
7.3  The Institutional Background: Six Reasons for the Existence of DPAs






simply states that the role of the DPAs is essential for the enforcement of the rules

on data protection, and that therefore their status and powers should be strengthened, clarified and harmonised.23 This section mentions six reasons for the existence

of DPAs under EU law.24

First, historical reasons leading to a harmonisation of existing practices are a justification for including DPAs in instruments of EU law. Hustinx recalls the social

and political preferences in the 1970s to have a public authority dealing with data protection.25 Simitis notes that neither intervention by the

data subject nor any other traditional control mechanism was seen as offering

sufficient guarantees.26 However, there were wide differences in responsibilities.

Directive 95/46 on data protection harmonises these differences to a certain

extent.27 Harmonisation is also how the Council of Europe explains its Additional

Protocol on supervisory authorities adopted in 2001. According to the Explanatory

Report to this Protocol, most countries with data protection laws have supervisory authorities that “provide for an appropriate remedy if they have effective

powers and enjoy genuine independence in the fulfilment of their duties”.28 This

instrument of the Council of Europe fosters harmonisation and cooperation.29

Second, their existence is justified by the need for effective protection of citizens’

rights and for enforcement of the law. The right to data protection requires structural support. As Bennett and Raab observe: “laws are not self-implementing and

the culture of privacy cannot securely establish itself without an authoritative

champion”.30

23



 Communication from the Commission to the European Parliament, the Council, the European

Economic and Social Committee and the Committee of the Regions, A comprehensive approach

on personal data protection in the European Union, COM (2010), 609 final, at 17–18.

24

 In an article on the EDPS (2006) the author gave five reasons for the establishment of the EDPS:

the need for harmonisation, the need for effective data protection as fundamental right, the fact that

this fundamental right is not protected by itself, the principle of good governance and the fact that

existing bodies cannot sufficiently fulfil the necessary tasks, H. Hijmans, The European data protection supervisor: The institutions of the EC controlled by an independent authority, CMLR 43

(2006), at 1323–1324. These five reasons are all valid in connection to DPAs in general, but there

is more to say to it.

25

 P. Hustinx in Reinventing data protection? S. Gutwirth et al. (eds), Springer, 2009, at 131–137.

26

 Spiros Simitis, “Reviewing Privacy in an Information Society”, University of Pennsylvania Law

Review, 135/3, 707–46, 1987, at 743.

27

 Further read: Philip Schütz (2012): Comparing formal independence of data protection authorities in selected EU Member States, Conference Paper, ECPR Standing Group on Regulation &

Governance (Biennial Conference) <4, 2012, Exeter, at 9.

28

 Explanatory Report to the Additional Protocol to the Convention for the Protection of Individuals

with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows, at 4.

29

 Explanatory Report to the Additional Protocol to the Convention for the Protection of Individuals

with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows, at 9 and 10.

30

 Colin J. Bennett and Charles Raab, The Governance of Privacy, Policy Instruments in Global

Perspective, MIT Press, 2006, at 107.






7  Understanding the Role of Independent, Effective and Accountable DPAs: New…



Third, the nature of data processing and the skills required to understand data processing are identified as reasons for the existence of DPAs. The secrecy or invisibility as an element of data processing requires an organisation that has the

powers to protect the individual in a proactive manner. Moreover, dealing with

data protection requires technical expertise.31 Simitis explains that the technical

knowledge needed for effective supervision must be combined with the necessary intensity of this supervision.32

Fourth, there is the need for control of the private sector, but equally of governments

themselves, where they process personal data. This requires, on the one hand, a

consistent approach to these different sectors – at least this is the choice underlying EU data protection law33 – and, on the other hand, an effective mechanism to

supervise governments, operating at some distance from the traditional branches

of government.

