Data Protection Day 2024

Data Protection Day presents an opportunity to reflect on the current state of play and to consider what’s approaching. In this context, the European Commission’s press release on 26 January and the EDPB’s recently published report on the Designation and Position of Data Protection Officers provide useful indicators.

Firstly, in a joint statement Vice-President Jourová and Commissioner Reynders said:

“This year the General Data Protection Regulation (GDPR) will celebrate its 6th anniversary as the EU flagship data protection law and a global benchmark for privacy regulation. It is delivering for citizens and businesses. Continuing to ensure its full implementation and robust enforcement remains our top priority. Therefore, last July we presented new rules to improve the cooperation of national data protection authorities in cross-border cases. This is relevant in particular to ensure compliance of the big tech multinationals. This year, we will issue the second report on the application of the GDPR.”

The handling of cross-border cases continues to be one of the most topical and contentious issues in respect of the implementation of the GDPR. It remains to be seen whether the Commission’s proposed new procedural rules will iron out the kinks that have been widely apparent in the application of the one-stop shop regime to date.

Meanwhile, the EDPB’s recently published report on the designations and position of DPOs sets out useful recommendations and observations on the role of the DPO. Among these, there is a recognition of the rapid evolution of this role, even though it is a recently established concept at an EU level. The EDPB commented that:

“At a time when a number of EU legislations in the digital field are being developed or have recently entered into force, the role of the DPOs seems to be changing. In practice, and to name just a few, it seems that DPOs of some organisations are internally picking up key roles under these legislations, such as the AI Act, the Digital Services Act, the Digital Market Act or the Data Act, and, more and more, are being tasked with new roles that are related to AI, ethics, data governance and data spaces. These new roles may reinforce some of the concerns identified above, such as the risk of conflicts of interests or the insufficient resources at the disposal of the DPOs. It is therefore vital that all stakeholders seriously consider how DPOs are being tasked, utilised and supported, to ensure that they can provide the best added value for everybody involved.”

While this commentary focuses specifically on the role of a DPO, it could apply equally to privacy or data protection functions generally (whether they are labelled a DPO function or otherwise). It is a challenge for those working in this field to remain on top of the latest developments specifically in the rapidly evolving area of data protection law and to address their core data protection responsibilities within their respective organisations.  However many are also expected/required to broaden their remit to address the wave of new regulation of the digital economy that is emerging. 

It is a legal requirement under the GDPR that a DPO has expert knowledge of data protection law and practices and the ability to fulfil the tasks specified in Article 39. Increasingly, it is a practical requirement that DPOs and their equivalents also have at least a strong working knowledge of current and new related laws.

We look forward to continuing to help our clients navigate these issues in the year ahead.  

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.