Tải bản đầy đủ - 0 (trang)
2 A General Design of DPAs Cooperating with Each Other and in Composite Administrations or Trans-­governmental Networks

2 A General Design of DPAs Cooperating with Each Other and in Composite Administrations or Trans-­governmental Networks

Tải bản đầy đủ - 0trang

8.2 A General Design of DPAs Cooperating with Each Other and in Composite…



391



effective level of data protection within the wider territory of Union. This is particularly important in an internet environment, where dealing with cross-border effects

is an inherent element of the protection that must be given. Moreover, this obligation for DPAs is the consequence of the recognition that the European Union is the

appropriate platform for dealing with internet privacy and data protection. Article

51(2) of the General Data Protection Regulation makes this obligation explicit. The

obligation also exists – although in a more implicit manner – under current data

protection law.2

Hence, the mandate of the DPAs has an EU-wide component. This component of

the mandate does not fully fit in our understanding of the division of competences

between the Member States and the Union. The DPAs are hybrid in character, operating in between the Member States and the Union. Whereas, as a rule, the competences are divided between the European Union and the Member States,3 the

cooperation mechanisms between DPAs are an example of competences that are not

divided, but shared.4

Cooperation has an impact on the independence of the DPAs, for instance

because national DPAs should mutually cooperate with their peers in other Member

States and take the positions of these peers into account. Cooperation is a requirement for effective protection, but may also adversely affect the effectiveness of the

exercise of the tasks of the DPAs. For instance, where DPAs must dedicate resources

to ensure data protection outside their national jurisdictions, this will limit the

resources available for purely national protection.

In addition, judicial accountability must be guaranteed through the existence of

judicial review mechanisms in a multi-level legal environment. The democratic

accountability – which is not evident for these expert bodies, as was explained in

Chap. 7 – becomes even more complicated where DPAs operate at multiple levels,

in European networks.5

This chapter analyses how the cooperation is carried out and how the institutional mechanisms function, from the perspectives of independence, effectiveness

and democratic as well as judicial accountability. The chapter examines the obligation of DPAs to contribute to data protection in the whole of the European Union as

an additional component of their mandate to ensure control over the protection of

the fundamental rights to privacy and data protection under EU law. This component also includes the obligation of the DPAs to cooperate with one another, an

obligation that serves “to ensure that the rules of protection are properly respected

2



 Recital 65 and Articles 29 and Article 30 (1) (a) of Directive 95/46.

 As explained in Chap. 4. Even the domain of shared competence, as specified in Article 2 (2)

TFEU essentially means a procedure for the division of competences.

4

 Francesca E. Bignami, Transgovernmental Networks vs. Democracy: The Case of the European

Information Privacy Network, Michigan Journal of International Law, Vol. 26, pp. 807–868, 2005,

at 821, as will be explained in Sect. 8.7 below.

5

 Comparable to regulatory agencies as described by David Coen and Mark Thatcher, Network

Governance and Multi-level Delegation: European Networks of Regulatory Agencies, Journal of

Public Policy, Vol. 28, Issue 01, April 2008, pp 49–71.

3



392



8  Understanding the Role of Cooperation Mechanisms of DPAs: Towards a Layered…



throughout the Union”.6 Cooperation of DPAs is also a means to forego forum shopping by regulatees in an attempt to engage the authority that is perceived as most

convenient.7

The chapter builds on Chap. 7, which already highlighted the hybrid nature of

the DPAs. As a rule – the European Data Protection Supervisor is the exception –

the DPAs operate in between the European Union and the Member States. The

DPAs are authorities established within the national legal order, but who act as

agents of the European Union, with a mandate to ensure control of the EU rules on

privacy and data protection within the national jurisdictions. This chapter demonstrates that the hybrid nature also includes a responsibility outside the jurisdiction in

which the DPAs are established. The DPAs cooperate in what is defined as “multi-­

jurisdictional networks”8 or as a European composite administration.9

The obligation of DPAs to cooperate also has institutional aspects. Under EU

law, various mechanisms for institutional cooperation between the DPAs have been

established, with the Working Party on the Protection of Individuals with regard to

the Processing of Personal Data (the “Article 29 Working Party”) as the most prominent example. The General Data Protection Regulation intends to strengthen the

institutional cooperation within the framework of the EDPB, which still must be set

up. These institutional mechanisms for cooperation are further actors in ensuring

the respect of privacy and data protection under EU law. These institutional mechanisms are not provided for in the Treaties. Hence, their tasks are not attributed by

primary EU law, but derived from the tasks of the DPAs. This means, as a basic

condition, that where these mechanisms have a role in ensuring control on the rules

on data protection, this should not compromise the independence of the DPAs.

