
2017 the year of mutual assistance testing

Jacek Safell, Specialist
Department of Social Education and International Cooperation
Bureau of the Inspector General for Personal Data Protection

The year 2016 came to an end and people are turning their heads towards 2017 with new energy and hope. And as we all know there is significant change on the horizon of European data protection. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; GDPR), is slowly yet unavoidably approaching. It won’t get here quite yet in 2017 but that doesn’t mean this upcoming year will be less important for that. On the contrary, we are facing a year of important decisions and tests. How Europe manages to handle these tasks will have a direct influence on the future of data protection under the GDPR.

In order to prepare data protection authorities (DPAs) for the upcoming changes, the Article 29 Working Party (WP29) has been keeping busy, creating guidelines and FAQs that will aid DPAs during the transition. During the December 2016 plenary meeting, WP29 discussed certain critical matters with regard to the implementation of the GDPR and, consistent with its 2016 Action Plan decided in February 2016, adopted:

  • Guidelines on the right to data portability (WP 242),
  • Guidelines for identifying a controller or processor’s lead supervisory authority (WP 244), and
  • Guidelines on Data Protection Officers (DPOs) (WP 243).

As the PHAEDRA project’s main goal is to identify, develop and recommend measures for improving practical co-operation between EU DPAs, we believe that the abovementioned guidelines are worth summarising. However, since the issues of DPOs and data portability don’t relate so directly to co-operation between DPAs, we’ll skip them in the following article.

Lead Supervisory Authority

One of the key topics discussed and agreed upon by the WP29 is the issue of cross-border processing of personal data in connection with identifying a lead supervisory authority. As Article 4(23) GDPR clearly states, there are two scenarios in which we’ll be dealing with ‘cross-border processing’. In one of these two cases, the “cross-border” character is based on the vague term “substantially affects”.

A question may arise – what does the Regulation mean by “substantially affects”? Now we won’t find a direct answer in the text of the GDPR so, according to the Opinion WP 244, DPAs will have to determine this on a case-by-case basis. The intention of the wording was to ensure that not all processing activities, with any effect and that take place within the context of a single establishment, fall within the definition of “cross-border processing”. But if we look at a general definition of the word “affect”, we’ll see that there must be influence, that the data processing must impact someone in some way. That way being of “substantial” nature.

So once we establish that we are in fact dealing with cross-border processing, it is mandatory to identify the lead supervisory authority.

Ok, so why do we need this lead supervisory authority? To put it in simple terms, a ‘lead supervisory authority’ is the authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data and the controller/processor is established in more than one EU Member State. The lead supervisory authority will coordinate any investigation, involving other supervisory authorities, according to the consistency mechanism.

Although Article 56 GDPR gives means of determining the lead supervisory authority, often things won’t be so clear and it might be up to data controllers to establish clearly where decisions on the purposes and means of personal data processing activities are being made, thus allowing the lead authority to be appointed. The process of determining where the main establishment is may require active inquiry and co-operation by the supervisory authorities. Conclusions cannot be based solely on statements by the organization under review. The burden of proof ultimately falls on controllers and processors. They should be able to demonstrate to supervisory authorities where decisions about data processing are actually taken and implemented. Effective records of data processing activity would help both organizations and supervisory authorities to determine the lead authority.

One may ask what about other DPAs? Are they excluded from any operations once the lead supervisory authority is established? Well no, quite the contrary. As Article 4(22) GDPR states, other supervisory authorities can be “concerned”. The concept of a concerned supervisory authority is meant to ensure that the ‘lead authority’ model does not prevent other supervisory authorities having a say in how a matter is dealt with when, for example, individuals residing outside the lead authority’s jurisdiction are substantially affected by a data processing activity.

The GDPR requires lead and concerned supervisory authorities to co-operate, with due respect for each other’s views, to ensure a matter is investigated and resolved to each authority’s satisfaction – and with an effective remedy for data subjects. Supervisory authorities should endeavor to reach a mutually acceptable course of action. The formal consistency mechanism should only be invoked where co-operation does not reach a mutually acceptable outcome.

Mutual acceptance of decisions can apply to substantive conclusions, but also to the course of action decided upon, including enforcement activity (e.g. full investigation, investigation with limited scope, a warning or a press statement). It can also apply to a decision not to handle a case in accordance with GDPR, for example because of a formal policy of prioritisation, or because there are other concerned authorities as described above. The development of consensus and good will between supervisory authorities is essential to the success of the GDPR co-operation and consistency process.

To summarise this post, we would like to point out that although the GDPR creates a framework for co-operation and goals which are to be achieved, success depends solely on the DPAs’ co-operation. With further guidelines from WP29 and enough time to implement them, the GDPR can have a positive impact on data protection in Europe. We will closely follow the WP29’s work and assist DPAs in their difficult task.