Fifth, as underlined by the Court of Justice of the European Union in its case law

on the independent data protection authorities34 there is a need for independence

from political preferences. This is an essential difference with autonomous

agencies.35

Sixth, there are the advantages of an organisation dedicated solely to privacy and

data protection. Such an organisation can combine expertise with flexibility, for

instance when deciding to investigate a presumed breach of data protection law,

or where cooperation with other authorities is needed. Such other authorities can

be authorities within the same jurisdiction in related areas of law, or authorities

in other jurisdictions, within and outside the European Union. Moreover, DPAs

have the advantage that they can dedicate their resources fully to data protection,

and do not need to weigh the use of resources with other policy objectives in their

area of responsibility. This argument relates to the use of resources and must not

be confused with the need for weighing other policy objectives, where DPAs take

decisions on data protection.



31



 Further read: P. Hustinx in Reinventing data protection? S. Gutwirth et al. (eds), Springer, 2009,

at 131–137; H. Hijmans, The European data protection supervisor: The institutions of the EC

controlled by an independent authority, CMLR 43 (2006), at 1323–1324.

32

 Spiros Simitis, “Reviewing Privacy in an Information Society”, University of Pennsylvania Law

Review, 135/3, 707–46, 1987, at 743.

33

 E.g., Directive 95/46 equally applies to the public and private sector and the ‘comprehensive

approach’ was a cornerstone for the Commission in the reform of the EU data protection laws, as

is illustrated by Communication from the Commission to the European Parliament, the Council,

the European Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM (2010), 609 final.

34

 See Sect. 7.9 below.

35

 This will be explained in Sect. 7.6 below.






7.4  The Competences of DPAs: A Variety of Roles

Article 16(2) TFEU and Article 8(3) Charter lay down the task of the DPAs to

ensure compliance with the data protection rules. These provisions and their implementation in EU law and national law must ensure the ‘legality’36 or ‘role clarity’37

of the DPAs.

These provisions of primary law give a mandate to the DPAs. Article 8(3) Charter

and Article 16(2) TFEU reflect that the system of control is a complete system:

Compliance shall be subject to control of these independent authorities, operating

with a high degree of independence as confirmed in the case law of the Court of

Justice of the European Union. This does not mean that others – like for instance

national ombudsmen or agencies in neighbouring areas – cannot be competent, but

their competence cannot derogate from the competence of the DPA.

At the same time Article 8(3) Charter and Article 16(2) TFEU limit this task.

This section analyses three limitations: the limitation to privacy and data protection,

the limitation relating to ensuring control of compliance and the limitation relating

to the role of the DPAs as offering a remedy for individuals against breaches of EU

data protection law.



7.4.1  The First Limitation: Article 16(2) TFEU and Article 8(3) Charter Are Imprecise, But Privacy and Data Protection Are Meant in a Wide Sense

In relation to the EDPS, the Court of Justice has declared that the competences of

this DPA are circumscribed within the limits deriving from the task entrusted to

them.38 We use this formula for the circumscription of DPAs in general.

Article 16 (2) TFEU and Article 8(3) Charter entrust the DPAs with a number of

tasks, albeit in an imprecise manner. The Charter was enshrined in the Treaty of

Nice (2000) as a non-binding document39 and predates the TFEU. It refers to DPAs

as responsible for ensuring the control of “these rules”, whereas neither Article 8(1)

nor Article 8(2) Charter mention rules.

At first sight it appears that this reference relates to the rules under Article 16(2)

TFEU, first sentence. As a result Article 16(2) TFEU and Article 8(3) Charter imply

36



 The first of the LITER principles in A. Ottow, Market & Competition Authorities, Good Agency

Principles, Oxford University Press, 2015, Chap. 3.

37

 The first of the OECD Best Practice Principles, OECD (2014), The Governance of Regulators,

OECD Best Practice Principles for Regulatory Policy, OECD Publishing.

38

 Order of the Court of 17 March 2005, EU:C:2005:189 in Joined cases C-317/04 and C-318/04,

European Parliament v Council Union (C-317/04) and Commission (C-318/04), EU:C:2006:346,

at 16.

