DPAs Talk Enforcement Approaches at IAPP Conference
BRUSSELS -- It has taken time for DPAs to get up to speed on what the GDPR means in practice and how to carry out fast, objectively fair enforcement actions, Irish Data Protection Commissioner Dale Sunderland said Wednesday at the IAPP Data Protection Europe Congress.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The Irish watchdog has imposed fines worth billions of euros, but its penalties have also included corrective actions, which have a bigger impact on behavioral change, Sunderland added.
There's increasing pressure on DPAs as the number of privacy complaints rises, so regulators must be led by cases that are high-risk, carry systemic risks and pose the greatest harms to individuals, Sunderland argued. The challenge is to regulate in real time on issues that have systemic impact, he said.
The Irish agency is learning how to operate more quickly, handle investigations soundly and merge technological and legal skills, Sunderland said. It needs to be able to take a more proactive approach that looks toward preventing data protection breaches rather than simply reacting to them after they happen, he added.
The European Data Protection Board continues to look for effective ways to build more cooperation among national DPAs, said Chair Anu Talus. The EU Council this week harmonized rules for cross-border enforcement (see 2511170001), and the board is preparing to implement them on a practical level, she said.
As the complexity of EU laws has increased, the EDPB has found cross-border cooperation to be important, Talus said. With the European Commission, it has already adopted guidelines on the intersection of the GDPR with the Digital Services Act and Digital Markets Act, and it's now crafting guidance on the nexus between the GDPR and AI Act, she noted. Meanwhile, European Data Protection Supervisor Wojciech Wiewiorowski said his office has launched a digital clearinghouse to provide a more flexible way to follow the interactions among all the digital laws.
With regard to the EC's digital omnibus package (see 2511190005), Talus said the EDPB approached the debate on data protection versus innovation "with very open minds." Rules can be eased only if core data protection principles remain untouched, she said.
Asked whether Ireland's watchdog has the bandwidth to work on growth, innovation and simplification alongside its privacy duties, Sunderland said his focus is on ensuring that its supervisory work guarantees that what companies deliver into EU markets meets European requirements.
Data protection rules and new technologies must work together, Sunderland said, because if they don't, then innovation will go outside privacy guardrails.
DPAs can lead in making the law clear to companies, Sunderland said. They must investigate where they need to but can do much more at the preventative stage, he added.