Towards a global golden standard in data protection
Tine A. Larsen, President of Luxembourg’s National Commission for Data Protection (CNPD) talks RAID through some domestic, European and international regulatory activities in a world of rapid innovation
RAID: What are the specific local challenges for Luxembourg as a regulatory zone – does the benign taxation environment create a heavier caseload for you?
Tine A. Larsen: As Data Protection Supervisory Authority, we must be ready to undertake all the necessary steps to enforce the GDPR and verify its compliance within the national territory. Hence, the number of companies established or that will establish in Luxembourg does not matter. Our government supports the CNPD’s mission, allowing the Supervisory Authority to hire diverse workforce over the last years and setting up an adequate work infrastructure.
We work impartially and ethically to provide excellent public services and keep abreast of evolving technologies. Our objective is to increase the public’s trust and confidence in how data is used and made available.
RAID: The CNPD is reportedly handing Amazon the biggest GDPR fine ever. Are you able to cast any light on why the fine has been issued, and the current status of the case – and any other big cases underway?
Tine A. Larsen: The CNPD confirms that its restricted panel issued a decision on July 15th, 2021 regarding Amazon Europe Core S.à r.l within the European cooperation and consistency mechanism as foreseen by article 60 of the GDPR.
However, the national law on data protection binds the CNPD to professional secrecy (Article 42) and prevents it from commenting on individual cases.
In addition, the full and clear publication of the decisions of the CNPD is considered as a supplementary sanction (Article 52). Therefore, it cannot publish any decision before the deadlines for appeals have expired. An appeal against the decisions of the CNPD can be made before the Administrative Tribunal, which rules on the merits of the case. The time limit for lodging an appeal is three months.
RAID: How important is support from and collaboration from the European Data Protection Board?
Tine A. Larsen: Support from and collaboration with the EDPB is incredibly important not only for Supervisory Authorities (SAs) but also for individuals and stakeholders that operate under our supervision.
The so-called cooperation and consistency mechanism ensures that data protection rules are applied in a consistent manner throughout the EU and facilitates access to regulatory remedies for individuals. It allows 31 member authorities to react to emerging phenomena and new legislative initiatives all together.
Harmonisation is also sought proactively by striving towards a consensual interpretation of key data protection concepts, published in the form of guidance, opinions or recommendations.
In addition to this, we cooperate in cross-border cases where processing affects individuals in other member states or where a data controller is established in several member states. This means that once a decision rendered by one SA has gone through the cooperation mechanism, it is backed by the entirety of the EDPB members. This sends a powerful, strong signal to the outside world and ensures legal certainty as similar matters will be dealt with in the same manner by other member authorities.
RAID: Do you see a benefit in increased communication between nations about how to share best practice in data protection – within the EU and beyond?
Tine A. Larsen: Exchange on supranational level is another important element towards the establishment of a global golden standard in data protection. When it comes to new developments such as AI, data protection safeguards need to be built in from the beginning in order to guarantee responsible, fundamental rights-oriented innovation. A fragmentation of rules could affect the level of protection worldwide as well as inhibit economic growth due to legal insecurity.
There are many networks where such exchange already takes place. In the largest global data protection and privacy community, the Global Privacy Assembly (GPA), we are part of the education working group which works on a content platform to which all SAs have access. Not only is the sharing of best practices and experience in enforcement crucial for SAs to build on the expertise of other SAs, it is also essential to keep up with the speed at which the technological environment is evolving. Networks like the AFAPDP (Association of French-speaking data protection authorities) have the same objective at a regional level.
Last but not least, the European Data Protection Board (EDPB). Engaging with the international community and creating a level-playing field is also one of the 4 pillars of the EPDB strategy.
RAID: Technology has advanced since the implementation of GDPR in 2019. How do you see data protection regulations evolving over the next two years or so?
Tine A. Larsen: Legislative processes do not evolve at the same pace as technology. As a Supervisory Authority, we must put in place tools that allow us to fulfill our mission in a world of innovative technology.
The CNPD must at all times stay current with the latest industry developments and challenges. To address this challenge, the CNPD supports innovative regulatory projects such as sandboxes, which allow for win-win exchanges of expertise between the authority's agents and companies' experts. The CNPD also aims to enhance further cooperation in research projects and looks forward to being involved in the creation and development of national strategies.