Leonardo Cervera Navas – pre-conference interview

Leonardo Cervera Navas is the Secretary-General of the European Data Protection Supervisor. See the full speaker profile here.

From your point of view, what are the priority challenges for data protection in the years to come? 

In my opinion, one of the priority challenges when it comes to data protection is effective supervision and enforcement. The digital ecosystem is ever expanding, the use of new and often unprecedented technologies is progressively becoming the norm, and data protection authorities must live up to the challenge.  

In particular, the extensive use of AI technology, often integrated on larger solutions, bears legal risks and ethical concerns. These risks and concerns are the mainspring of the Commission’s first EU regulatory framework for AI, and as the text has been finalised, discussions on the AI Act are shifting from the ‘what’ to the ‘how’. It is, therefore, now that the number one priority for policymakers should be ensuring that the relevant authorities are equipped with adequate technical, financial and human resources and infrastructure to fulfil their tasks effectively. On the other hand, authorities vested with the competences to supervise compliance with the AI Act will need to invest in establishing effective cooperation with market surveillance authorities, sectoral regulators and data protection authorities. 

Authorities in our field are very aware of individuals’ expectations that their complaints are handled and their rights are enforced swiftly and in a consistent manner across the EU. That is why the EDPS very much welcomes the intention of the EU co-legislators to approve a Regulation to improve key procedural aspects of GDPR enforcement. Data protection authorities have provided concrete suggestions on how to make sure the Proposal is fit for purpose and will closely follow the next steps of the legislative procedure. 

Finally, directly linked to the fundamental rights of privacy and data protection, is the challenge of developing and employing human-centric technology. We need to embrace a new form of humanism, the so-called digital humanism that calls for designing a digital future with respect to human needs, while keeping values, such as dignity and autonomy, in mind.  

In response to the unchecked power of digital platforms and unprecedented advancements of technology, ethics should be embedded into the technology design process and into standards and norms. The EDPS has long been an advocate of digital humanism and digital ethics. 

How important is international cooperation to address these challenges and ensure data protection and privacy? 

Whilst there is no United Nations’ Universal Binding Declaration or Convention on data protection, the challenges that we are facing in this remit are international, if not global. We need global standards. The General Data Protection (GDPR) often serves as an inspirational model for many countries outside the EU/EEA. The GDPR has the potential to play an influential role in defining global standards in the field, together with the Modernised Convention 108 of the Council of Europe, which also plays a decisive role. But, for this to be achieved, we need continued, international cooperation. Discussions in international fora are all the more special, and conducive to elevating data protection standards according to shared values and rights. 

One of the ways to build stronger convergence of data protection standards with different countries from around the world is through the cooperation of DPAs. I can witness that such cooperation is happening on a daily basis- first and foremost within the EU in the framework of the EDPB but also at a broader level for instance within the framework of the Spring Conference, the Global Privacy Assembly, the G7 DPAs Roundtable, the Council of Europe, the OECD, etc.  

International cooperation is no longer an option, it is essential, if not vital, to move forward in this field. 

Do you observe fundamental changes and evolutions in the domain of personal data protection and its perception? 

Personal data protection is not a new right; however, the development of computer technology and the internet in the late 20th and early 21st centuries led to a greater awareness around it, as well as a greater need for its protection. This is perfectly reflected in the EU’s General Data Protection Regulation (GDPR) that came into force in 2018, which constitutes an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. The GDPR aims to enhance individual’s control over their personal data and grants them rights that empower them. 

In addition to legislation, there is a greater awareness within companies about the handling of personal data and data protection obligations, as well as in society as a whole, as we have seen from the growing number of complaints received by data protection authorities and the increasing number of data protection cases that end up in court. 

Why conferences such as the Privacy Symposium are important and how can they support data protection? 

International conferences on data protection are essential fora that foster international and multi-stakeholder dialogue, they provide platforms for cooperation and knowledge sharing on various topical data protection issues, inform of emerging technologies and research, and help shape, in a way, the data protection world.  

The Privacy Symposium is doing great work in this regard, bringing together every year hundreds of experts in the field but also from various backgrounds, fostering an international community of  professionals that can learn from each other and grow professionally. 

Would you have any advice or recommendation to share with data protection professionals and/or data subjects?

I would urge fellow data protection professionals to stay up-to-date with the developments in the field and keep expanding their knowledge and expertise, but when in doubt, remember to get back to the basic principles of data protection. 

My advice to data subjects is simple: know your rights and exercise them!