Delivering the opening keynote address at the IAPP Data Protection Congress 2024, outgoing European Commissioner for Justice Didier Reynders said as artificial intelligence technology and AI governance practices come into sharper focus, the conversations surrounding them represent a "very good reflection of where privacy stands today, what has been achieved in the past years and what lies ahead of us" with respect to digital regulation in the EU.
"The need for privacy policymakers, regulators and practitioners to think broader is clear to all problem solvers," Reynders said in his speech. Throughout his term on the European Commission, one of Reynders' key responsibilities was ensuring the full implementation of the EU General Data Protection Regulation throughout the bloc.
"Privacy is less and less of an island," he continued. "By that I mean that data protection is, and will remain, a key foundation of the expanding digital regulatory framework, whether it's about AI, fair competition on digital markets or a safer online environment. Data and privacy related issue will increasingly be part of broader decision-making and enforcement processes."
Harmonized enforcement in focus
Reynders said to tackle the new data protection challenges emerging AI technologies will ultimately pose, regulators must be up to the task. He advocated for regulators at both the EU-level and within member states to enforce and interpret data protection rules in a "consistent manner under fundamental regimes," while calling on data processors to account for privacy compliance at earlier stages in their product development.
"All this inevitably requires innovative thinking, multidisciplinary solutions and modern forms of cross regulatory cooperation," Reynders said. "I'm convinced that this will be a central focus of our work in the next years — the implementation of the different digital (regulations)."
The emphasis on harmonization comes as EU institutions are in the midst of trilogue negotiations to finalize legislation to require and streamline alignment among data protection authorities. Czech Member of European Parliament Markéta Gregorová previously characterized the MEPs' goals to create a "coherent and effective framework" for GDPR enforcement that will raise "clearer processes for complainants" and "improve access to justice."
Using the example of competition policy and regulation, Renders said, once passed, the regulation to harmonize cross-border enforcement rules will ultimately help regulators determine the most appropriate and efficient enforcement body to clarify the procedural steps for the individual citizen lodging a complaint and providing regulatory certainty to organizations subject to an investigation.
"This regulation (would) not affect the fundamental principles of the GDPR and fully supports the GDPR’s one-stop-shop enforcement system," Reynders said. "It answers a clear request, in particular from data protection authorities themselves, to address problems that have arisen from conflicting national procedural rules."
Growing adequacy network
When the second report on the application of the GDPR was published, Reynders said the Commission sought a mandate from member states to negotiate cross-jurisdictional privacy enforcement actions with other international partners.
Accomplishing cross-border enforcement harmonization may allow EU regulators to look beyond their borders and thrust the issue of data privacy to be a key point of cooperation with non-EU jurisdictions. Reynders compared this work to how regulatory issues such as economic competition, product safety and financial supervision are treated by the EU and its international partners.
Securing an enhanced level of global cooperation for data privacy enforcement with allies, such as Canada, India, Japan, South Korea and the U.S., will likely prove critical for upholding data privacy rights in the democratic world, according to Reynders. He added the European Commission is in the middle of ongoing adequacy negotiations with Brazil and Kenya while alluding to preliminary discussions with other Latin American countries.
"The needs of enforcement cooperation obviously do not stop at the borders of one region," he said. "It's time for privacy enforcement to be equipped with tools similar to those that exist for cooperation in all regulatory fields."
Alex LaCasse is a staff writer for the IAPP.
