Tải bản đầy đủ - 0 (trang)
12 Effective Powers of DPAs, Proximity and the Developing Information Society

12 Effective Powers of DPAs, Proximity and the Developing Information Society

Tải bản đầy đủ - 0trang

7.12  Effective Powers of DPAs, Proximity and the Developing Information Society



371



viduals.286 This presupposes ensuring remedies in national law, in accordance with

the principles of equivalence and effectiveness.287



7.12.2  Proximity of DPAs Enhancing Effectiveness

Under Article 16(2) TFEU and Article 8(3) Charter, an individual may, under all

circumstances, claim that the exercise of his or her rights is under the control of an

independent authority. Member States should ensure that the procedures are put in

place to guarantee protection by DPAs, in accordance with the principles of equivalence and effectiveness.288 The legal order of the Union is based on the notion that

where competences are transferred to the Union, the Member States remain responsible for remedies being available in the national legal order.289

The debate during the legislative procedure on the Commission proposal for a

General Data Protection Regulation290 on what is referred to as proximity could be

seen in this context. This debate related to the question whether proximity required

that individuals are entitled to protection by the DPA within the Member State

where he or she resides, or whether effective protection can also be provided by

another DPA. Proximity is a specification of a basic principle of the Treaty on

European Union, namely that decisions are taken as closely as possible to the

citizen.291

It could be argued that this control should be guaranteed by an authority of the

jurisdiction where an individual has his usual residence, which would mean that the

requirements of Article 16(2) TFEU and Article 8(3) Charter influence the functioning of the European composite administration292 in this specific area. Proximity is

not a prerequisite for legal protection under EU law.293 What counts is the effectiveness of redress mechanisms.294 However, proximity could be an argument in support

of effectiveness in an internet context, since it counterbalances forum shopping by

286



 See, e.g., Sect. 7.1 of this chapter.

 Koen Lenaerts and Piet van Nuffel European Union Law (Third edition), Sweet & Maxwell,

2010, at 7–045 and case law mentioned in footnote 101 of Chap. 2.

288

 Koen Lenaerts and Piet van Nuffel, European Union Law (Third edition), Sweet & Maxwell,

2010, at 7–045 and case law mentioned in footnote 101 of Chap. 2.

289

 Further read: Paul Craig and Grainne de Burca, EU Law, Text, Cases and Material (Fifth

Edition), Oxford University Press, 2011, Chap. 8.

290

 Commission Proposal for a General Data Protection Regulation, COM (2012), 11 final.

291

 Article 1(2) TEU.

292

 The interaction of individuals with the European composite administration in this area is mentioned in Anna-Sara Lind and Jane Reichel, Administrating Data Protection – or the Fort Knox of

the European Composite Administration, Critical Quarterly for Administration and Law (EuCritQ),

2014, 1, pp. 44–57, at 55.

293

 Further read, Opinion Legal Service Council, e.g. 18031/13 (19 Dec 2013, full version on lobbyplag.eu).

294

 As explained in Chap. 8, Sect. 8.12.

287



372



7  Understanding the Role of Independent, Effective and Accountable DPAs: New…



big internet companies, choosing a Member State of establishment on the basis of

the (lack of) enforcement capacity of its DPA.

Under the same argument that control should be guaranteed by an authority in

the country of residence, current EU law permits forum shopping by big internet

companies, choosing as Member State of its main establishment a country with a

perceived low level of DPA enforcement. Vice versa, a DPA is not permitted to

enforce data protection law, if an internet company chooses an establishment

abroad, whilst targeting individuals within the Member State where the DPA

functions.295

The topic is illustrated by the enforcement actions of several national DPAs

against Facebook. According to a press release of the Belgian DPA Facebook seems

to claim that under Article 4(1)(a) of Directive 95/46 only the Irish DPA is competent to enforce the directive against it, as Facebook has its main European establishment in Ireland.296 Without prejudice to the correctness of the position of Facebook

under Directive 95/46, the argument based on proximity could be made that an EU

citizen who is directly affected by data processing of his personal data by Facebook

would be entitled to protection by the DPA in the Member State where he or she

resides, directly on the basis of Article 16(2) TFEU and Article 8(3) Charter.



7.12.3  Effective DPAs in a Developing Information Society

This book started from the presumption that governments have lost control over

societal developments, due to globalisation and technological developments, exemplified by big data and mass surveillance.

The European Union and the Member States have the obligation to ensure effective protection by DPAs, in a complex global and technological environment, and

that, where needed, trust can be restored. Obviously, there is a budgetary restriction.

