Tải bản đầy đủ - 0 (trang)
2 The General Design of the DPAs: Expert Bodies with Constitutional Status and with Importance in the Information Society

2 The General Design of the DPAs: Expert Bodies with Constitutional Status and with Importance in the Information Society

Tải bản đầy đủ - 0trang


7  Understanding the Role of Independent, Effective and Accountable DPAs: New…

existing framework for control, the fact that this control is now embedded in primary law has substantive effects and gives the DPAs constitutional status.

The control by these authorities is not only an essential part of enforcement, it is

even qualified as “an essential component of the protection”7 itself. In other words,

EU law does not only provide for institutions with a specific responsibility for the

protection, but it gives the right to data protection an institutional dimension.

DPAs as independent public authorities for data protection are a unique phenomenon in EU law. This specific position is, in the first place, the result of the constitutional foundation of the role of the DPAs in primary law. The Court of Justice

emphasises the autonomous nature of the interpretation of Article 28(1) of Directive

95/46 on data protection,8 a provision that since the entry into force of the Lisbon

Treaty is derived from primary EU law.9 Primary law – the TFEU as well as the

Charter – attributes the task of supervising compliance with data protection rules

directly to the DPAs, whereas in most other areas of EU law the institutions delegate

parts of their tasks under the Treaties to bodies of experts, such as EU agencies. The

fact that the role of the DPAs is attributed under primary law and not delegated by

institutions means that the DPAs cannot be considered as ‘agents’ exercising certain

tasks of ‘principals’, a metaphor that plays an important role in the literature on EU


The Treaties have positioned the DPAs as independent bodies with a constitutional nature responsible for a specific aspect of EU law, namely the control on the

rules on data protection. The DPAs have to fulfil their tasks within the constitutional

frameworks of the Member States, based on a separation of powers or trias politica,

but they are not part of it, and within the constitutional framework of the Union,

which is characterised by a closed system of institutional balance11 of powers as

intended by the Treaties,12 but they are equally not part of it. Possibly, with a wide

interpretation of Article 298 TFEU as explained in the ReNEUAL project, the

national DPAs can be regarded as part of the European Administration. They are

definitely not EU bodies.13


 See footnote 9 of this chapter.

 Case C-614/10, Commission v Austria, EU:C:2012:631, at 40.


 Case C-614/10, Commission v Austria, EU:C:2012:631, at 36; Case C-288/12, Commission v

Hungary, EU:C:2014:237, at 47.


 E.g., M. Scholten, “The Political Accountability of EU Agencies: Learning from the US

Experience”, (dissertation Maastricht, 2014), at 14. The metaphor is also used in the relation

between the Member States (‘principals’) and the EU (‘agents’), Craig in: Paul Craig and Grainne

de Burca (eds.), The evolution of EU Law, Second Edition, Oxford University Press 2011, at 27.


 Case 9/56, Meroni, EU:C:1958:7, at 152.


 E.g., Case 138/79, Roquette Frères, EU:C:1980:249, at 33.


 Research Network on EU Administrative Law, ReNEUAL Model Rules on EU Administrative

Procedure: Introduction to the ReNEUAL Model Rules, pp 14–18. The EU Administration will be

explained in Chap. 8, Sect. 8.8.


7.2  The General Design of the DPAs: Expert Bodies with Constitutional Status…


7.2.2  Information Society

The positioning of DPAs is unique within the framework of the Treaties and already

for this reason an interesting object of study. However, it is even more interesting to

analyse their role in the light of the loss of control over information in the internet

society as a result of phenomena like big data and mass surveillance, which reflect

large asymmetries in knowledge and power.14 The DPAs are an additional tool for

oversight on the use of information and are an additional instrument to regain trust

in governments and in the European Union, provided that the DPAs operate in an

independent, effective and accountable way. In the information society, their role is

justified by the size of the issues at stake, based on the hypothesis that traditional

methods are not sufficient.15

An additional factor is that, in the information society, the control of data protection has an inherent cross-border nature. The control the DPAs have to ensure is, as

a rule, confined to their national territories,16 but this also includes the examination

of cases with a cross-border nature, for instance in the basis of a complaint vis-à-vis

a data controller in another Member State.17

International cooperation belongs to the core of their activities. Chapter 8 will

address the specific complexities relating to this cross-border nature. DPAs are public authorities of the Member States and part of the national administration with as

their primary task safeguarding privacy and data protection of individuals within

their national jurisdictions. However, the DPAs are attached to the constitutional

framework of the European Union, and in that role they cooperate with their peers

in other Member States and with European bodies and structures.18 The DPAs exercise their task of ensuring control to a certain extent also outside the national

­jurisdiction where they are established, otherwise they would not effectively ensure

that the rights of individuals are respected. This is particularly necessary in an internet environment.


 In particular Chap. 3 of this book.

 As is, e.g., claimed in relation to judicial oversight by Jack M. Balkin, “The Constitution in the

National Surveillance State”, Minnesota Law Review 93/1, at 22.


 Cases C-230/14, Weltimmo, EU:C:2015:639, at 52, and. C-362/14, Schrems, EU:C:2015:650, at



 Case C-230/14, Weltimmo, EU:C:2015:639, at 54.


 The demarcation between these two chapters of this book largely follows the distinction between

Chapters VI and VII of the GDPR.