39

 Foreword of Vassilios Skouris in The EU Charter of Fundamental Rights, A Commentary, Edited

by Steve Peers, Tamara Hervey, Jeff Kenner and Angela Ward, Hart Publishing, 2014.






a limitation that may be understood in a way that only the rules relating to the protection of personal data are covered, meaning that the rules on the use of personal

data are not subject to the control of the DPAs. However, such a narrow interpretation would not do justice to the principle of effectiveness, nor be in line with the

interpretation that the control by a DPA is “an essential component of the

protection”40 itself. This means that the control by a DPA is required wherever the

right to data protection is affected, which is the case where a legal instrument

enables the use of personal data.

This does not specify the competences of a DPA either. Privacy and data protection have interfaces with other fundamental rights and public interests.41 The DPAs

have a role to play in relation to these interfaces – to ensure privacy and data protection –, but it is not clear to what extent they are competent. For instance, do they

have any competence in relation to a request for access to documents containing

personal data?



7.4.2  The Second Limitation: Ensuring Control of Compliance Is Not Limited to Enforcement Stricto Sensu

One could interpret “ensuring control of compliance” as meaning that Article 16(2)

TFEU and Article 8(2) Charter only cover enforcement of data protection law and

do not cover other tasks allotted to DPAs, such as advisory tasks. One could also

interpret these provisions more broadly as covering these other tasks based on the

reasoning that these other tasks are intended to ensure the practical effect of the

provisions of primary law.42

This latter interpretation confirms the choice to confer a wide variety of tasks to

the DPAs. Primary EU law indicates that certain tasks must be given to DPAs.

Article 28(3) and (4) of Directive 95/46 contain enforcement powers, namely powers of investigation, powers of intervention, powers to hear claims, as well as powers to engage in legal proceedings.43 Since Directive 95/46 is one of the bases of

40



 Recital (62) of Directive 95/46/EC of the European Parliament and of the Council of 24 October

1995 on the protection of individuals with regard to the processing of personal data and on the free

movement of such data, OJ L 281/31, as confirmed in Case C-518/07, Commission v Germany,

EU:C:2010:125, at 23.

41

 As has been explained in this book, mainly in Chaps. 5 and 6.

42

 This argument was used by the Court of Justice in admitting the EDPS to intervene before it. The

power to intervene was “intended to ensure the practical effect” of (the former) Article 286 EC

Treaty, Order of the Court of 17 March 2005, EU:C:2005:189 in Joined cases C-317/04 and

C-318/04, European Parliament v Council Union (C-317/04) and Commission (C-318/04),

EU:C:2006:346, at 15.

43

 Further read: Herke Kranenborg on Article 8, The EU Charter of Fundamental Rights, A

Commentary, Edited by Steve Peers, Tamara Hervey, Jeff Kenner and Angela Ward, Hart

Publishing 2014, at 257–259, and also, Fundamental Rights Agency, Data Protection in the

European Union, the role of National Data Protection Authorities, 2010.






Article 8 Charter44 it is argued that primary law requires these tasks to be given to

the DPAs. Moreover, since these tasks are now grounded on primary law, the EU

legislator can no longer withdraw these tasks.

Article 28 of Directive 95/46 also mentions other tasks that are not enforcement

stricto sensu. Under Article 28(2) of Directive 95/46 the DPAs must be consulted

when governments are drawing up administrative measures or regulations.

Furthermore, an obligation is laid down to draw up regular reports on activities and

to cooperate with other DPAs. These tasks derive from Directive 95/46 but do not

directly ensure compliance. One could qualify these tasks as supporting, intended to

ensure the practical effect of compliance.45 Based on this qualification this book

submits that the EU legislator retains discretionary power in respect of these supporting tasks, provided that the result – compliance with practical effect – is

achieved.



