مقاله سال ۲۰۱۶

Data Protection Authorities (DPAs) are independent authorities (with their own powers and responsibilities, and that are organisationally separate from government1 ) with a supervisory role in relation to data protection. Globally, DPAs (also known as privacy commissioners, data privacy agencies and privacy enforcement authorities2 ) play multiple roles, including education, consultancy, provision of policy advice, international coordination, as well as enforcement of regulation.3 Within the EU, they primarily draw their authority from the national implementations of the Data Protection Directive 95/46/EC. The data protection legal regime in the EU is currently undergoing a significant reform process: The General Data Protection Regulation (GDPR),4 and the associated Police and Criminal Justice Data Protection Directive, are intended to reform and update the 1995 EU Data Protection Directive and replace the 2008 Framework decision.5 This will further expand the roles of EU DPAs whilst at the same time increasing the harmonisation of their powers and increasing the level of cooperation between them.

Technology foresight encompasses a range of activities centred around understanding new technology developments, and anticipating their potential effects and impacts. In the context of DPA’s roles and their collaborative activity (where this activity is sometimes also termed “technology watch”) this focuses upon the potential impacts of emerging technologies upon data protection and privacy. Whilst there are many accounts of foresight approaches in information technology in general,6 and privacy and data protection in particular,7 as well as the technology foresight activities of national governments,8 the foresight activity of data protection authorities has not been the subject of systematic study.

One reason for this is that technology foresight is not, for the most part an explicitly mandated task for EU DPAs. Further, many EU DPAs mandate as supervisory and enforcement agencies is a primarily reactive function. However, technology foresight prepares data protection authorities for enforcement action they may have to take in the future, but also allows them to intervene as stakeholders in the development of new technologies, and in particular better influence their adoption and deployment. Technology foresight activities allow regulators to get ahead of potential data protection problems and concerns. As responsible parties in relation to enforcement of national data protection law DPAs are in a clear position to assess or provide guidance upon the requirements of the existing legal framework in relation to new technologies. In this manner, technology foresight supports approaches such as privacy-by-design,9 allowing for earlier intervention and for the better adoption and promotion of privacy-enhancing technology. It will also support DPAs in their role in data protection impact assessments under Article 35 of the GDPR, prior consultation under Article 36, and most significantly, the Article 57(i) obligation to “monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices”.