Few people outside privacy circles know who Andrea Jelinek is.
Thats all about to change.
As chair of the European Data Protection Board, a regional group of EU data protection authorities, the Austrian regulator is in charge of almost the impossible — making sure the Continents new privacy standards, which take effect Friday, run as smoothly as possible from Ireland to Greece.
If that sounds like a daunting task, particularly for a bureaucrat who is now the most important EU regulator most people have never heard of, it is.
Under the European Unions General Data Protection Regulation, or GDPR, national privacy watchdogs have new powers to fine companies — everyone from Facebook and Google to small businesses regionwide — up to €20 million or 4 percent of global revenues, whichever is greater, if they run afoul of the new rules.
But just as companies and regulators are struggling to get their heads around this privacy revamp, Jelinek now has to juggle the competing — and often conflicting — interests of Europes data protection agencies, which have repeatedly clashed over how to enforce the regions tough privacy standards.
On top of this peacemaker role, she also must promote the regions upgraded data protection rules to a general public that is only now becoming aware of how their online information may be misused following the recent Cambridge Analytica data scandal.
And as chairwoman of Europes new blocwide data protection board, the former Austrian police official will be in the crosshairs of many, both throughout the region and beyond, who think the Continents new privacy standards place too much of a regulatory burden on companies, particularly small businesses that do not have the financial firepower to comply with the litany of new rules.
“Data protection hasnt been sexy in the past,” Jelinek, 57, said. “Thats changing. Now, there is the big bang of fines and data protection that is now at the CEO level. It wasnt always at the CEO level.”
Difficult job ahead
With wide-ranging powers to investigate and fine companies over potential data abuses, Europes privacy regulators lie at the heart of the regions new privacy rules.
But with many of the probes likely to include people from many EU countries, Jelinek will direct a team of about a dozen data protection lawyers and professionals in Brussels to help coordinate such upcoming regionwide investigations.
The team of policymakers is expected to grow to over two dozen by next year with a number of experts from the national agencies to be seconded to the Belgian capital. And their main job, led by Jelinek, will be to referee between different national privacy agencies, including making judgements when countries watchdogs want to take different regulatory approaches when enforcing Europes new rules.
“She has a difficult job ahead of her,” said Eduardo Ustaran, co-director of the global privacy and cybersecurity practice of Hogan Lovells, a law firm, in London. “As chair, she effectively needs to lead the group. If there are disagreements, she must find common ground.”
First among equals
Since taking over the Austrian privacy watchdog in 2014, Jelinek cultivated a reputation as a straight-talking regulator who prefers procedure to preaching to companies about potential abuses.
Stern and prone to answering questions in short bursts, Jelinek said Europe became the global leader just as the world became interested in data protection. That came despite growing concerns that many of Europes national privacy regulators are unstaffed or too under-resourced to take on the long-list of new powers that have fallen to them.
“We know there are some countries that had difficulties with the staff and the money,” Jelinek acknowledged. “If the countries dont provide us the money, the Commission can act.”
Austrian lawyers who have worked with Jelinek say she rarely talks about her regulatory priorities, though she had targeted several industries, including financial services, health care and insurance, during her tenure as the countrys privacy regulator.
Rainer Knyrim, a Vienna-based lawyer, said Jelinek would likely prioritize the internal workings of the new regionwide privacy board, as well as use her background in law enforcement to clamp down on the most egregious data abuses.
“She wants to see that companies are doing something,” he said. “If compliance is non-existent, there will be problems.”
Who really has control?
Replicating her role in Austria at an EU-wide level, though, may prove more difficult.
Under Europes new privacy standards, one only national regulator will hold sole responsibility for policing companies activities, based on where businesses have their legal headquarters.
That has given Irelands regulator oversized powers, because many of the worlds data-hungry tech companies, including Facebook and Google, have their EU headquarters located in Dublin.
Other regulators already have complained that the Irish may give these companies an easier ride than in countries like Germany or Spain, where local authorities have been more eager to investigate potential data abuses. And many are now looking to Jelinek to move more aggressively if Dublin fails to act.
Helen Dixon, Irelands data protection commissioner, rejected such predictions.
While she welcomed Jelineks appointment as chair of the new EU data protection board, Dixon maintained that it was for her agency, not the EU-wide group, to determine whether the large tech companies complied with Europes new privacy standards.
“As chair of the board, she is going to play a key role,” Dixon said. “But it is not the responsibility of the European data protection board to take over the role of national data protection agencies.”
Jelinek is likely to find support within the European Commission, which has been actively cajoling national governments to prepare for the new privacy rules.
Vêra Jourová, the European justice commissioner, said the EU-wide board would be key to ensuring that the new data protection standards are applied equally throughout the Continent, instead of national governments tweaking the new rules to fit their own domestic agendas.
“Shes going to have an extremely important role,” Jourová said when asked about Jelinek. “The same rules must apply everywhere.”