Ms Andrea Jelinek is the Chair of the European Data Protection Board and the President of the Austrian Data Protection Authority. See the full speaker’s profile here.
From your point of view, what are the priority challenges for data protection in the years to come?
The GDPR has become a worldwide standard. It is elevating data protection norms and influencing data protection legislation on a global scale. It is our collective duty to make sure the GDPR delivers, including on enforcement. Individuals expect rigorous protection of their fundamental right; businesses expect a clear set of rules; stakeholders worldwide are looking on to see if the GDPR will fulfil its promise of being the world’s most forward-thinking and ground-breaking data protection law. The scale of the DPAs’ and the EDPB’s task is such that the only way to offer a satisfactory answer is through a deep and constant cooperation between the DPAs.
In the year to come, we will at least double our efforts to enhance cooperation among DPAs at the service of the EU individuals. We will do so by building on initiatives such as the Coordinated Enforcement Framework, cases of strategic importance, and the Support Pool of Experts. In addition, the EDPB will keep developing guidance to harmonise and facilitate compliance. Furthermore, we will continue to ensure consistency of decisions by national DPAs via binding decisions. In addition, the EDPB will continue to closely monitor new and emerging technologies and their potential impact on the fundamental rights and daily lives of individuals.
A successful digital single market combines a high level of data protection with a free flow of data. The GDPR is the most efficient tool to achieve this double goal. We welcome the fact that the GDPR is at the centre of the spate of new proposals for the digital single market. What remains to be seen is how the EDPB will interact with the other authorities in charge of supervising the different new laws.
We will also continue to pay a great deal of attention to the international transfers of data. Adequacy decisions remain to date the best solution to provide transfers with a stable legal framework and data exporters with legal certainty.
How important is international cooperation to address these challenges and ensure data protection and privacy?
International cooperation is a key strategic priority for the EDPB, and included in the EDPB work programme 2023-2024. The global dimension of our work is very important to us and we invest many (human) resources in participating in international conferences to use these platforms for exchanging good practices with our colleagues worldwide. We make a continuous effort to meet and exchange, through fora such as the Global Privacy Assembly, the G7 and this Privacy Symposium.
As Chair of the EDPB, I have undertaken more than 26 speaking engagements in 2022. These speaking engagements included press briefings, presentations and panel discussions for a range of institutes, academic forums and policy agencies. During the year, I also met with European Commissioners, as well as representatives from UNESCO and the Council of the EU Working Party on Information Exchange and Data Protection, to name a few. Furthermore, I attended several seminars and summits on data protection and privacy matters.
Do you observe fundamental changes and evolutions in the domain of personal data protection and its perception?
One of the major developments we observe is that awareness is growing among individuals and businesses. To make sure our guidance reaches a wide audience and is of practical use to organisations, we also develop tools to raise awareness. This spring, we will launch an SME package to help small and medium enterprises understand and comply with data protection law. This user-friendly tool will help small and medium enterprises comply with their obligations under the GDPR.
A second development we observe is that large fines have an impact – they make headlines. In 2022, the cumulative amount of the fines handed out following a binding decision was 800 million euros. These numbers themselves are impressive, and in addition, the binding decisions contain important common interpretations of data protection law and key legal principles. While each binding decision concerns a concrete case, it can also have the value of precedent.
Another major change concerns organisations who want to do business in Europe and access its large single market. For these organisations there is no way around: they need to comply with the GDPR. The advantages of doing so are numerous. For businesses, the GDPR has not only brought legal certainty, it has reduced risks:
– Firstly, compliance with the GDPR reduces the financial and reputational risks that are the result of high fines;
– Secondly, the GDPR is a tool to protect against cybersecurity risks, meaning that GDPR compliance helps reduce the risk of a ransomware attack.
Why conferences such as the Privacy Symposium are important and how can they support data protection?
Attending international conferences such as the Privacy Symposium is an excellent way of exchanging views with many different stakeholders. This is very helpful and informative for all attendees. Attending this conference gives the EDPB the opportunity to provide insights on its experience with implementing the GDPR. The Privacy Symposium has all the ingredients for a successful Conference: interesting, high-level speakers, a good mix of panels and keynotes, and, last but not least, the beautiful city of Venice.
Would you have any advice or recommendation to share with data protection professionals and/or data subjects?
To data subjects I would say: more than ever, it is important to be vigilant, to take care of your personal data, and to know your rights. In the European Economic Area (EEA), each individual has easy access their national authority: if you have a complaint, you can address the data protection authority in your home country. They will make sure you can enforce your rights at national and cross-border level. Some cases take longer than others, but you can trust that we will do our best to support you in defending your fundamental right of data protection.
Stakeholders, if you want to do business in Europe, you have to be GDPR compliant. In the last years, it has become very clear that organisations which do not comply, face financial and reputational consequences. I am not a fan of fines but if there is a need, we will not hesitate to impose one.
Finally, read our guidance. The EDPB has been providing advice on a wide range of issues to help organisations be compliant. Being compliant is easier in the long-run.