6.14 Accountability as an Overarching Solution for Delivering Privacy and Data Protection

Accountability is a concept connected to corporate social responsibility,271 which is defined by the Commission as “the responsibility of enterprises for their impacts on society”.272 It requires companies to have in place “a process to integrate social, environmental, ethical, human rights and consumer concerns into their business operations”.273 Corporate social responsibility means that companies not only respect the law, but that they voluntarily go beyond what the law requires. The process should be led by companies themselves, with public authorities in a supporting role. Corporate social responsibility also extends to the business processes of public authorities.274 This responsibility is specified for the domain of human rights in a document of the United Nations High Commissioner for Human Rights: “In order to meet their responsibility to respect human rights, business enterprises should have in place policies and processes appropriate to their size and circumstances.”275 These policies and processes require ‘human rights due diligence’, including the assessment of actual and potential human rights impacts,276 as well as reporting obligations.277 As explained below, these elements are all relevant for the concept of accountability in the area of privacy and data protection.

In the area of privacy and data protection, the concept of accountability has various dimensions.278 It was first developed in the context of the OECD279 and plays a prominent role in the amended OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.280 These guidelines state that a data controller should be accountable for complying with measures that give effect to the data protection principles. This implies that the data controller or processor, inter alia, must have in place a privacy management programme, must be prepared to demonstrate how its privacy management programme operates and must notify security breaches affecting personal data.281

271 Although, surprisingly enough, this connection is generally not made in literature on accountability in data protection.

272 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A renewed EU strategy 2011–2014 for Corporate Social Responsibility, COM(2011) 681 final, at 3.1.

273 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A renewed EU strategy 2011–2014 for Corporate Social Responsibility, COM(2011) 681 final, at 3.1.

274 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A renewed EU strategy 2011–2014 for Corporate Social Responsibility, COM(2011) 681 final, at 3.4.

275 Guiding Principles on Business and Human Rights, Implementing the United Nations “Protect, Respect and Remedy” Framework, United Nations Human Rights Office of the High Commissioner, at 15.

276 Guiding Principles on Business and Human Rights, Implementing the United Nations “Protect, Respect and Remedy” Framework, United Nations Human Rights Office of the High Commissioner, at 17.

277 Guiding Principles on Business and Human Rights, Implementing the United Nations “Protect, Respect and Remedy” Framework, United Nations Human Rights Office of the High Commissioner, at 21.

278 Further reading: Joseph Alhadeff, Brendan Van Alsenoy and J. Dumortier, The accountability principle in data protection regulation: origin, development and future directions, in: D. Guagnin, L. Hempel, C. Ilten a.o. (eds.), Managing Privacy through Accountability, 2012, Palgrave Macmillan, 49–82.

279 D. Butin, M. Chicote and D. Le Métayer, Strong Accountability: Between Vague Promises, in: Reloading Data Protection, Serge Gutwirth, Ronald Leenes and Paul de Hert (eds.), Multidisciplinary Insights and Contemporary Challenges, Springer, 2014, at 345–346.

The two central elements, which are also included in Article 24 of the General Data Protection Regulation, are that a data controller must ensure compliance and also be capable of demonstrating this. Privacy programmes, as required by the OECD, internal data protection officers within an organisation, application of the Privacy by Design principle and the carrying-out of data protection impact assessments for risky data processing operations282 are all elements of the concept of accountability. The same goes for the obligation of an organisation to issue a public report on its activities in relation to privacy and data protection.283 A report by Nymity summarises three main elements of accountability within an organisation: responsibility of the organisation itself, ownership of the entity within the organisation responsible for personal data processing and evidence based on documentation that privacy management activities are completed.284

Applying the concept of accountability in the area of privacy and data protection has merits because it has the potential to enhance the protection’s effectiveness. This potential has to do with various factors. The first factor is that accountable organisations are encouraged to take ownership over compliance with data protection law. It confers responsibility on those actors that are best placed to deliver protection, by encouraging them to take a proactive approach and to include data protection in daily business practices. Because controllers and, where relevant, data processors have been involved in the design of the accountability schemes and the schemes can be tailored to their specific needs, they are more likely to follow them.285

280 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) as amended on 11 July 2013 by C(2013)79, available on the OECD website.

