Privacy Talk with Leonardo Cervera Navas, Director of the EDPS: What is the history of GDPR?
This interview is talking about future data protection and human dignity.
Kohei is having great time discussing with human dignity and privacy with Leonardo Cervera Navas.
This interview outline:
- Introduction
- Why did you start to work at privacy field?
- What is your motivation to work for data protection?
- What is your role at EDPS?
- What is the history of GDPR?
Kohei: So everybody, this time I’m quite honored to invite Leonardo Cervera from the EDPS, located in Brussels . I’m very happy to explore with him the future trend of the privacy and data protection. Then what we can do together. So, thank you, Leonardo. I’m honored having a conversation with you.
Leonardo: Thank you very much. It is me who is honored for your very kind invitation.
Kohei: Thank you. So first of all, I would like to present his profile.
- Introduction
He’s the Director of the EDPS, the Data Protection Authority of the European Union Institutions. Law graduate of the University of Málaga. Master’s degree in European Law from the University of Granada.
Fellow at Duke University in North Carolina as part of the EU Fellowship Programme of the European Commission. Post-graduate diploma in HR management by Kingston University.
Member of the Málaga Academy of Sciences (correspondent in Brussels). Working in Data Protection in the EU institutions since 1999, in the European Commission and in 2010 he joined the EDPS as Head of HR, Budget and Administration. In 2018 he was appointed Director, and he is responsible for the coordination and implementation of strategies and policies of the institution.
It’s great to be honored to have a conversation with you.
Leonardo: Thank you.
Kohei: Thank you. So let me start with today’s agenda. I’m very interested in why you came to the privacy and data protection field. So could you tell us why did you start to work at the data privacy field?
- Why did you start to work at privacy field?
Leonardo: Thank you. Actually, it happened totally by chance as many things in life. I started my career as a practicing lawyer in my home city, Malaga, in the south of Spain. And I decided to study European law in the 90s. It was a very exotic topic at the time.
Spain had recently joined the European Union and studying European law was like studying I don’t know, aeronautics or something really, really weird. But it turned out that I passed a competition to be an EU official in the European Commission. And the first job I was offered, was working in the Data Protection Unit of the European Commission that at the time was a very small team and the topic was not so important as it is today.
So I had the privilege and honor to work on data protection when this was very unknown and to contribute to the growth of this discipline, so totally by chance, but I got really, really lucky at the time.
Kohei: I see, What is the motivation to keep working on the data protection? I’m very inspired from some of the interviews and your stances to take a balance between the protection and the innovation. So I’m personally interested in what do you think about it? How do you keep it?
- What is your motivation to work for data protection?
Leonardo: Yes, actually, in the European Commission, where I started working, they have a rotation policy. So after some years, you’re supposed to move from one topic to another one. I was in the internal market department of the European Commission. Then I was offered to move to the copyright unit. And then when I was there for some months, I realised I didn’t like it. It was too mercantilist, too money oriented.
So as soon as I had the opportunity to go back to human rights and data protection I did it. My opportunity came when the European Data Protection Supervisor was created and the first European Data Protection Supervisor Peter Hustinx and the deputy at the time, Giovanni Buttarelli, really knew that I was not happy in copyright, so they called me and they said “come over to the Data Protection Authority” and since then I am there.
I’m being devoted to data protection because it is almost social engineering and it goes beyond the law. It’s a way of shaping our future as human-beings, giving dignity to the people besides the machines, so I find it a fascinating job and that’s why I’m sticking to the data protection probably until I retire.
Kohei: I see, yeah, that is very interestingfor me. So in terms of the law of the EDPS, you’re the Director of this institution. So what is the role of the EDPS? What are you in charge of there?
- What is your role at EDPS?
Leonardo: In the EU institutions, the EDPS is one of them. So in the European Union there are some topics that are kind of centralised in Brussels, let’s say federal topics, and then many topics that are still competence of the Member States: France, Germany, Spain, etc.
So the EDPS is one of those, let’s say, federal institutions based in Brussels, and we have a politically appointed Supervisor, Mr Wiewiórowski, who is with us for a term of five years.
So far we have had three Supervisors appointed: Mr Hustinx, Mr Buttarelli and now, Mr Wiewiórowski. Below these politically appointed members, we have staff, EU officials, fully independent and I am the Chief of Staff of these colleagues.
We are at the moment around 120 colleagues. So my function is both administrative, as the boss of these people, but also the closest person to the Supervisor, advising him on the policies and coordinating the necessary in the house to achieve his vision.
Kohei: Thank you. That is a quite important role in data protection in Europe. I suppose it. My next question is about your speech at the Duke University. I watched a movie in 2019 which was a very interesting topic for me as well.
So my next question is about the GDPR. What is the origin to establish the GDPR as well as what is the strategy, from your perspective, for the next GDPR?
- What is the history of GDPR?
Leonardo: Okay, so, data protection for the European Union is something with such a long history now. History of several decades. The things started in the 80s, where some countries like France created the first data protection authorities.
And at the time, there was a risk that having different data protection laws may create problems for the transfer of personal data between European countries. And in order to avoid that, a Directive, a European law was adopted in 1995, the Data Protection Directive .It was precisely because of the entry into force of that directive that I was recruited.
So they needed someone to take care of the transposition of the directive in the Member States (e.g. Spain, Portugal, Greece), and that’s why they recruited officials like me. So this directive was very helpful in harmonizing the situation, but it was adopted in the 90s.
The Directive was not fully grasping the technical evolution of internet. Internet was kind of there, but still in its infancy, so after several years, it was found that it was necessary to update the law, and that’s why in 2012 the European Commission, made this proposal for the GDPR, that was finally adopted in 2016, and only entered into force in 2018.
So it’s going to be four years since the GDPR entered into force. The idea was to update the law to catch up with the new technologies and to give data protection authorities more powers, so they can be more effective.
And it was also to further harmonize the law, because a directive gives some margin of maneuver to the member states to take their own decisions. Our regulation is directly applicable. So it is impossible to change from the text of the regulation.
So this is what it is referred as “the Brussels effect”: we put out there a leading proposal on human rights, and then we hope that all the countries jump on it. Like that, we will be able to set up an international standard de facto.
I think this is what the GDPR achieved but of course, talking about the future strategy, the game is not over. It’s far from being over. We need to continue working, because technology is continuously evolving.
And the data protection legislation needs to mirror this technological development. We need some provisions of the GDPR to be further clarified. I’m pretty sure in Japan, you will have the same issues, you have your own GDPR, so to say, and I’m sure the Japanese Data Protection Authority will be helping to clarify some provisions.
In Europe we are also now completing the picture with a new generation of specific targeted regulations. So we are in the process of adopting the Digital Services Act, the Digital Markets Act and the Data Governance Act. So you see, these are all regulations for the digital world that complement the GDPR and most importantly, we have come to a moment where we have to move from words to action.
But we need to make sure that there is a more efficient, effective enforcement of the law and in order to have a discussion about it, we are organizing a high level international conference in Brussels ,on the 16 and 17 of June this year 2022.
The idea is to explore how enforcement is done not only in Europe, but also in other jurisdictions to be able to have more robust and effective enforcement of the law. We also have some long term challenges and we need to find solutions. A good example is the issue of transfers of personal data to the United States.
This is a big problem because there is a strong relationship between Europe and the United States and the fact that we don’t have a long standing, permanent, sustainable solution for these data transfers is an issue we need to work on very seriously.
Thank you for reading and please contact me if you want to join interview together.
Privacy Talk is the global community with diversified expert, and contact me below Linkedin if we can work together!
