Despite US Actions, Irish Commissioner Upbeat About Data Privacy Framework
The EU-U.S. Data Privacy Framework (DPF) appears to be holding despite Trump administration actions in connection with the FTC and Privacy and Civil Liberties Oversight Board (PCLOB), Irish Data Protection Commissioner Dale Sunderland said during a May 14 interview at the IAPP AI Governance Global Europe conference in Dublin.
In January, President Trump "terminated" the three Democratic members of the PCLOB (see 2501280044). In March, he fired the two Democratic members of the FTC (see 2503190049).
Sunderland noted that he and DPC Chairperson Des Hogan met with stakeholders across the Trump administration at the April IAPP Global Privacy Summit in Washington. While there were divergent views on topics such as protecting children online, "there was huge commonality and common ground on issues."
DPC officials also engaged with key individuals involved in DPF-related work, such as the PCLOB, various civil liberties and oversight boards in offices within the national security apparatus and the FTC, Sunderland said.
While there have been personnel changes, he said, "What we heard, very loud and clear from all of these people we met, was that they can continue to do their job and the whole architecture that was put in place is continuing to work."
The DPC is the lead supervisory authority for nine of the 10 global tech companies because their European headquarters are in Dublin, Sunderland noted. Most are American businesses, but some are from elsewhere. The DPC, for example, recently fined TikTok $600 million for GDPR breaches (see 2505020001). DPC oversight isn't driven by country of origin but by the nature of the business headquartered in Ireland, he said.
The tech companies "are in a very personal data-intensive space," which is a fundamental part of their business models, Sunderland said. It's "inevitable" that they'll have more engagement with DPAs than global companies in other sectors. U.S. companies "are in the spotlight with us because of the nature of the data in their business model, the volume of personal data being processed and the quite intensive and sometimes invasive processing of personal data."
Asked whether the office feels pressured by the Trump administration to back off U.S. Big Tech, Sunderland said that while the DPC is aware of geopolitics, its work is "business as usual."
The office "is always going to find itself in a place where it will have buffeting winds" because the environment in which it exists is linked to so many other geopolitical issues, he said.
"For us, it's important that we continue to do our job fairly, proportionately, in a professional manner, and to be issues-based." The office’s focus is on where the greatest harm to individuals arises; what needs to be done to ensure that individual rights are protected; and how to facilitate responsible and safe use of data and innovation that aligns with good data protection practices.
Ultimately, Sunderland said, the DPC's greatest defense against criticism is to be able to say it's focused on the issues.
The DPC, in principle, is in favor of an expected European Commission proposal to amend the General Data Protection Regulation (GDPR) that will extend reporting requirements exemptions to organizations with fewer than 500 employees, Sunderland said.
"I think where the DPC would stand is that the GDPR is good law," he said. The office would be open to considering further tweaks as long as they maintain the essence of the law and the proper protections.
In January, the EU General Court ruled that the DPC acted unlawfully when it refused to investigate a complaint from Noyb, the Austrian privacy organization (see 2501290016).
The issue was whether the European Data Protection Board (EDPB) had the authority to order the DPC to launch investigations into companies' processing operations after it had cleared them of GDPR breaches. The DPC argued it lacked the power; the General Court disagreed.
The DPC decided not to appeal that decision to the European Court of Justice (ECJ), Sunderland said. The case was taken up to deliver more clarity on the respective roles of the EDPB and national DPAs, which the General Court has now done.
Is Sunderland optimistic or pessimistic about the future of privacy and data protection?
"I'm positive." This is a time of "reflection points." One is the focus on AI technology and how that has changed things from a data protection point of view; another is what's happening in global geopolitics.
Nevertheless, "the fundamentals haven't changed, in that every organization needs to know what personal data they're processing, why they're processing it, and how to do it in the right way. At the heart of it is trust -- consumer trust, societal trust."
"We need to continue to focus our narrative around data protection not being an inhibitor." DPAs should help industries understand what regulators want and that they won't just use their power for enforcement but can also help raise standards.
It's important to get this right "because we're now embedding the next era of technology and the fundamentals haven't changed," Sunderland added. "If the fundamentals aren't sound, I think that would be a very difficult scenario over the years ahead."