Wojciech Wiewiórowski is the European Data Protection Supervisor.
When you’re a regulator responsible for compliance, being called a “rule breaker” doesn’t happen every day, but it did for me.
Nominated on this year’s POLITICO Tech 28 list, my profile read, “Wiewiórowski is making waves. He “broken a Brussels taboo”, “dared to ask whether the EU’s flagship general data protection regulation is up to it”.
I remember reading these words for the first time and feeling a sense of pride in the institution I have the honor to lead – and a sense of concern. If asking how best to bring practices into compliance and reporting issues in your own backyard are considered controversial, it says a lot about the state of public debate – at least when it comes to the protection of fundamental rights.
While data protection is sometimes perceived as technical and bureaucratic, the GDPR, which encapsulates European data protection and privacy rules, is probably still one of the most well-known pieces of legislation in the world, especially among EU citizens. And although data protection existed before it, the new regulation was needed to strengthen compliance across the bloc, using stronger enforcement mechanisms to ensure better protection of individual rights.
Although the application is only one tool to achieve this main objective of the GDPR, the mechanism and the means by which it is achieved remain particularly relevant. And what the last four years have shown is that where enforcement is lacking, so is an individual’s ability to enforce their rights.
In this sense, in September 2021, our plans to organize a conference on the application of the GDPR, which was to take place in Brussels in June, were signaled for the first time. At the time, the conference was described as one raising political concerns and discontent. Even the idea of naming and addressing these issues wasn’t exactly welcome, let alone talking about hypothetical solutions, such as centralizing the application.
However, if the floodgates of the discussion had been firmly closed at the time, in the following months they began to leak. The next big political stir came when Commission Vice-President Věra Jourová boldly proclaimed: “Either we will all collectively show that GDPR enforcement works, or it will have to change and. . . any potential change will go towards more centralization.
Since then, there has been a steady stream of discussions. The topic of the Regulation’s effectiveness and potential improvements has been discussed at hearings in the European Parliament, at meetings of the European Data Protection Board and at conferences, to name but a few examples.
I am glad that what was once taboo – simply acknowledging that there may be structural issues behind the malfunctioning of the GDPR – is now not only internalized, but ideas on how to address them, including potential legislative initiatives , are shared and launched by more voices and stakeholders.
But we have to recognize that the discussion is far from over — in fact, it hasn’t really even begun.
We need a real debate about whether current data protection legislation – proposed 10 years ago, passed six years ago and enforced for four years – is actually serving people in the way it was designed. If he protects everyone equally and sufficiently; whether the underlying intention has been fulfilled.
I sincerely hope that we are now ready for such a conversation. A debate in which what really counts are the individuals, not the political interest of the stakeholders. Defending the status quo should never be a principle in itself. We owe it to EU citizens to constantly assess where we are and where we should be going. This is how the block grew and achieved so much afterwards.
Much remains to be done by the data protection community and by the European Data Protection Supervisor (EDPS) himself. May our next conference be the next chapter in this story. And if creating a public platform for honest discussion and dialogue about the future of data protection is seen as a violation of the rules, then so be it.
It is time that a culture of protection of fundamental rights is no longer a radical dream, but an obvious reality.