7.4.3  The Third Limitation: The Remedy Before a DPA Is Not Exclusive

The remedy before a DPA is part of a system of remedies that is multi-layered.46

Article 8(2) Charter gives the individual a right to access his personal data, to be

exercised against the data controller, and under Article 47 Charter everyone has the

right to an effective remedy before a tribunal, against violations of EU law.

The administrative remedies before the DPA are not exclusive, but constitute a

layer situated between the remedies that are available before the data controller and

before a court.47 This is well illustrated by Directive 95/46. Article 12 of this directive gives the data subject the right to obtain from the controller specific information

about the personal data about him or her that this controller is processing. This right

to access also includes a right to the rectification, erasure or blocking of personal

data, in particular because of the incomplete or inaccurate nature of the data.48 The

data subject can exercise his right to access against the data controller, but can also

directly involve a DPA.

Moreover, Chapter III of Directive 95/46 contains specific judicial remedies, in

addition to the administrative remedies before a DPA. A data subject has a judicial

44



 Explanations relating to the Charter of Fundamental Rights, OJ (2007) 303/17, Explanation on

Article 8.

45

 Wording based on Order of the Court of 17 March 2005, EU:C:2005:189 in Joined cases

C-317/04 and C-318/04, European Parliament v Council Union (C-317/04) and Commission

(C-318/04), EU:C:2006:346, at 15.

46

 Further read: Antonella Galetta, Paul De Hert, “The Proceduralisation of Data Protection

Remedies under EU Data Protection Law: Towards a More Effective and Data Subject-oriented

Remedial System?” Review of European Administrative Law (REALaw), 2015/1, pp. 123–149.

47

 On this layered structure in relation to the EDPS, H. Hijmans, The European data protection

supervisor: The institutions of the EC controlled by an independent authority, CMLR 43 (2006),

1313–1343.

48

 Article 12, sub b) of Directive 95/46. See also Article 58 GDPR.






remedy against any breach of data protection law and is entitled to compensation for

damages. In other words, the data subject has a right to directly invoke his right

before a court, as an alternative for involving a DPA. This alternative played a role

in Rease and Wullems, a case brought before the Court of Justice.49 The referring

national court – the Council of State of the Netherlands – asks whether a DPA would

be allowed to set priorities, which result in abstaining from enforcement upon a

complaint by an individual. Possibly, the DPA has this discretion because of the

existence of an alternative remedy.



7.4.4  Further Tasks of DPAs: The Attribution of Powers Must Be Sufficient to Ensure Control

Further tasks of DPAs may be required under secondary EU law or under national

law. These tasks of the DPAs do not only extend to enforcement stricto sensu, but

are of a more general nature, such as advising legislators and administrators and

raising the awareness of the public on data protection related issues. To a certain

extent the DPAs also exercise rule-making powers. The guidance provided by the

DPAs and by the Article 29 Working Party50 could qualify as a soft way of

rule-making. The Fundamental Rights Agency reports that there is a wide variety in the

duties and powers that the Member States have handed to the DPAs.51 At the EU

level, a wide scope of duties and powers is listed in Regulation 45/200152 in relation

to the EDPS.53 This was the inspiration for the lists included in Articles 57 and 58

of the General Data Protection Regulation.

Although most tasks are not based on primary law, the attribution of powers must

be sufficient to ensure control, as required by Article 16(2) TFEU and Article 8(3)

Charter. This also requires judicial remedies, liability and sanctions, as currently

foreseen in Chap. III of Directive 95/46. The Member States have implemented this

chapter in a manner demonstrating that big differences between them still exist and

which is not fully satisfactory.54 Article 83 of the General Data Protection Regulation



49

 Case C-192/15, Rease and Wullems. The case was repealed by Decision of the President of the

Court of 9 December 2015, EU:C:2015:86, but the substantive issue remains relevant.

50

 For instance, in its opinions on general concepts on data protection law, referred to at various

places in this book.

51

 Fundamental Rights Agency, Data Protection in the European Union, the role of National Data

Protection Authorities, 2010, mainly Chap. 4.

