Tải bản đầy đủ - 0 (trang)
3 Cross-Border Enforcement and Mutual Cooperation Between DPAs: The State of Play

3 Cross-Border Enforcement and Mutual Cooperation Between DPAs: The State of Play

Tải bản đầy đủ - 0trang

396



8  Understanding the Role of Cooperation Mechanisms of DPAs: Towards a Layered…



extent necessary for the performance of their duties, in particular by exchanging all

useful information”.28 The purpose of this all is “to ensure that the rules of protection are properly respected throughout the European Union”.29 The Article 29

Working Party mentions as a further purpose bridging the gap between applicable

law and supervisory jurisdiction.30

Council of Europe Convention 10831 is more explicit and contains a framework

for mutual assistance between the member states of the Council of Europe, which

are parties to the Convention, and the authorities within these states.32 This framework for assistance provides for instance that assistance must be given to data subjects residing abroad.33 Under the Additional Protocol to the Convention,34 the DPAs

must ensure “that people are able to exercise their rights on an international as well

as a national level”.35

The General Data Protection Regulation is even more specific on cross-border

enforcement and mutual cooperation. Although this chapter focuses on the current

state of EU law, many examples originate from this regulation, for a simple reason:

the regulation elucidates the main issues at stake. The regulation distinguishes –

under the heading of “cooperation”36 – between cross-border enforcement and

mutual cooperation. Equally, the regulation deals – under the heading of

“consistency”37 – with the institutional cooperation between the DPAs.



8.3.3  Three Types of Enforcement Cooperation of DPAs

This section distinguishes three types of enforcement cooperation of DPAs. These

types vary as far as the impact on the task of the DPAs is concerned.38

28



 Article 28(6) of Directive 95/46.

 Recital (64) of Directive 95/46.

30

 Article 29 Data Protection Working Party, Advice paper on the practical implementation of the

Article 28(6) of the Directive 95/46/EC, 20 April 2011, at 1.

31

 Convention for the Protection of Individuals with regard to Automatic Processing of Personal

Data, ETS No. 108.

32

 Chapter IV of the Convention, as described by Dariusz Kloza and Anna Moscibroda, Making the

case for enhanced enforcement cooperation between data protection authorities: insights from

competition law, International Data Privacy Law, Vol. 4, No. 2, 2014, at 121–122.

33

 Article 14 of Convention for the Protection of Individuals with regard to Automatic Processing

of Personal Data, ETS No. 108

34

 Article 1 (5) of Additional Protocol to the Convention for the Protection of Individuals with

regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder

data flows.

35

 Explanatory Report on Article 1 (5) of the Additional Protocol.

36

 Chapter VII, Section 1, GDPR.

37

 Chapter VII, Section 2, GDPR.

38

 This distinction is largely in line with Research Network on EU Administrative Law, ReNEUAL

Model Rules on EU Administrative Procedure: Introduction to the ReNEUAL Model Rules Book

29



8.3 Cross-Border Enforcement and Mutual Cooperation Between DPAs: The State…



397



The first type of cooperation is the exchange of information between DPAs,

which is explicitly mentioned in Article 28(6) of Directive 95/46 as an obligation for

DPAs. The exchange of information is – in a general sense – the essence of the procedural cooperation between authorities.39 The exchange may consist in the establishment, generation and sharing of information needed for decision-making.40 The

exchange of information on individuals was the subject matter of Commission v

Spain,41 relating to the Schengen Information System. The Court of Justice ruled

that the obligation of providing information to an authority in another Member State

as a basis for decision-making by the latter may not be satisfied by inserting an alert

on an individual in the system as was explicitly required by law, but that – under

certain circumstances – supplementary information must be provided.42 Commission

v Spain illustrates that the obligation is not fulfilled by merely implementing specific provisions of EU law, but that fulfilling the obligation requires an active

approach in assisting authorities in other Member States, where this is reasonably

expected.

A second type of cooperation consists in effectively assisting in supervision,

such as carrying out inspections or investigations at the request of a DPA in another

Member State.43 This cooperation takes place on a regular basis, for instance where

a complaint lodged by an individual in a Member State concerns a data controller

established in another Member State, where evidence needs to be gathered in the

jurisdiction of another Member State, or where a controller is established in several

Member States.44

An example is the cooperation between DPAs in enforcement actions against

internet companies. Kloza & Moscibroda45 describe the examination of Google’s

privacy policy in 2002–2013 by several DPAs, working together in an informal task

force initiated by the Article 29 Working Party. The initial investigations by this task

force were followed by further investigations by the participating DPAs, resulting in

separate decisions.

V – Mutual Assistance, (at 205). However, this chapter does not include “service of documents”

which does not seem relevant for data protection, whereas it does include the joint investigations,

which are not part of the ReNEUAL Model Rules.

39

 Herwig C.H. Hofmann, Herwig & Morgane Tidghi, “Rights and Remedies in Implementation of

EU Policies by Multi-Jurisdictional Networks”, European Public Law, 20, No.1, 147–164, 2014,

at 148.

40

 Herwig C.H. Hofmann, Herwig & Morgane Tidghi, “Rights and Remedies in Implementation of

EU Policies by Multi-Jurisdictional Networks”, European Public Law, 20, No.1, 147–164, 2014,

at 148.

41

 Case C-503/03, Commission v Spain, EU:C:2006:74.

42

 Case C-503/03, Commission v Spain, EU:C:2006:74, at 56.

43

 See, e.g., Articles 60-61 GDPR.

44

 Article 29 Data Protection Working Party, Advice paper on the practical implementation of the

Article 28(6) of the Directive 95/46/EC, 20 April 2011, at Addenda.

