Privacy 2030 in 2020

Woman framing the

The beginning of a new decade is perhaps an opportune time to reflect on the past and plan for the future. A lot has happened in the international privacy community in the last ten years, largely thanks to European leadership. The General Data Protection Regulation (GDPR) is the hallmark of the 2010s. We look forward to the 2020s with Giovanni Buttarelli’s report Privacy 2030: A New Vision for Europe, which was published posthumously and reflects the former European Data Protection Supervisor’s (EDPS),  vision for the next decade.

In the international privacy community, the last ten years have constituted a long, arduous journey to the century’s most important privacy regulation, the GDPR, which went into effect on May 25, 2018. The journey was sparked, if we take a long view back, by the 2009 Lisbon Treaty which introduced Article 16 on the right to the protection of personal data. It continued with the European Commission’s research into the deficiencies of the Directive 95/46/EC and a proposal for a new regulation. The journey had ups and downs during the years-long trilogue negotiations, not to mention corporate lobbying, and finally concluded with ratification in 2016. The journey is not over, of course, as GDPR enforcement ensues, following a modest fine against Google about this time last year. The GDPR will be one of those statutes that marks time in the privacy and technology community as before or after GDPR. Its impact much broader than European itself, the GDPR has become the de facto international privacy standard with GDPR “clones” proliferating across the globe, reaching even the shores of a privacy-stubborn United States, with the passage of the California Consumer Privacy Act which took effect on New Year’s Day. The 2020s will tell just how effective the GDPR will be in protecting personal data in Europe and abroad, but with lightning-speed advances in technological innovation, data protection, as Buttarelli’s report shows, is not the only thing at stake; at heart it’s about human dignity.

In Privacy 2030: A New Vision for Europe, Christina D’Cunha completes Buttarelli’s work on defining a vision for European privacy in the new decade. That vision goes far beyond personal data and EU borders. Buttarelli focused on human dignity and ethics as it relates to multiple spheres of life – economy, society, and environment. Buttarelli claimed we need to not only protect the fundamental human right of privacy through legislation like the GDPR, but we also need to level the playing field so that people can effectively exercise their rights. Moreover, we need to create an environment where everyone can live a dignified life without being forced to reach for legal recourse through a variety of costly, piecemeal mechanisms. A privacy-friendly context would redistribute digital power from the very few global technologies companies to more stakeholders, especially consumers, by giving them true ownership over their data and the freedom to control their digital identities. Competition law and antitrust will be important tools toward this end. This environment will also be one where the average person, but especially vulnerable and underserved communities like those in rural areas, children, people of color, migrants, and refugees, are able to share in the benefits of technology. Ethical leadership will be central to designing rules of the game for modern technologies like AI and facial recognition to curb corporate and state surveillance so citizens can preserve their freedom of speech, thought, conscience, association, assembly, and movement. Finally, technology’s carbon footprint will have to be reduced if we are to secure a sustainable future. Buttarelli had faith that Europe can deliver on this vision, recognizing that it will need to partner closely with foreign digital competitors (US and Chinese governments and companies alike) to have impact beyond its borders. Our fates in this interconnected and globalized world, whether we like it or not, are intertwined.

That is a far-sighted and expansive vision and an ambitious call to actionfor global privacy policy leaders gathered at the IAPP Data Protection Congress in Brussels in November, 2019. On the heels of the conference came Wojciech Wiewiórowski’s appointment to succeed Buttarelli as the EDPS. Having served in the Polish Data Protection Authority (DPA) and as Assistant Supervisor to Buttarelli, he is well positioned to take the helm and try to deliver on his former leader’s vision. Wiewiórowski’s 2019-2024 mandate extends to the protection of personal data in EU institutions, essentially serving as the EU’s DPA. The EDPS is already underway investigating Microsoft’s data practices as they relate to its online products and services, as the company is a key technology provider to EU institutions, and the European Parliament for outsourcing data processing to a US company, called NationBuilder, for its 2019 election campaign activities. But the EDPS’s influence doesn’t stop there. The EDPS is a member of the European Data Protection Board (EDPB), like all national European DPAs, and provides its secretariat. The EDPS is also responsible for consulting with European partner organizations, like Europol, and developing global partnerships. Wiewiórowski is expected to publish a strategy document in his first 100 days in office. While expected to follow in Buttarelli’s footsteps, encapsulating privacy within the whole of human dignity, it remains to be seen how exactly Wiewiórowski’s vision of European privacy in the new decade will unfold.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: