🔥JOIN THE CALL: Open letter to EU institutions to safeguard EDPS’ independence
On Data Protection Day, Digihumanism, together with other experts in the field of data protection, artificial intelligence, EU law, fundamental rights, democracy and the rule of law, are calling EU institutions to safeguard the independence of the European Data Protection Supervisor (EDPS), in the framework of the appointment of a new Supervisor.
TO ADD YOUR NAME TO THE LIST OF SIGNATORIES, PLEASE CLICK HERE.
To:
Mr Adam BODNAR
Presidency of the Council of the European Union - Polish Ministry of Justice
Ms Roberta METSOLA
President - European Parliament
Ms Ursula von der Leyen
President - European Commission
cc:
Ms Thérèse BLANCHET, Secretary-General – Council of the European Union; Mr Alessandro CHIOCCHETTI, Secretary-General – European Parliament; Ms Ilze JUHANSONE, Secretary-General – European Commission;
Mr Javier ZARZALEJOS, Chair – LIBE Committee – European Parliament
Subject: Appointment of the European Data Protection Supervisor
Dear Presidents and Minister,
We, the undersigned, would like to bring to your attention the existence of a serious risk that the European Data Protection Supervisor (EDPS) may no longer be in a position to fulfil properly their mission to supervise the compliance of EU institutions with the EU personal data protection legal regime.
The appointment as European Data Protection Supervisor of a candidate who has spent “12 years working in managerial roles in the area of data protection”[1] at the European Commission, an institution EDPS is supposed to monitor, would raise a clear case of conflict of interest and undermine EDPS’ mission and legitimacy.
This would be a violation of the constitutionally protected complete independence of EDPS[2] and of the principle of good administration. This would also undermine the European system of checks and balances, in favour of the Commission.
On Data Protection Day, we would like to recall that data protection is an expression in the digital age of our fundamental values and an essential safeguard for our rights and freedoms. Independent supervision and enforcement is indispensable to ensure that our rights, and corresponding obligations, are a practical reality.
We thus urge you to appoint as European Data Protection Supervisor a candidate whose independence is beyond doubt.
Thank you for your attention and swift action,
Please find in annex:
- State of EDPS appointment procedure
- Legal requirement_EDPS independence
- Examples of files illustrating conflict of interests EDPS / European Commission
Yours sincerely,
Dr. Karine Caunes, Executive Director, Digihumanism – Centre for AI and Digital Humanism
Emilio De Capitani, Scuola Superiore Sant’Anna
Prof. Douwe Korff (emeritus), London Metropolitan University
Prof. Carissa Veliz, University of Oxford
Prof. Virginia Dignum, Umea University
Prof. Joanna Bryson, Hertie School of Governance
Prof. Lee A. Bygrave, University of Oslo
Prof. Francesca Palmiotto, IE University
Prof. Yves Poullet (emeritus), University of Namur
Cigdem Akin, Centre for AI and Digital Humanism
Prof. Niovi Vavoula, University of Luxembourg
Monique Munarini, University of Pisa
Prof. Eleni Kosta, Tilburg University
Prof. Herwig C. Hofmann, University of Luxembourg
Marco Giufre, The Good Lobby
Prof. Giovanni Sartor, University of Bologna, European University Institute
Prof. Petra Bard, Radboud University
Prof. Simona Demkova, Leiden University
Prof. Pier Giorgio Chiara, University of Bologna
Emmanouil Roussos, Tilburg University
Sabire Sanem Yilmaz, Scuola Superiore Sant’Anna
Prof. Laura Drechsler, KU Leuven
Veronica Cretu, Independent expert in data governance and AI policy
Dr. Alicia Takaoka, Erasmus University Rotterdam
Prof. Maria Bergström, Uppsala University
André Rebentisch, OpenTechSummit
Prof. Elspeth Guild, University of Liverpool
Aimen Taimur, Tilburg University
Prof. Maciej Bernatt, University of Warsaw
Konstantina Pezou, Fairphone
Dr. Giovana Lopes, Tilburg University
Maria Maggiore, Investigate Europe
Giorgio Guglielmetti, University of Amsterdam
Yasemin Kuleyin, EkoAvrasya Foundation
Dr. Alessandra Chirico, Chirico Consulting
Prof. Simonetta Vezzoso, Trento University
Caroline Friedman Levy, Center for AI and Digital Policy
Prof. Andreas Kotsios, Uppsala University
Ulrika Wennberg, Adducam AB
Amit Dev, Independent expert
Dr. Marta Bienkiewicz, Independent expert in digital policy and governance
Leyla Gayibova, The Hague University of Applied Sciences
Dr. Huma Shah, Coventry University
Fernando Fernandez, NUM3RUS Gmbh
Dr. Chiara Gallese, University of Turin
Valentina Pinna, EISMEA
Prof. Lisette Mustert, Utrecht University
Frank Spaeing, Deutsche Vereinigung für Datenschutz e.V.
Giuliana Bongiorno
Prof. Johanna Chamberlain, Uppsala University
Prof. Sophie Stalla-Bourdillon, Brussels Privacy Hub, VUB
Prof. Olivier Blazy, Ecole Polytchnique
Elena Dartigues
Prof. Ian Brown, Fundaçao Getulia Vergas Law School
Pat Walshe, PrivacyMatters
Andrea Dartigues, EU citizen
Mario Guglielmetti, Scuola Superiore Studi Universitari e di Perfezionamento S.Anna
Prof. Colette Cuijpers, Tilburg University
Dr. Aida Ponce del Castillo, European Trade Union Institute
Mike O’Neill, Baycloud Systems
Dr. Carlos Lemos, University of Lisbon
Prof. Ingrid Schneider, University of Hamburg
Joel Loven, Piratpartiet
Pia Tesdorf, Data protection, Infosec Advisor
Prof. Dimitry Kochenov, CEU Democracy Institute
Adri Brink
Aleksandr Popov, Atticus Finch OÜ
Ronni K. Gothard Christiansen, AesirX.io
Susanne Henriksen
Kim Bjørn Jensen, DPO
Bo Voigt Zendata
Torben Hedegaard Hansen
Pernille Tranberg, Dataethics.eu
Tony Albers, Danish citizen
Juan Sierra Pons
Massimiliano Spiga, Ecoristrutturiamo srl
Dr. Elora Fernandes, KU Leuven
Niels E. Anqvist, Zafehouze
Daniel Melin, Safespring AB
Tara Bassirian, Datarainbow
Iben Ulbeck, CFO
Anders Dyrholm, Orbit Online A/S
Louise Mehl, Implement Consulting Group
Claus Bobjerg Juul, EU citizen
Sabine Haselbeck, Datenschutznet.de
Prof. Nora Ni Loideain, University of London
Dr. Giulia Schneider, SAnt'Anna School of Advanced Studies
TO ADD YOUR NAME TO THE LIST OF SIGNATORIES, PLEASE CLICK HERE.
ANNEX
State of EDPS appointment procedure
According to Article 53 (1) of Regulation (EU) 2018/17251,[3] the European Parliament and
the Council appoint, by common accord, the European Data Protection Supervisor for a
term of five years on the basis of a list drawn up by the Commission following a public call for candidates.
The Commission decided on 13 November 2024 to adopt the following list of candidates, in alphabetical order, in view of the final decision to be taken by the European Parliament and the Council of the European Union.
• Mr Bruno GENCARELLI
• Mr François PELLEGRINI
• Ms Ana POULIOU
• Mr Wojciech WIEWIÓROWSKI
On 16 January 2024, the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) hosted hearings for the four candidates seeking appointment as the next European Data Protection Supervisor, followed by a vote.
Accordingly, the LIBE Committee ranked the candidates as follows:
• Mr Bruno GENCARELLI (32 votes)
• Mr François PELLEGRINI (30 votes)
• Mr Wojciech WIEWIÓROWSKI (26 votes)
• Ms Ana POULIOU (11 votes)
On 17 January 2024, the Committee of the Permanent Representatives of the Governments of the Member States to the European Union voted and ranked the four candidates in the following order:
• Mr Wojciech WIEWIÓROWSKI (81)
• Mr Bruno GENCARELLI (57)
• Mr François PELLEGRINI (42)
• Ms Ana POULIOU (33)
It is now up to the European Parliament and the Council to come to an agreement.
Should this not be the case, it will be up to the Member States to decide the next procedural steps before a new vote is held.
The Presidency of the Council of the European Union will inform the Council’s Working Party on Data Protection on the EDPS appointment at its meeting on January 29.
Legal requirement_ EDPS independence
Article 16 of the Treaty on the Functioning of the European Union:
“1. Everyone has the right to the protection of personal data concerning them.
2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.”
Article 8 of the EU Charter of Fundamental Rights - Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.”
Article 53 (2) of Regulation (EU) 2018/17251:
“The list of candidates (…) shall be made up of persons whose independence is beyond doubt.”
Recital 72 of Regulation (EU) 2018/17251:
“The establishment (…) of the European Data Protection Supervisor, who is empowered to perform his or her tasks and exercise his or her powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. (…) The European Data Protection Supervisor should be a person whose independence is beyond doubt and who is acknowledged as having the experience and skills required to perform the duties of European Data Protection Supervisor, for example because he or she has belonged to one of the supervisory authorities established under Article 51 of Regulation (EU) 2016/679.”
The European Court of Justice has repetitively asserted that complete independence is “an essential component of the protection of individuals.”[4]
Supervisory authorities “must enjoy an independence allowing them to perform their duties free from external influence. That independence precludes inter alia any directions or any other external influence in whatever form, whether direct or indirect, which may have an effect on their decisions and which could call into question the performance by those authorities of their task”[5]
“[T]heir decisions — and, therefore, the authorities themselves — [shall] remain above all suspicion of partiality.”[6]
Examples of files illustrating conflict of interests EDPS / European Commission
The list of candidates includes the European Commission’s DG JUST Head of Unit on International Affairs and Data Flows.
1/ See Action brought before the European Court of Justice on 17 May 2024, Case T-262/24 Commission v. EDPS concerning among others transfers of personal data to third countries, with regard to the use of Microsoft 365 by the Commission.[7]
In this case, the European Commission seeks the annulment of the decision of 8 March 2024 of the European Data Protection Supervisor concerning his investigation into the use of Microsoft 365 by the European Commission in Case 2021-0518.[8]
2/ See EU/US personal data transfer agreements saga whose last iteration, prepared by the European Commission, is currently before the European Court of Justice.
See famously, Giovanni Buttarelli, late European Data Protection Supervisor:
"I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court. Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it’s time to develop a longer term solution in the transatlantic dialogue."
Context: In his capacity as an independent supervisor of the EU institutions and advisor to the EU legislator, the European Data Protection Supervisor (EDPS) published his Opinion on the EU-U.S. Privacy Shield in which he offered practical solutions to address some of the concerns the proposal raises.” [9]
[1] European Parliament, Committee on Civil Liberties, Justice and Home Affairs, Appointment of the European Data Protection Supervisor for the term 2024-2029, Hearing of the candidates on 16 January at the European Parliament, Replies of candidate Mr Bruno Gencarelli, https://www.europarl.europa.eu/cmsdata/292347/1311200EN.docx.
[2] Article 16 of the Treaty on the Functioning of the European Union, Article 8 of the EU Charter of Fundamental Rights, Article 53 (2) of Regulation (EU) 2018/17251 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) 45/2001 and Decision 1247/2002/EC, and the case law of the Court of Justice of the European Union.
[3] Regulation (EU) 2018/1725, op. cit.
[4] Case Commission v Hungary (Grand Chamber) EU:C:2014:237 Paragraph. 48 ; Case C‑518/07 Commission v Germany EU:C:2010:125, Paragraph 23, and Case C‑614/10 Commission v Austria EU:C:2012:631, Paragraph 37.
[5] Commission v Hungary (Grand Chamber) EU:C:2014:237 Paragraph 51 ; Commission v Germany EU:C:2010:125, paragraph 30 ; and Commission v Austria EU:C:2012:631, paragraphs 41 and 43
[6] Case Commission v Hungary (Grand Chamber) EU:C:2014:237, Paragraph 53 ; Commission v Germany EU:C:2010:125, Paragraph 36, and Commission v Austria EU:C:2012:631, paragraph 52
[7] Case T-262/24: Action brought on 17 May 2024, Commission v EDPS
OJ C, C/2024/3925, 1.7.2024, ELI: http://data.europa.eu/eli/C/2024/3925/oj.
[8] EDPS decision on the investigation into the European Commission's use of Microsoft 365, 8 March 2024, https://www.edps.europa.eu/data-protection/our-work/publications/investigations/2024-03-08-edps-investigation-european-commissions-use-microsoft-365_en.
[9] European Data Protection Supervisor, Privacy Shield: more robust and sustainable solution needed, 30 May 2016, https://www.edps.europa.eu/press-publications/press-news/press-releases/2016/privacy-shield-more-robust-and-sustainable_en.