IAPP Europe Data Protection Congress, Paris – Day 2 – Summary of Peter Hustinx’ keynote address

In his address, Mr. Hustinx offered an opinion on where he thinks the revision of the European data protection framework is headed. Basing his remarks on a Stanford Law review article, "Privacy in the books and privacy on the ground," he advocated the revision of the European data protection framework which would provide innovative and efficient means to deliver privacy on the ground, by empowering data subjects and data protection authorities, as well as providing greater legal certainty for data controllers.

For the European Data Protection Supervisor, increased continuity of principles is to be expected from the revised framework , but it is thought that it will aim for innovation in the implementation of practices. This will, in all likelihood, lead to stronger roles for  data controllers, data subjects and data protection authorities.

What it will mean for controllers, he continued, is that there will be a boost in responsibility as a result of the accountability principle. This new principle will certainly require the creation of internal roles, the implementation of internal procedures and independent audits, and the publication of those results. In this respect, Mr. Hustinx believes that privacy by design will be a feature of the new legislation and that general data breach notifications will form part of the project.

On the other hand, he stated that it seems logical and appropriate for there to be a "loosening" of the ex-ante controls by authorities.

On the data subjects’ side, we should be expecting greater empowerment in the exercise of rights already granted and potentially the granting of "a few more rights."

For the authorities, he believes that the new framework should result in more effective supervision through uniform standards on independence and enforcement powers and topic selections. In this respect, the Article 29 Working Party (expect a name change!) will play a crucial role, providing greater transparency in its analyses.

Finally, he emphasised the importance of global cooperation and convergence in privacy standards and enforcement practices.

Answering questions from the audience, the EDPS stressed that, Privacy by Design would be happening and that data controllers should not ask themselves "What should I do?" but rather "do it and prove what [they] have done!". However, the concept of Privacy by Design will not be defined specifically or in any detail in the new legislation.

He also addressed questions regarding the role of data protection officers which he believes is bound to increase and become more and more strategic in order to evidence compliance with the accountability principle.

Authored by Lionel de Souza