A senior European Commission official warned today that the bloc’s privacy rules may have to change to put more power in the hands of EU institutions, wading into a debate that has plagued the GDPR almost since its inception.
Breaking with the orthodoxy of Europe’s privacy rulebook, the General Data Protection Regulation, Commission Vice President Věra Jourová said: „Either we will all collectively show that GDPR enforcement is effective or it will have to change and … any potential changes will go towards more centralization.“
The changes would most likely put more powers into the hands of the EU executive or the Europe’s network of privacy regulators, the European Data Protection Board (EDPB), she told delegates at a conference in Brussels.
The comments will weigh heavily into a debate on who should have the right to enforce the bloc’s privacy rules between member countries where Big Tech companies have established their headquarters — namely Ireland and Luxembourg — and major institutions like the European Commission, the European Data Protection Supervisor’s (EDPS) office, in charge of policing EU institutions, and the EDPB.
EDPS chief Wojciech Wiewiórowski is among those who have been leaning toward reform of the GDPR system.
His office is putting on a conference next summer to discuss “alternative models of enforcement of the GDPR, including a more centralized approach.“
“This is something that we take into consideration as one of the possible outcomes,” he said when asked by POLITICO whether the bloc’s privacy rulebook, the GDPR, would benefit from a more centralized enforcement model.
But the chair of Europe’s network of privacy regulators, Andrea Jelinek, is not calling for immediate changes.
In an interview with POLITICO, the Austrian said she doesn’t “see the need” to centralize enforcement. “It’s too early to say that anything is bad or horrifying. I think it isn’t perfect, but no system is perfect. And the improvement that we have made in the last three years and a half is quite well-done.”
The EDPS‘ conference would be useful in talking about how to improve enforcement “within the framework of the GDPR,” she stressed. Read: No changes to the law please.
The split goes to the heart of the debate around GDPR enforcement: the “one-stop-shop” mechanism, which requires that companies are regulated by the country in which they are legally established. That system has led to criticism that countries like Ireland and Luxembourg, which host almost all the big tech companies in Europe, are acting as an enforcement bottleneck.
The establishment of a pan-European authority has been floated to bolster EU enforcement in major cross-border cases involving companies like Facebook and Google, which affect citizens across the 27-member bloc.
The EU already has similar systems in place in areas like competition and anti-money laundering law, and is mulling a more centralized enforcement model for its draft online content moderation law as a direct consequence of gripes around limp and slow GDPR enforcement.
What such a system might look like is what Wiewiórowski wants to explore in his conference next year.
“I’m not ashamed that I don’t know the answer. I’m ashamed that we don’t ask the question. And this is why we organized the conference,” the Pole said of whether the enforcement model needed changing.
A revamped system could have Wiewiórowski’s EDPS at its heart.
Asked whether his office would accept more powers under a different enforcement model, Wiewiórowski gave a cryptic answer. “I only can answer that we are accepting more powers every year,” he said, noting that in a hypothetical new GDPR enforcement model, EU treaties seemingly barred the European Commission from taking on the role of an EU-wide data protection authority, as it does in competition law.
For now, reform of the EU’s privacy enforcement mechanism is unlikely, with lawmakers unwilling to open up one of the bloc’s flagship laws to another round of intense lobbying. But in private, EU officials say changes are not out of the question longer term if Europe’s privacy regulators continue to misfire.
Even Helen Dixon, whose office the Irish Data Protection Commission has been the focus of much criticism over slow enforcement, does not rule out the possibility of tweaking the rules.
“I don’t think it’s the time to be thinking about should the GDPR be amended … but I think we need to be having the conversation, to look at what’s working and what’s not working and learning now so that in the future and [potential changes to Europe’s privacy rules] can be looked at,” she said.
Want more analysis from POLITICO? POLITICO Pro is our premium intelligence service for professionals. From financial services to trade, technology, cybersecurity and more, Pro delivers real time intelligence, deep insight and breaking scoops you need to keep one step ahead. Email [email protected] to request a complimentary trial.