Cooperation among EU DPAs: current status (2015-2016)

Andrés Cuella Brenchat, consultant for the Data Protection and Fundamental Rights Group (PRODADEF), University Jaume I (Spain)

The PHAEDRA II project has been devoted to improving practical cooperation and coordination between Data Protection Agencies (DPAs), Privacy Commissioners (PCs) and Privacy Enforcement Authorities (PEAs) in the European Union (EU), especially with regard to the enforcement of privacy and data protection laws. In order to follow up and assess cooperation among EU DPAs, PHAEDRA II created a commented repository of leading decisions in individual cases with cross-border implications among national DPAs in the EU. From the outset, a shortage of “pure” cases of cooperation was noted. This is not surprising, as under the current Data Protection Directive 95/46/EC the obligation to cooperate in Article 28 is rather imprecise. From May 2018, the 28 European Union (EU) Member States will have to abide by the recent reform of the basic EU data protection legal framework. The new General Data Protection Regulation (GDPR) 2016/679 introduces major changes in how data protection law is applied and enforced among the EU Member States. It also introduces major changes in the character and scope of cooperation between EU DPAs. Cooperation will not merely be a possibility, but an obligation under EU law. Intensified cooperation among authorities at the European level will be necessary to adequately address cross-border issues.

The repository has shown that cooperation among EU DPAs has actually taken place during the last two years. It has identified cases of cooperation that have taken very different forms and degrees.

The most relevant one, under the current regime, might be the joint investigation teams created by different DPAs. For instance, in 2015 Facebook faced numerous privacy-related investigations in Europe in order to verify if the company was complying with EU and national law. DPAs from France, Spain, the Netherlands, Belgium and Germany (Hamburg’s DPA) joined efforts and created a Working Group to tackle potential breaches or shortcomings in Facebook’s policies. The Article 29 Data Protection Working Party (WP29) also participated in the investigation exercise. We consider this initiative to be one of the most important forms of cooperation and collaboration among EU DPAs.

International platforms have also acquired a major role in the cooperation among DPAs. The PHAEDRA II repository has focused on the activity of two key networks. The first is the International Cybersecurity Enforcement Network (or the so-called LAP, London Action Plan), which seeks to promote international spam enforcement cooperation and address spam-related issues (such as online fraud and deception, phishing or dissemination of viruses). Both private sector representatives and government and public agencies are represented. DPAs from Ireland, Spain and the UK are part of this network. Moreover, other EU Member States – Belgium, Finland, Hungary, Latvia, the Netherlands, Portugal and Sweden – are represented through other governmental bodies, mainly consumer agencies. The latest form of cooperation occurred in June 2016, when 11 enforcement authorities across the globe, including those from the UK and the Netherlands, signed a Memorandum of Understanding (MoU) to provide a framework for information and intelligence sharing and to reinforce cross-border cooperation to address unwanted messages and calls. This MoU strengthens the international fight against a global problem.

The second network is more globally represented: the Global Privacy Enforcement Network (GPEN), which aims at facilitating cross-border cooperation in the enforcement of privacy laws. The Network enables privacy regulators worldwide to work and cooperate as they address risks to the personal information of their citizens. 17 out of the 28 EU DPAs are members of the GPEN. An example of recent cooperation where the GPEN had the coordinating role is the “Privacy Sweep”, an international evaluation dedicated to verifying respect for privacy in the Internet of Things. DPAs from France, Ireland, Italy and Belgium, among others, participated in this Sweep, which took place on 11-15 April 2016. This exercise is a continuation of the good collaboration between DPAs (in May 2014, 26 DPAs conducted an “Internet Sweep Day” that analysed information related to mobile applications; in September 2015, another “Sweep Day” focused on online services for children). Another example is the MoU signed in October 2015 between the Dutch DPA and seven other privacy regulators for exchange of information in the GPEN Alert System or the “Sweeps”. In general terms, DPAs participate, to a greater or lesser extent, in different conferences and seminars organized worldwide where they have the opportunity to share good practices or new policies, present new projects or formalize bilateral agreements.

The soon-to-be-replaced WP29 is also an important actor for cooperation. Indeed, it meets multiple times a year in Brussels, and its latest position on a specific matter was adopted in June through the “Opinion 03/2016 on the evaluation and review of the ePrivacy Directive (2002/58/EC)”. The Working Party will be replaced by the European Data Protection Board (EDPB), which will become an EU body with legal personality. It will be composed of national data protection authorities and the European Data Protection Supervisor (EDPS).

