Podcast exclusive: Talus, assuming chair of EDPB, aims to cut new tracks

Podcast exclusive: Talus, assuming chair of EDPB, aims to cut new tracks

Anu Talus, who succeeded Andrea Jelinek to become the second chair of the European Data Protection Board in May, hopes to build on Jelinek’s work as she focuses on making GDPR enforcement more coherent, efficient and harmonized across the bloc’s member states. In an extended conversation with MLex on the sidelines of the Global Privacy Assembly meetings this year, Talus discussed issues ranging from the EDPB’s highly unusual step of making permanent and EU-wide a temporary Norwegian ban on Meta Platforms targeting users with behavioral-based ads without their consent issued under the GDPR’s urgency procedure, to how she entered the data protection field years ago.

Tune in to our podcast below, or continue scrolling for a related article.

Anu Talus looks to blaze new trails for GDPR enforcement as head of EU watchdogs body

10 November 2023
By Mike Swift

Anu Talus, who took the reins as the second chair of the European Data Protection Board in May, could be said to represent version 2.0 of General Data Protection Regulation enforcement.

The EDPB's first chair, Austrian enforcer Andrea Jelinek, guided it through the first five years of GDPR enforcement, ensuring a consistent enforcement system that initially struggled to gain momentum, but over the past year has led to notable fines and binding decisions against Meta Platforms and TikTok.

Talus, the head of the Finland's data protection authority, succeeded Jelinek on the GDPR’s fifth birthday in May, and as she approaches six months in the chair she sat down with MLex for an extended conversation on the sidelines of the annual Global Privacy Assembly, held in Bermuda recently. 

Focusing on her view of the coming five years of GDPR enforcement, she stressed a focus on making enforcement more coherent, efficient and harmonized across the bloc’s member states.

To describe what that might look like, she offered a particularly Nordic metaphor: "What I would say in Finnish, it's like 'Hiihtää umpihangessa,' which means that you are skiing, cross-country skiing, but you have no tracks; no one has done the tracks for you to do the skiing," she said. "So this would then both make it much more challenging, but also give you the possibility to make the tracks yourself."

Talus and the EDPB, the body that brings together EU privacy regulators, are already cutting new tracks through the snow in one very high-profile case.

Typically a conservative institution, the board has taken the highly unusual step of making permanent and EU-wide a temporary Norwegian ban on Meta Platforms targeting users with behavioral-based ads without their consent issued under the GDPR’s urgency procedure, as part of an ongoing crackdown on the social media company.

It's a complex and significant situation for Talus because the case involves both internal and external issues. The EDPB is attempting to enforce the GDPR in a case that involves the chief source of revenue for a global tech giant, while trying to weigh divergent views between the Irish Data Protection Commission and the Norwegian Data Protection Authority, which brought the action against Meta and that believes the Irish regulator has been too tolerant of the platform giant's privacy transgressions.

The Irish regulator, which oversees Meta because its EU headquarters are in Ireland, has come under attack from European lawmakers and national data protection authorities as being too lenient on Meta. In May, it was obliged to issue a record-breaking fine of 1.2 billion euros ($1.3 billion) against Meta over its data transfers to the US.

Helen Dixon, the head of the Irish DPC, has rejected allegations that she’s regularly corrected by other EU regulators; she has argued that the disputes don’t stem from poor performance, but rather from the GDPR’s "one-stop-shop" arrangements for cross-border cases.

Companies' lead regulator is the one in the EU state where they have their "main establishment," but in cross-border probes other regulators have a voice in critiquing the lead regulator's planned sanctions. And the EDPB chair has taken on increased significance in recent years as more large cases pass through the board's "dispute resolution" mechanism, which takes place when regulators disagree.

In her talk with MLex, Talus pushed back on suggestions that the recent binding decision against Meta in the Norwegian case is an early test of her leadership. "Well, I don't know if it's really testing the leadership. I think it's just simply taking the matter through" to its conclusion, she said, in one of several times during the interview that she came across as calm, cerebral and somewhat understated.

GDPR enforcement

Talus has been clear that there will be a "greater emphasis on enforcement" at the EDPB during her leadership. She told MLex what while Jelinek had the job of getting the one-stop-shop mechanism up and running, her goal is to make the dispute resolution system work better.

"In previous years, we used a lot of time in building the system and also providing guidance to the [data] controllers. GDPR was new, and it was important to give an idea of the interpretation, so we spent a lot of time working on that," Talus said. But now, "when we are talking about, for example, enforcement, one of my goals is to strengthen the cooperation between authorities in the EDPB."

"We already work well together, but there have been some, I would say, procedural issues that we have been working on. And now with the European Commission's new proposal, which will complement the GDPR, I think that there will be even further [efforts] to make the cooperation between authorities more efficient."

The commission earlier this year proposed a law that would streamline privacy regulators' GDPR enforcement, for years now under fire for its sluggish pace. The proposal would standardize parties’ procedural rights, such as the right to be heard, and force watchdogs to cooperate more closely and efficiently.

"It was clear that we needed to have legislation there, and this is when we approached the commission with our wish list," Talus said. "And we were very pleased that the commission actually took really swift actions to provide us the tools that we would need to have fluent cooperation between the authorities."

But, she added, there are still some elements of the commission’s proposal that need more work, including one provision that says that a decision reached through the urgency procedure would only apply in that specific member state. "This is actually an amendment which would take the GDPR backwards," Talus said.

Nevertheless, those problems can be worked out in the next few months, Talus suggested. "I definitely hope that it will happen before we have new parliamentary elections [in June]. I definitely hope that it would take place this year or, at the latest, early next year. But I cannot tell you how it is," she said.

Talus, who is a lawyer and represented the Finnish government in negotiations over the GDPR legislation before it was finally passed in 2016, chuckled at the memory that the predictions back then were that the process would only take a year. It took four.

Listen, then act

In the end, Talus said, it is always important to be open-minded. That won’t necessarily mean avoiding conflict: The Finnish data regulator, under Talus's leadership, objected on four occasions to proposed decisions by the Irish Data Protection Commission.

"If I have one philosophy, well, for me, it's important to listen to different views," she stressed. "Like you know, there might be … differing views when we are talking about the interpretation of GDPR. GDPR gives the possibility to draw different interpretations."

"So I do see that it's important to listen to different views, and then come to a conclusion based on based on that." As she navigates the coming years of enforcement, one thing she surely won't be short of is different views.

For access to our Data Privacy & Security news and analysis in real time, start your free trial today.