13 Effectiveness and Conditions for Good Legislation: Engaging the Private Sector




6  Understanding the Scope and Limits of the EU Legislator’s Contribution…



6.13.1  Introductory Remarks on Engaging with the Private Sector

Another perspective for analysing the EU legislator’s competence under Article

16(2) TFEU is the choice of legislative arrangements, which is crucial in the complex environment of privacy and data protection on the internet. The instruments

chosen should give the right incentives to data controllers to effectively ensure protection on the internet. In the words of Bamberger & Mulligan, it is not privacy in

the books that counts, but privacy on the ground.257 This is in line with an earlier

orientation of the Commission in relation to EU legislation in general, to focus on

the impact of this legislation on the ground by “paying constant attention to improving the quality, effectiveness and simplicity of regulatory acts”.258

The Better Regulation Guidelines (2015) the Commission uses when preparing

legislation indicate that attention be given to the internet. These guidelines recommend anticipating “technological or societal developments such as the pervasiveness of internet” and emphasise that new initiatives should operate effectively

offline as well as online.259 More generally, the legislator needs alternative

approaches to traditional command-and-control legislation in order to effectively

intervene in global and technologically complex environments. This is widely recognised. Rubinstein refers to modern legislative theory260 declaring that traditional

forms of state regulation are inadequate for the following reasons: they are costly, inefficient and intrusive, disregard the unique interests of individual businesses in favour of

a ‘one-size-fits-all’ approach, fail to harness industry expertise, and stifle

innovation.

Various efforts have taken place in the EU context under the umbrella of ‘Smart

Regulation’.261 Craig and de Búrca describe these developments as a shift away

from hierarchical governance.262 Shapiro mentions the downplay of command-and-control

regulation in favour of negotiated, consensual regulation with the market

having a role in the process.263



257



 Kenneth A. Bamberger, Deirdre K. Mulligan, Privacy on the Books and on the Ground, 2011,

Stanford Law Review, Vol. 63, January 2011.

258

 Communication from the Commission of 25 July 2001 “European governance – A white paper”,

COM(2001) 428 final, OJ C 287, at 3.2.

259

 Commission Staff Working Document, Better Regulation Guidelines, SWD (2015) 111 final, at

23.

260

 Shortcomings of traditional State legislation recognised by modern regulatory theory are listed

by: Ira Rubinstein, Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes, NYU

School of Law, Public Law Research Paper No. 10–16, at 367. See also: Robert Baldwin, Martin

Cave, Martin Lodge, Understanding Regulation, Theory, Strategy, and Practice, Second Edition

2012, Oxford University Press.

261

 The European Commission uses this term mostly in its policies to reduce red tape, under the

umbrella of ‘regulatory fitness’; see: http://ec.europa.eu/smart-regulation/index_en.htm

262

 Paul Craig and Grainne de Búrca, EU Law, Text, Cases and Material (Fifth Edition), Oxford

University Press, 2011, at 159 (and the sources mentioned there).

This development of shifting away from hierarchical governance is driven by the

requirement of effectiveness as a condition for good legislation. However, legislation must also be based on democratic legitimacy and accountability, as was

explained in Chap. 4. Democratic legitimacy is a requirement for all government

intervention, but is crucial in the area of fundamental rights where essential values

are at stake.

Most importantly, in the area of fundamental rights the primary responsibility

remains with the government, which means, in the present context, that the EU

legislator acts on the basis of Article 16(2) TFEU, with full democratic accountability. This does not preclude multi-stakeholder solutions from playing a role in this

area, provided that this does not diffuse responsibility among a possibly wide range

of actors.264

Equally, judicial accountability must be ensured. Individuals should be given the

necessary tools to act and defend their rights. Where the private sector is involved in

core government tasks, such as law enforcement, the requirements for judicial

accountability are even higher. Good enforcement is needed, under the rule of law

judicial and other remedies must be easily accessible and complete, and the mechanism of protection must be transparent for individuals.



6.13.2  Multi-stakeholder Solutions or Multi-level Governance

Multi-stakeholder solutions265 is a concept that plays a key role in the governance of

privacy and data protection in the United States. Governments cooperate closely

with private sector and citizens’ representatives, with the aim of developing self-regulatory

or co-regulatory mechanisms. In the European Union the term used is

multi-level governance.266

Multi-level governance means that government involves various actors in the

public and private sector. This involvement is expected to lead to greater responsibility of these actors.267 Multi-level governance engaging the private sector is



263



 M. Shapiro in: Paul Craig and Grainne de Búrca (eds), The evolution of EU Law (Second

Edition) Oxford University Press, 2011, at 113.

264

 Vandenbruwaene in: Special Issue on the Constitutional Adulthood of Multi-Level Governance

of the Maastricht Journal of European and Comparative Law, 2014, Vol. 21/2, at 231.

265

 The central term in policy discussions in the United States; see: White House paper, Consumer

data privacy in a networked world, a framework for protecting privacy and promoting innovation

in the global digital economy, February 2012.

266

 As illustrated by the Special Issue on the Constitutional Adulthood of Multi-Level Governance

of the Maastricht Journal of European and Comparative Law, 2014, Vol. 21/2.