281 Sections 14 and 15 of the OECD guidelines.

282 Article 35 GDPR.

283 As suggested by the European Data Protection Supervisor, Opinion of 7 March 2012 on the data protection reform package, at 175. The Legislative Resolution of the European Parliament amends Article 22(3) in this direction.

284 Nymity, Getting to Accountability, Maximizing Your Privacy Management Program, The Nymity Approach to Getting to Accountability, at 8–10, available on: https://www.nymity.com/~/media/NymityAura/Resources/Getting%20to%20Accountability/Nymity-Getting-toAccountability-Paper.ashx

285 D. Butin, M. Chicote and D. Le Métayer, Strong Accountability: Between Vague Promises, in: Reloading Data Protection, Serge Gutwirth, Ronald Leenes and Paul de Hert (eds.), Multidisciplinary Insights and Contemporary Challenges, Springer, 2014, at 354.



The second factor is related to the first and also has to do with the creation of the schemes. Various actors may be involved in designing accountability schemes, which may enhance the quality of these schemes and may also provide an incentive for wider notions of public interest to be taken into account in the schemes. In its opinion on accountability, the Article 29 Working Party286 suggests that guidance be given, for instance by data protection authorities to data controllers. In other contexts it is even proposed that data protection authorities should be actively involved in designing specific accountability schemes.287

The third factor concerns flexibility. Accountability allows organisations to better focus the protection on processing activities that are likely to involve a “high risk” to qualified interests of individuals, such as discrimination, identity theft, fraud or financial loss.288 Flexibility is even more relevant in the absence of consensus on the meaning of risk and harm for the individual.289

The fourth factor has to do with the inherent cross-border nature of data processing operations. This is the most evident factor: accountability encompasses data processing operations outside the territory of the European Union, for which an operator within the Union or with a link to the Union is responsible. Effective control is more difficult where an authority within the Union has to ensure compliance with command-and-control rules.

The fifth factor has to do with transparency. Accountability schemes – especially when they are designed to demonstrate compliance with the law – may reveal a lot about what actually happens with personal data, also on the internet. These schemes provide all those having to deal with privacy and data protection on the internet with information that can be used to improve policies or other relevant actions in this domain. Accountability thus compensates for loss of control in the era of big data.290

The sixth factor has to do with enforcement. Since controllers have to demonstrate compliance, there is an opportunity for enforcement, enabling data protection authorities – or data subjects and their representatives – to act on the basis of the data controllers’ reporting. If accountability schemes work properly, enforcement by data protection authorities could become a second line of enforcement, which could allow for a more efficient use of resources, because data protection authorities could be more selective in their acts.

286 Article 29 Data Protection Working Party, Opinion 3/2010 on the principle of accountability, WP 173, at 30.

287 E.g., the “on-demand accountability rules” as proposed by Nymity; see: Nymity, Getting to Accountability, Maximizing Your Privacy Management Program, The Nymity Approach to Getting to Accountability, available on: https://www.nymity.com/~/media/NymityAura/Resources/Getting%20to%20Accountability/Nymity-Getting-to-Accountability-Paper.ashx

288 These “high risk” categories are mentioned in Centre for Information Policy Leadership, The Role of Risk Management in Data Protection, at 10, with reference to a Council document in the context of the data protection reform package.

289 Centre for Information Policy Leadership, The Role of Risk Management in Data Protection, at 1.

290 D. Butin, M. Chicote and D. Le Métayer, Strong Accountability: Between Vague Promises, in: Reloading Data Protection, Serge Gutwirth, Ronald Leenes and Paul De Hert (eds.), Multidisciplinary Insights and Contemporary Challenges, Springer, 2014, at 352–353. They mention mobile and cloud computing in connection with loss of control.

However, the concept of accountability also raises objections, varying from the view that accountability brings nothing new, or even accentuates the imbalance between controllers and data subjects, to technical and economic arguments.291 An obvious economic argument is based on the criticism that it will be mainly consultants, lawyers and accountants or, more generally, experts hired to write privacy programmes and reporting tools who will profit from the implementation of the concept of accountability.