This non-exhaustive description of forms of cooperation allows us to conclude that EU DPAs share common activities and goals and do engage in mutual cooperation. However, there are areas where cooperation could be increased to better achieve their mutual goals. For instance, guidelines are one of the favored instruments of DPAs. Position papers or guidelines on different aspects of the General Data Protection Regulation (GDPR) have been released by, among others, the UK, Spain, Germany and Belgium. The WP29 has also released an Action Plan concerning the implementation of the new Regulation. Other topics have attracted the attention of many DPAs, which have published their own guidelines, for instance on the implications of the Schrems Judgement, the implications of the right to be forgotten (France, Spain, Denmark, WP29) or the data protection issues relating to the use of drones (Sweden, WP29, Ireland). Moreover, the same issue may be tackled through different channels. For instance, video surveillance has raised questions in Spain (the Supreme Court has ruled and clarified data protection issues), France (guidelines have been issued) and Italy (the Italian DPA notes in its Annual Report that it handled more than 30.000 queries concerning, among others, video surveillance). Finally, the European Data Protection Day, held every year on 28 January, is an event seeking to raise awareness and promote privacy and data protection. In 2016, 22 out of the 28 EU DPAs participated in the event. Nevertheless, the activities were not especially coordinated and were addressed to domestic audiences. PHAEDRA’s study on best practices of cooperation found, however, that the benefits of coordination in this area are limited by the need for DPAs to communicate with the media and the public in the relevant Member State languages and to be responsive to local contexts, media usage and channels, and public attitudes.

Apart from the novel joint investigation teams, the rest of the cooperation activities were organized in the framework of existing platforms and bodies. The joint investigation teams therefore constitute the most telling example of spontaneous cooperation among DPAs. Moreover, it can be inferred from the above that DPAs collaborate mainly in three areas: investigation of common threats (Facebook, Sweeps), tackling very specific issues (MoU) and participation in common approaches (WP29).

Even if the new GDPR changes how data protection law is applied and enforced among the EU Member States, uncertainties persist as to how this new legal framework will be applied in practice and how it will impact the day-to-day activities of EU DPAs. The recent GDPR makes cooperation among DPAs mandatory but does not provide comprehensive rules on the modalities and procedures involved. As the recently published PHAEDRA study shows, there is a need for supplementary operational and legal guidance. Be that as it may, many questions arise: are there other circumstances hampering a more enhanced cooperation (different national legislation, political willingness…)? Are DPAs in a position to reinforce their cooperation? Will the entry into force of the GDPR boost cooperation? The extent and purpose of this blog entry do not allow us to cover these many issues, but two main remarks may be added. Firstly, with the entry into force of the GDPR in less than two years, cooperation will be granted the importance it deserves. Indeed, Chapter VII of the GDPR boosts many aspects of cooperation (most notably, the consistency and one-stop-shop mechanisms) that are missing in the Data Protection Directive. Secondly, cooperation is not circumscribed to a single chapter or provision acting independently of the rest of the Regulation. Quite the contrary, cooperation is predicated throughout the rest of the text, present in the tasks and duties carried out by each EU DPA. Consequently, a multiplication of “pure” cooperation cases in the very near future should not be surprising. To follow up, just check PHAEDRA’s repository!

Image credit: A New Resource For Educators, Practitioners & Researchers (via CaseRe3: Case Report Research Repository)

PHAEDRA II Second round-table event at the Spring Conference of European DPAs

David Barnard-Wills, Trilateral Research Ltd.

In May the PHAEDRA II project conducted its second round-table event. This workshop took place just in advance of the Spring Conference of European Data Protection authorities, this year held in Budapest and hosted by the Hungarian DPA. We were very pleased that this roundtable was a joint meeting between the PHAEDRA II project partners, and the cooperation sub-group of the Article 29 Data Protection Working Party. The two groups are devoted to working on similar issues and PHAEDRA II is committed to providing research-based support and guidance to the cooperation sub-group. The workshop was therefore an opportunity to identify synergies and to find ways for the two groups to work together.

The workshop was divided into two parts. The first part built on the last deliverable from the PHAEDRA II project, our study on the lessons for co-operation between data protection supervisors that could be learnt by analogy with six other areas of cross-border regulatory cooperation and coordination provided for within the law of the EU. The second session attempted to define and understand the room available to national lawmakers in the implementation of the now adopted General Data Protection Regulation, and the impacts upon national data protection and freedom of information norms. Two invited speakers started the discussions by giving their detailed perspectives upon these issues: Wilbert Tomesen from the Autoriteit Persoonsgegevens, the Dutch DPA, and Tamás Bendik, legal advisor in the Hungarian Ministry of Justice, Department of Constitutional Law.