52

 Regulation (EC) No 45/2001 of 18 December 2000 on the protection of individuals with regard

to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ 2001 L 8/1, Articles 46–47.

53

 As explained by H. Hijmans, The European data protection supervisor: The institutions of the EC

controlled by an independent authority, CMLR 43 (2006), at 1323–1324.

54

 Fundamental Rights Agency, Data Protection in the European Union, the role of National Data

Protection Authorities, 2010, at 4.3.






includes a detailed provision for administrative sanctions, providing for financial

sanctions that are much higher than those currently available in the Member States.

Finally, the discretionary powers of the national legislator are expected to significantly diminish after the entry into force of the General Data Protection Regulation.



7.4.5  A Variety of Roles Raising Questions

In short, DPAs have a variety of roles. Bennett and Raab distinguish the roles of

ombudsmen, auditors, consultants, educators, policy advisors, negotiators and

enforcers.55 A paper on the European Data Protection Supervisor also mentions this

DPA as having the functions of a handler of complaints, a center of expertise, a

function of ensuring the correct application of the law, offering legal protection, a

regulator and finally a “constitutional function”.56 These roles are not very different

from the roles given to EU agencies and national agencies,57 varying from policy

oriented tasks (like advising on new legislation) to quasi-judicial functions where

decisions must be taken vis-à-vis individuals.

The roles may sometimes conflict with each other. For example, in its role as a

policy advisor, the DPA may oppose the compatibility of a proposed legal instrument with principles of data protection.58 However, after adoption of the instrument,

the DPA has to enforce the instrument, in its role as an enforcer.

Another conflict may arise where DPAs cooperate with private entities, in developing frameworks for compliance of privacy and data protection, whereas they may

be called upon to independently assess these frameworks in a later stage in the

context of a complaint procedure. This is what Ottow describes as a horizontal style

of supervision, focusing on cooperation with the supervisee.59 There is a risk that

engaging in a dialogue with the private sector may complicate enforcement in the

event of a later – alleged – breach of data protection law.60 This is in particular the

case where DPAs engage with private parties in the implementation of more general



55



 Colin J. Bennett and Charles D. Raab, The Governance of Privacy, Ashgate Publishing, 2003 at

109–114.

56

 H. Hijmans, The European data protection supervisor: The institutions of the EC controlled by

an independent authority, CMLR 43, 2006, at 1323–1324.

57

 As listed by A. Ottow, Market & Competition Authorities, Good Agency Principles, Oxford

University Press, 2015, at 26.

58

 Jóri describes this role as shaping data protection law, taking the perspective of a privacy advocate, András Jóri, Shaping vs applying data protection law: two core functions of data protection

authorities, International Data Privacy Law, 2015, Vol. 5, No. 2.

59

 A. Ottow, Market & Competition Authorities, Good Agency Principles, Oxford University Press,

2015, at 164.

60

 As Chiti formulates, in relation to EU agencies, it may make the authorities “excessively permeable” to private parties. E. Chiti, An important part of the EU’s institutional machinery: Features,

problems and perspectives of European agencies, CMLR 46 (2009), at 1395–1442, at 1401.






legislative arrangements such as accountability as provided for in Article 24 of the

General Data Protection Regulation.61

This engagement may vary from developing general frameworks for accountability62 to specific consultations between individual data controllers and DPAs.63 In

the latter situation the DPAs may actively contribute to the solution, and hence be

limited in their discretion at the stage of enforcement, even upon a complaint by an

individual. Engagement processes must address potential conflicts of interests of

participants and guard against the risks that the regulator may (be seen to) be captured by special interests.64

These are just examples of how different tasks may possibly compromise the

core task of DPAs under primary EU law, which is ensuring compliance with EU

data protection law. However, in general, it is the combination of roles that

established the DPAs as strong actors in ensuring privacy and data protection. This

is what makes the DPAs, in Bennett and Raab’s words “authoritative champions”.65

As required by EU law, the DPAs necessarily have decision-making powers.