Two main objections this book identifies are: the lack of legal certainty, caused by flexibility, and the blurring of responsibilities. These two objections relate to the status of data protection as a fundamental right, which requires, as has been explained in this book,292 a high level of legitimacy. More specifically, individuals must be empowered to invoke their right before a court and to complain before a data protection authority.293 This requires both the rules relating to rights and obligations, and the responsibilities, to be unambiguously identified.

This leads to the following conclusions. Accountability is an effective and legitimate instrument for the governance of privacy and data protection, since it places emphasis on the social responsibility of companies and public authorities in carrying out their respective business and policy practices.

Accountability schemes, such as company privacy programmes, should be sufficiently precise in order to ensure that data subjects or other affected third parties are able to understand their rights and obligations. The relation of these schemes to the provisions of EU data protection law should be fully transparent.

Prior involvement of public authorities – in particular data protection authorities – may be advantageous for controllers and may promote the compatibility of accountability schemes with EU data protection law, but should not bind these authorities in the exercise of their enforcement role, in particular where they are acting in response to individual complaints. Co-responsibility of data protection authorities – for instance through endorsement of accountability schemes – is to be avoided.294

291 D. Butin, M. Chicote and D. Le Métayer, Strong Accountability: Between Vague Promises, in: Reloading Data Protection, Serge Gutwirth, Ronald Leenes and Paul De Hert (eds.), Multidisciplinary Insights and Contemporary Challenges, Springer, 2014, at 353–355.

292 E.g., in Chap. 4.

293 As specified in Article 28 of Directive 95/46.

294 See Chap. 7, Sect. 7.4 of this book and, in the opposite sense, D. Butin, M. Chicote and D. Le Métayer, Strong Accountability: Between Vague Promises, in: Reloading Data Protection, Serge Gutwirth, Ronald Leenes and Paul de Hert (eds.), Multidisciplinary Insights and Contemporary Challenges, Springer, 2014, at 354.

6.15 Conclusions

The mandate of the European Union to act under Article 16 TFEU is widely formulated, and gives the Union the opportunity to deliver upon its ambitions. Article 16(2) TFEU must be seen as an explicit choice in the Treaty to bring data protection to the Union level, by giving the European Parliament and the Council, in their common capacity as EU legislator, the duty to lay down the rules.

The material scope of the rules must include all personal data. An exception to the material scope, excluding certain types of personal data, cannot be laid down in secondary EU law. The data protection reform – with the General Data Protection Regulation as its centerpiece – should lead to the full implementation of this obligation of the EU legislator, also in domains where at present EU rules are lacking.

Article 16(2) TFEU is a shared competence between the Union and its Member States, but there is not much autonomous room for the Member States to adopt legislation in this area. The General Data Protection Regulation, in particular, will take away most of the Member States’ autonomy.

In exercising its mandate, the EU legislator must take account of the Union’s competences in other areas, as well as the Member States’ legitimate claims for competence. EU data protection has an impact on core competences of Member States and, therefore, they have a legitimate role to play, although often by delegation. The Union acts internally within a pluralist legal context, with an important role for the Member States in accordance with the principle of subsidiarity (Sect. 6.2).

There is one EU legislator, although it is composed of different institutions. The input of the three institutions, respecting the institutional balance, provides the mandate of the EU legislator with democratic legitimacy, with the nuances explained in Chap. 4. The positions the institutions take in data protection and their input in the negotiations on the data protection reform also reflect institutional concerns. As a rule, the European Parliament acts as a supporter of strong privacy and data protection, the Council represents national concerns and the Commission is committed to integration. Hence, the outcome of the legislative process by definition has the features of a compromise (Sect. 6.3).

The EU legislator involves the Member States and the private sector and civil society. Involvement of these various stakeholders in the decision-making process must give the procedure further democratic legitimacy, and produce an outcome that takes into account the different interests at stake. Integration as a result of Article 16 TFEU is not a goal in itself but an instrument to enhance internet privacy and data protection, which includes the bureaucratic capacity to deliver and aspires to public acceptance of EU involvement (Sect. 6.4).