Resources given to DPAs are part of the national budget – or in the case of the

European Union itself, of the EU budget – and have to be balanced against resources

spent for other public tasks.

The next issue is how – given restrictions in terms of resources – the authorities

can be incentivised to ensure control in the most effective manner. Here we encounter a dilemma. As explained, the DPAs are given a high degree of independence

because of the added value of having authorities with specific expertise and acting

impartially, free from any external influence.297 This independence does not only

mean that they have discretion in solving cases before them, but also in setting priorities. The DPAs also claim that a wide discretionary power is needed to be effec295



 With the nuances in the case law of the Court, particularly C-131/12, Google Spain and Google

Inc, EU:C:2014:317 and C-230/14, Weltimmo, EU:C:2015:639.

296

 http://www.privacycommission.be/en/news/13-may-belgian-privacy-commissionadopted-first-recommendation-principle-facebook

297

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 19.



7.12  Effective Powers of DPAs, Proximity and the Developing Information Society



373



tive, which means that selective approaches are seen as a guarantee for effective

data protection.298

In other words, the DPAs are free to set their own agenda. There is one limitation,

the complaint handling by a DPA.299 Under Article 28(4) of Directive 95/46 a DPA

“shall hear claims lodged by any person”. Furthermore, the “person concerned shall

be informed of the outcome of the claim”. The obligation of a DPA to handle a

complaint was the subject of Rease and Wullems.300 The referring judge has asked

the Court of Justice whether a DPA – in this case the DPA of the Netherlands – is

free “to set priorities which result in such enforcement not taking place in the case

where only an individual or a small group of persons submits a complaint alleging

a breach of that directive”. In other words, is a DPA empowered to renounce from

enforcement in a case that may be important for the complainant but not for society

as such.

The question is not so much whether an individual is entitled to an answer when

he lodges a complaint, but whether the DPA is required to take any further action

after a complaint is lodged. Hustinx pleads for a reasonable discretion of DPAs as

to whether and how to deal with complaints.301 In essence, the issue is whether an

individual is entitled to a remedy before a DPA as part of his fundamental right

under Article 47 Charter, or that it suffices that he can invoke his right, alternatively,

before a court.

This is an essential issue for the functioning of the relatively small DPAs, which

could become paralysed if disproportionate resources have to be used for complaint

handling. The ruling in Rease and Wullems could have presented an opportunity to

resolve this issue, and at the same time provide clarity on the nature of the right to

complain with the DPAs.

The DPAs are important actors under EU law in an area where trust in the capacity of governments to deal with fundamental developments in our societies in an

effective manner should be ensured. Moreover, action in this area requires a balancing of various interests, as was confirmed by the Court of Justice in connection with

the free movement of data.302 In this perspective, the majoritarian institutions may



298



 P. Hustinx in María Verónica Pérez Asinari et Pablo Palazzi (eds.), Défis du droit a la protection

des données, Perspectives du Droit Européen et Nord-Américain, Challenges of privacy and data

protection law, Perspectives of European and North-American Law, Cahiers du Centrede

Recherches Informatique et Droit, 2008, pp 561–568, at 567.

299

 In Case C-362/14, Schrems, EU:C:2015:650, at 53, the Court reiterates the importance of lodging complaint before a DPA.

300

 Case C-192/15, Rease and Wullems. The case was repealed by Decision of the President of the

Court of 9 December 2015, EU:C:2015:861, but the substantive issue remains relevant.

301

 Hustinx in María Verónica Pérez Asinari et Pablo Palazzi (eds.), Défis du droit a la protection

des données, Perspectives du Droit Européen et Nord-Américain, Challenges of privacy and data

protection law, Perspectives of European and North-American Law, Cahiers du Centrede

Recherches Informatique et Droit, 2008, pp 561–568, at 567.

302

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 24.



374



7  Understanding the Role of Independent, Effective and Accountable DPAs: New…



have a legitimate expectation that certain phenomena in society having a specific

impact on the trustworthiness of governments are addressed by the DPAs, and that

the DPAs take into consideration that various public interests need to be balanced.

This expectation also implies not using resources in a disproportionate manner in

dealing with claims of individuals, where the DPAs possibly are under an obligation

to act.