Cross-border cooperation is particularly important in view of the challenges

resulting from the developments in the information society.10 In an information society, the processing of personal data is in many situations not confined to one

­jurisdiction and has an inherent cross-border effect. Cross-border cooperation of

supervisory authorities is a conditio sine qua non for effective control. Directive

95/46 on data protection acknowledges this, for instance where it includes an obligation for DPAs to exchange all useful information.11 However, the effectiveness of

enforcement cooperation and of harmonised approaches in enforcement is not self-­

evident. The need to improve consistency in the enforcement of data protection

rules across Europe was an important trigger for the Commission to initiate the data

6



 Recital 64 of Directive 95/46.

 See on this, E. Chiti, An important part of the EU’s institutional machinery: Features, problems

and perspectives of European agencies, CMLR, 46, pp. 1395–1442, 2009, at 1412.

8

 Herwig C.H. Hofmann, Herwig & Morgane Tidghi, “Rights and Remedies in Implementation of

EU Policies by Multi-Jurisdictional Networks”, European Public Law, 20, No.1, 147–164, 2014.

9

 Anna-Sara Lind and Jane Reichel, Administrating Data Protection – or the Fort Knox of the

European Composite Administration, Critical Quarterly for Administration and Law (EuCritQ), 1,

pp. 44–57, 2014.

10

 As explained in Chap. 3.

11

 Article 28(6) of Directive 95/46.

7



8.2 A General Design of DPAs Cooperating with Each Other and in Composite…



393



protection reform. One of the objectives of this reform is to avoid inconsistent

responses of EU data protection authorities to services offered on the internet.12

This chapter analyses the judicial and democratic accountability of DPAs with a

different focus from that used in Chap. 7. Whereas Chap. 7 emphasised the accountability of DPAs as unelected bodies, the present chapter deals with aspects of judicial and democratic accountability as a consequence of the fact that the DPAs

operate in multiple jurisdictions.



8.2.1  D

 PAs Operating in Multiple Jurisdictions: A Challenge

to Reconcile Independence, Effectiveness

and Accountability, as Illustrated by the GDPR

DPAs are national authorities that fulfil a role under EU law. This has a positive

impact on the legitimacy of EU action in the area of privacy and data protection.

Their role is comparable to the roles of national and EU agencies operating in

between the national and the Union level.13 These roles include both contributing to

harmonisation within the European Union and safeguarding national specificities.

However, the fact that DPAs operate in multiple jurisdictions may adversely

affect their democratic legitimacy and accountability. As was explained in Chap. 7,

in Commission v Germany14 the Court of Justice of the European Union ruled that

the independence of DPAs does not free them from every parliamentary influence.

The question arises which parliament is entitled to exercise influence, because DPAs

operate in composite administrations15 or transgovernmental networks.16 The DPAs

are not only separated from the democratic structure within the jurisdiction in which

they operate, but they are also separated from the specific jurisdiction itself, since

they operate on various jurisdictional levels.17



12



 See example in Communication from the Commission to the European Parliament, the Council,

the European Economic and Social Committee and the Committee of the Regions, Safeguarding

Privacy in a Connected World A European Data Protection Framework for the 21st Century, COM

(2012), 9 final, at 7.

13

 As explained in Chap. 7, Sect. 7.8.

14

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 41–46.

15

 Term used by Anna-Sara Lind and Jane Reichel, Administrating Data Protection – or the Fort

Knox of the European Composite Administration, Critical Quarterly for Administration and Law

(EuCritQ), 1, pp. 44–57, 2014.

16

 Term used by Francesca E. Bignami, Transgovernmental Networks vs. Democracy: The Case of

the European Information Privacy Network, Michigan Journal of International Law, Vol. 26,

pp. 807–868, 2005.

