5 Two Main Novelties in the GDPR: A One-Stop Shop Mechanism and a Consistency Mechanism




8  Understanding the Role of Cooperation Mechanisms of DPAs: Towards a Layered…



end of the day, all DPAs concerned are bound by the decision of the lead DPA.84 This is a novelty compared to the current regime under Directive 95/46, where the same data processing operation may be subject to diverging enforcement actions initiated by DPAs in various Member States.85 As an illustration, in 2015 the Belgian DPA carried out an investigation in relation to the allegation that Facebook did not only process the personal data of its members, but also of all internet users who come into contact with it.86 One of the recommendations of the Belgian DPA was that Facebook should refrain from systematically using data of non-Facebook users,87 since this practice breaches Belgian data protection law. This investigation was carried out in an informal cooperation with two other European DPAs (the Netherlands and the German State of Hamburg), but without involvement of the DPA of Ireland, the country where Facebook had its main establishment in the European Union. The Irish DPA had earlier investigated the practices of this company,88 without concluding that a breach of Irish data protection law had occurred.89 Not surprisingly, Facebook denied the applicability of Belgian data protection law and the competence of the Belgian DPA.90

The rationale behind this structured cooperation mechanism is the need for consistent enforcement of data protection rules across Europe, and also to prevent multinational companies from having to deal with divergent enforcement decisions. The mechanism also ensures that the multinational companies deal with the lead authority as their sole interlocutor.91 The strong emphasis on the importance of the mechanism for private companies is confirmed by the link the Commission makes between the one-stop shop mechanism – and the consistency mechanism discussed below – and the digital single market.92 The advantages for the protection of the individual – protection in an equal way, creating legal certainty, foregoing forum shopping by data controllers and processors choosing the perceived most lenient DPA93 – seem to be of less importance, at least in the justification given by the Commission.

84 See mainly Articles 60 and 65 GDPR. The final decision of the lead DPA may result from dispute resolution by the EDPB, in case a DPA raised a relevant and reasoned objection.

85 Some cases of enforcement cooperation – e.g. in relation to Google and WhatsApp – are explained in David Barnard-Wills & David Wright, Deliverable 1 – “Co-ordination and co-operation between Data Protection Authorities”, www.phaedra-project.eu.

86 Recommendation No. 04/215 of the Belgian Privacycommission of 13 May 2015, http://www.privacycommission.be/sites/privacycommission/files/documents/recommendation_04_2015_0.pdf.

87 Recommendation No. 04/215 of the Belgian Privacycommission of 13 May 2015, p. 26.

88 Further read: David Barnard-Wills & David Wright, Deliverable 1 – “Co-ordination and co-operation between Data Protection Authorities”, www.phaedra-project.eu, at 39–44.

89 See Annual Report of the Data Protection Commissioner of Ireland 2014 published on its website.

90 Recommendation No. 04/215 of the Belgian Privacycommission of 13 May 2015, http://www.privacycommission.be/sites/privacycommission/files/documents/recommendation_04_2015_0.pdf, at 4.

91 Article 56(6) GDPR.

92 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Safeguarding Privacy in a Connected World A European Data Protection Framework for the 21st Century, COM (2012) 9 final, at 7–8.



8.5.2 A Consistency Mechanism, but Diverging Views on Its Rationale

Another novelty of the General Data Protection Regulation is a consistency mechanism that involves the EDPB, which must be set up under the regulation as the successor to the Article 29 Working Party. The EDPB, consisting of representatives of DPAs, is to play a formal role in the enforcement of EU data protection law, in contrast with the Article 29 Working Party, as was explained. This formal role may result in an opinion giving guidance to the DPAs and, in cases of disagreement between DPAs, even in a binding decision. The Commission proposal does not include any binding powers for the EDPB.94 The positions of the European Parliament95 and the Council96 do introduce such binding powers, albeit limited to strictly defined circumstances that differ in the positions of the European Parliament and the Council.

