Dr. Anu Talus is the Chair of the European Data Protection Board (EDPB) and Finnish Information Commissioner. See the full speaker profile here.
From your point of view, what are the priority challenges for data protection & compliance in the years to come?
This spring, the EDPB will adopt its new strategy, the very first since I became EDPB Chair. The strategy sets out the EDPB’s priorities for the next 4 years and charts the direction the EDPB will take.
Enforcement and boosting enforcement cooperation will remain a top priority for the EDPB in the years to come. DPAs are using the enforcement capacities granted to them by the GDPR to their full extent, both at national and cross-border level. The EDPB’s focus today is on delivering results within the current legislative framework. In addition to cooperation as prescribed in the GDPR, we are continuously seeking ways to further streamline enforcement, to make sure we can be even more effective in delivering results.
In addition, the EDPB will continue to monitor new and emerging technologies and their potential impact on the fundamental rights and daily lives of individuals. New technologies, such as AI can bring numerous benefits to our society. However, the risks to the rights of individuals are very real and can have a negative impact on our democracies. The EDPB will continue to attract the right expertise, through its staff and via the Support Pool of Experts, to be able to tackle these challenges head-on. In addition, the EDPB and DPAs will engage on these issues with the international community to promote high legal standards and cooperation amongst regulators globally.
The European Union continues to pioneer the regulation of technology with a cluster of new laws like the DMA, the DSA and the AI Act. These three pieces of legislation build on the acquis of the GDPR. It is crucial to solidly embed the GDPR and data protection authorities in the overall regulatory architecture that is being developed for the digital markets. The EDPB will also enhance cooperation with other regulatory authorities, such as consumer and competition authorities, on matters which have an impact on data protection.
Furthermore, the EDPB will continue to promote compliance with data protection law by developing clear, concise and practical guidance on important topics. The EDPB will also develop more tools for a wider audience, such as its data protection guide for small business, with content that is accessible and easy to understand for non-experts. Among others, the EDPB will look into developing a tool dedicated to children.
How important is international cooperation to address these challenges and ensure data protection and privacy?
International cooperation is a key strategic priority for the EDPB, and will form one of the pillars in our new strategy. The global dimension of our work is very important to us and we invest many (human) resources in participating in international conferences to use these platforms for exchanging good practices with our colleagues worldwide. We make a continuous effort to meet and exchange, through fora such as the Global Privacy Assembly, the G7 and this Privacy Symposium.
Do you observe fundamental changes and evolutions in the domain of personal data protection and its perception?
Data protection has evolved to a high stakes area of law since the entry into application of the GDPR. In addition, data protection has become somewhat of a global phenomenon in the last 6 years. Legislators from all over the world are working on their own data protection rules, and interest among both governments and the public is at an all-time high. This shows how important data protection has become.
As Finnish Commissioner and EDPB Chair, I notice every day that there is greater awareness among individuals about their rights – organisations receive requests to exercise individuals’ rights and DPAs receive more complaints than in 2018. We can also see this from the public debate on new technologies, such as ChatGPT, and its implications for data subject rights.
In addition, we observe that large fines have an impact. Not only do they make headlines, they also work as a deterrent to malpractices by controllers. They show that there is no way around the GDPR and that if you want to do business in Europe, you need to play by the rules. At the same time, the GDPR has also shown that there are great benefits to compliance, from reducing security risks to increasing consumer trust.
Why are conferences such as the Privacy Symposium important and how can they support data protection and compliance?
Attending international conferences such as the Privacy Symposium is an excellent way of exchanging views with stakeholders from different sectors and backgrounds. It also gives the EDPB the opportunity to provide insights on its experience with the GDPR. The Privacy Symposium has all the ingredients for a successful Conference: interesting, high-level speakers, a good mix of panels and keynotes, and, last but not least, the beautiful city of Venice.
Would you have any advice or recommendation to share with data protection professionals and/or data subjects?
To data subjects I would say to stay alert and to continue exercising your rights. Each individual in the European Economic Area has the right to address their grievances to their national DPA and to have their rights enforced, even at a cross-border level. We do our best to support you in defending your fundamental right of data protection.
To controllers and processors I would say: be compliant! If you want to do business in Europe, you will need to comply with the GDPR. In the last years, it has become very clear that organisations which do not comply, face financial and reputational consequences.
Lastly, for smaller companies and for people starting up new businesses, I would recommend you to consult the EDPB Data Protection Guide for small business. An online guide to data protection with lots of practical tools and handy materials, such as videos and infographics.
