Tải bản đầy đủ - 0 (trang)
11 Effectiveness of DPAs: A Presumed Lack of Effectiveness and the Struggle for Resources

11 Effectiveness of DPAs: A Presumed Lack of Effectiveness and the Struggle for Resources

Tải bản đầy đủ - 0trang

7.11  Effectiveness of DPAs: A Presumed Lack of Effectiveness and the Struggle…



367



7.11.1  The Presumed Lack of Effectiveness of DPAs

At present, a presumed lack of effectiveness of DPAs is seen as a major deficiency

of data protection in the European Union, with an emphasis on insufficiencies in the

powers and resources of the DPAs.262 Bamberger and Mulligan report that these

“shortcomings are particularly acute with regard to regulatory adaptivity to new

technological contexts”.263

Against this background it is not surprising that the need for the creation of more

effective enforcement by DPAs is one of the main purposes of the General Data

Protection Regulation.264 One of the main deficiencies the Commission identifies is

the lack of effective supervision through regulatory authorities with sufficient powers, as well as insufficient guarantees for consistent enforcement. According to the

Commission, the resources and the powers of the national authorities responsible

for data protection vary considerably among Member States. In some cases, DPAs

are unable to perform their enforcement tasks in a satisfactory manner. For these

reasons, the Commission felt that national authorities need to be reinforced and

their cooperation strengthened in order to guarantee consistent enforcement and,

ultimately, the uniform application of rules across the European Union.265

Also the Fundamental Rights Agency of the European Union reported on the

great variety as well as on deficiencies in powers and resources of DPAs.266 As to

powers, the Agency reports that, in certain Member States, the DPAs are not

endowed with the full range of powers of investigation, powers of intervention and

powers to hear claims and engage in legal proceedings. These are the powers

referred to in Article 28(3) of Directive 95/46. Examples of deficiencies the Agency

mentions relate to the lack of intervention powers, as well as the absence of the

power to enter premises where personal data are processed without first obtaining a

judicial warrant.267 Also limited sanctioning powers – for example, fines of a non-­

dissuasive nature – were reported, in combination with the absence of a practice of

262



 Kenneth A. Bamberger, Deirdre K. Mulligan, 2013, “Privacy in Europe: Initial Data on

Governance Choices and Corporate Practices”, George Washington Law Review, Vol. 81, p. 1529,

2013, at 1549–1550. See also: David Barnard-Wills and David Wright, Deliverable 1 –

“Co-ordination and co-operation between Data Protection Authorities”, www.phaedra-project.eu

263

 Kenneth A. Bamberger, Deirdre K. Mulligan, 2013, “Privacy in Europe: Initial Data on

Governance Choices and Corporate Practices”, George Washington Law Review, Vol. 81, p. 1529,

2013, at 1550.

264

 COM (2012), 11 final.

265

 Communication from the Commission to the European Parliament, the Council, the European

Economic and Social Committee and the Committee of the Regions, Safeguarding Privacy in a

Connected World A European Data Protection Framework for the twenty-first century, COM

(2012), 9 final, pp 6–7.

266

 Fundamental Rights Agency, Access to data protection remedies in EU Member States, 2013, at

4.2 and in Fundamental Rights Agency, Data Protection in the European Union, the role of National

Data Protection Authorities, 2010, at 5.1.1.

267

 Fundamental Rights Agency, Data Protection in the European Union, the role of National Data

Protection Authorities, 2010, at 5.1.1.



368



7  Understanding the Role of Independent, Effective and Accountable DPAs: New…



imposing sanctions.268 An example of limited sanctioning powers is a decision of

the Sanctions Committee of the French DPA (CNIL), imposing a monetary penalty

of 150,000 Euro on Google, because its privacy policy did not comply with French

data protection law. This penalty is neither substantial nor dissuasive in view of the

annual turnover of Google.269

As a rule, sanction powers are restricted in view of the fact that the DPAs should

be able to effectively enforce infringements by big internet companies. This is

addressed in the General Data Protection Regulation, but in the meantime it is an

obligation for the Member States implementing Directive 95/46 to ensure effectiveness, also by attributing appropriate sanctioning powers.270 Under the General Data

Protection Regulation, this obligation remains with the Member States, but will be

subject to precise parameters set by EU law.



7.11.2  Resources of DPAs

The Fundamental Rights Agency reported on understaffing and a lack of adequate

financial resources of DPAs,271 with the result that in many Member States the DPAs

do not carry out all their tasks.272

The General Data Protection Regulation273 deals with resources and distinguishes

between adequate human, technical and financial resources, premises and infrastructure. Member States shall ensure that adequate resources are provided, without

giving indications how the adequacy of the resources can be measured.274 The legislative resolution of the European Parliament specifies that particular attention

should be given to ensuring adequate technical and legal skills of staff.275 In its



268



 Fundamental Rights Agency, Data Protection in the European Union, the role of National Data

Protection Authorities, 2010, at 5.1.3.