Tomesen made the argument that practical cooperation on a case-by-case basis is just the starting point, and that it will be followed by structural cooperation, leading to a common responsibility for the protection of the fundamental right to privacy. He spoke about his personal experience prior to joining the DPA as a public prosecutor in the Netherlands and in Aruba, including his experiences of cross-border cooperation across the Netherlands-German border, and with the United States. When he was Chief Public Prosecutor, structural cooperation between the Netherlands and Germany was limited, with prosecutors reaching out only when there was immediate need. He said this was now changing rapidly, with lots of joint investigation teams, and the important work of Eurojust. He also spoke about his experience of one-sided cooperation meetings with a dominant player, where true common ground was lacking. From these experiences, as well as the positively regarded Dutch DPA’s cooperation with Canadian DPAs during its investigation of WhatsApp, Tomesen extracted lessons for EU DPAs. He argued that cooperation needs to be based on common interests and necessity. If DPAs want to develop more structural ways of cooperation, DPAs will need to find a common necessity. This needs to be deeply rooted in the organisations themselves – staff members need to value cooperation, not just have it imposed at a policy level. The lessons he extracted were:

1. When embarking on a joint initiative, first get comfortable – take time to establish trust and positive communication on a human level with occupational counterparts. Get used to the idea that you will be sharing information, but that some information will rightfully be withheld. Have respect for each other’s way of doing things. In the WhatsApp case, after some initial discussions the two authorities kept in touch by standing teleconferences, with team leads in communication daily by telephone and encrypted email. He said it felt like working with colleagues on the next floor.

2. Recognise each other’s strengths and weaknesses, and take account of this when allocating work (e.g. geographical location, pre-existing relationships, tech capacity). In the WhatsApp investigation the Canadian system allowed more contact with the data controllers under investigation, whilst the Dutch threat of punitive enforcement encouraged compliance with the investigation as a whole.

3. The simple importance of showing solidarity – spreading a message within organisations that commissioners are strongly committed to the project, making sure that teams are told they will be supported in making it work. Investigative teams need to be creative and adaptive, and with the support of senior management this is easier.

For Tomesen these lessons can already be seen in current EU cooperation as case-by-case cooperation evolves into a more structural cooperation. The WhatsApp lessons are already put into practice by EU DPAs. This legal obligation in the Data Protection Directive has been put into structural practice in the Article 29 Working Party, both at Commissioner and staff level. Structural cooperation can have important practical benefits for common investigations. Tomesen’s example for this was the labour-intensive assessment of the Privacy Shield. DPA analysis of the Privacy Shield is a prime example of structural cooperation, making use of existing structures, relationships and expertise. Work was divided between national experts and two Working Groups, one on commercial aspects and the other on surveillance and law enforcement. Most of the lessons learned from WhatsApp are also recognisable in the drafting sessions on the Privacy Shield. For Tomesen, this saw DPAs operating as one team which had the support of their commissioners.

He argued that the third stage of the evolution of cooperation will be the emergence of truly shared responsibility. As DPAs have more and more common interests, and with the GDPR, structural cooperation will have to develop into something more. DPAs should no longer think of cooperating with other DPAs but accept that they have a shared responsibility for the consistent application of the new regulation. This will require more trust and will not be without obstacles.

Several sub-groups are already analysing implications of the GDPR, and new policies. Tomesen saw a need for common responsibility in Article 51 – each national DPA shall contribute to the consistent application of the regulation throughout the Union (not only in their own states). The European Data Protection Board (EDPB) will play an important part in this. The Regulation codifies a number of procedures for mutual assistance on cross-border investigations and intensified cooperation between DPAs, and common responsibility will have profound consequences on both policy and personal levels. Tomesen felt that the mindset needs to change, with cooperation needing to be the starting point. He acknowledged that this will cost time and energy, but saw it as an exciting project for DPAs.

DPAs need to find a common interpretation of the Regulation, both for consistency and improved relationships. In particular, what exactly will “mutual assistance” be? This needed to be sorted out before the Regulation enters into force, otherwise Tomesen feared this would be counterproductive and inconsistent. He argued that agreements need to be made between DPAs on how to deal with national obligations. For example, if the Dutch DPA was obliged to share information as part of common responsibility, would the other DPAs be obliged to keep it confidential even when there is no obligation on them to do so? He envisaged that cultural differences will remain. The implication he drew from this was not that DPAs shouldn’t try to collaborate; instead he advocated a certain humbleness, and letting go of the mentality that a particular DPA is the sole possessor of the truth. Consensus might mean accepting decisions that are not “the best” but the “not worst”.

The discussion that followed Tomesen’s speech included topics such as the length of time available for implementation of the GDPR, respecting the intentions of other authorities, curiosity about others’ ways of working, the importance of human-to-human contact for international cooperation, and the challenges created for this by staff turnover, and the fundamental issue of language challenges. Participants also reflected positively upon the contribution that PHAEDRA I and II deliverables had made to this shared learning, an encouraging message for those of us working on the project.