The mandate under Article 16 TFEU presents a parallel with the competence of the EU legislator under Articles 18 and 19 TFEU on equal treatment and non-discrimination. Both mandates have their origins in the internal market, but now deal with fundamental rights. Due to this increased status, high standards of effective protection are observed in both areas. However, under Articles 18 and 19 TFEU, the Member States may claim wider discretionary powers and require a higher level of protection under national law. These discretionary powers do not exist under Article 16 TFEU, for instance because of the importance of a uniform level of data protection in the digital single market (Sect. 6.5).

The European Data Protection Supervisor has identified four categories of provisions where the Member States should exercise competence in privacy and data protection. These are: where EU law builds on national law to provide a ground for processing personal data, for instance in the public interest; where EU law mandates national law to give effect to its provisions, for instance where it obliges the Member States to establish data protection authorities; where EU law allows or requires national law to specify EU rules; and where EU law allows or requires national law to depart from EU rules. This book adds a fifth category: provisions enabling the Member States to balance privacy and data protection with other fundamental rights, within their field of competence (Sect. 6.6).

The EU legislator is – in the exercise of its mandate – confronted with interfaces with other competences of the Union and the Member States in related areas. These interfaces impact the mandate under Article 16 TFEU. This book identifies specific areas where interfaces exist: the freedom of expression and information, where the EU has limited competence but where internet developments can have a big impact on the enjoyment of the freedom; open data and the interface between transparency and data protection; and measures for internet monitoring with the aim of enforcing intellectual property rights (Sect. 6.7).

Legitimacy also requires the EU legislator to address the interfaces of privacy and data protection with security in an intelligent manner, taking into account the case law of the Court of Justice. Security is a priority both for the European Union and its Member States, and national and EU laws are adopted allowing a wide use of personal data for security purposes. The EU competences in the area of freedom, security and justice focus on the coordination and cooperation between the Member States for reasons of security. The exercise of these competences – for instance through EU legislation – facilitates the exchange of large amounts of personal data between police and judicial authorities on national and EU level, but should not unduly impact on everyone’s right to privacy and data protection (Sect. 6.8).

Important synergies exist between privacy and data protection on the one hand, and economic interests on the other hand. Addressing these synergies is primarily a task of the EU legislator and not of the Court of Justice, which adjudicates when there are disputes, but not where synergies between different areas of intervention can be found. Using synergies in different areas of intervention by the Union and the Member States enhances the legitimacy of the EU legislator’s contribution under Article 16 TFEU.

Privacy and data protection are intended to create trust, thereby positively influencing – or even boosting – growth and innovation, for instance in connection with the Digital Agenda for Europe. Privacy by Design is the prime example, given that it is aimed at enhancing trust in data protection whilst creating economic incentives. It should thus also be an instrument in economic policies of the Union. Moreover, the right to data protection itself provides for a system of checks and balances and allows processing of personal data so long as requirements of fairness and lawfulness are satisfied (Sect. 6.9).

The legal framework for electronic communications may create synergy, in addition to Directive 2002/58 on privacy and electronic communications, since it gives governments responsibility in network governance, in contrast with the governance of the internet infrastructure, where governments play little role. Government responsibility in network governance could be used for enhancing control over the processing of personal data. In consumer protection, Directive 2005/29 on unfair commercial practices prohibits misleading omissions and requires transparency in business-to-consumer transactions. A misleading practice directly related to internet privacy and data protection is the offering of ‘free’ services on the internet, where individuals pay with their personal data. This directive in the field of consumer protection could also be used to require internet services to apply transparent privacy policies. The EU legislator should consider addressing these synergies (Sect. 6.10).