However, this does not comprise rule-making powers, which contrasts with the situation in the United States where rule-making powers are at the core of the tasks of

the Federal Trade Commission.66 Rule-making powers of expert bodies have traditionally been looked at in a critical manner within the context of EU law. This critical approach has even resulted in a renaming of what the Commission used to call

regulatory agencies67 into decentralised agencies.68

The case law of the Court of Justice however became, in recent years, more open

towards giving rule-making powers to expert bodies. Before, in the light of

Romano,69 EU law presumably prohibited conferring legislative powers on bodies

other than the EU legislature.70 In United Kingdom of Great Britain and Northern

61

 See Chap. 6, Sect. 6.14 of this book.

62

 Examples on https://www.informationpolicycentre.com/accountability-based_privacy_governance/

63

 Nymity, Getting to Accountability, Maximizing Your Privacy Management Program, The

Nymity Approach to Getting to Accountability, https://www.nymity.com/~/media/NymityAura/Resources/Getting%20to%20Accountability/Nymity-Getting-to-Accountability-Paper.ashx

64

 OECD (2014), The Governance of Regulators, OECD Best Practice Principles for Regulatory

Policy, OECD Publishing. http://dx.doi.org/10.1787/9789264209015-en, at 55–58.

65

 As stated above, quoting Colin J. Bennett and Charles Raab, The Governance of Privacy, Policy

Instruments in Global Perspective, MIT Press, 2006, at 107.

66

 M. Scholten, The Political Accountability of EU Agencies: Learning from the US Experience,

(dissertation Maastricht, 2014), at 183.

67

 Communication from the Commission of 11 December 2002, The operating framework for the

European Regulatory Agencies, COM (2002) 718 final.

68

 Vos in: Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between

Institutions and Member States, Kluwer Law International 2014.

69

 Case 98/80, Romano, EU:C:1981:104.

70

 As argued by the Council in Case C-270/12, United Kingdom of Great Britain and Northern

Ireland v European Parliament and Council, EU:C:2014:18, at 60 of the ruling of 22 January

2014.






Ireland v European Parliament and Council (ESMA)71 the Court changed its position, based on the amendment of the institutional framework of the European Union

that now “expressly permits Union bodies, offices and agencies to adopt acts of

general application”. In line with this ruling, there may be room for the EU legislator to allot rule-making powers to the DPAs.



7.5  Enforcement in the US: An Alternative System with a Strong Role for the FTC in Consumer Privacy

A system of independent DPAs does not exist in all democratic countries. The US

has a different system, without independent supervision as an essential component

of data protection,72 contrary to the European Union and a large number of other

Western countries,73 where a system of independent supervision exists. This

systemic difference does not necessarily have a background of legal or constitutional principle, but may have been the result of opposition in the administration.

Earlier drafts of the US Privacy Act (1974)74 contained a Federal Privacy Board.75

Opposition by administrative forces is mentioned as the main or even the sole reason for deleting this provision.76

In the private sector, the most visible enforcement body is the Federal Trade

Commission (FTC), which uses its authority against unfair or deceptive practices in

the area of consumer privacy.77 Enforcement by the FTC encompasses the enforcement of some sectoral federal privacy laws, such as the Fair Credit Reporting Act

(FCRA)78 and the Children’s Online Privacy Protection Act of 1998 (COPPA).79

The FTC also had enforcement authority on the basis of the Safe Harbor Agreement

between the US and the EU,80 which the Court of Justice declared invalid in



71

 Case C-270/12, United Kingdom of Great Britain and Northern Ireland v European Parliament

and Council, EU:C:2014:18, at 65–66.

72

 See Sect. 7.1 above.

73

 For an overview, Monika Kuschewsky (General Editor), Data Protection & Privacy, Jurisdictional

Comparisons (Second edition), Thomson Reuters, 2014.

74

 Privacy Act, 5 U.S.C. 552a.

