The PHAEDRA project

PHAEDRA II (2015-2017)

There is a range of co-operation and co-ordination mechanisms in Europe, ranging from bilateral agreements between DPAs to regional organisations, and sub-European groupings around particular organisational structures (such as the supervisory groups of Schengen and VIS). The core grouping of all European Member State DPAs is the Article 29 Data Protection Working Party, created under Directive 95/46/EC, which has so far been an important element of European co-operation and co-ordination, It has utilised a range of co-operative strategies, soft law and learning from experience.

This European network of overlapping mechanisms for co-operation provides a range of options for collaboration and the building of consensus at different levels and to different purposes. Regular interaction may be supportive of developing habits of communication, co-operation and co-ordination. However, this does not seem to translate into concrete and practical solutions that could be easily implemented by technical staff of DPAs in their everyday work, like common strategies, procedures, and similar activities.

Moreover, the envisaged reform of the data protection regulation will introduce a major change in data protection law enforcement in EU Member States: It will create a unified legal framework. Under the proposed Regulation only one EU data protection law is to be applied across all Member States. It will also introduce major changes in the character and scope of co-operation between EU data protection authorities. Co-operation will become not merely a possibility, but an obligation under the new EU law. The practical implications of such profound change have not yet been thoroughly examined.

The PHAEDRA II project will:

  • identify existing instruments and forms of co-operation and co-ordination (“best practices”) between the EU DPAs under the EU legal framework in force at the time of the project;
  • identify and analyse obstacles (legal and non-legal) and areas of opportunity (improvement),
  • analyse strategies (solutions) to enhance co-operation in other fields (Schengen co-operation, consumer protection, competition law) from which it might be possible to draw lessons for improving practical co-operation between European DPAs;
  • develop a set of recommendations for improving practical co-operation between European DPAs;
  • provide a set of practical measures to facilitate EU DPA co-operation which can be sustainable by DPAs (depository of decisions, common procedures for complaint-handling, common platform, etc).

PHAEDRA II began on 15 January 2015, will finish on 14 January 2017 and will produce several deliverables.

WS1 will interact with European DPAs in order to gather their views on how best to improve practical co-operation: interviewing European DPAs, European Commission and EDPS on challenges they face and needs they have in the scope of the project; organizing two workshops and three additional round-tables; participating in third-party workshops, conferences and other activities; maintaining and expanding the project’s website; and creating a blog to report findings ant to present other relevant news.

WS2 will identify examples of best practices and the lessons that can be learned and/or adopted by DPAs to improve practical co-operation: Schengen information system, European competition network and European consumer law; sharing information; strategic planning and management; communicating with the media and the public; assessing privacy risks; and efficient common enforcement strategy

WS3 will examine implications of practical co-operation for the legal framework focusing on achieving and enhancing consistency under EU legal framework, ‘one-stop-shop’ principle, consultation mechanisms and distribution of powers, mutual assistance and co-ordination and co-operation re enforcement measures and  sharing information.

WS4 will recommend measures for improving practical co-operation between DPAs regarding the consistency mechanism and will create and develop a depository of DPA decisions and a common approach for complaint-handling

In addition, there is WS0 devoted to project management.


OBJECTIVES

The PHAEDRA II project is focused on practical aspects of European DPA co-operation: Practical challenges to co-operation between DPAs which might result from both non-legal (technical, cultural, economic or other) and legal barriers to co-operation. Primarily, this project will focus on the non-legal issues (technical, practical) which impact co-operation (trust building, best practices, practices for case handling, including information exchange).

Legal obstacles (e.g., obstacles to the exchange of confidential information between DPAs and gathering evidence) can hamper practical co-operation between DPAs. The legal framework may also determine implementing procedures and steps. Hence, this project will also aim to identify the relevant legal challenges, and propose solutions to overcome them: identifying the challenges to effective cooperation between European DPAs; analysing the existing practices of co-operation; and identifying best practices and other solution to co-operation.

The project will focus on three main areas identified as key areas:

  • achieving consistency;
  • exchange of information;
  • co-ordination and co-operation regarding enforcement actions;

FACTSHEET

Name: PHAEDRA II (“Improving Practical and Helpful cooperAtion betweEn Data Protection Authorities II”)
Funding scheme: European Union’s Fundamental Rights and Citizenship Programme
Grant agreement: JUST/2013/FRAC/AG/6068
Duration: 15 January 2015 – 14 January 2017 (24 months)
Total budget: €396.934,32
Total EU funding: €317.547,47


BACKGROUND: PHAEDRA I (2013-2015)

A principal challenge confronting data protection authorities is enforcement of privacy and data protection legislation. DPAs are constrained by a shortage of resources to investigate and prosecute those who violate the legislation. Often, these resource-constrained DPAs may investigate the same privacy issue, in effect, a duplication of effort. For example, several DPAs investigated the hacking of Sony Playstation, Google Street View’s recording of WiFi addresses and Facebook’s collection of personal data and selling it to third-party apps developers and advertisers.