Competition law is relevant in the context of this book, because of the asymmetric structure of the information economy. In this economy, personal data have become an asset, which leads to companies acquiring market dominance precisely because they accumulate large quantities of personal data. This synergy between competition law and privacy and data protection should be addressed by the EU legislator in further changes of the EU legislative framework. A topical subject that should be part of such change is including considerations of privacy and data protection as such in EU competition law and enforcement. At present, these are areas of EU intervention with little interconnection. However, an approach based on synergies would enhance the Union’s legitimacy, demonstrating that different parts of bureaucracy manage to join efforts (Sect. 6.11).

The approach to governance in respect of privacy and data protection in the United States provides some insight into the importance of multi-stakeholder solutions, in which the private sector is engaged, as a means to provide effective protection. In the US, non-legislative instruments are a key element in consumer privacy, in the absence of a general US law on privacy and data protection. Engaging the private sector is a trend in the EU as well, also in the exercise of the mandate of the EU legislator under Article 16(2) TFEU (Sect. 6.12).

The choice of legislative arrangements is crucial in the complex environment of privacy and data protection on the internet. The European Commission recognises the need for specific arrangements that anticipate the developments on the internet, more generally, in its Better Regulation Guidelines of 2015 and in its policies under the umbrella of Smart Regulation. Effective enforcement is needed; under the rule of law, judicial and other remedies must be easily accessible and complete, and the mechanism of protection must be transparent for the individual. Multi-stakeholder solutions and multi-level governance are concepts that play an increasing role in the governance of privacy and data protection in the European Union (Sect. 6.13).

Accountability of data controllers and data processors should play an important role as a legislative technique, allocating responsibility to data controllers. Accountability, as a concept, is connected to corporate social responsibility and is an alternative to command-and-control legislation, based on general notions of quality of legislation. Accountability schemes, such as company privacy programmes, should be sufficiently precise. The relation of these schemes to the provisions of EU data protection law should be fully transparent. Prior involvement of data protection authorities in accountability schemes should not bind these authorities in the exercise of their enforcement role, in particular where they act in response to individual complaints (Sect. 6.14).

Finally, the adoption of the General Data Protection Regulation – an EU regulation replacing an EU directive – as the main instrument for data protection is an appropriate choice of legislative instrument. This regulation should not only ensure a high, but also a harmonised level of protection. A distinctive approach for the public sector does not appear to be an appropriate choice of instrument: there should be no distinction in law between the private and public sectors, the individual deserving equal protection in both sectors, in the entire European Union. The fact that the Member States play and should play an important role should not result in a non-satisfactory choice of instruments.



References

Albrecht, Jan Philipp. 2015. No EU data protection standard below the level of 1995. European Data Protection Law 1: 3–4.

Alhadeff, Joseph, Brendan Van Alsenoy, and J. Dumortier. 2011. The accountability principle in data protection regulation: Origin, development and future directions. In Managing privacy through accountability, 2012, ed. D. Guagnin, L. Hempel, and C. Ilten a.o., 49–82. Palgrave Macmillan.

Baldwin, Robert, Martin Cave, and Martin Lodge. 2012. Understanding regulation, theory, strategy, and practice, 2nd ed. Oxford University Press.

Bamberger, Kenneth A., and Deirdre K. Mulligan. 2011. Privacy on the books and on the ground. Stanford Law Review 63: 247–316.

Barak, Aharon. 2012. Proportionality; constitutional rights and their limitations. Cambridge University Press.

Boehm, Franziska. 2012. Information sharing and data protection in the area of freedom, security and justice, towards harmonised data protection principles for information exchange at EU-level. Springer.

Brugger, Winfried. 2003. The treatment of hate speech in German constitutional law (part I). German Law Journal. Available at http://www.germanlawjournal.com/index.php?pageID=11&artID=212.

Carrera, Sergio, Nicholas Hernanz, and Joanna Parkin. 2013. The ‘Lisbonisation’ of the European Parliament, Assessing progress, shortcomings and challenges for democratic accountability in the area of freedom, security and justice, CEPS Paper, No. 58/September 2013. EU Publications Office.

Craig, Paul, and Grainne de Búrca (eds.). 2011. The evolution of EU law, 2nd ed. Oxford University Press.

FIDE Congress. 2012. Reports of the FIDE Congress in Tallinn, volume 3: The area of freedom, security and justice, including information society issues. Tartu University Press.