45

 Dariusz Kloza and Anna Moscibroda, Making the case for enhanced enforcement cooperation

between data protection authorities: insights from competition law, International Data Privacy

Law, Vol. 4, No. 2, 2014, at 125–127.



398



8  Understanding the Role of Cooperation Mechanisms of DPAs: Towards a Layered…



Neither Directive 95/46 nor any other instrument of EU data protection law provide a clear legal basis for this type of cooperation. However, this does not imply

that this type of cooperation purely takes place on an informal basis or based on

bilateral arrangements between Member States. An obligation to cooperate can be

deduced from Article 28(6) of Directive 95/46, read in combination with recital (64)

thereof, which emphasise the need for Member States and for DPAs to assist one

another. Furthermore, under the principle of sincere cooperation46 the DPAs are

required to cooperate with each other in enforcement actions.

Article 62 of the General Data Protection Regulation introduces a third type of

enforcement cooperation. This type consists of the carrying out of joint investigative

tasks, joint enforcement measures and other joint operations. This is a further step

towards empowering DPAs to ensure the control of EU data protection law where

individuals are affected by acts relating to the processing of personal data outside

the jurisdiction where they have their usual residence. This type of cooperation is

not regulated under present EU law, although it is reported that DPAs have experiences with joint investigations.47



8.4  I nstitutional Arrangements: Article 29 Working Party

and Other Mechanisms for Institutional Cooperation

Between DPAs

Under present EU law, several mechanisms for institutional cooperation of DPAs

have been set up. The core mechanism is the Article 29 Working Party, which operates in a broad area of privacy and data protection. Other mechanisms have been set

up for restricted areas within EU data protection, in particular in the area of freedom, security and justice (Title V of the TFEU).

Within the mandates of these mechanisms for institutional cooperation a distinction can be made between advisory and supervisory roles, or to remain closer to the

terminology of Article 16(2) TFEU and Article 8 Charter: giving advice and

­guidance on how to ensure control on the one hand and effectively ensuring control

on the other hand.

The Article 29 Working Party is an advisory mechanism, set up under Article

29(1) of Directive 95/46 on data protection. The Article 29 Working Party is composed of representatives of national DPAs and of the European Data Protection

Supervisor. The European Commission is also a member, albeit without voting

rights.48



46



 Article 4(3) TEU.

 Article 29 Data Protection Working Party, Advice paper on the practical implementation of the

Article 28(6) of the Directive 95/46/EC, 20 April 2011, at 1.

48

 This follows from Article 29(2) and (3) of Directive 95/46.

47



8.4 Institutional Arrangements: Article 29 Working Party and Other Mechanisms…



399



The Article 29 Working Party is a body that establishes a connection between

tasks of the national DPAs and tasks of the Commission,49 in particular by contributing to the uniform application of the national rules adopted pursuant to Directive

95/46.50 The task of contributing to the uniform application is directly connected to

the task of the DPAs to monitor the application of Directive 95/46,51 which, as was

explained above, implies contributing to the consistent application of EU data protection law. This task is made explicit in Article 51(2) of the General Data Protection

Regulation. The task is also directly connected to the role of the Commission as

guardian of the Treaty, in which capacity it is committed to EU integration.52

The Article 29 Working Party focuses on coordination, planning and guidance

through soft law instruments and has no powers to intervene in individual cases. As

a result, data protection is not applied in a fully harmonised manner in the Member

States. The differences between the enforcement practices in the Member States

were an underlying reason for the Commission to propose the reform of the EU data

protection law.53 Jóri gives an illustrative example based on his experience as head

of a DPA in Hungary, where he argues that differences between Member States

relate to the advisory role of the DPAs, and that, where this advisory role – he calls

this the role of privacy advocate – is less developed, the independence of the DPAs

is at risk.54

In short, a core task of the Working Party is to contribute to the uniform application of the national rules adopted pursuant to Directive 95/46.55 The further task of

contributing to a harmonised and effective level of data protection within the wider

territory of the European Union is also mainly attributed to the Working Party. The

contribution of the Working Party consists of non-binding, soft law instruments

aimed at harmonisation in a non-coercive way.56

Although the Article 29 Working Party does not have a formalised role in supervision of data protection, it indirectly influences the supervision by the DPAs in a

significant manner, because it gives guidance for enforcement. This guidance is in

some occasions quite precise, as is illustrated by the guidelines of the Working Party

for the implementation of the ruling of the Court of Justice in Google Spain and



49



 As mentioned in relation to regulatory agencies by David Coen and Mark Thatcher, Network

Governance and Multi-level Delegation: European Networks of Regulatory Agencies, Journal of

Public Policy, Vol. 28, Issue 01, April 2008, pp 49–71, at 52.

50

 Recital 65 and Article 30 (1) (a) of Directive 95/46, as explained in Section 3.

51

 Article 28(1) of Directive 95/46.

52

 Paul Craig and Grainne de Búrca, EU Law, Text, Cases and Material (Fifth Edition), Oxford

University Press, 2011, at 40. See also Chap. 6, Sect. 6.3.

53

 As was explained above in Chap. 7, Sect. 7.11.

54

 András Jóri, Shaping vs applying data protection law: two core functions of data protection

authorities, International Data Privacy Law, Vol. 5, No. 2, 2015.

55

 Recital 65 and Article 30 (1) (a) of Directive 95/46.

56

 Terminology taken from E. Chiti, An important part of the EU’s institutional machinery: Features,

problems and perspectives of European agencies, CMLR, 46, pp. 1395–1442, 2009, at 1409.



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

3 Cross-Border Enforcement and Mutual Cooperation Between DPAs: The State of Play

Tải bản đầy đủ ngay(0 tr)

×