Given the theme of the Summit and the specific role of the EDPS, we would like to continue these reflections in a more specific context of the role of data protection in relation to the State.

The EU’s legal order insists that public authorities are subject to similar, if not identical, rules concerning data processing as private entities. Moreover, such a framework applies to law enforcement authorities. The principle behind such an approach is that the State is no less capable of intrusion into the privacy of individuals (historically, it is the State’s powers that triggered the need for data protection laws), and therefore, no differentiation should be made on the level of data protection principles and obligations.

What are the lessons learned from this approach? Indeed, is data protection serving its function of limiting the State’s appetite for data? Are the powers of States, as well as its functions and societal needs it is expected to meet, something that data protection laws govern sufficiently well? Lastly, are the recent developments e.g. in terms of interoperability of databases, both within Member States and among them, a process that data protection laws capture efficiently?