269

 http://www.cnil.fr/english/news-and-events/news/article/the-cnils-sanctions-committee-issuesa-150-000-EUR-monetary-penalty-to-google-inc/. See also Dariusz Kloza and Anna Moscibroda,

Making the case for enhanced enforcement cooperation between data protection authorities:

insights from competition law, International Data Privacy Law, 2014, Vol. 4, No. 2.

270

 An example of increased sanctioning powers can be found in The Netherlands. The Dutch DPA

will be, as from 2016, empowered to impose administrative fines with a maximum of 810,000

Euro, Staatsblad 230 Wijziging van de Wet bescherming persoonsgegevens, 2015.

271

 A principle for funding is found in the OECD (2014), The Governance of Regulators, OECD

Best Practice Principles for Regulatory Policy, OECD Publishing. http://dx.doi.

org/10.1787/9789264209015-en, at 98: “Funding levels should be adequate to enable the regulator, operating efficiently, to effectively fulfil the objectives set by government, including obligations imposed by other legislation.”

272

 Fundamental Rights Agency, Data Protection in the European Union, the role of National Data

Protection Authorities, 2010, at 5.1.1

273

 Article 52 (4) GDPR.

274

 Article 52(4) and recital 120 GDPR.

275

 Legislative Resolution of the European Parliament, Amendment 65, relating to recital 94.



7.11  Effectiveness of DPAs: A Presumed Lack of Effectiveness and the Struggle…



369



opinion on the reform package, the Article 29 Working Party suggested a mechanism for measuring the adequacy of financial resources, which should consist of a

fixed amount supplemented by an amount based on a formula related to the population of a Member State and its GDP.276

The allocation of resources starts with an adequate budget for the DPAs,277 allowing for the attribution of sufficient equipment and staff. In Commission v Austria the

Court of Justice ruled that a sufficient budget is needed, but this does not require a

separate budget.278 Normally, the DPAs are (fully) funded by the public budget. An

exception is the Information Commissioner’s Office in the United Kingdom, which

is funded by fees levied from data controllers.279 The responsibility for the public

budget in a democratic society is a matter where involvement of democratically

elected bodies is a conditio sine qua non and where normally spoken the influence

of DPAs is limited.

The available human resources – the members of the DPAs as well as the staff –

must ensure an effective implementation of the powers. This requirement does not

only have a quantitative aspect, but also a qualitative aspect. In Commission v

Austria the Court mentioned that resources – in particular equipment and staff –

must be attributed in such a way that it does not prevent the DPAs from acting

independently.280 The way staff was attributed to the Austrian DPA did not guarantee that the staff would act in an independent manner. As observed before, the staff

was composed of officials of the Federal Chancellery of Austria.

Furthermore, the expertise of the human resources must be guaranteed. In the

preparatory documents leading to the proposed reform of the EU data protection

framework, expertise did not appear as an important issue in relation to DPAs. Lack

of expertise was not mentioned as a trigger for the reform of the EU data protection

legislation. However, ensuring expertise within the DPA is essential, because it is

the expertise that provides legitimacy. The Court did not state this explicitly in its

case law on the independence of DPAs, but it confirmed this for the financial area,

in United Kingdom of Great Britain and Northern Ireland v European Parliament

and Council.281



276



 Article 29 Data Protection Working Party, Opinion 01/2012 on the data protection reform proposals – WP 191, at 17.

277

 See on this A. Balthasar, “‘Complete Independence’ of National Data Protection Supervisory

Authorities”, Utrecht Law Review, Volume 9, Issue 3 (July) 2013, at 32–37.

278

 Case C-614/10, Commission v Austria, EU:C:2012:631, at 58.

279

 Fundamental Rights Agency, Data Protection in the European Union, the role of National Data

Protection Authorities, 2010, at 4.1.2.

280

 Case C-614/10, Commission v Austria, EU:C:2012:631, at 58. See on this: A. Balthasar,

“‘Complete Independence’ of National Data Protection Supervisory Authorities”, Utrecht Law

Review, Volume 9, Issue 3 (July) 2013, at 37.

281

 Case C-270/12, United Kingdom of Great Britain and Northern Ireland v European Parliament

and Council, EU:C:2014:18, at 85.



370



7  Understanding the Role of Independent, Effective and Accountable DPAs: New…



Finally, technical resources must be available, including premises and infrastructure.282 These resources are not specifically addressed in this section of the book on

the effectiveness of DPAs. We just mention them to underline that various resources

are needed for a DPA to enable it to operate in an effective manner.



