The EDPB Has Experts at the Ready. It's a Pity They Don't Really Use Them
The sad state of the EDPB "Support Pool of Experts"
Did you know that the European Data Protection Board has 486 approved subject-matter experts on call? And that they've relied on only around 2% of them since 2022? I didn't, at least not until I made an information request. Here's what else I discovered.
The Support Pool of Experts
In February 2022, the European Data Protection Board (EDPB) put out an expression of interest seeking subject matter experts across a variety of domains. The goal was to bring experts and supervisory authorities (SAs) together by providing qualified, Board-approved legal and technical expert assistance across a broad range of areas including
IT auditing, website security, mobile OS and apps, IoT, cloud-computing, behavioural advertising, anonymization techniques, cryptology, AI, UX design, Fintech, Data science, digital law, etc.
This "Support Pool of Experts" (SPE) would assist SAs at "different stages of their investigation and enforcement activities in the field of data protection law", including:
providing support with investigations;
guidance on support tooling;
legal advice on the use of specific forensic methods to gather evidence;
creating written and oral reports on data protection matters; and
participation in face-to-face and teleconference working group meetings.
At the time, the SPE program was billed as a "key strategic initiative" of the EDPB and was hailed by many practitioners as a positive step forward. The SAs collectively were acknowledging that a little outside expertise and perspective might lead to more informed outcomes. I was excited and immediately applied. In June 2022, I was accepted.
For the next year and change, I kept tabs on the EDPB and whether any SPEs were being utilized. I checked the EDPB website, and would ask colleagues in confidence if they had been asked to submit a bid or brought on to provide expert advice. Nobody knew.
Fun With FOI
In October 2023, I decided to broaden my scope by asking the data protection community on LinkedIn. The public response I got was crickets, but I did get a lot of people hitting me up in DMs to share their curiosity.
So, on 16 October 2023, I went to the source and filed a request for information. Like most institutions or public bodies within the EU, the EDPB is governed by a public access (or "Freedom of Information") law (Regulation 1049/2001). The EDPB is better than most in that they helpfully have a dropdown for such requests right on their website.
A little over a month later (37 days) I received the following response, which I'm posting in its entirety. My questions are in bold, and thoughts below.
Dear Carey Lening,
Please find below our answers to your email dated 16 OCT, which is asking for specific information and has been therefore handled as a request for information according to [The European Code of Good Administrative Behaviour](https://www.ombudsman.europa.eu/pdf/en/3510) by the European Ombudsman.
1. The number of expert members who are currently approved by the EDPB
There are currently 486 experts on the reserve list.
2. The number of times individual support pool members have been requested to assist the EDPB.
and 3. The number of times individual support pool members have been requested to assist individual supervisory authorities.
Eleven experts of the SPE list have been requested to assist the EDPB on eleven projects initiated by either a supervisory authority or the EDPB. When such an SPE project is initiated by one supervisory authority in particular, other interested authorities are invited to participate, and all final documents are available to all of them, at the latest, at the end of the project.
One expert has been requested to assist an individual supervisory authority on one SPE project.
4. If the answer to 2 and 3 are greater than zero, a breakdown of the count and types of issues (e.g., IT auditing, website security, mobile OS and apps, IoT, cloud-computing, behavioural advertising, anonymization techniques, cryptology, AI, UX design, Fintech, Data science, AI, digital law/legal) where experts have been utilized.
- 1 expert has been selected based on: “Website security, Mobile OS, internet of things, mobile applications”
- 4 experts have been selected based on: “Digital laws, EU legal framework on data protection and privacy, legislation on forensics”
- 2 experts have been selected based on: “Artificial intelligence”
- 2 experts have been selected based on: “IT auditing, information security auditing”
- 2 experts have been selected based on: “DPIA, personal data breaches, risk management”
- 1 expert has been selected based on: “Digital forensics, Eavesdropping techniques, MITM proxy”
5. Whether any reports have been published by support pool experts (and details on any reports that are public, or can be shared with the public).
At the moment, only one report for the SPE project 'One-Stop-Shop thematic case digest - right to object and right to erasure' has been made public at the following URL: https://edpb.europa.eu/system/files/2023-02/one-stop-shop_case_digest_on_the_right_to_object_and_right_to_erasure_en.pdf.
6. Whether there is an allocated budget to pay the EDPB support pool of experts, and what that budget is.
There is a dedicated budget allocated to pay experts who participate in SPE projects. The budget of the EDPB is voted and published in the Official Journal of the European Union (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023B0278).