17

 In the words of Lind and Reichel, they are cut loose from their foundation in the national and the

European legal order, Anna-Sara Lind and Jane Reichel, Administrating Data Protection – or the

Fort Knox of the European Composite Administration, Critical Quarterly for Administration and

Law (EuCritQ), 1, pp. 44–57, 2014, at 53–54.



394



8  Understanding the Role of Cooperation Mechanisms of DPAs: Towards a Layered…



This situation also affects the judicial accountability. Where DPAs operate in

multiple jurisdictions, in particular in an institutional setting, multiple actors in multiple jurisdictions may bear legal responsibility for the same act. Bignami argues

that under current EU data protection law the judicial accountability – expressed in

terms of standards of judicial review – is not affected by the involvement of multiple

jurisdictions, in any event not in a similar way as the democratic or political accountability.18 However, an appropriate standard of judicial review will not necessarily be

guaranteed under the General Data Protection Regulation.19

Independence, effectiveness and judicial and democratic accountability should

be reconciled in a satisfactory way. The extensive discussions in the Council on the

one-stop shop mechanism and the consistency mechanism20 illustrate that this result

is not easy to reach. The one-stop shop mechanism and the consistency mechanism

were proposed with the objective of increasing the effectiveness of data protection

within the European Union. In all cases, the enforcement of EU data protection law

should result in a single decision with EU-wide application.

This objective of increasing effectiveness did not convince everyone. It was

stated that these mechanisms are not achieving a better protection for the data subjects and that it is mainly the businesses who benefit (in their capacities as data

controllers or data processors).21 However, individuals may feel that decisions are

taken at a considerable distance, and the rights to an effective remedy and fair trial

as laid down in Article 47 Charter may not be sufficiently respected. The mechanisms may result in a situation where an individual no longer has effective redress

before the DPA in the Member State where he or she resides. The term ‘proximity’

was used as a requirement for legitimate and accountable protection.22 Moreover, as

this chapter explains, the current mechanisms are already complicated and with the

introduction of further mechanisms under the General Data Protection Regulation

the complexity increases, possibly leading to legal uncertainty. These (new) mechanisms put the legitimacy of the protection at risk.



18



 Her research focused on the Italian DPA (“Garante”) and the judicial review in Italy. Francesca

E. Bignami, Transgovernmental Networks vs. Democracy: The Case of the European Information

Privacy Network, Michigan Journal of International Law, Vol. 26, pp. 807–868, 2005, e.g. at 852.

19

 See Sect. 8.12.

20

 Council of the European Union, various Council documents on Council Public Register, re

Interinstitutional file 2012/0011 (COD), e.g. 18031/13 (19 Dec 2013, full version on lobbyplag.eu)

and 14788/1/14 (13-11-2014).

21

 Council of the European Union, various Council documents on Council Public Register, re

Interinstitutional file 2012/0011 (COD), e.g. 18031/13 (19 Dec 2013, full version on lobbyplag.

eu).

22

 Council of the European Union, various Council documents on Council Public Register, re

Interinstitutional file 2012/0011 (COD), e.g. 18031/13 (19 Dec 2013, full version on lobbyplag.

eu).



8.3 Cross-Border Enforcement and Mutual Cooperation Between DPAs: The State…



395



8.3  C

 ross-Border Enforcement and Mutual Cooperation

Between DPAs: The State of Play

8.3.1  T

 he EU-Wide Component of Control by National DPAs

and the Task of the Member States to Secure

the Effectiveness and Uniformity of EU Law

As was explained, the control by DPAs is an essential component of the right to data

protection itself.23 However, primary EU law is silent on the exercise of the tasks of

DPAs in a cross-border context and on their mutual cooperation, whether or not in

the context of institutional mechanisms. Article 16(2) TFEU and Article 8(3)

Charter provide that the DPAs shall ensure control, not how they shall do this.

The duty for ensuring control in a cross-border context and for mutual cooperation follows directly from the system of EU law. There is a parallel with the remedies that must be provided under national law to ensure the legal protection against

breaches of provisions of EU law.24 Dougan defines this as securing the effectiveness and uniformity of EU law,25 based on the requirements of equivalence and

effectiveness, established by the European Court of Justice in Rewe-Zentralfinanz.26

Enforcement cooperation between DPAs is a specification of the principle of sincere

cooperation under Article 4(3) TEU that obliges all national authorities to remedy

breaches of EU law.27 To put it simply, on the internet the DPAs must remedy

breaches of EU data protection law in an effective manner that necessarily comprises DPA cooperation in cross-border situations. Cooperation between DPAs is

also a tool to ensure the uniformity of EU law.



