Andrés Cuella Brenchat, consultant for the Data Protection and Fundamental Rights Group (PRODADEF), University Jaume I (Spain)
The PHAEDRA II project has been devoted to improving practical cooperation and coordination between Data Protection Agencies (DPAs), Privacy Commissioners (PCs) and Privacy Enforcement Authorities (PEAs) in the European Union (EU), especially with regard to the enforcement of privacy and data protection laws. In order to follow up and assess cooperation among EU DPAs, PHAEDRA II created a commented repository of leading decisions in individual cases with cross-border implications among national DPAs in the EU. From the beginning, a shortage of “pure” cases of cooperation was noted. This is not surprising, as under the current Data Protection Directive 95/46/EC the obligation to cooperate in Article 28 is rather imprecise. From May 2018, the 28 European Union (EU) Member States will have to abide by the recent reform of the basic EU data protection legal framework. The new General Data Protection Regulation (GDPR) 2016/679 introduces major changes in how data protection law is applied and enforced among the EU Member States. It also introduces major changes in the character and scope of cooperation between EU DPAs. Cooperation will not merely be a possibility, but an obligation under EU law. Intensified cooperation among authorities at the European level will be necessary to adequately address cross-border issues.
The repository has shown that cooperation among EU DPAs has actually taken place during the last two years. It has identified cases of cooperation that have taken very different forms and degrees.
The most relevant one, under the current regime, might be the joint investigation teams created by different DPAs. For instance, in 2015 Facebook faced numerous privacy-related investigations in Europe in order to verify if the company was complying with EU and national law. DPAs from France, Spain, the Netherlands, Belgium and Germany (Hamburg’s DPA) joined efforts and created a Working Group to tackle potential breaches or shortcomings in Facebook’s policies. The Article 29 Data Protection Working Party (WP29) also participated in the investigation exercise. We consider this initiative to be one of the most important forms of cooperation and collaboration among EU DPAs.
International platforms have also acquired a major role in the cooperation among DPAs. The PHAEDRA II repository has focused on the activity of two key networks. The first is the International Cybersecurity Enforcement Network (or the so-called LAP-London Action Plan), which seeks to promote international spam enforcement cooperation and address spam-related issues (such as online fraud and deception, phishing or dissemination of viruses). Both private sector representatives and government and public agencies are represented. DPAs from Ireland, Spain and the UK are part of this network. Moreover, other EU Member States – Belgium, Finland, Hungary, Latvia, the Netherlands, Portugal and Sweden – are represented through other governmental bodies, mainly consumer agencies. The latest form of cooperation occurred in June 2016, when 11 enforcement authorities across the globe, including those from the UK and the Netherlands, signed a Memorandum of Understanding (MoU) to provide a framework for information and intelligence sharing and to reinforce cross-border cooperation to address unwanted messages and calls. This MoU strengthens the international fight against a global problem.
The second network is more globally represented: the Global Privacy Enforcement Network (GPEN), which aims at facilitating cross-border cooperation in the enforcement of privacy laws. The Network enables privacy regulators worldwide to work and cooperate as they address risks to the personal information of their citizens. 17 out of the 28 EU DPAs are members of the GPEN. An example of recent cooperation where the GPEN had the coordinating role is the “Privacy Sweep”, an international evaluation dedicated to verifying respect for privacy in the Internet of Things. DPAs from France, Ireland, Italy and Belgium, among others, participated in this Sweep, which took place on 11-15 April 2016. This exercise is a continuation of the good collaboration between DPAs (in May 2014, 26 DPAs conducted an “Internet Sweep Day” that analysed information related to mobile applications; in September 2015, another “Sweep Day” focused on online services for children). Another example is the MoU signed in October 2015 between the Dutch DPA and seven other privacy regulators for exchange of information in the GPEN Alert System or the “Sweeps”. In general terms, DPAs participate, to a greater or lesser extent, in different conferences and seminars organized worldwide where they have the opportunity to share good practices or new policies, present new projects or formalize bilateral agreements.