When an expert is selected for a project, this expert is remunerated with a fixed fee of €450 per person-day plus any travel and subsistence related costs, which will be based on EDPS’s applicable rules. If an expert has concluded contracts for a total amount exceeding €15 000 in a calendar year, the name, the locality (region of origin), amount, and subject of the contracts shall be published on the website of the contracting authority no later than 30 June of the year following contract award.
Finally, and as a reminder, you should have received a Save the Date for our SPE event of 8 February, where we will have discussions about how an SPE project is built as well as on the SPE project experience of experts and supervisory authorities. We hope you will join us for this online event.
We hope that this is of assistance to answer your questions relating to the SPE projects. Unless you get back to us, we consider your case as fulfilled and closed.
Best regards,
The EDPB Secretariat
Why Is Usage So Low?
As I noted at the beginning, the SPE program has been in place arguably since May or June 2022, when candidates first started being selected. Since May 2022, the SAs have collectively issued nearly 800 fines or reprimands (according to Enforcement Tracker), but only 12 experts have been brought in to assist, approximately 2.4% of the Support Pool. These numbers seem shockingly low.
There's also only been one publicly-facing document produced in that time (Professor Mantelero's 'Right to Object and Right to Erasure' case digest), which to me represents a missed opportunity. Yes, we're all confronted with lots of guidance from the EDPB and individual SAs, but a lot less in the way of data and comprehensive source analysis. More documents like Professor Mantelero's would benefit everyone. For example, the Article 29 Working Party guidance on meeting transparency obligations under the GDPR came out in 2018. A comprehensive case summary and practical nuts-and-bolts suggestions for drafting a privacy notice would be quite impactful.
Maybe It's a Budget Thing?
The EDPB's 2023 budget is reasonably healthy (€7,665,782). A quick read of the budget and some admittedly bad back-of-the-envelope math suggests that from that budget, the EDPB spent around €57,000 on outside support for 2023, and €55,000 in 2022.[1] Assuming all of that went to the Support Pool (which seems unlikely), at €450 per day, that's 127 and 122 days' worth of work for each respective year, or around 9-10 days of work for each expert, on average. That isn't counting the one expert selected by an individual SA though, and I'm not so inclined to dig through the various budgets of each to figure out which SA paid that person.
To be charitable to the EDPB, it's not clear to me whether there's some discretion in this allowance if the EDPB needs to spend more, or if this is a fixed allocation.
Maybe They Have Enough Internal Expertise?
It's possible that all the respective SAs have a well-distributed set of technical and legal personnel at their disposal, so they don't need to avail of the Support Pool. But one might ask why establishing the SPE was a "key strategic initiative" of the EDPB, or why they bothered to approve such a large number of experts in the first place.
It's telling that when SAs do rely on their experts, it tends to be primarily in relation to technical problems:
1 expert has been selected based on: “Website security, Mobile OS, internet of things, mobile applications”
2 experts have been selected based on: “Artificial intelligence”
2 experts have been selected based on: “IT auditing, information security auditing”
2 experts have been selected based on: “DPIA, personal data breaches, risk management”
1 expert has been selected based on: “Digital forensics, Eavesdropping techniques, MITM proxy”
Most of these areas have only a small pool of experts to begin with, much less experts who also have data protection knowledge. And I don't think I'm out of bounds to assume that the majority of said experts are not working in the public service in the EU, for SAs or the EDPB.
It's striking that the SPE usage is so low then, given that these are all hot topics in terms of enforcement (data breaches/web & mobile security, IT/information security auditing), and/or frequent talking points by the SAs individually or the EDPB collectively (AI, personal data breaches). Other areas (including the recent ePrivacy Directive Guidance) appeared to have no SPE involvement at all.
There might be other reasons as well, including political drivers, a culture of insularity, or just plain ol' status quo bias. The SPE is still a new program after all, and I'll be the first to admit, I'm not inside the tent to know the inner workings of any of it. Perhaps someone at the EDPB, or one of the individual SAs will reach out and share more insight as to why the pool is so underutilized.
In closing, I want to add that part of what I learned posing the initial question was that many of us genuinely want to help, share our expertise and provide outside perspectives when it comes to data protection issues that have the ability to impact all of us. I'm certainly one of them.
[1] Data based on "Definitive adoption (EU, Euratom) 2023/278 of the European Union’s annual budget for the financial year 2023", Appropriation line item 3022, which covers 'Services and Work to be Contracted Out' and lists a budget of €57,000 in 2023, and €55,000 in 2022.