7  Understanding the Role of Independent, Effective and Accountable DPAs: New…

7.3  T

 he Institutional Background: Six Reasons

for the Existence of DPAs

7.3.1  The History of DPAs in the EU

The independent supervisory authorities were first introduced in the EU legal framework, with Directive 95/46 on data protection, but they previously existed in a number of Member States. A well known example is the French DPA, the Commission

Nationale de l’Informatique et des Libertés (CNIL), that started its activities in

1978.19 Other authorities were established in the 1970s, for instance in Sweden and

in some German Länder.20 Under Article 28 of Directive 95/46 each Member State

must establish one or more public authorities responsible for data protection. At

present Germany and Spain use the possibility of having more than one DPA: they

have a national DPA, as well as regional DPAs. The same situation exists in

Switzerland, though not a Member State of the European Union.

Article 286 of the EC Treaty, introduced by the Treaty of Amsterdam in 1997,

guaranteed supervision on data processing by EU institutions and bodies, for the

first time mentioning supervision of data protection at the level of primary EU law.

Article 286 EC was the legal basis for the foundation of the European Data Protection

Supervisor (EDPS), the DPA responsible for data protection within EU institutions

and bodies.21

In the European Union, the national DPAs have also enjoyed constitutional status

since the entry into force of the Lisbon Treaty in 2009. This constitutional status

further determines their position.

7.3.2  Six Reasons Behind Their Existence

The reasons behind the existence of independent DPAs have not yet been properly

analysed in comprehensive academic literature. Particularly, little has been said

why, in comparison, in other areas of law the DPA model is not chosen, or why other

approaches under civil, administrative or criminal law were not considered to be

satisfactory for data protection.22 Even more surprisingly, these reasons did not play

a decisive role in the reform of the EU data protection legislation. The Commission


 The French Commission Nationale de l’Informatique et des Libertés exercises its functions in

accordance with the French Data Protection Act of 6 January 1978 (source: www.cnil.fr).


 G. González Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the

EU, Law, Governance and Technology Series 16, 2014, Chap. 3.


 Under Regulation (EC) No 45/2001 of 18 December 2000 on the protection of individuals with

regard to the processing of personal data by the Community institutions and bodies and on the free

movement of such data, OJ 2001 L 8/1.


 Some indications why these other approaches would have been less appropriate were given by

P. Hustinx in Reinventing data protection? S. Gutwirth et al. (eds), Springer 2009, at 131

7.3  The Institutional Background: Six Reasons for the Existence of DPAs


simply states that the role of the DPAs is essential for the enforcement of the rules

on data protection, and that therefore their status and powers should be strengthened, clarified and harmonised.23 This section mentions six reasons for the existence

of DPAs under EU law.24

First, historical reasons leading to a harmonisation of existing practices are a justification for including DPAs in instruments of EU law. Hustinx recalls the social

and political preferences in the 1970s of the last century to have a public authority dealing with data protection.25 Simitis notes that neither intervention by the

data subject nor any other traditional control mechanism was seen as offering

sufficient guarantees.26 However, there were wide differences in responsibilities.

Directive 95/46 on data protection harmonises these differences to a certain

extent.27 Harmonisation is also how the Council of Europe explains its Additional

Protocol on supervisory authorities adopted in 2001. According to the Explanatory

Report to this Protocol, most countries with data protection laws have supervisory authorities that “provide for an appropriate remedy if they have effective

powers and enjoy genuine independence in the fulfilment of their duties”.28 This

instrument of the Council of Europe fosters harmonisation and cooperation.29

Second, their existence is justified by the need for effective protection of citizens’

rights and for enforcement of the law. The right to data protection requires structural support. As Bennett and Raab observe: “laws are not self-implementing and

the culture of privacy cannot securely establish itself without an authoritative



 Communication from the Commission to the European Parliament, the Council, the European

Economic and Social Committee and the Committee of the Regions, A comprehensive approach

on personal data protection in the European Union, COM (2010), 609 final, at 17–18.


 In an article on the EDPS (2006) the author gave five reasons for the establishment of the EDPS:

the need for harmonisation, the need for effective data protection as fundamental right, the fact that

this fundamental right is not protected by itself, the principle of good governance and the fact that

existing bodies cannot sufficiently fulfil the necessary tasks, H. Hijmans, The European data protection supervisor: The institutions of the EC controlled by an independent authority, CMLR 43

(2006), at 1323–1324. These five reasons are all valid in connection to DPAs in general, but there

is more to say to it.


 P. Hustinx in Reinventing data protection? S. Gutwirth et al. (eds), Springer, 2009, at 131–137.


 Spiros Simitis, “Reviewing Privacy in an Information Society”, University of Pennsylvania Law

Review, 135/3, 707–46, 1987, at 743.


 Further read: Philip Schütz; (2012): Comparing formal independence of data protection authorities in selected EU Member States, Conference Paper, ECPR Standing Group on Regulation &

Governance (Biennial Conference) <4, 2012, Exeter, at 9.


 Explanatory Report to the Additional Protocol to the Convention for the Protection of Individuals

with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows, at 4.


 Explanatory Report to the Additional Protocol to the Convention for the Protection of Individuals

with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows, at 9 and 10.


 Colin J. Bennett and Charles Raab, The Governance of Privacy, Policy Instruments in Global

Perspective, MIT Press, 2006, at 107.

Tài liệu bạn tìm kiếm đã sẵn sàng tải về

2 The General Design of the DPAs: Expert Bodies with Constitutional Status and with Importance in the Information Society

Tải bản đầy đủ ngay(0 tr)