75

 G. González Fuster, “The Emergence of Personal Data Protection as a Fundamental Right of the

EU”, Law, Governance and Technology Series 16, at 16.

76

 James Rule, Douglas McAdam, Linda Stearns and David Uglow, The Politics of Privacy,

Planning for Personal Data Systems as Powerful Technologies, Elsevier, New York, 1980, at 111.

77

 This authority is laid down in Article 5 of the FTC Act. The FTC positions itself as the nation’s

chief privacy policy and enforcement agency, http://www.ftc.gov/news-events/pressreleases/2012/03/ftc-issues-final-commission-report-protecting-consumer-privacy

78

 15 USC § 1681 et seq.

79

 15 U.S.C. §§ 6501–6506 (Pub.L. 105–277, 112 Stat. 2681–728).

80

 Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the

European Parliament and of the Council on the adequacy of the protection provided by the safe






Schrems.81 This agreement provided for an enforcement mechanism with a key role

for the FTC.82 The role of the FTC comes closest to the role of a data protection

authority in the European Union.83

The FTC adopts a wide and flexible strategy to privacy and data protection that

focuses, to a large extent, on self-regulatory mechanisms. This strategy evolved

from an approach based on the implementation of the Fair Information Practice

Principles84 in the privacy policies of companies to a more harm-based approach.85

In recent years the FTC initiated enforcement actions against some of the big

internet companies, with Google and Facebook as the most significant examples.86

In connection to its enforcement work, the FTC also assumes a role in policy development and actively promotes self-regulation. The FTC also calls on Congress to

consider enacting baseline privacy legislation.87

FTC enforcement is described by several scholars as a big success factor of protection in the US, delivering “privacy on the ground”.88 Emphasis is given to the

magnitude of financial penalties, as well as to forward-looking injunctions. An

example is the imposition of periodic audit requirements on companies that have

violated privacy rules. These requirements may stay in force for 20 years and contain high civil penalties, in case a company does not comply with the requirements.89

Others point at the flaws in FTC enforcement, because of limitations in scope – for

example, the FTC does not have competence as regards the financial sector – or

because the FTC does not persist in following up on its injunctions. This perceived



harbour privacy principles and related frequently asked questions issued by the US Department of

Commerce, OJ L 215/7. The role of the FTC is clarified in Annex V of the Commission Decision.

81

 Case C-362/14, Schrems, EU:C:2015:650.

82

 DJ Solove, W Hartzog, “The FTC and the new common law of privacy”, Columbia Law Review,

2014, Vol. 114:583, at 603.

83

 Lee A. Bygrave, Data Privacy Law, An International Perspective, Oxford University Press, 2014,

at 110.

84

 See below, Substantive standards of protection.

85

 Preliminary FTC Staff Report, Protecting Consumer Privacy in an Era of Rapid Change: A proposed framework for business and policymakers, 1 December 2010.

86

 This is well described by Julie Brill, “Bridging the divide”, in: Hijmans and Kranenborg, Data

protection anno 2014: how to restore trust? Contributions in honour of Peter Hustinx, European

Data Protection Supervisor (2004–2014), pp. 179–190.

87

 FTC Report, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For

Businesses and Policymakers”, 26 March 2012.

88

 E.g., Kenneth A. Bamberger, Deirdre K. Mulligan, “Privacy on the Books and on the Ground”,

2011, Stanford Law Review, Vol. 63, January 2011; Ira Rubinstein, “Privacy and Regulatory

Innovation: Moving Beyond Voluntary Codes”, NYU School of Law, Public Law Research Paper

No. 10–16.

89

 See David C. Vladeck, “A U.S. Perspective on Narrowing the U.S.-EU Privacy Divide”, in:

Artemi Rallo Lombarte, Rosario García Mahamut (eds), Hacia un Nuevo derecho europea de

protección de datos, Towards a new European Data Protection Regime, Tirant Lo Blanch, at II.