7.12  E

 ffective Powers of DPAs, Proximity

and the Developing Information Society

7.12.1  Member States Must Ensure Effective Powers

The consequences of the principle of effectiveness for the powers of investigation

and the powers of intervention of DPAs are that the Member States must ensure that

these powers can be exercised in an effective manner. This is not an obligation that,

under current law, can easily be quantified or challenged in legal proceedings.

Article 28(3) of Directive 95/46 is not very specific. The Commission has not

brought cases before the Court of Justice under the infringement procedure of

Article 258 TFEU based on the argument that a Member State has provided insufficient powers to a DPA. However, the Court recognised that the absence of intervention powers is problematic when the processing is carried out outside the

territory of the European Union.283

From the perspective of the individual who is entitled to – effective – protection

the following elements are relevant, as a result of Article 16(2) TFEU and Article

8(3) Charter, read in combination with Article 28 of Directive 95/46. In the first

place, when an individual (or an association representing him or her) lodges a complaint with the DPA the claim shall be heard and the complainant shall be informed

of the outcome.284 The claim can also relate to an act of a controller established in

another Member State. A DPA may examine a complaint irrespective of the applicable law.285 In the second place, Article 16(2) TFEU and Article 8(3) Charter

require that individuals shall have effective access to remedies against breaches of

data protection law, in line with Article 47 Charter. This follows from the very

nature of the control, by DPAs, an essential component of the protection of indi-



282



 Article 52(4) GDPR.

 Joined cases C-293/12 and C-594/12, Digital Rights Ireland (C-293/12) and Seitlinger

(C-594/12), at 68, and Case C-362/14, Schrems, EU:C:2015:650, at 44.

284

 Article 28(4) of Directive 95/46.

285

 Case C-230/14, Weltimmo, EU:C:2015:639, at 54.

283



7.12  Effective Powers of DPAs, Proximity and the Developing Information Society



371



viduals.286 This presupposes ensuring remedies in national law, in accordance with

the principles of equivalence and effectiveness.287



7.12.2  Proximity of DPAs Enhancing Effectiveness

Under Article 16(2) TFEU and Article 8(3) Charter, an individual may, under all

circumstances, claim that the exercise of his or her rights is under the control of an

independent authority. Member States should ensure that the procedures are put in

place to guarantee protection by DPAs, in accordance with the principles of equivalence and effectiveness.288 The legal order of the Union is based on the notion that

where competences are transferred to the Union, the Member States remain responsible for remedies being available in the national legal order.289

The debate during the legislative procedure on the Commission proposal for a

General Data Protection Regulation290 on what is referred to as proximity could be

seen in this context. This debate related to the question whether proximity required

that individuals are entitled to protection by the DPA within the Member State

where he or she resides, or whether effective protection can also be provided by

another DPA. Proximity is a specification of a basic principle of the Treaty on

European Union, namely that decisions are taken as closely as possible to the

citizen.291

It could be argued that this control should be guaranteed by an authority of the

jurisdiction where an individual has his usual residence, which would mean that the

requirements of Article 16(2) TFEU and Article 8(3) Charter influence the functioning of the European composite administration292 in this specific area. Proximity is

not a prerequisite for legal protection under EU law.293 What counts is the effectiveness of redress mechanisms.294 However, proximity could be an argument in support

of effectiveness in an internet context, since it counterbalances forum shopping by

286



 See, e.g., Sect. 7.1 of this chapter.

 Koen Lenaerts and Piet van Nuffel European Union Law (Third edition), Sweet & Maxwell,

2010, at 7–045 and case law mentioned in footnote 101 of Chap. 2.

288

 Koen Lenaerts and Piet van Nuffel, European Union Law (Third edition), Sweet & Maxwell,

2010, at 7–045 and case law mentioned in footnote 101 of Chap. 2.

289

 Further read: Paul Craig and Grainne de Burca, EU Law, Text, Cases and Material (Fifth

Edition), Oxford University Press, 2011, Chap. 8.

290

 Commission Proposal for a General Data Protection Regulation, COM (2012), 11 final.

291

 Article 1(2) TEU.

292

 The interaction of individuals with the European composite administration in this area is mentioned in Anna-Sara Lind and Jane Reichel, Administrating Data Protection – or the Fort Knox of

the European Composite Administration, Critical Quarterly for Administration and Law (EuCritQ),

2014, 1, pp. 44–57, at 55.

293

 Further read, Opinion Legal Service Council, e.g. 18031/13 (19 Dec 2013, full version on lobbyplag.eu).

294

 As explained in Chap. 8, Sect. 8.12.

287



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

11 Effectiveness of DPAs: A Presumed Lack of Effectiveness and the Struggle for Resources

Tải bản đầy đủ ngay(0 tr)

×