A comparable dilemma– in relation to EU agencies303 – is characterised as a

‘Catch 22’ situation. On the one hand, the high degree of independence is the rationale for the role of DPAs. Precisely because of their independence they are considered as being an effective instrument for dealing with complex issues in a

technological complex environment with big data and mass surveillance. On the

other hand, there is the legitimate expectation that DPAs act in the wider interest of

society, which requires that there must be some means to keep them under

control.304

Various tools could enhance the effectiveness of DPAs without prejudice to their

independence. Examples are peer reviews, impact assessments or engaging with

external experts. The use of these tools also enhances the accountability of DPAs.



7.13  D

 PAs Are Accountable to the Judiciary and Not Totally

Free from Parliamentary Influence

Accountability of DPAs as independent authorities means in the first place that they

should be accountable for their acts before a court, under the rule of law. Article

78(1) of the General Data Protection Regulation states the obvious: Each “natural or

legal person shall have the right to an effective judicial remedy against a legally

binding decision of a supervisory authority concerning them.”

In addition, in Commission v Germany305 the Court of Justice of the European

Union ruled that the independence of the data protection authorities does not free

these authorities from any parliamentary influence by underlining that there should

be some degree of parliamentary influence, illustrated by some examples. Albeit in

an indirect manner, the Court thus underlined that DPAs are not only accountable

for their acts before the judiciary under the rule of law, but that Member States must

also ensure some degree of democratic accountability.306

In other words, the DPAs remain – to a certain extent – accountable towards the

democratically elected institutions in society. The Court of Justice had already ruled

303



 Zinzani in Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in

between Institutions and Member States, Kluwer Law International 2014, at 184.

304

 See, in relation to agencies, E. Chiti, An important part of the EU’s institutional machinery:

Features, problems and perspectives of European agencies, CMLR, 46, 1395–1442, 2009.

305

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 41–46, as explained in Sect. 7.9

above.

306

 Or, as Scholten calls it, political accountability,, M. Scholten, The Political Accountability of

EU Agencies: Learning from the US Experience (dissertation Maastricht, 2014).



7.13  DPAs Are Accountable to the Judiciary and Not Totally Free…



375



on a similar matter in Commission v European Central Bank.307 That ruling is even

more precise than Commission v Germany. Independence of the ECB – which is, as

was explained before, surrounded by strong safeguards – does not mean that the

ECB is entirely separated from the EU framework and exempt from rules of EU law.

The Court confirmed that there is judicial accountability before the Court itself as

well as control by the Court of Auditors. Moreover, the ECB is subject to various

other measures adopted by the EU legislature, such as, for instance, the data protection regime as laid down in Regulation 45/2001, including the control by the EDPS.

The ruling of the Court in Commission v European Central Bank can, therefore,

be understood as meaning that the ECB operates within the institutional system of

the European Union, and is accountable within this system. The same can be said

about the DPAs under the Court’s case law.

The term accountability – as an obligation of public bodies, not to be confused

with the accountability of data controllers and processors under EU data protection

law308 – is used in the literature both in a wider and a narrower sense.309 In the wider

sense it is similar to the notion of ‘good governance’; in a narrower sense it is

described as the obligation to explain and justify conduct.310 Here, the latter, narrow

understanding is used, for the reason that we are focusing on accountability as a

constraint for complete independence.



7.13.1  J udicial Accountability as Compensation for the Loss

of Full Parliamentary Control

Under the rule of law, the procedures before the authorities and the possibilities for

judicial review of the acts of the authorities must respect the rights to an effective

remedy and fair trial. The requirement of a complete system of judicial protection

follows from the right to an effective remedy and to a fair trial under Article 47

Charter.

This requirement plays a role in the General Data Protection Regulation.311 The

issue is how effective remedies can be ensured in a multi-jurisdictional environment

 Case C-11/00, Commission v European Central Bank, EU:C:2003:395, at 135.

 See Chap. 6, Sect. 6.14.

309

 Mark Bovens, Analysing and Assessing Accountability: A Conceptual Framework, European

Law Journal, Vol. 13, No. 4, July 2007, pp. 447–468, at 449–450.

310

 Also in this narrower sense accountability is sometimes seen as more than judicial and democratic accountability, M. Busuioc and M. Groenleer in Everson, Michelle, Cosimo Monda, and

Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law

International 2014, at 192. We stick to judicial and democratic accountability, because this links

directly to the rule of law and democracy, and closely links to legitimacy, as understood in this

book (see Chap. 1, Sect. 1.2).

311

 Particularly in Chapter VIII thereof.

307

308



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

12 Effective Powers of DPAs, Proximity and the Developing Information Society

Tải bản đầy đủ ngay(0 tr)

×