ADVERTISEMENTLawmakers of the Parliament’s Civil Liberties, Justice and Home Affairs Committee, LIBE, will tomorrow hear four candidates that are hoping to become the next European Data Protection Supervisor (EDPS) – the privacy watchdog of the EU institutions.
The hearings were due last November but were delayed because the European Commission failed to draw up the shortlist before the mandate of the current EDPS, Wojciech Wiewiórowski, expired on 5 December.
Although the EDPS is not able to fine Big Tech companies for a privacy breach — that’s a competence of the national data protection authorities — its role as an advisor to those watchdogs is significant.
Later this year, the AI Act will start to apply, and national privacy watchdogs will see their privacy work more and more intertwined with AI, which will enable the new EDPS to take an agenda setting role.
These four are vying to take on the role for the next mandate.
Wojciech Wiewiórowski
Wiewiórowski has been the EDPS since 2019. Before that, he was an Assistant European Data Protection Supervisor, working with the late Giovanni Butarelli, the Italian former EDPS. He also has experience in his native Poland as Inspector General at the Polish Data Protection Authority, and Vice Chair of the Working Party Article 29 Group.
In 2024, as the EDPS, he probed the use of cloud providers by border control agency Frontexprovided advice on the AI liability rules and delivered an opinion on the AI Act, which possibly puts him at an advantage compared to the other three contestants.
In written answers to the LIBE committee, he said that he “will prioritise the discussion on the Artificial Intelligence.”
“I am sure that EU institutions need in the nearest future guidelines on how Europe can play a leading role in ensuring the safe deployment of AI across a variety of sectors,” he added.
Francois Pellegrini
Computer scientist François Pellegrini is a professor at the University of Bordeaux and researcher at the Bordeaux Computer Science Research Laboratory. He served between 2014 and 2024, as a member of the Board and Vice-President of the French data protection authority CNIL.
At CNIL, he was in charge of sectors including e-commerce and cybersecurity, which will be very relevant as the European Commission is expected to re-assess existing cybersecurity legislation during this new mandate.
He told committee members in written answers that his vision of the future of the EDPS “is that of an agile and proactive regulator, with cutting-edge legal and technical expertise”, working together with counterparts, and being able to provide relevant opinions and advice to co-legislators and the EU.
Bruno Gencarelli
Gencarelli is an EU official with a long career in privacy: most recently he was a cabinet member of former EU Justice Commissioner Didier Reynders, and head of the International Affairs and Data Flows Unit within the Commission.
He was responsible for the Commission’s work in the field of data protection in recent years including when the General Data Protection Regulation (GDPR) was discussed. Gencarelli also led negotiations of several data transfer agreements with third countries, such as the EU-Japan arrangement, and the EU-US Data Privacy Framework.
His experience with US data exchanges might be of particular use as the EDPS probed whether the Commission’s use of Microsoft 365 was legitimate, and as the current EU-US Data Privacy Framework is facing a legal challenge. In his answers to committee questions, he said that the agency will “have to operate in a more complex governance system”, alluding to developments around AI.
ADVERTISEMENT“In that renewed environment, my top priority would be to ensure that the EDPS is ready for these changes, including the taking on of additional responsibilities that go beyond its ‘traditional’ role,” he added.
Anna Pouliou
Until now, the role of EDPS – the job was created in 2004 – has always been awarded to men. Anna Pouliou, the current chair of the Data Protection Commission at CERN, the data protection supervisory authority of the European Organization for Nuclear Research, could be the first woman to get the job.
Pouliou is an attorney, who has led corporate privacy teams including at consultancy Mars. She is also a lecturer in data governance, International Privacy Laws and Artificial Intelligence at the Universities of Saint-Gallen and Maastricht. Pouliou has also worked with the Commission on the GDPR: between 2017 and 2022, she was one of the 27 members of the GDPR Multi-Stakeholder Expert Group advising the European Commission on GDPR implementation on behalf of Business Europe.
She wrote to lawmakers that she wants the EDPS to become “a global leader in the debate for innovation-friendly digital ethics and data governance.”
ADVERTISEMENT