In the second session of the roundtable, Tamás Bendik presented on the challenges of a consistent application of the GDPR and the extent to which it would really create a level playing field in EU data protection, based upon his experience in drafting Hungarian legislation, but also from his involvement in the DAPIX working group. He explored provisions where the GDPR provides the Member States’ legislatures with certain room for manoeuvre to adopt or maintain national legislation. He also explored how these pieces of legislation might affect cooperation of DPAs, and tried to identify and discuss practical tools and techniques to facilitate future cooperation. He addressed those elements excluded from the material scope of the GDPR (particularly those things outside the scope of Union law that remained in Member State competencies, elements outside the scope of the GDPR such as in the Police Directive, and under Common Foreign and Security Policy, and the elements in the GDPR that provide for Member State leeway). His examples of the latter were Article 6(2) and 6(3) – lawfulness of processing, Article 8(1) – conditions applicable to a child’s consent in relation to information services, Article 9(2) and (4) – processing of special categories of personal data, Article 23 – restrictions, and Article 85 – processing and freedom of expression and information.

The challenges for a consistent application of the GDPR, as Bendik summarised them, are that Member State legislatures are entitled and obliged to maintain and adopt national rules (both sectoral and general), that Member State law forms an integral part of the data protection acquis, that DPAs and the EDPB apply Member State law, and that, therefore, the lawfulness of the same data processing activity may vary by Member State.

Finally, Bendik spoke about two ways that lawmakers can assist the DPAs. At the level of the EU this meant having harmonised rules, adopting sector-specific legislation harmonised beyond the GDPR, and at the national level, those involved in preparing national legislation should keep an eye on each other’s activity and on the product of national lawmakers. In addition he reiterated the importance that Tomesen had placed upon developing cooperation tools, including formal (consistency, mutual assistance, joint operations) and informal mechanisms (including workshops, symposia etc). The aim is to identify those tools and techniques that will facilitate the work of DPAs and enable them to apply the law together.

The PHAEDRA II project partners would like to thank all participants at the roundtable for taking the time to discuss these issues with us, and for taking the time to engage with our research activity. Information about future PHAEDRA II roundtables and events can be found on the relevant pages of the PHAEDRA II website.

Further food for thought on the role of DPAs in our European structures: some personal observations

Hielke Hijmans, VUB-LSTS

The PHAEDRA project focuses on the cooperation of DPAs, a highly topical subject, if only because the GDPR will significantly change and intensify the nature of this cooperation. Presently, the cooperation is based on some general notions of cooperation, laid down in Article 28(6) of Directive 95/46. DPAs should help each other, when requested. An earlier blog post on this website quoted the case Weltimmo where the Court (in para 57) mentioned more or less in passing a duty to cooperate. It is not evident how to deduce from this mere statement of the Court the precise extent of the need for cooperation. Is this a legal obligation, binding the DPAs? It is even less evident what such a legal obligation would entail and how this should be reconciled with the position of a DPA within the national jurisdictions, as national authorities ensuring control within national territory.

Under the GDPR, this situation will change, with the applicability of the one stop shop mechanism and the consistency mechanism. These new mechanisms are widely discussed. However, in the debate, there is less attention for the new Article 46 (2) of the GDPR, which stipulates that a “supervisory authority shall contribute to the consistent application of this Regulation throughout the Union.” Article 46 (2) gives the DPAs a European responsibility, exceeding their basic task of ensuring control in the national jurisdiction.

This duty adds a new dimension to the wide variety of duties the DPAs already have and which are not always easy to reconcile. An authoritative source is Bennett & Raab’s ‘Governance of Privacy’, which qualifies DPAs as ombudsmen, auditors, consultants, educators, negotiators, policy advisers and enforcers. In my doctorate thesis, I distinguished DPAs’ roles varying from policy oriented tasks, such as advising on new laws and policies, to quasi-judicial functions, such as deciding on individual complaints (in section 7.4). The position the DPA took in its advisory role should in principle not influence a decision about compliance with the same law, after its adoption. However, one can imagine a potential conflict of roles. Another conflict of roles may arise where a DPA engages intensively with the supervisee and advises on accountability schemes. Afterwards, the DPA might not be in a position to enforce, where the compliance of the schemes with the law is put into question.

The accumulation of roles thus raises questions. However, it is precisely this accumulation that gives the DPAs legitimacy, or, in the words of Bennett & Raab, qualifies them as authoritative champions.

In short, the DPAs should cooperate, they have a national as well as a European responsibility, and have to execute potentially conflicting roles. In this context, it would make sense to base DPA cooperation on a common understanding of what the main role of an individual DPA is.

