January 2022 marked the ten year anniversary of the emergence of the first draft of the General Data Protection Regulation (GDPR). A decade later, and almost four years after the GDPR’s entry into application, the EDPS believes it is time to reflect on the functioning and efficiency of the Regulation. This is why, on 16 and 17 June 2022, the EDPS will host a conference in Brussels bringing together global stakeholders from the digital regulatory sphere to reflect on and discuss current approaches to enforcement models. 

The conference, titled “The future of data protection: effective enforcement in the digital world”, was born out of the EDPS 2020-2024 Strategy, where the wheels were set in motion for the EDPS to host “a conference on how to safeguard individuals’ rights in a world that will, hopefully, be recovering from this current crisis”. 

With this conference, the EDPS seeks to acknowledge that there is scope for discussion on and potential improvement of the way current governance models are implemented in practice. The EDPS therefore plans to create a platform to bring the world’s best practices together, and steer meaningful discussions about the digital regulatory sphere. 

At the time of the Conference on the Future of Europe, the EDPS believes that such a discussion on the future of privacy and data protection can also serve to reinforce the role of the EU as being at the centre of this debate. Under the umbrella term of “discussions about the digital regulatory sphere”, the EDPS envisions a dialogue on regulations pertaining to data protection, competition, digital markets and services, and artificial intelligence - both in the EU and beyond. In particular, we aspire to encourage a discussion on the different approaches to enforcement action, and facilitate the sharing of experiences on best practices and systemic challenges in enforcement. 

The first years of the GDPR’s operation revealed much progress in the way personal data is protected across the digital domain. However, some shortcomings were also brought to light. In cases involving cross-border processing of personal data, enforcement of the GDPR hinges upon the effectiveness of the One-Stop-Shop mechanism (OSS). 

The OSS stipulates that companies with a main establishment in the EU shall, in principle, only have one interlocutor, namely the authority of the EU Member State where their main establishment is located. At the same time, the GDPR also puts in place a cooperation and consistency mechanism that provides for the involvement of the supervisory authorities of other EU Member States. Despite the important efforts to enhance enforcement and cooperation, critics continue to question the efficiency and long-term viability of this enforcement model. 

Therefore, the conference will seek to explore both constructive improvements that exist within the current framework, but also alternative models of enforcement of the GDPR, including a more centralised approach. Foresight – that we define as a disciplined exploration of alternative futures – is key to reach tangible and actionable outputs. The EDPS therefore aims to bring together leading minds that can collectively provide suggestions for optimal approaches to enforcement.