The EDPS plays a specific role as the supervisory data protection authority of the EU institutions, bodies, offices and agencies (EUIs). In recent years, crucial issues related to the role of the state have emerged, and the importance data plays in this regard. Against this background, the EDPS wants to use its 20th anniversary as an opportunity to bring more prominently to the public debate questions about the role of a state in the times of ever-growing collection of information about citizens, be it by private or public entities, and the place of data protection in modern democracies.
The debate will touch upon the role of data protection, its possibilities and limitations, its successes and missed opportunities, in contributing to the development of the fundaments of democratic society. It will gather minds who - while sharing a broad commitment to the protection of humans’ privacy - can look critically at the meaning of fundamental rights to privacy and to data protection in modern reality. Participants will answer the following five key questions (panels’ abstracts at the same time) around which the conversations taking place at the Summit will be organised.
Q1- What is ‘data protection’ protecting?
For some, data protection is a proud export product of the EU. For others, it is a technical and bureaucratic burden nobody needs. It has been several decades since the first data protection laws were adopted; the debate is mostly centred around specific legal provisions and their interpretations. However, what objectives does data protection serve as a fundamental right of both procedural and substantial nature? Are we on the right track to meet them? In simple words, what is the point of data protection, and what is the state of it?
To identify the ultimate goals of data protection, we will debate here, among others, the following questions. Why do we need data protection? Is data protection an answer to the societal challenges of the digital world? If so, to which ones? What is data protection protecting that cannot be secured through other means?
We will then move to the implementation of data protection laws in practice. Are there some limitations to data protection that stops from achieving its perceived objectives? Are there misconceptions about the aims of data protection, and who is prone to them? Is there unused potential in data protection? What is it that data protection offers that is still to be fulfilled?
Q2- Is data protection law suitable for public authorities?
Given the theme of the Summit and the specific role of the EDPS, we would like to continue these reflections in a more specific context of the role of data protection in relation to the State.
The EU’s legal order insists that public authorities are subject to similar, if not identical, rules concerning data processing as private entities. Moreover, such a framework applies to law enforcement authorities. The principle behind such an approach is that the State is no less capable of intrusion into the privacy of individuals (historically, it is the State’s powers that triggered the need for data protection laws), and therefore, no differentiation should be made on the level of data protection principles and obligations.
What are the lessons learned from this approach? Indeed, is data protection serving its function of limiting the State’s appetite for data? Are the powers of States, as well as its functions and societal needs it is expected to meet, something that data protection laws govern sufficiently well? Lastly, are the recent developments e.g. in terms of interoperability of databases, both within Member States and among them, a process that data protection laws capture efficiently?
Q3- Zooming out onto democracy and rule of law. How to build a functioning democratic oversight?
When discussing public authorities’ impact on individuals’ privacy, specific attention should be paid to the area of law enforcement and, more broadly, the States’ functions in the field of national security.
Being outside of the scope of EU law, national security poses not only a number of legal questions - i.a. the interplay with police and law enforcement area; data retention; government access to data; the applicability of the CJEU jurisprudence - but also shows that data protection alone may not be sufficient when prescribing to the set of safeguards in terms of data processing for national security purposes.
Considering the ever-growing amount of data created by our digital society coupled with the use of new technologies used both by criminals and against the criminals, data protection may need to be seen in the broader context of democratic oversight. What is it that may make data protection not enough to achieve in terms of mature reflection on the position of the individual in times of threats to national security? Equally, what can data protection bring when building a complex and efficient democratic oversight?
Q4 -In the trap of reactiveness. Can data protection be in the driving seat?
Our discussion started with general questions about the nature of data protection and its ultimate objectives. We focused then on the specific context of the role of data protection when it comes to the position and functions of the State, including in the law enforcement area.
With these reflections, we are now ready to move to the conversation on the application of data protection in practice. We would like to assess its design (seeing the GDPR as a model) in terms of the effectiveness potential - fulfilled or not fulfilled.
A critical look at the underlying philosophy of the functioning of the GDPR will be guided by the following questions: is there something about data protection (i.e. its individual centric character?) that makes it somewhat reactive, including on the enforcement level? Can data protection be conceptualized, implemented and developed in a way that encourages more pro-activeness? Can it be a tool for policy-makers and regulators that helps them determine and shape the future?
Q5- Fit for ‘44. How to turn wishes into proposals?
Having debated what data protection is developed for, what it should be and what it could one day become, we would like to conclude the Summit with an attempt to turn these reflections into practical proposals.
Data protection is not only an objective in itself, but an important element of modern democracies. One is largely linked to another. How can then data protection make itself useful for democracy? And what can democracy do for data protection? In other words, what measures need to be undertaken to build democracies that effectively protect their citizens and their fundamental rights when it comes to the use of data?
Twenty years after the office of the European Data Protection Supervisor was created, we invite the Summit participants to write a roadmap for the EU so that the next 20 years bring even more profound progress in terms of protection of individuals.