Opening Speech by Commissioner Didier Reynders at the International Association of Privacy Professionals (IAPP) Europe Data Protection Congress 2024
“Check against delivery”
Introduction
Good morning everyone.
It is always a pleasure to speak at this conference, thanks for having me back again! It is important to bring everyone together in this way, as the IAPP does every year, because of how rapidly the digital economy and its regulation are growing.
I read on the conference website that this Congress is “Europe’s must-attend data protection event”. And we can all see that the interest is there – I’m told there are more than 3000 participants. But, if I may, it’s more than a “data protection event” – a large part of this year’s program is dedicated to AI governance.
I believe that this is a very good reflection of where privacy stands today, of what has been achieved in the past years and what lies ahead of us.
Data Protection as foundation of the EU digital rulebook and cross-regulatory cooperation
The need for privacy policymakers, regulators and practitioners to think broader is clear to all of us. As I stressed at the Global Privacy Assembly a few weeks ago, privacy is, so to say, less and less of an island.
By that I mean that data protection is and will remain a key foundation of the expanding digital regulatory framework – whether it’s about AI, fair competition on digital markets, or a safer on-line environment.
At the same time, data and privacy-related issues will increasingly be part of broader decision-making and enforcement processes. This puts a significant responsibility on privacy regulators: ensuring, on the one hand, that privacy rights continue to be effectively protected in a more complex regulatory landscape, and, on the other hand, that data protection rules are interpreted and enforced in a consistent manner under different legal regimes.
It also requires from entities processing data that they proactively address privacy compliance matters earlier on and take into consideration a broader range of situations.
Current questions around compliance with GDPR requirements in the context of training of AI models are just one example of this. All this inevitably requires innovative thinking, multidisciplinary solutions and novel forms of cross-regulatory cooperation.
I’m convinced that this will be a central focus of our work in the next years on the implementation of the different digital acts we recently adopted. That work has started, for example, between the Commission and the European Data Protection Board on developing guidance on the interplay between the GDPR and the Digital Markets Act.
Strengthening enforcement
When considering cross-regulatory cooperation, enforcement is an area where there are still major differences between various legal regimes.
But at the Commission, we are working on addressing these gaps. This is true for consumer protection where we are exploring different options, including a possible legislative initiative to strengthen the Commission’s role in situations that affect consumers throughout the Union and further improve enforcement cooperation among national consumers authorities.
It is also true for data protection: two weeks ago, I launched the trilogues with the Council and the Parliament on our proposed “GDPR Procedural Regulation” to facilitate enforcement cooperation between national data protection authorities on cross-border cases.
This Regulation does not affect the fundamental principles of the GDPR, and fully supports the GDPR’s “One-Stop-Shop” enforcement system. But it answers a clear request, in particular from data protection authorities, to address problems that have arisen from conflicting national procedural rules.
We have also heard the many calls for more consistency, and less fragmentation, in the implementation of the GDPR. This is why this Regulation will harmonise certain procedural aspects.
For example, we want to clarify what an individual with a complaint needs to submit when making a complaint and ensure that he or she is appropriately involved in the process.
For businesses subject to an investigation, the new rules will clarify what their due process rights are when a data protection authority investigates a potential breach of the GDPR.
What we want to see is a swifter resolution of cases, quicker remedies for individuals and more legal certainty for businesses. I very much welcome that the Parliament and the Council have given priority to this file and that work is progressing as we speak.
But needs on enforcement cooperation obviously do not stop at the borders of one region. This is why, as announced in the second report on the application of the GDPR that we published this summer, the European Commission will seek a mandate from the EU’s Member States to negotiate enforcement cooperation and mutual assistance agreements in the area of privacy with non-EU countries.
It is time for privacy enforcers to be equipped with tools similar to those that exist for cooperation in other regulatory fields – such as competition, product safety or financial supervision.
International data flows
That brings me to the international dimension of our work.
Whether it is on privacy, AI or digital trade, in the past five years we have been working with many more countries and international or regional organisations than in the past – which I find extremely positive.
In the area of data flows, this has involved developing new forms of engagement and collaboration such as, just to mention two examples amongst many others, mutual adequacy arrangements – like the ones we are currently negotiating with Brazil and Kenya – or developing bridges between sets of model contractual clauses adopted in different regions, as we did with ASEAN and we will soon do with Latin American countries.
Also, for the first time ever, we are developing adequacy findings with international organisations, such as the European Patent Organisation. With this work, we want to contribute to the work of innovators across the continent and globally as they rely on patents to bring new ideas, goods and services to the market.
And, to match the diversity of data flows, we need to continue to be creative. That’s why I launched earlier this year an “adequacy network”. I hope this will connect different transfer mechanisms and, in this way, develop a multiplier effect in terms of safe data flows. Facilitating data flows with countries that are candidates to join the EU is another area in which we want to intensify our cooperation.
I also very much believe in the potential of regional networks of data protection authorities to join forces and foster convergence “on the ground” through concrete, pragmatic solutions – whether it is through cooperation on guidance documents when interpreting similar concepts, developing common compliance tools, or strengthening enforcement cooperation.
This is why I very much welcome the first meeting, that took place in Morocco in September, between the European Data Protection Board, the African Network of Data Protection Authorities and the Ibero-American Network.
We were also present, and I hope additional regional networks will join this important initiative.
Digital developments and impact on other sectors
Preserving the centrality of the individual in the digital transition is what brings together these different workstreams, both within the EU and globally. This values-driven approach means we must always look in two directions. At how we regulate certain areas in line with our values.
But also at the impact of new technology on our rights and values – from democracy to consumer protection. To just mention the latter, a new Digital Fairness Act to be developed by the Commission in the coming months will pick up on the studies we have carried out that show how addictive design elements, social media influencers and dark patterns push consumers into making choices they didn’t necessarily intend to make.
There is clearly a growing gap in power and information between businesses and consumers which has revealed many vulnerabilities, including for young people, that will need to be addressed. This fairness, whether it is in the freedom to make choices about what you buy or access independent, pluralist media, is a fundamental part of how the EU views the digital transition.
Prior to this year’s European elections, we saw disinformation spreading and sophisticated manipulative methods being used, sometimes using AI. The fact that there were no major disruptions to the conduct of these elections was remarkable. But that did not happen by chance.
It is the result of constant work in recent years to protect democratic frameworks in many ways, from pushing for more transparency in the funding of political parties, to nurturing the civic space in Europe.
But protecting fundamental values – including democracy – is constant work in progress.
And in the coming years, one of the major challenges will be to harness digitalisation for positive developments in this regard while we prevent it being used to harm our foundations.
Conclusion
I am sure that the expertise and experience the IAPP brings together can give an important contribution on all these crucial questions. Thank you very much for your attention. I wish you a productive Congress and… a pleasant stay in Brussels!
Source – EU Commission