Let me give three telling examples of issues that could benefit from further thinking, for instance in the context of the Phaedra project.

First, is the essence of the DPA role serving the individual interest or the collective interest? The case law of the EU Court of Justice does not give a clear answer: on the one hand, the Court emphasises the link of the control by a DPA with the individual’s fundamental right to data protection, and qualifies the control even as an essential component of this right. This is logical, also in view of the fact that control by DPAs is included in Article 8 Charter. On the other hand, the Court reiterates the importance of serving the interest of the free flow of information, which is of a collective nature. To make it even more complicated, privacy and data protection are also societal interests. Our democratic societies cannot properly function without a sufficiently high level of privacy and data protection. This dilemma between an individual or a collective emphasis was very well illustrated by a case (Reese and Wullems) involving the Dutch DPA, which made it to the Court of Justice, but which was then withdrawn. Is a DPA entitled to abstain from investigating a complaint which is extremely important for the complainant’s privacy but does not represent any wider societal interest?

Second, to what extent is enforcement the essence of the DPAs’ task? If one considers the DPAs as public authorities put in place to promote a high level of privacy and data protection in our societies, then enforcement of the law is only one of their tasks. This relates to a discussion often heard in the Netherlands, where the DPA – already a few years ago – chose to dedicate its resources to enforcement and, as a result, is no longer available to advise data controllers on how best to implement privacy. Data controllers did not always support this choice. They argued that, since data protection law is of a general nature and therefore imprecise, a DPA should give guidance on how the law should be applied to specific situations. One cannot subject controllers to enforcement measures if the obligations arising from the law are not sufficiently precise. The counter argument is that controllers are responsible and do not depend on DPAs for advice.

Third, the DPAs act in complete independence, but what are the boundaries of this independence? It is clear that under the rule of law their decisions are subject to judicial control, but the DPAs’ accountability towards democratic bodies is less clear. As the Court of Justice already underlined in Commission/Germany: “the absence of any parliamentary influence over those authorities is inconceivable” (para 43). But what does this mean? It definitely does not mean that the performance of a DPA in individual cases is subject to parliamentary scrutiny. But how can one prevent a parliament from considering that performance when it has to decide on (additional) resources, using its budgetary powers? Also, the DPAs themselves will be confronted with limitations to independence where they cooperate with their peers in other Member States. Their duty to cooperate – which will undoubtedly exist under the GDPR – is in potential conflict with the independence in setting priorities. A potential limitation to independence is even more obvious where DPAs will be under an obligation to take utmost account, in their enforcement practice, of opinions of the European Data Protection Board.

In short, I suggest the Phaedra project develops views on a common understanding of the roles of the DPAs.


CPDP panel on the role and powers of DPAs between CJEU & GDPR

David Barnard-Wills, Trilateral Research Ltd.

Members of the PHAEDRA II project had the fortune to attend the Computers, Privacy and Data Protection (CPDP) conference in Brussels in January 2016. Whilst we were mainly there to conduct a PHAEDRA II roundtable event on cooperation between DPAs both within and outside the EU, and to present the findings from the project’s first report, several panels and talks were relevant to the activities of the PHAEDRA II project.

We had the fortune to observe a panel organised by the University of Luxembourg and the National Commission for Data Protection (CNPD). The panel, chaired by Mark Cole from the University of Luxembourg and moderated by Andra Giurgiu of the Interdisciplinary Centre for Security, explored the role and powers of EU data protection authorities (EU DPAs) in the particular context that exists between the Court of Justice of the European Union decisions on the Weltimmo, Google Spain and Schrems cases and the implementation of the General Data Protection Regulation (GDPR), of which a consensus version now exists following the trilogue process.

Franziska Boehm (Karlsruhe Institute of Technology, and a member of PHAEDRA II’s advisory board) gave an overview of the three CJEU cases, and in particular, the elements that applied to the powers of DPAs. Her argument was that these cases expanded the role of the DPAs.

In the Google Spain vs AEPD case, the court recognised that search engines process personal data and qualify as data controllers. This was seen as a wide application of EU law regarding the territorial scope of the directive – Google Spain is an establishment within the meaning of the DP directive. According to the court, if a data processor does not grant a data subject’s request for deletion, then the subject may bring the matter before the DPA, which must handle this like a normal complaint and must check if the refusal is valid. Additionally, Dr Boehm suggested that the judgement gave DPAs the task of developing codes of conduct together with the search engines, and that they would therefore need to find a way of cooperating. This is manifested in the Guidelines from the Article 29 Working Party on how to handle complaints relating to the right to be forgotten.

