Top jobs at EU’s privacy watchdogs increasingly caught up in politics

Data protection authorities across the EU seem to be increasingly troubled by political motives that delay the appointments of their top officials.

The Spanish regulator is still caught in an ongoing dispute, and in several authorities around Germany, political parties are also intervening in the appointment processes.

The question remains whether companies will see the effects of these lengthy processes in the watchdog’s day-to-day work.

The latest case came last month, when Stefan Brink, the head of the DPA in the German state of Baden-Württemberg, said he wouldn't be available for a second term.

Local media reported that he would not continue in the role — after almost six years on the job — because he disagreed with the government’s appointment to further develop this authority. The coalition between the Greens and the Social Democrat parties would allegedly not be prepared to make more financial and human resources available to the watchdog. Brink confirmed his departure to MLex, but did not specify his exact reasons.

He has been among the most outspoken chairs of the 18 authorities in Germany. For example, Brink persuaded the regional public administrations to move away from US-owned social media platforms, and began investigating state officials for violating the EU’s privacy rules.

Interpretation

Although the General Data Protection Regulation, or GDPR, has been applicable across the EU since 2018, the head of a national authority can still leave his or her mark.

This is because rulebooks often leave room for interpretation. It can show in guidance to companies, where even in a country such as Germany, the various regulators often take different stances. For example when it comes to key articles including standard contractual clauses, which companies use to ensure transfers of personal data are legal.

The new head of the Baden-Württemberg authority will have to start in early 2023. The ball is now in the court of the local government, which will propose candidates, and the parliament, whose members will vote.

The Berlin DPA is also still lacking a formal replacement for a departed head. Maja Smoltczyk left in 2021 when her five-year term in office ended, and the parties have yet to agree on a candidate. Smoltczyk’s deputy Volker Brozio has taken over her tasks in the meantime.

Berlin's legislature had hoped to decide before the summer recess, but failed to do so.

Spain

Spain has been plagued by a long-standing dispute as well. The country’s Supreme Court in March suspended the appointment process for top positions at the authority, as requested by two of the shortlisted candidates.

The court said the selection was not in line with national rules, because the names had been decided upon before the formal selection process had started.

In October, the governing Spanish Socialist Workers' Party and the opposition conservative People's Party had put forward names to replace Mar España Martí, who has held the job since July 2015. This quickly sparked questions about independence.

But Spanish legal experts say that the ongoing dispute does not pose a problem for issuing fines, nor have any delays or disruptions been noticed. The Spanish data protection authority is one of the most active across Europe, with more than 520 fines since the entry into force of the GDPR in 2018, according to MLex data.*

Belgium

In Belgium, disputes at the helm of the authority did lead to questions about independence and even the loss of two of its five directors last month; the national Parliament decided to fire David Stevens and Charlotte Dereppe.

In March of last year, European Commissioner for Justice, Didier Reynders, expressed concern in a letter to the Belgian government that the watchdog would not be independent, as some of its members “cannot be considered free from outside influence”.

Of the three remaining directors, the recently appointed Cédrine Morlière will take over as president. It remains to be seen if the new head of the authority will take a very different approach to run the operations at the watchdog compared to Stevens.

Stevens told MLex in an interview in May that he wanted to become a more “proactive investigator,” meaning that the office should be able to quickly respond to questionable data-protection situations spotted in the news.

“We will act, and more than we did in the past," he said. "Since the EU’s data protection regulation entered into force some years ago, it’s a good development that we are more and more determining our own agenda”.

With Morlière in office, Belgian companies will have to wait and see what she will prioritize.

* MLex GDPR Fines, Penalties & Enforcement Tracker.