The soon-to-be-replaced WP29 is also an important actor for cooperation. Indeed, it meets multiple times a year in Brussels, and its latest position on a specific matter was adopted in June through the “Opinion 03/2016 on the evaluation and review of the ePrivacy Directive (2002/58/EC)”. The Working Party will be replaced by the European Data Protection Board (EDPB), which will become an EU body with legal personality. It will be composed of national data protection authorities and the European Data Protection Supervisor (EDPS).
This non-exhaustive description of forms of cooperation allows us to conclude that EU DPAs share common activities and goals and do engage in mutual cooperation. However, there are areas where cooperation could be increased to better achieve their mutual goals. For instance, guidelines are one of the favored instruments of DPAs. Position papers or guidelines on different aspects of the General Data Protection Regulation (GDPR) have been released by, among others, the UK, Spain, Germany or Belgium. The WP29 has also released an Action plan concerning the implementation of the new Regulation. Other topics have attracted the attention of many DPAs, which have published their own guidelines, for instance, on the implications of the Schrems Judgement, the implications of the right to be forgotten (France, Spain, Denmark, WP29) or the data protection issues relating to the use of drones (Sweden, WP29, Ireland). Moreover, the same issue may be tackled through different channels. For instance, video surveillance has raised questions in Spain (the Supreme Court has ruled and clarified data protection issues), France (guidelines have been issued) and Italy (the Italian DPA notes in its Annual Report that it handled more than 30.000 queries concerning, among others, video surveillance). Finally, the European Data Protection Day, held every year on 28 January, is an event seeking to raise awareness and promote privacy and data protection. In 2016, 22 out of the 28 EU DPAs participated in the event. Nevertheless, the activities were not especially coordinated and were addressed to domestic audiences. PHAEDRA’s study on best practices of cooperation found that the benefits of coordination in this area are, however, limited by the need for DPAs to communicate with the media and the public in the relevant Member State languages and to be responsive to local contexts, media usage and channels, and public attitudes.
Apart from the novel joint investigation teams, the rest of the cooperation activities were organized in the framework of existing platforms and bodies. The joint investigation teams therefore constitute the most telling example of spontaneous cooperation among DPAs. Moreover, it can be inferred from the above that DPAs collaborate mainly on three issues: investigation of common threats (Facebook, Sweeps), tackling very specific issues (MoU) and participation in common approaches (WP29).
Even if the new GDPR changes how data protection law is applied and enforced among the EU Member States, uncertainties persist as to how this new legal framework will be applied in practice and how it will impact the day-to-day activities of EU DPAs. The recent GDPR makes cooperation among DPAs mandatory but does not provide comprehensive rules on the modalities and procedures involved. As the recently published PHAEDRA study shows, there is a need for supplementary operational and legal guidance. Be that as it may, many questions arise: are there other circumstances hampering a more enhanced cooperation (different national legislation, political willingness…)? Are DPAs in a position to reinforce their cooperation? Will the entry into force of the GDPR boost cooperation? The extent and purpose of this blog entry do not allow all of these issues to be covered, but two main remarks may be added. Firstly, with the entry into force of the GDPR in less than two years, cooperation will be granted the importance it deserves. Indeed, Chapter VII of the GDPR boosts many aspects of cooperation (most notably, the consistency or the one-stop-shop mechanisms) that are missing in the Data Protection Directive. Secondly, cooperation is not confined to a single chapter or provision acting independently of the rest of the Regulation. Quite the contrary, cooperation is predicated throughout the rest of the text, present in the tasks and duties carried out by each EU DPA. Consequently, a multiplication of “pure” cooperation cases in the very near future should not be surprising. To follow up, just check PHAEDRA’s repository!
Image credit: A New Resource For Educators, Practitioners & Researchers (via CaseRe3: Case Report Research Repository)