267

 Communication from the Commission of 25 July 2001 “European governance - A white paper”,

COM(2001) 428 final, OJ C 287, at 3.1.






increasingly recognised as being necessary for effective governance268 or, in other

words, as a means for complying with the principle of effectiveness. As a result,

traditional functions of the nation-state are diffused.

Directive 95/46 contains some tools which give effect to the concept of multi-level

governance. Article 17 of Directive 95/46 requires data controllers to implement appropriate technical and organisational measures to protect personal data269

and is an example of the notion of accountability, as explained below. Article 27 of

Directive 95/46 provides that the Member States and the Commission shall encourage the drawing up of codes of conduct and is an example of self-regulatory or co-regulatory

approaches. Multi-level governance has a far more prominent role in the

General Data Protection Regulation, which contains a Chapter IV on the controller

and processor that is based on the notion of accountability270 and also includes provisions on codes of conduct and certification.

The notion of accountability of data controllers and processors is an important

element in the discussions on effective data protection. Accountability can be

defined as a result-oriented approach, whereby the addressee of the law must ensure

and demonstrate compliance, but is free in choosing the means. Basically, data controllers – private actors as well as public authorities – must translate the need to

ensure respect for the fundamental rights of privacy and data protection into their

daily practices.

This book discusses accountability in more detail, as a multi-stakeholder solution where governments work together with private sector and citizens’ representatives. Accountability is closely related to instruments of self-regulation or

co-regulation, including standardisation and certification. However, it is not the

same.



6.14  Accountability as an Overarching Solution for Delivering Privacy and Data Protection

In this chapter the term accountability is used in relation to those private and public

actors that bear responsibility for data processing, i.e. the data controllers and the

data processors in the sense of EU data protection law, whereas other parts of this

book deal with accountability as a notion linked to the democratic legitimacy of

governmental actors of the European Union and its Member States.



268



 Vandenbruwaene in: Special Issue on the Constitutional Adulthood of Multi-Level Governance

of the Maastricht Journal of European and Comparative Law, 2014, Vol. 21/2, at 230.

269

 Article 17(1) of Directive 95/46. Similar measures must be taken by the data processor, under

Article 17(2) and (3). To be complete, also Article 26(2) relating to data transfers contains some

elements of accountability.

270

 Although the word accountability is not mentioned in Chapter IV. It only appears in Article 5(2)

GDPR.






Accountability is a concept connected to corporate social responsibility,271 which

is defined by the Commission as “the responsibility of enterprises for their impacts

on society”.272 It requires companies to have in place “a process to integrate social,

environmental, ethical, human rights and consumer concerns into their business

operations”.273 Corporate social responsibility means that companies not only

respect the law, but that they voluntarily go beyond what the law requires. The process should be led by companies themselves, with public authorities in a supporting

role. Corporate social responsibility also extends to the business processes of public

authorities.274 This responsibility is specified for the domain of human rights in a

document of the United Nations High Commissioner for Human Rights: “In order

to meet their responsibility to respect human rights, business enterprises should

have in place policies and processes appropriate to their size and circumstances.”275

These policies and processes require ‘human rights due diligence’, including the

assessment of actual and potential human rights impacts,276 as well as reporting

obligations.277 As explained below, these elements are all relevant for the concept of

accountability in the area of privacy and data protection.

In the area of privacy and data protection, the concept of accountability has various dimensions.278 It was first developed in the context of the OECD279 and plays a

prominent role in the amended OECD Guidelines on the Protection of Privacy and



271



 Although, surprisingly enough, this connection is generally not made in literature on accountability in data protection.

272

 Communication from the Commission to the European Parliament, the Council, the European

Economic and Social Committee and the Committee of the Regions, A renewed EU strategy 2011–

2014 for Corporate Social Responsibility, COM(2011) 681 final, at 3.1.

273

 Communication from the Commission to the European Parliament, the Council, the European

Economic and Social Committee and the Committee of the Regions, A renewed EU strategy 2011–

2014 for Corporate Social Responsibility, COM(2011) 681 final, at 3.1.

274

 Communication from the Commission to the European Parliament, the Council, the European

Economic and Social Committee and the Committee of the Regions, A renewed EU strategy 2011–

2014 for Corporate Social Responsibility, COM(2011) 681 final, at 3.4.

275

 Guiding Principles on Business and Human Rights, Implementing the United Nations “Protect,

Respect and Remedy” Framework, United Nations Human Rights Office of the High Commissioner,

at 15.

276

 Guiding Principles on Business and Human Rights, Implementing the United Nations “Protect,

Respect and Remedy” Framework, United Nations Human Rights Office of the High Commissioner,

at 17.

277

 Guiding Principles on Business and Human Rights, Implementing the United Nations “Protect,

Respect and Remedy” Framework, United Nations Human Rights Office of the High Commissioner,

at 21.

278

 Further read: Joseph Alhadeff, Brendan Van Alsenoy and J. Dumortier, The accountability principle in data protection regulation: origin, development and future directions, in: D. Guagnin,

L. Hempel, C. Ilten a.o. (eds.), Managing Privacy through Accountability, 2012, Palgrave

Macmillan, 49–82.

279

 D. Butin, M. Chicote and D. Le Métayer, Strong Accountability: Between Vague Promises, in

Reloading Data Protection, Serge Gutwirth, Ronald Leenes and Paul de Hert (eds.), Multidisciplinary

Insights and Contemporary Challenges, Springer, 2014, at 345–346.