8.3.2  The State of Play in Data Protection Law

Various provisions of Directive 95/46 on data protection specify the general requirements under EU law for cross-border enforcement and mutual cooperation, albeit

not in a very precise manner. Recital (64) of the directive declares that the DPAs

must assist one another in performing their duties. A DPA may be requested to exercise its powers by a DPA of another Member State; the DPAs cooperate “to the

23



 See Chap. 7, Sects. 7.1 and 7.2.

 See on this: Koen Lenaerts and Piet van Nuffel, European Union Law (Third edition), Sweet &

Maxwell, 2010, at 7-045, and the contribution of Dougan in Paul Craig and Grainne de Burca

(eds), The evolution of EU Law (Second Edition), Oxford University Press, 2011, at 408–411.

25

 Dougan in Paul Craig and Grainne de Burca (eds) The evolution of EU Law (Second Edition),

Oxford University Press, 2011, at 409.

26

 Case 33/76, Rewe-Zentralfinanz, EU:C:1976:188

27

 Koen Lenaerts and Piet van Nuffel, European Union Law (Third edition), Sweet & Maxwell,

2010, at 7-045

24



396



8  Understanding the Role of Cooperation Mechanisms of DPAs: Towards a Layered…



extent necessary for the performance of their duties, in particular by exchanging all

useful information”.28 The purpose of this all is “to ensure that the rules of protection are properly respected throughout the European Union”.29 The Article 29

Working Party mentions as a further purpose bridging the gap between applicable

law and supervisory jurisdiction.30

Council of Europe Convention 10831 is more explicit and contains a framework

for mutual assistance between the member states of the Council of Europe, which

are parties to the Convention, and the authorities within these states.32 This framework for assistance provides for instance that assistance must be given to data subjects residing abroad.33 Under the Additional Protocol to the Convention,34 the DPAs

must ensure “that people are able to exercise their rights on an international as well

as a national level”.35

The General Data Protection Regulation is even more specific on cross-border

enforcement and mutual cooperation. Although this chapter focuses on the current

state of EU law, many examples originate from this regulation, for a simple reason:

the regulation elucidates the main issues at stake. The regulation distinguishes –

under the heading of “cooperation”36 – between cross-border enforcement and

mutual cooperation. Equally, the regulation deals – under the heading of

“consistency”37 – with the institutional cooperation between the DPAs.



8.3.3  Three Types of Enforcement Cooperation of DPAs

This section distinguishes three types of enforcement cooperation of DPAs. These

types vary as far as the impact on the task of the DPAs is concerned.38

28



 Article 28(6) of Directive 95/46.

 Recital (64) of Directive 95/46.

30

 Article 29 Data Protection Working Party, Advice paper on the practical implementation of the

Article 28(6) of the Directive 95/46/EC, 20 April 2011, at 1.

31

 Convention for the Protection of Individuals with regard to Automatic Processing of Personal

Data, ETS No. 108.

32

 Chapter IV of the Convention, as described by Dariusz Kloza and Anna Moscibroda, Making the

case for enhanced enforcement cooperation between data protection authorities: insights from

competition law, International Data Privacy Law, Vol. 4, No. 2, 2014, at 121–122.

33

 Article 14 of Convention for the Protection of Individuals with regard to Automatic Processing

of Personal Data, ETS No. 108

34

 Article 1 (5) of Additional Protocol to the Convention for the Protection of Individuals with

regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder

data flows.

35

 Explanatory Report on Article 1 (5) of the Additional Protocol.

36

 Chapter VII, Section 1, GDPR.

37

 Chapter VII, Section 2, GDPR.

38

 This distinction is largely in line with Research Network on EU Administrative Law, ReNEUAL

Model Rules on EU Administrative Procedure: Introduction to the ReNEUAL Model Rules Book

29



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

2 A General Design of DPAs Cooperating with Each Other and in Composite Administrations or Trans-­governmental Networks

Tải bản đầy đủ ngay(0 tr)

×