Jersey, Channel Islands, 30 October 2024
“Check against delivery”
Dear Paul,
Dear Josefina,
Ladies and Gentlemen,
Good evening.
It’s a real pleasure to be with you tonight. I know this conference is all about the power of “I”. Let me then add one “I”: the “I” of island.
In the words of the famous French author Victor Hugo, Jersey is “an island of beauty, happiness and independence”. As you probably know, Victor Hugo spent three years here fleeing the regime of Napoleon the Third after a first stop in Brussels (an interesting connection!).
In a certain sense, privacy is also an island – an island of personal autonomy where each of us is free to think, develop one’s own ideas, experiment and pursue our life as we deem fit.
That’s why privacy and data protection are at the core of human dignity, self-determination and ultimately freedom, as the Global Privacy Assembly (GPA) has reminded us on numerous occasions.
At the same time, as the famous saying goes, “no man is an island”.
This is also true for privacy – across borders and across regulatory frameworks.
One of the key resolutions that the GPA will adopt this week – and I understand it was already a topic of several discussions today and yesterday – is about “Data Free Flow with Trust”.
In a few years, our collective efforts have turned this interesting concept into an increasing reality.
And the GPA made and continues to make a key contribution to that story.
In the EU, we have answered that call by expanding our transfer mechanisms to new forms of engagement and collaboration such as, just to mention two examples amongst many others, mutual adequacy arrangements – like the ones we are currently negotiating with Brazil and Kenya – or developing bridges between sets of model contractual clauses adopted in different regions, as we did with ASEAN and we will soon do with the Ibero-American Network.
In my view, this type of solution is particularly well suited to the reality of the digital economy: data often flow to multiple destinations, simultaneously, consecutively and/or back and forth.
That’s also why I launched earlier this year an “adequacy network” to work towards connecting different transfer mechanisms and, in this way, develop a multiplier effect in terms of safe data flows.
Facilitating data flows with countries that are candidates to join the EU is another area in which we want to intensify our cooperation.
I also very much believe in the potential of regional networks of data protection authorities to join forces and foster convergence “on the ground” through concrete, pragmatic solutions – whether it is through cooperation on guidance documents when interpreting similar concepts, developing common compliance tools, or strengthening enforcement cooperation.
This is why I very much welcome the first meeting, which took place in Morocco in September, between the European Data Protection Board, the African Network of Data Protection Authorities and the Ibero-American Network. We were also present, together with other international organisations (such as the African Union). I hope additional regional networks and organisations will join at the next meeting.
All these different initiatives have led us to work at the European Commission on privacy and data flows with many more countries and organisations than in the past – which I find extremely positive.
Certainly, more can be done and will be done.
But one thing is clear: individuals and their rights should remain at the centre of our common approach to data flows.
Formal, check-the-box, non-rights-based transfer tools no longer work. They deliver neither the protection individuals are entitled to, nor the predictability and legal certainty businesses so rightly expect.
I know the GPA shares the same vision and that’s why I very much count on our collective engagement and creativity to bring forward our common agenda on “Data Free Flow with Trust”.
The need for bridges has never been as important as it is today.
This is true geographically. But it is also true from a governance and regulatory point of view.
Compared to when data protection and privacy authorities first met at global level in 1979, their environment has profoundly changed and become increasingly complex.
And the last years have seen a clear acceleration of that trend, domestically and internationally.
Data protection is a key foundation of the expanding digital regulatory framework – whether it’s about AI, fair competition on digital markets, access to and sharing of public sector data, or the protection of consumer rights.
But that also means that more frequently different authorities, within their own regulatory framework and under their own balancing act between various rights, will handle data or privacy-related matters.
In some way, privacy is and will remain central while data protection authorities will, if I may say, lose some of their “natural monopoly” over privacy. They will increasingly be part of broader decision-making processes.
Less of an island and more about other “Is” such as interplay, interaction and interconnection.
This puts a significant responsibility on data protection authorities in terms of ensuring that privacy rights continue to be effectively protected in an increasingly diversified regulatory landscape, and that data protection rules are interpreted and enforced in a consistent manner under different legal regimes.
It inevitably requires innovative thinking, multidisciplinary solutions and forms of cooperation between data protection authorities and other regulatory authorities.
In Europe, this will be a central focus of our work in the next years on the implementation of the different digital acts we recently adopted.
That work has started for example on the interplay between the GDPR and the Digital Markets Act or the AI Act – and I want to pay tribute to the important contribution of the European Data Protection Board and its members.
But, of course, these challenges – which can also be opportunities – are not limited to one region. They concern all of us.
And here as well, the GPA, which has been a precursor in putting these issues on its agenda many years ago, can play a central role in promoting exchange of knowledge, sharing of experience and identifying best practices to make cross-regulatory cooperation a reality.
In fact, the GPA has often been ahead of its time.
If we look back at its more than four decades of existence, many of the very first documents on, for instance, the use of data in telecoms, biometrics in passports, or privacy in the context of connected vehicles were developed by the GPA.
More than any other international forum, it symbolises the joined-up, collaborative thinking we need to protect privacy in a fast-evolving world.
This is why it is very comforting to see that new members join every year and that its annual meetings gather such a broad and diverse range of participants.
This is also true this year – from data protection and privacy authorities to government representatives, from civil society organisations to businesses, from parliamentarians to athletes, etc etc.
But let me conclude: this long list of members, participants and speakers shows that if the power of ‘I’ is an essential part of privacy, it is the power of ‘us’, of ‘bringing us together’ that can make a difference. This is precisely what the GPA is about.
Thank you and please join me in raising my glass to our hosts!
Source – EU Commission