This is one of the areas where we have novelties in the EU.
First off, there are three important rulings from the European Court of Justice concerning independence of supervisory authorities. They relate to Germany, Hungary, and Austria. In these three cases, the countries have been found in breach of the existing directive and there are important recommendations to the legislators to bring forth independence, autonomy of supervisory authorities.
Secondly, the Court of Justice has said that the exercise of all existing powers in directive 95/46/EC is essential in terms of raising the independence, particularly the advisory role, the existence of a robust supervisory role. Therefore, now the regulation and the directive provide for a full list of reinforced powers, an entirely new scheme in terms of budgetary lines, requirements in terms of appointment, and relationship with government and relevant parliaments, depending on the legal system in each country.
Each DPA should be equipped with substantive powers in terms of warnings, with a view to admonish relevant comptrollers. Another novelty relates to the application of administrative fines. It is now mandatory for all member states to keep independent supervisory authorities with the duty and power to apply those fines where appropriate. The novelties are not only in terms of enforcement, but also with a view to consider all seven functions of a DPA listed by a famous Canadian professor, Colin Bennett, together with Charles Raab. They drafted the book listing seven missions of DPAs, including those concerning awareness, with a view to creating also a culture in terms of data protection.
In terms of more co-operation and more transparency, DPAs should be more selective in exercising their functions. One of the key pillars of the new regulation is accountability, which means that each private and public comptroller is requested to go beyond mere compliance, to have an internal policy to demonstrate that they comply in practice, to have an answer to every pressing need, including the allocation of resources and responsibilities. We would like to treat all comptrollers more responsibly, as adults, we might say. Therefore, DPAs should be more effective when appropriate, but also more selective, and more transparently define their priorities. They should publish a program and they should be more predictable, more accessible, and more protective.
So it's a less prescriptive approach, with more engagement, more interaction with new technology. It's also from the perspective of making new rules on accreditation, certification, seals, and privacy by design and privacy by default more effective in practice.