Given the constraints of most DPAs, it seems an inefficient use of resource to have several DPAs investigating the same issue. DPAs themselves have recognised the need to improve practical co-operation.

The OECD adopted a Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy in 2007. The OECD said member countries should foster the establishment of an informal network of Privacy Enforcement Authorities and other stakeholders to discuss the practical aspects of privacy law enforcement co-operation, share best practices and support joint enforcement initiatives and awareness raising campaigns. Such a network has been established. This is the Global Privacy Enforcement Network (GPEN). As another follow-up to the OECD Recommendation, the 29th International Conference of Data Protection and Privacy Commissioners (ICDPPC) adopted a “Resolution on International Co-operation” at its meeting in Montreal in 2007. The 33rd ICDPPC, held in Mexico City in 2011, adopted an even more detailed Resolution, encouraging more effective co-ordination of cross-border investigation and enforcement. The European Commission’s proposal for a new Data Protection Regulation explicitly mentions the OECD Recommendation of 2007.  The Art 29 WP also has on its agenda enhancing enforcement and promoting international co-operation between privacy authorities.The PHAEDRA consortium fashioned its first proposal to the European Commission to respond to the needs for improved co-operation identified in the documents mentioned above and in its exchanges with several DPAs. PHAEDRA stands for “Improving Practical and Helpful cooperAtion betweEn Data PRotection Authorities”. The consortium’s key objective was to add value, complement and support the initiatives of DPAs, especially in the context of the GPEN group.

PHAEDRA I was a two-year project which began on 15 January, 2013 and finished on 14 January 2015. It produced several deliverables.

WS1, the output of Work Stream 1, set the scene: It reviewed and summarised efforts to improve practical co-operation by DPAs as well as international organisations. It included case studies of where two or more DPAs had investigated the same privacy issue and analysed whether co-operation would had helped. It identified and evaluated existing mechanisms for co-operation between DPAs. It specified and characterised different forms of co-operation and co-ordination between DPAs.

WS2 reviewed the legislation establishing DPAs to identify whether there were provisions that acted as barriers or that inhibited international co-operation and co-ordination and what measures could be taken to reduce such barriers.

In WS3, the PHAEDRA consortium  contacted DPAs to determine how our project could reinforce their efforts. We held four workshops for DPAs.. We co-ordinated our workshops with the International Conference of Data Protection and Privacy Commissioners.

In WS4, the consortium prepared its findings and recommendations for improving co-operation and co-ordination.

In addition, there were two other WSs, one devoted to project management and the other, to dissemination activities.


OBJECTIVES

The principal objective of the PHAEDRA project was to help improve practical co-operation and co-ordination between DPAs, privacy commissioners and privacy enforcement authorities, especially in regard to the enforcement of privacy laws. The consortium recognised that many DPAs face constraints, by way of human and/or budgetary shortages, institutional and legislative rules and other factors. Thus, the project has several sub-objectives:

  • To build upon recent efforts to improve co-operation and co-ordination in the enforcement of privacy laws;
  • To identify other areas beyond enforcement where co-operation could offer practical benefits to all concerned;
  • To identify and characterise the stakeholder constituency — e.g., not only data protection authorities and privacy commissioners but also privacy enforcement authorities;
  • To convene workshops in association with the GPEN and ICDPPC and/or other relevant meetings to discuss how the project can support their initiatives and to share our findings with them;
  • To review the legislation that empowers DPAs to identify possible legislative measures inhibiting co-operation and to identify “work-around” solutions;
  • To investigate two key issues of concern to DPAs as “real life” case studies in how co-operation and co-ordination works or could work;
  • To prepare a final report of our findings and recommendations.

FACTSHEET

Name: PHAEDRA (“Improving Practical and Helpful cooperAtion betweEn Data PRotection Authorities”)
Funding scheme: European Union’s Fundamental Rights and Citizenship Programme
Grant agreement: JUST/2012/FRAC/AG/2781
Duration: 15 January 2013 – 14 January 2015 (24 months)
Total budget: €647.029,00
Total EU funding: €516.168,00 (79,78%)