Geradin, Damien, and Monika Kuschewsky. 2013. Competition law and personal data: Preliminary thoughts on a complex issue. Discussion Papers Tilburg Law and Economics Center, DP 2013-010.

Goodman, J.W. 2006. Telecommunications policy-making in the European Union. Edward Elgar Publishing.

Gutwirth, Serge, Ronald Leenes, and Paul de Hert (eds.). 2014. Reloading data protection. In Multidisciplinary insights and contemporary challenges. Springer.

Hijmans, H. 2013. De nieuwe Europese privacywetgeving: Stand van zaken bijna twee jaar na Commissievoorstel. Nederlands tijdschrift voor Europees recht 19(10): 346–351.

Hijmans, Hielke, and Herke Kranenborg (eds.). 2014. Data protection Anno 2014: How to restore trust? Contributions in honour of Peter Hustinx, European Data Protection Supervisor (2004–2014). Intersentia.

Hijmans, H., and A. Scirocco. 2009. Shortcomings in EU data protection in the third and the second pillars. Can the Lisbon Treaty be expected to help? Common Market Law Review 46: 1485–1525.

Hustinx, Peter. 2013. EU data protection law: The review of directive 95/46/EC and the proposed general data protection regulation. In Collected courses of the European University Institute’s Academy of European Law, 24th Session on European Union Law, 1–12 July 2013.

Jančić, Davor. 2015. The game of cards: National parliaments in the EU and the future of the early warning mechanism and the political dialogue. Common Market Law Review 52: 939–975.

Kardasheva, Raya. 2012. Trilogues in the EU legislature. King’s College London, Department of European and International Studies, Research Paper, 30 April 2012.

Kotschy, Waltraut. 2014. The proposal for a new general data protection regulation—problems solved? International Data Privacy Law 4(4): 274–281.

Lenaerts, Koen, and Piet van Nuffel. 2011. European Union law, 3rd ed. Sweet & Maxwell.

Maastricht Journal of European and Comparative Law, Special issue: The constitutional adulthood of multi-level governance, 2014, 21(2).

Mayer-Schönberger, Viktor, and Kenneth Cukier. 2013. Big data: a revolution that will transform how we live, work, and think. Eamon Dolan/Houghton Mifflin Harcourt.

Middelaar, Luuk van. 2009. De passage naar Europa. Geschiedenis van een begin (published in English as: The Passage to Europe: How a Continent Became a Union). Historische Uitgeverij.

Murphy, Erin. 2013. The politics of privacy in the criminal justice system: Information disclosure, the fourth amendment, and statutory law enforcement exemptions. Michigan Law Review 111(4): 485–546.

Nicholas, Mary Lynn. 1990. United States v. Verdugo-Urquidez: Restricting the borders of the fourth amendment. Fordham International Law Journal 14(1): 267–308.

Peers, Steve, Tamara Hervey, Jeff Kenner, and Angela Ward (eds.). 2014. The EU Charter of Fundamental Rights, a commentary. Hart Publishing.

Rainey, Bernadette, Elizabeth Wicks, and Clare Ovey. 2014. Jacobs, White & Ovey: The European convention on human rights, 6th ed. Oxford University Press.

Read, Darren. 2012. Net neutrality and the EU electronic communications regulatory framework. International Journal of Law and Information Technology 20(1): 48–72.

Rotenberg, Marc, Julia Horwitz, and Jeramie Scott (eds.). 2015. Privacy in the modern age, the search for solutions. The New Press.

Rubinstein, Ira. 2011. Privacy and regulatory innovation: Moving beyond voluntary codes. NYU School of Law, Public Law Research Paper No. 10–16. Available on: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1510275.

Vainio, Niklas, and Samuli Miettinen. 2015. Telecommunications data retention after Digital Rights Ireland: Legislative and judicial reactions in the Member States. International Journal of Law and Information Technology 23(3): 290–309.

Vladeck, David C. 2015. A U.S. perspective on narrowing the U.S.-EU privacy divide. In Hacia un Nuevo derecho europea de protección de datos, towards a new European data protection regime, ed. Artemi Rallo Lombarte, and Rosario García Mahamut, 207–245. Tirant lo Blanch.



