspect to consider with any new technology is Art. 25 GDPR, data protection by design and default. The idea behind it is that data protection needs to be considered at an early stage. It requires the controller to consider the state of the art and thereby sets a minimum level. It requires controllers to take account of the current progress in technology that is available in the market.
The EDPB has spent ample time on this topic and in 2019 we developed guidelines that provide further orientation on the obligations set forth by Article 25 GDPR. These guidelines have recently been finalised after a public consultation with stakeholders.
The purpose of the EDPB guidelines is to put flesh on the concepts of data protection by design and default and to translate Article 25 GDPR into very practical guidance and checklists. These help all controllers, and especially SMEs, to implement the requirements in practice.