In the case of Schrems vs Data Protection Commissioner the CJEU declared the Commission decision on the Safe Harbor agreement invalid and decided that DPAs have a role to play in this judgement. The existence of a Commission decision cannot eliminate or even reduce the powers of the DPAs. DPAs must independently examine if a data transfer to a third country aligns with the requirements of the directive. Third, in the Weltimmo judgement the court responded to a request for a preliminary ruling from the Hungarian court on a dispute between a Slovak company and the Hungarian DPA. For Dr Boehm, the role of the DPA was described in a more detailed manner in this judgement. Hungarian law is applicable if there is an establishment in Hungary, but the court gave wide criteria for establishment – having stable arrangements and real and effective activity, a website in Hungarian, and activity (e.g. advertising) directed at that Member State. Sanctions of DPAs apply only within their territory, but they have a duty to cooperate with other DPAs. She concluded that the court really went into detail in adding to the tasks of the DPAs, with a wide understanding of establishment and duties to investigate and enforce (even if they have to cooperate with other DPAs). These cases are remarkable for the DPAs’ tasks. They need to comply with these tasks and they will need the personnel resources to do that.

Bart Van der Sloot (IViR-UvA) spoke primarily about the increasing volume of text in EU regulation on data protection. He stated that early council texts were really concise, but have most of the same rights in them as now. The proposed GDPR is enormous. Van der Sloot questioned if this situation is really desirable and expressed concern about the ability of DPAs to enforce such a long and detailed text. He felt the increase is not in the core principles, but rather in articles on enforcement of the principles (resolutions in the 70s had no clauses on enforcement). He identified two main problems of enforcement: different levels of enforcement in countries, and between different international countries and the EU. He felt that we are seeing an increase in the EU claiming territorial application of its instruments, as part of an explicit power struggle. The Data Protection Directive focused on the controller’s location, whilst under jurisprudence this has been widened to establishment; in the GDPR this becomes an even wider context relating to the collection and processing of personal data of EU citizens regardless of location. On cooperation between DPAs, Van der Sloot spoke about how the 1981 Convention No. 108 had some clauses on cooperation, Directive 95/46/EC ignored it, but in the GDPR the tasks and powers are specified in a detailed manner.

Hielke Hijmans from the European Data Protection Supervisor argued against the concept of the expansion of DPA powers as a power struggle, arguing instead that the EU has a role to play because worldwide companies have to be adequately covered by regulation and that it doesn’t make sense if every Member State makes its own decisions. Hijmans spoke about the key differences that the GDPR will make to the role of the DPA, particularly in relation to the one-stop-shop and the establishment of the European Data Protection Board. In his opinion, enforcement of the GDPR will be the key to its success and in this case the GDPR puts in place a layered system of enforcement. This must lead to one decision in international cases, which will help against forum shopping. Strong enforcement also requires a good judicial redress mechanism and Hijmans feels that the CJEU will play a bigger role in this. He also expected the emphasis of DPA work to change, becoming more European. He welcomed this shift because the internet cannot be regulated at a national level and it is good that the EU takes this subject on board and protects fundamental rights as recognised in the European Charter of Fundamental Rights. In his view, EU DPAs become no longer simply national authorities but organisations somewhere between the EU and national levels, with EU law deciding what they will do – including lots of tasks and duties and cooperation mechanisms. There are issues with this situation – DPAs remain national authorities, covered by national administrative law – so there may be two sets of law they need to comply with. In many EU countries, national administrative law says what organisations can and can’t do, which may be overruled by the Regulation. He argued that there would need to be some further reflection on the role of the DPA, which would impact upon selection and prioritisation of its activity. Is the main role contributing towards a high level of privacy and data protection in European society, or are they an administrative body, are they an advocate or a body for pre-judicial administrative review and individual remedy?

Georges Weiland from the National Commission for Data Protection, Luxembourg, spoke about practical cooperation between DPAs on a day-to-day basis. He spoke about how Luxembourg had received many cooperation requests and information requests, and that in 90% of the requests they were involved in they were the recipient of a request – given the number of international companies headquartered in the country. In this domain he identified an absence of detailed legal provision, but noted that cooperation was still a very practical matter and that even based on experience and best practice 20 years after the Directive there are issues pending. These issues included an increasing number of cross-border complaints and cooperation requests, limited number of staff, difference in expectations, language barriers, confidentiality issues, experience issues, duplication of efforts, administrative burden, and unsuccessful coordination efforts in the past. Citizens making cross-border complaints can sometimes invoke their own laws. Complaints may be forwarded by DPAs whilst at the same time failing to inform citizens of the applicable laws. He noted that they don’t get too many requests from anybody other than their near neighbours, possibly based upon the lack of awareness of cross-border data processing or the possibility of making a complaint. He also pointed out that Luxembourg applied strict criminal sanctions for confidentiality, placing some strong limitations upon the information that can be shared. Other EU DPAs have a longer experience of complaints (Luxembourg is newish) could not share common positions in others (e.g. monitoring of employees). Weiland expressed the opinion that it would have been helpful if these key judgements, detailed by Franziska Boehm, had come earlier in the lifespan of the 95/46/EC Directive.

