Tag Archives: Data Protection Reform

Datatilsynet

Data Protection Package is now finally adopted

“In January 2012, the European Commission presented a proposal for a data protection package. The package was formally adopted on 14 April 2016. The package will take effect two years after entry into force, which will be mid-May 2018.

The package consists of a general regulation on the protection of personal data, which will apply horizontally in both the private and public sector (Data Protection Regulation), and a directive on the protection of personal data, which will apply to law enforcement (Data Protection Directive). The regulation will replace the Data Protection Directive of 1995, while the Directive will replace a framework decision from 2008.”

 

Weltimmo, Schrems and the reinforcement of cooperation between European data protection authorities

Maciej Kawecki, Bureau of the Inspector General for Personal Data Protection, Poland
Dariusz Kloza, Vrije Universiteit Brussel, Belgium

Cranes in St. Helier, Søren Øxenhave via Flickr (CC BY-ND 2.0)

While the work on the General Data Protection Regulation slowly comes to an end, recently causing both self-reflection and heated worldwide debates on its prospects, there is no doubt that two particular judgments of the Court of Justice of the European Union from October 2015 gained no less attention. We have in mind, of course, the judgments in the widely debated Schrems case and the not-yet-so-popular Weltimmo case, whose influence on the regulation of personal data protection in Europe and beyond is unprecedented. This influence is at least twofold.

First, both judgments have abruptly changed the landscape of cross-border data protection relationships. In Schrems, the Court annulled the Commission’s Decision of 26 July 2000 on the adequacy of the protection provided by the safe harbour privacy principles. This has forced the majority of American data controllers, who had self-certified to the US Department of Commerce their adherence to these principles, to search for another basis for transfers of personal data, such as binding corporate rules, model contractual clauses or simply the individual’s consent. In Weltimmo, the Court – ‘in construing the coordinates of human rights protection in the digital age’ (as Zanfir puts it) – has further extended the range of competences of national supervisory authorities. They are now authorised, so to speak, to exercise supervisory powers even over those data controllers and processors who do not fall within their territorial jurisdiction due to the lack of a ‘registered office or branch’ therein, but exercise ‘through stable arrangements in the territory of that Member State, a real and effective activity’ (§41).

Second, although this is not an obvious conclusion from reading the respective texts of these judgments, the two cases have reinforced cooperation between European data protection authorities. This development is of particular interest to the PHAEDRA project consortium.

I.

In Weltimmo, the Court made one of its few such strong interpretations of Article 28(6) of Directive 95/46 (i.e. ‘supervisory authorities shall cooperate…’). The judges in Luxembourg argued that cooperation is ‘necessary in order to ensure the free flow of personal data in the European Union, whilst ensuring compliance with the rules aimed at protection of personal data of natural persons’ (§53) and even spoke about ‘the duty of cooperation laid down in Article 28(6)’ (§57; emphasis ours). But what caught our attention is that the Court not only made a distinction between investigative and adjudicative/enforcement jurisdictions (see the writings of Svantesson on this matter), but also reaffirmed that enforcement cooperation is an obligation. A supervisory authority ‘may exercise its investigative powers irrespective of the applicable law and before even knowing which national law is applicable to the processing in question’ (§57). However, in case ‘the law of another Member State is applicable, [the authority] […] must […] request the supervisory authority of that other Member State to establish an infringement of that law and to impose penalties if that law permits’ (§57; emphasis ours).

A reader would easily note that the term ‘must’ was used in the context of the ‘duty of cooperation’. Fulfilling this duty, under the still-old regime of Directive 95/46, is rather problematic. The list of troubles is long, but one of the most pertinent is the absence of explicit and detailed legal provisions on cooperation at the European Union level or at a domestic one. Can supervisory authorities rely solely on Article 28(6)? This question should rather be rephrased as whether this provision has a vertical direct effect. Were it found unconditional, sufficiently clear and precise, its direct applicability could mean, inter alia, that an authority from one Member State must request its counterpart from another Member State to cooperate on a cross-border case and the latter must not refuse. (The Weltimmo decision tends to confirm this. The judgment concludes with a sentence that a supervisory authority ‘should […] request the supervisory authority within the Member State whose law is applicable to act’.) Or, speaking more boldly, a data subject might demand that her supervisory authority cooperate with its counterpart, and neither of them might refuse either.