Chapter 7

Understanding the Role of Independent, Effective and Accountable DPAs: New Branches of Government in Between the Union and the Member States

© Springer International Publishing Switzerland 2016. H. Hijmans, The European Union as Guardian of Internet Privacy, Law, Governance and Technology Series 31, DOI 10.1007/978-3-319-34090-6_7

Abstract  This chapter analyses the legitimate role of the independent data protection authorities (“DPAs”) in ensuring control over the fundamental rights to privacy and data protection on the internet. It focuses on the constitutional position of the DPAs and on their tasks. The role of the DPAs is derived from primary law and is recognised as essential in an information society.

The chapter describes the reasons for the existence of DPAs, which are specific to the area of data protection. The DPAs have a variety of roles: they are at the same time ombudsmen, auditors, consultants, educators, policy advisors, negotiators and enforcers.

DPAs are qualified as a new branch of government, following a theory on expert bodies by Vibert. They are similar to, but distinct from, EU agencies, which do not enjoy the same level of independence. DPAs also have a hybrid position in between the European Union and the Member States.

The chapter elaborates the notion of complete independence as specified in the case law of the Court of Justice, the presumed lack of effectiveness of DPAs, and the democratic and judicial accountability of DPAs, which are public bodies that may be independent but are not exempt from democratic and judicial control.

The chapter proposes a model for good governance by DPAs.

7.1  Introduction

The independent data protection authorities (“DPAs”) are a further group of actors that shape the landscape of data protection within the European Union. Their task is to enforce the laws, or in the terms of primary EU law: to ensure independent control of compliance with the rules on data protection. The Court of Justice of the European Union regards these authorities as the guardians of data protection.1

The first objective of the chapter is to position the DPAs as new branches of government in between the Union and the Member States. The second objective is to set the conditions for reconciling the requirements of independence, effectiveness and accountability. DPAs are independent and must effectively exercise their tasks, but they act within the constitutional frameworks of the Union and the Member States and cannot escape accountability.

In the area of data protection, independent control is an essential component of the protection of the individual.2 The DPAs have a responsibility for supervising compliance that does not exist in most other areas of law, and in any event not in the field of the protection of other fundamental rights. There is a similarity with autonomous agencies operating in a number of other areas, for instance bodies set up to supervise markets. Both the DPAs and these agencies are expert bodies exercising public tasks at a certain distance from the traditional governmental structures that are characterised by the separation of powers under the traditional trias politica or, in the case of the European Union, the institutional balance.

However, there are also significant differences, because of the DPAs’ specific tasks (fundamental rights, not market supervision) and because the DPAs do not exercise their tasks on the basis of powers delegated to them by governmental bodies. Their independent role results directly from the Treaties.

This chapter includes the following subjects:

(a) The general design of the contribution by DPAs, derived from primary law and recognised as being essential in an information society (Sect. 7.2);
(b) Reasons for the existence of DPAs, their variety of roles, and the different system in the United States (Sects. 7.3, 7.4, and 7.5);
(c) DPAs as a new branch of government, similar to but distinct from EU agencies, and a theory on expert bodies; the hybrid position in between the European Union and the Member States (Sects. 7.6, 7.7, and 7.8);
(d) Complete independence of DPAs as specified in the case law of the Court of Justice (Sects. 7.9 and 7.10);
(e) A presumed lack of effectiveness of DPAs (Sects. 7.11 and 7.12);
(f) Democratic and judicial accountability of DPAs (Sects. 7.13 and 7.14);
(g) Conclusions with a model for good governance by DPAs (Sect. 7.15).

1 Case C-518/07, Commission v Germany, EU:C:2010:125, at 23.

2 Recital (62) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281/31, as confirmed, most recently, in Case C-362/14, Schrems, EU:C:2015:650, at 42. See also the preamble to the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows, stating “Convinced that supervisory authorities, exercising their functions in complete independence, are an element of the effective protection of individuals with regard to the processing of personal data”.


