Wojciech Wiewiórowski is the European Data Protection Supervisor.
When you’re a regulatory authority responsible for compliance, being called a “rulebreaker” doesn’t happen every day — but it’s what happened to me.
Nominated to this year’s POLITICO Tech 28 list, my profile read, “Wiewiórowski is making waves.” He’s “broken a Brussels taboo,” “daring to question whether the EU’s flagship General Data Protection Regulation is up to scratch.”
I remember reading these words for the first time and feeling a sense of pride in the institution I have the honor to lead — and a sense of worry. If questioning how to better bring practices into compliance and pointing out problems in your own backyard are seen as controversial, this says something about the state of public debate — at least with respect to the protection of fundamental rights.
While data protection is sometimes perceived as technical and bureaucratic, the GDPR, which encapsulates Europe’s rules for data protection and privacy, probably remains one of the most well-known pieces of legislation in the world — particularly among EU citizens. And though data protection existed before it, the new regulation was needed to step up compliance across the bloc, using stronger enforcement mechanisms to ensure greater protection of individual rights.
Though enforcement is only a tool for accomplishing this primary objective of the GDPR, the mechanism and means through which it’s achieved remain prominently relevant. And what the last four years have shown is that where enforcement lacks, so does an individual’s ability to have their rights realized.
Along these lines, in September 2021, our plans to organize a conference on GDPR enforcement, scheduled to take place in Brussels this June, were first reported. Back then, the conference was described as one raising political concerns and dissatisfaction. Even just the idea of naming and addressing such issues wasn’t exactly welcome, let alone speaking about hypothetical solutions, such as centralizing enforcement.
However, if the floodgates of discussion had been firmly closed back then, in the following months, they began to leak. The next big political stir came when Commission Vice President Věra Jourová boldly proclaimed: “Either we will all collectively show that GDPR enforcement is effective or it will have to change and . . . any potential changes will go towards more centralization.”
Since then, there’s been a steady stream of discussion. The topic of the regulation’s efficacy and potential improvement has been debated at hearings at the European Parliament, at meetings of the European Data Protection Board and at conferences, to name only a few examples.
I’m glad that what was once taboo — merely acknowledging there may be structural issues behind the malfunctioning of the GDPR — is now not only being internalized, but ideas of how to address them, including potential legislative initiatives, are being shared and floated by more voices and stakeholders.
But we must acknowledge that the discussion is far from over — in fact, it hasn’t even really begun.
We need genuine debate on whether current data protection legislation — proposed 10 years ago, adopted six years ago, and in application for the last four years — is actually serving people in the way it was designed to. Whether it protects everyone equally and sufficiently; whether the intention behind it has been fulfilled.
I sincerely hope we’re now ready for such a conversation. A debate in which what actually matters is the individuals, not the political interest of stakeholders. Defending the status quo should never be a principle on its own.We owe it to EU citizens to continuously evaluate where we are and where we should go. This is how the bloc has developed, and how it has subsequently achieved so much.
There’s still much to be done by the data protection community and by the European Data Protection Supervisor (EDPS) itself. Let our upcoming conference be the next chapter in this story. And if creating a public platform for honest discussion and dialogue about the future of data protection is seen as breaking the rules, then so be it.
It’s time a culture of protection of fundamental rights is no longer a radical dream, but an obvious reality.