In January, European Data Protection Supervisor (EDPS) Peter Hustinx and his staff celebrated the EDPS’ 10th year as an institution. However, though his two-term run had expired, any boxes Hustinx had packed full of his personal effects would need to be disassembled; he had all but blown out the candles on his proverbial “Bon Voyage” cake when the European Commission said, “Not so fast.”
“The show went on,” Hustinx said from the EDPS headquarters in Brussels, where he still sits at the head of the table. That’s because the commission decided the candidates hoping to take Hustinx’s place were not up to par, and, as such, Hustinx is required by law to remain at the helm until a new EDPS is chosen.
But why? What went wrong? Reportedly, Polish Data Protection Commissioner Wojciech Rafał Wiewiórowski and Assistant EDPS Giovanni Buttarelli were among those on the list.
“We’re in some sort of political game here,” said Henriette Tielemans of Covington & Burling.
One thing is for sure: The details of the struggle to appoint a new EDPS are being kept under a very tight lid by the European Commission and those involved in the process. Meanwhile, the role of EDPS is about to become even more important, and it’s fair to say there are some nerves over who will replace someone as highly revered as the first-ever to assume it.
Will Hustinx’s replacement be tech-savvy? Have expertise on data protection? What will their politics be? No one knows.
Following the publication of a vacancy letter in July 2013, a pre-selection panel interviewed eight candidates to move on to round two. From there, five candidates were selected and sent to a third-party assessment center, where they were judged on their abilities to “inspire, lead and manage in a multinational and multicultural environment.”
It’s not an easy position to fill, for the very reason of how Hustinx (the first-ever EDPS) has written it. He’s created a very comprehensive role for the EDPS, and his successors are bound by this. That being said, there must be somebody out there trying to fill those big shoes.Henriette Tielemans, Covington & Burling
Next, the candidates were interviewed by the Consultative Committee on Appointments, chaired by the European Commission’s secretary general and assisted by a third-party human resources expert as well as members of European Parliament and the European Council.
But that committee “did not feel that any of the candidates displayed the necessary combination of vision with the ability to ensure effective implementation,” wrote Vice President of the European Commission Maroš Šefcovic in a letter dated December 20, 2013, and addressed to the chairman of the Committee on Civil Liberties, Justice and Home Affairs. Šefcovic noted this view “was shared by the observers from the European Parliament and the Council,” adding, “I hope that you will share my view that Parliament and Council should not be presented with candidates who, in reality, would not fulfil the high standards expected.”
Tielemans said she thinks it comes down to priorities.
“I think the choice is either someone who manages the department or someone that is well-versed in data protection, and I’m obviously hoping they would take the latter—in which case it either has to be somebody from one of the data protection authorities or someone from private practice who has been handling privacy,” she said.
Slovenia Information Commissioner Nataša Pirc Musar said it’s a critical time for data protection and privacy and it’s essential that Europe uphold the premium it’s placed on the two.
“I think Europe should not become the U.S.,” she said. “We have to maintain what we’ve achieved.”
Noting the expansion the role the EDPS will take under the new data protection regulation, Tielemans said the role certainly can’t be played by just anyone.
“It’s going to be a position of some public importance,” she said. “Under the new regulation, the EDPS will be the final word on contentions between the various member states and on some important issues.”
Even without its expanded powers under the regulation, Hustinx has curated a role—charged with ensuring EU institutions respect the fundamental right to data protection and advising government on policies and legislation that affect privacy—that is highly recognized, respected and consulted. And, he’s built a two-man office—as it was in its beginnings in 2004—into a staff of nearly 50.
“It’s not an easy position to fill, for the very reason of how Hustinx (the first-ever EDPS) has written it. He’s created a very comprehensive role for the EDPS, and his successors are bound by this,” she said. “That being said, there must be somebody out there trying to fill those big shoes.”
Musar knows there are. She said she was surprised at the news that the commission wasn’t able to endorse a candidate given the resumes it had in front of it.
“I know personally all five" candidates, she said. “And all of them do possess the knowledge required” for the job. She added it’s, “Not good for the European Commission that this is going on, that they did not find a suitable candidate.”
While the European Commission was not available for comment when reached by The Privacy Advisor, a spokesperson for Šefcovic did say previous candidates are welcome to reapply for the position.
There have been some rumblings among European insiders that the commission’s refusal to further consider any of the prospective candidates is a political move, amidst rumors that Vice President for Justice Viviane Reding would herself like the job.
No one was willing to talk “on the record” about that.
Despite the delay in his departure from the post, which he held for two consecutive five-year terms, Hustinx said it’s certainly not a lame-duck position in these times.
“There’s no problem in terms of the need to act,” he said. “When we need to act, we are acting.”
In fact, the EDPS recently launched an opinion stating enforcing EU law will be essential in rebuilding trust with the U.S.
Soon, Hustinx said, “we will probably see a new procedure being launched, which means a notice in all member states with a time limit of a month or so and then new steps for selection.”
Despite the delay, “The commission has made it very clear that they want to close and move on,” he said. And that’s what he wants, too.
This time, he said, it will be essential to look back at past mistakes to ensure the second go-round is successful. That means “adequate publicity—not doing this in July when everybody is on the beach.”
The specific provision requiring that he stay on the job is the “Principle of Continuity,” or Article 46.2 of the Data Protection Regulation, and, he said, “I’ve made it known that my availability to continue under 46.2 was limited to a period—a reasonable period, to allow a successor to be selected in a possible second procedure.”
After all, he quips, “You can deliver a human being in nine months.”