Maciej Kawecki, Bureau of the Inspector General for Personal Data Protection, Poland
Dariusz Kloza, Vrije Universiteit Brussel, Belgium
While the work on the General Data Protection Regulation slowly comes to an end, recently causing both self-reflection and worldwide heated debates on its prospects, there is no doubt two particular judgments of the Court of Justice of the European Union from October 2015 gained no less attention. Obviously we have in mind judgements in widely-debated Schrems and in yet-not-so-popular Weltimmo cases, whose influence on the regulation of personal data protection in Europe and beyond is unprecedented. This influence is at least twofold.
First, both judgments have abruptly changed the landscape of cross-border data protection relationships. In Schrems, the Court annulled Commission’s Decision of 26 July 2000 on the adequacy of the protection provided by the safe harbour privacy principles. This has forced the majority of American data controllers, who had self-certified to the US Department of Commerce their adherence to these principles, to search for another premise for transfers of personal data, such as binding corporate rules, model contractual clauses or simply individual’s consent. In Weltimmo, the Court – ‘in construing the coordinates of human rights protection in the digital age’ (as Zanfir puts it) – has further extended the range of competences of national supervisory authorities. They are now authorised, so to speak, to exercise supervisory powers over even those data controllers and processors who do not fall into their territorial jurisdiction due to lack of a ‘registered office or branch’ therein, but exercise ‘through stable arrangements in the territory of that Member State, a real and effective activity’ (§41).
Second, although this will not be any obvious conclusion from reading the respective texts of these judgments, these two cases have reinforced cooperation between European data protection authorities. This development particularly interests the PHAEDRA project consortium.
In Weltimmo, the Court made one of not-so-many such strong interpretations of Article 28(6) of Directive 95/46 (i.e. ‘supervisory authorities shall cooperate…’). The judges in Luxembourg argued that cooperation is ‘necessary in order to ensure the free flow of personal data in the European Union, whilst ensuring compliance with the rules aimed at protection of personal data of natural persons’ (§53) and even spoke about ‘the duty of cooperation laid down in Article 28(6)’ (§57; emphasis ours). But what struck our attention is that the Court not only made a distinction between investigative and adjudicative/enforcement jurisdictions (see the writings of Svantesson on this matter), but also reaffirmed that enforcement cooperation is an obligation. A supervisory authority ‘may exercise its investigative powers irrespective of the applicable law and before even knowing which national law is applicable to the processing in question’ (§57). However, in case ‘the law of another Member State is applicable, [the authority] […] must […] request the supervisory authority of that other Member State to establish an infringement of that law and to impose penalties if that law permits’ (§57; emphasis ours).
A reader would easily note the term ‘must’ was used in the context of the ‘duty of cooperation’. The fulfilment thereof, in the still-old regime of Directive 95/46, is rather problematic. The list of troubles is long, but one of the most pertinent is the absence of explicit and detailed legal provisions on cooperation at the European Union level or at a domestic one. Can supervisory authorities rely solely on Article 28(6)? This question should rather be rephrased as whether this provision had a vertical direct effect. Were it found unconditional, sufficiently clear and precise, its direct applicability could mean, inter alia, that an authority from one Member State must request its counterpart from another Member State to cooperate on a cross-border case and the latter must not refuse. (The Weltimmo decision tends to confirm so. The judgement concludes with a sentence that a supervisory authority ‘should […] request the supervisory authority within the Member State whose law is applicable to act’.) Or, speaking more bravely, a data subject might demand her supervisory authority to cooperate with the counterpart of the latter and none of them might refuse either.
Few readers would disagree that the Schrems judgment does not concern any aspect of cooperation between supervisory authorities. Yet, its ramifications simply constitute another impeccable example of the need to cooperate between supervisory authorities on a “general” or “abstract” level. (While in Weltimmo we analysed enforcement cooperation, this does not exhaust the range of cooperation activities supervisory authorities may engage in.) After each important data protection judgement arriving from Luxembourg – be it Digital Rights Ireland, Costeja or Schrems – the necessity to develop a common position both on the forum of the Article 29 Working Party and by all and every supervisory authority forced them to act. Concerning the latest ruling, in its statement of 16 October 2015 the Working Party directly indicated ‘it is absolutely essential to have a robust, collective, and common position on the implementation of the judgment’ (emphasis ours). A reader would easily note a plea for more unity.
Weltimmo and Schrems judgements are yet another set of decisions that have unprecedented consequences for the data protection landscape in Europe and beyond. The former case underlined both the significance of enforcement cooperation and the duty to cooperate between supervisory authorities. The consequences of the latter case once again forced these authorities to speak with one voice. In our opinion, both judgements reinforced cooperation mechanisms and pleaded towards their efficiency. Using the narrative of human rights, such efficiency is a means of practical and effective protection of personal data. What is now left on the agenda is to ensure efficiency of cooperation between supervisory authorities under the future regime of General Data Protection Regulation. Weltimmo and Schrems remain instructive here.