He spoke about how the Article 29 Working Party cooperation subgroup was set up because of these issues, but that it now intends to work on implementation of cooperation with regard to the GDPR. This preparation includes organising workshops on specific topics, and looking into the creation of an electronic platform to share information. For Weiland, the GDPR resolves several issues. Under the Directive a company in several EU countries has to deal with several DPAs, creating uncertainty. For example, in the Google Street View case, DPAs faced the same technical issues but had very different responses. The PHAEDRA project examined the Google Street View case as one of eleven case studies of cooperation between DPAs. With the GDPR, cooperation is a requirement. It establishes a new system of supervision for controllers and processors. One DPA, determined by main establishment, is responsible for legally binding decisions (one-stop-shop), and cooperation is required in practical terms. Weiland expects cooperation will increase, become routine and part of the daily work of DPAs. Further, increased cooperation will smooth interaction and create a culture over time. Data subjects and business will have increased expectations. For Weiland, the GDPR will also increase harmonisation and equivalent powers and roles, producing a single regime of data protection rather than 28 different sets of practices. He did still have some concerns. A spirit and attitude of cooperation might take some time to develop properly. Differences are not swept away and additional work is inevitable. He envisaged that the number of complaints is likely to increase, that the obligation to cooperate will also provide additional weight to requests for cooperation, that common approaches to complaint handling will need to be developed, and that joint operations will require the reassignment of staff and de-prioritise other activities. What counts as “necessary information” to be shared between DPAs still needs to be agreed and some DPAs will still be bound to professional secrecy (particularly in audit and inspection functions). Whilst non-compliance with mutual assistance and joint operations can be reported to the EDPB there is still uncertainty about how this will work in practice. There might be misuse of this mechanism. Weiland concluded by stating that it will be important in practice to achieve a balance between the autonomy of the board and the independence of the DPAs.

PHAEDRA II would like to congratulate the organisers on a content-rich and informative panel that touched on several issues of key importance. In particular, the practical issues raised by Georges Weiland, as well as the structural/political questions of “Europeanised” DPAs raised by Hielke Hijmans are worthy of further policy attention by EU DPAs and the Article 29 Working Party, and will inform our work and our resulting recommendations.

The challenge of enforcement in the proposal for a General Data Protection Regulation

Ricard Martínez, President of the Spanish Privacy Professional Association (APEP)

The coming into effect of the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data will be a Copernican revolution for many data protection authorities. In many cases the actions of DPAs are focused on developing strategies for awareness and promotion of the fundamental right to data protection, the promotion of compliance through incentives to sectors and/or the publication of Guidelines. Although it is true that in many Member States, such as France or Great Britain the powers of enforcement have been growing significantly, it is probably in Spain where such powers have reached their maximum in the whole of the European Union.

From this point of view, a reading of the future Regulation from the Spanish experience might prove rewarding. The best-known feature of Spanish Data Protection Law (Organic Law 15/1999, 13 December) is the provision of fines of up to €600.000. This sanction regime is accompanied by powers of inspection and investigation, since the DPA officials are considered a public authority in the execution of their powers.

The Spanish reality thus offers a measure of what a high level of enforcement can lead to. The figures offered by the Annual reports of the Spanish Agency of Data Protection illustrate the practical results of the deployment of its powers. Since the power of “enforcing fines” affects the private sector, we will examine some comparative figures provided by the Annual report 2014 in this area.

First, a significant and repeated phenomenon is the persistence of very specific sectors in the top places among the entities sanctioned, both by number of procedures and the monetary value of the fines imposed.

The total amount of penalties imposed in the last decade has fluctuated between 15 and 20 million euros, with different oscillations.

A very basic reading of this brief overview highlights some interesting phenomena. First of all, the fine does not necessarily act as a crucial deterrent. The Top-Five sectors are always the same. This is probably caused by the volume of processing operations and, therefore, by the statistical risk of making a mistake or the ability to absorb the volume of infringements in the annual budget.

Whatever the cause of this constant, what we also learned in Spain is how a disciplinary system that is rigid in setting the amounts of the fines, and which does not take into account the economic situation of the offender or the profit made, generates asymmetries. Therefore, to limit the perverse effect on small and medium-sized enterprises the legislator had to refine the criteria for modulation of sanctions and provide a symbolic punishment of “warning” in the case of the first violation.

But just as significant as the result of the DPA’s action has been the volume of complaints and procedures handled.