The Baffling Case of the Headless EDPS
After working in Brussels for the last 15 years, I have become accustomed to the byzantine machinations of European politics. But the spectacle that is currently unfolding concerning appointment of a new European Data Protection Supervisor (EDPS) and Assistant Supervisor paints a particularly dismal picture of how data protection in the EU can become a political football.
The office of the EDPS, which includes approximately 50 officials, is responsible for ensuring that the EU institutions respect the right to privacy when processing personal data and also advises them on the adoption of new legislation, among other tasks. The Supervisor is the most important official at the European level dealing specifically with data protection, and the EDPS has gained worldwide respect since it was established 10 years ago.
The terms of current Supervisor Peter Hustinx and Assistant Supervisor Giovanni Buttarelli expired on January 16, and a process to select their successors has been underway since July 2013. Appointment is made by common accord of the European Parliament and of the Council (representing the Member States), based on a list drawn up by the European Commission following a public call for candidates.
Given that the EU is currently engaged in a complex reform of its data protection framework and has to deal with many other controversial and important data protection issues as well—such as surveillance by the intelligence services—one would think that the EU institutions would do everything possible to ensure the timely selection of a new Supervisor and Assistant Supervisor.
In fact, the opposite seems to be the case. The institutions had already dragged out the selection process, and Peter Hustinx sent a letter to various EU officials in early January expressing his concern about the negative effect this delay is having both on the EDPS as an institution and on data protection in the EU. The European Commission then suddenly stated to the press in mid-January that according to an inter-institutional EU “selection board,” none of the candidates are “sufficiently qualified”, so that the entire process has to start over.
Without naming any names, I know that the candidates included several current and former data protection commissioners and officials with extensive experience for whom I have the highest regard. The European public is owed an explanation of why none of these eminent individuals is a suitable candidate, and why the selection process has been handled in a way that will result in appointment being substantially delayed.
It is hard to know what is going on here. Are the Commission and the Council concerned about having a Supervisor experienced in data protection law who is too strong-willed? Are they planning to try to parachute a politician into the job? And what has been the role of the European Parliament (if any) in all this? These questions must be asked, but as an outside observer, I have no answers to them.
One can also raise a number of awkward questions about the transparency of the selection process. For example, who are the members of the selection board, what are their qualifications and on what basis did they decide that none of the applicants are suitable? Will the board’s determination be subject to public scrutiny? And why was the decision that there are no suitable candidates made public via the press just a few days before the incumbents’ terms ended?
We sorely need a strong EDPS, particularly since the proposed EU Data Protection Regulation would greatly increase its responsibilities. As a scholar of EU data protection law, I am baffled that extensive experience as a data protection commissioner seems to disqualify one for the job of what is in essence the EU’s data protection commissioner, and as a European citizen I am alarmed that we may now have to wait months before a new Supervisor and Assistant Supervisor are permanently appointed. I very much hope that this situation is resolved as soon as possible in a way that furthers the interest of data protection.
About the Author
Christopher Kuner is Senior of Counsel in the Brussels office of Wilson, Sonsini, Goodrich & Rosati and is Honorary Fellow of the Centre for European Legal Studies, University of Cambridge, where he also teaches. His books European Data Protection Law: Corporate Compliance and Regulation (2007) and Transborder Data Flows and Data Privacy Law (2013) are both published by Oxford University Press. He is editor-in-chief of the journal International Data Privacy Law and co-chair of the Task Force on Privacy and Data Protection of the International Chamber of Commerce and has 20 years’ experience working in EU data protection law. He holds a PhD in data protection law from Tilburg University (the Netherlands), and law degrees from New York University and Notre Dame Law School.