Six months after the mandate of the privacy watchdog of the EU institutions – the European Data Protection Supervisor (EDPS) – expired, EU lawmakers and national governments still can't agree on who will lead the authority.
And the decision on who will take over from the current EDPS, Poland’s Wojciech Wiewiórowski, is no closer to being taken, according to people familiar with the matter.
The selection process has been plagued by delays. Hearings, which were due before 5 December, when Wiewiórowski’s mandate ended, were pushed back by the Commission to January because of delays with approving a shortlist of candidates.
After that, politicians failed to agree on a successor, with both the European Parliament and the member states backing different candidates from the four contenders picked by the Commission following hearings in January.
A special working group with representatives from both institutions was set up, which met a few times, but those meetings were inconclusive, and no further meeting has been convened on the issue.
The Parliament’s Civil Liberties, Justice and Home Affairs Committee, LIBE, voted to appoint long-time Commission official Bruno Gencarelli, from Italy, while the member states are backing Wiewiórowski to stay on for another mandate.
In March, think tank Centre for AI & Digital Humanism and a group of privacy academics wrote to the Parliament and Commission presidents, signalling Gencarelli ought to be conflicted from the role.
Appointing him would be “a violation of the constitutionally protected complete independence of EDPS and of the principle of good administration. This would also undermine the European system of checks and balances, in favour of the Commission,” the letter said, adding that the next privacy chief should be a “candidate whose independence is beyond doubt.”
The EDPS job has never been held by a former Commission official: Wiewiórowski, as well as his predecessors Peter Hustinx (2004-2009 and 2009-2014) and Giovanni Buttarelli (2014 -2019) all previously worked at national supervisory authorities.
Opinions
Established in 2004, the EDPS is unable to fine tech giants for breaches of EU privacy rules — that's a competence of the national data protection authorities — it publishes opinions on legislative proposals and weighs in on upcoming digital legislation.
In the absence of a new head of the watchdog, Wiewiórowski is continuing his work.
For example, earlier this month the EDPS office published an opinion on rules proposed by the Commission to establish a common system for the return of third-country nationals staying illegally in the EU.
His advice was to carry out an in-depth fundamental rights impact assessment “to better identify and mitigate potential risks."
Isabelle Roccia, Managing Director, Europe of privacy professional’s organisation IAPP, told Euronews that the role of the EDPS has developed much more than was anticipated when it created 20 years ago.
“It [now] oversees compliance for close to 80 EU entities and has built a significant role in EU policymaking over time,” Roccia said.
“Understandably, MEPs and member states are carefully gauging how the next Supervisor could navigate data protection vis-à-vis other areas of law, new technology, security and geopolitics, at a time when the Commission is focused on competitiveness and simplification,” she added.
The Commission did not reply before publication to a request for a comment.