II.

Few readers would disagree that the Schrems judgment does not concern any aspect of cooperation between supervisory authorities. Yet its ramifications constitute another impeccable example of the need for supervisory authorities to cooperate on a “general” or “abstract” level. (While in Weltimmo we analysed enforcement cooperation, this does not exhaust the range of cooperation activities supervisory authorities may engage in.) After each important data protection judgment arriving from Luxembourg – be it Digital Rights Ireland, Costeja or Schrems – the necessity to develop a common position, both within the forum of the Article 29 Working Party and by each and every supervisory authority, forced them to act. Concerning the latest ruling, in its statement of 16 October 2015 the Working Party directly indicated ‘it is absolutely essential to have a robust, collective, and common position on the implementation of the judgment’ (emphasis ours). A reader would easily note a plea for more unity.

III.

The Weltimmo and Schrems judgments are yet another set of decisions that have unprecedented consequences for the data protection landscape in Europe and beyond. The former case underlined both the significance of enforcement cooperation and the duty to cooperate between supervisory authorities. The consequences of the latter case once again forced these authorities to speak with one voice. In our opinion, both judgments reinforced cooperation mechanisms and pleaded for their efficiency. Using the narrative of human rights, such efficiency is a means of practical and effective protection of personal data. What is now left on the agenda is to ensure the efficiency of cooperation between supervisory authorities under the future regime of the General Data Protection Regulation. Weltimmo and Schrems remain instructive here.

Conference of the German Data Protection Commissioners of the Federal Government and the Federal States

Key data protection points for the trialogue on the General Data Protection Regulation

On 14 August 2015 the Conference of the German Data Protection Commissioners of the Federal Government and the Federal States issued a position paper (as well as a press release) inviting the European Commission, the Parliament and the Council to address specific issues in the trialogue negotiations on the General Data Protection Regulation. The position paper, whose main points are illustrated here, is essentially a critical analysis of aspects that, according to the Conference, have been disregarded or overlooked in the Regulation.

European Data Protection Supervisor (EDPS)

Opinion 3/2015 – Europe’s big opportunity. EDPS recommendations on the EU’s options for data protection reform

Further to the European Commission’s proposal on the EU data protection reform (January 2012), the resolution of the European Parliament (12 March 2014) and the vote of the Council of the EU on the General Data Protection Regulation (GDPR) (15 June 2015), these three EU institutions entered the so-called “trialogue” on 24 June 2015. The EDPS opinion 3/2015 provides recommendations on the EU data protection reform, in particular on the GDPR, and suggests amendments to the proposed text. Moreover, apart from illustrating the position of the EDPS on the proposed GDPR and its provisions, opinion 3/2015 presents possible solutions towards the best possible compromise on the reform, and thus towards the best possible text of the GDPR.

Commission de la protection de la vie privée

Opinion 23/2015 on the coming trialogue regarding the European Commission’s proposal for a regulation

The Privacy Commission released opinion 23/2015 on 17 July 2015 to express its position and views with regard to the General Data Protection Regulation (GDPR) currently under discussion in the trialogue. This opinion follows two other critical opinions issued by the Privacy Commission on the texts of the GDPR elaborated by the Commission and by the European Parliament, respectively. Opinion 23/2015 can rightly be considered the most comprehensive but targeted opinion of the Privacy Commission on the GDPR, in which some of the most important aspects of the reform are analysed and commented upon. This brief assessment of opinion 23/2015 focuses on specific aspects of the reform highlighted by the Privacy Commission that are relevant to the PHAEDRA II project.