The consistency mechanism is intended to apply to a number of specific situations, such as data protection impact assessments, codes of conduct, accreditation and certification, as well as transfer mechanisms. Moreover, the scope of activity potentially extends to all activities on the internet within the European Union. This does not mean that all activities are finally scrutinised by the EDPB, but in all these cases the EDPB may be informed and it may be called upon to act.97 This mechanism – as amended during the legislative process – is a further instrument to regain control over data processing operations on the internet. Article 64 of the General Data Protection Regulation, which does not result in a binding decision of the EDPB but in an opinion which is meant to have a strong convincing value, contains the main elements for ensuring consistency. Only where no consensus is reached between the DPAs may Article 65 be applied. This is a mechanism of binding dispute resolution by the EDPB. To be complete, Article 66 provides for an urgency procedure.

The consistency mechanism as originally proposed by the Commission aims at contributing to the mandate of Article 16 TFEU, in compliance with requirements of effectiveness. However, as the negotiations in the European Parliament and the Council reveal, the legitimacy of the envisaged mechanism raises questions relating to the absence of a communis opinio regarding its rationale.

93 See on this Sect. 8.2 above, with reference to E. Chiti, An important part of the EU’s institutional machinery: Features, problems and perspectives of European agencies, CMLR, 46, pp. 1395–1442, 2009, at 1412.

94 Article 58 of the Commission Proposal for a GDPR, COM (2012), 11 final, only mentioning opinions.

95 Amendment 167 introducing a new Article 58a (7), European Parliament legislative resolution of 12 March 2014 on the proposal for a GDPR (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD)).

96 Article 58a of Council general approach (Council document 9565/15 of 11 June 2015).

97 Article 64 (2) GDPR.

The need for clear and uniform rules for businesses providing legal certainty and minimising the administrative burden was a reason for the Commission to propose the reform of the legal framework for data protection, which is expected to stimulate economic growth, create new jobs and foster innovation. The proposed regulation must do away with the fragmented legal environment resulting not only from divergences between the rules themselves, but also from the diverging control of the rules.98 This is the rationale of the internal market.

However, for the Commission the rationale of the consistency mechanism is wider and has two additional goals. First, consistency serves as a conflict-solving mechanism where the views of the DPAs in a specific case may possibly diverge.99 Second, consistency is intended as an instrument to ensure the correct and uniform application of the regulation within the wider territory of the European Union.100 The difference between these two goals is explained as follows. The first goal ensures that a specific processing operation – for instance an internet application – is not judged in divergent manners in the Member States and that the supplier of this application is confronted with one decision applicable in the whole European Union. The second goal must ensure that a decision taken is also consistent with decisions taken in other cases and hence contributes to the uniform (and correct) application of EU data protection law.101 The second goal is connected to the obligation of DPAs to contribute to a harmonised and effective level of protection in the European Union, mentioned in the introduction of this chapter. In our view, the consistency mechanism would only succeed in neutralising the fragmented legal environment, as intended by the Commission, if both goals are achieved.

However, this is not the view taken in other contributions to the legislative process. To start with, the Article 29 Working Party is critical of the Commission proposal: the “mechanism should ensure consistency in matters only there where it is necessary, should not encroach upon the independence of national supervisory authorities and should leave the responsibilities of the different actors where they belong”.102 The Working Party considers that the consistency mechanism should only be triggered where the DPAs do not reach consensus on the assessment of the case and/or measures to be taken.103 This position underscores the first goal, mentioned above. The second goal does not seem relevant for the Working Party. This is also due to the fact that the Working Party is opposed to a role of the Commission in the procedure104 and seeks to limit the caseload.105

98 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Safeguarding Privacy in a Connected World A European Data Protection Framework for the 21st Century, COM (2012), 9 final, at 2, 7–9.

99 See in particular the procedure foreseen in Article 58(3) of the Commission proposal.

100 See in particular the procedure foreseen in Article 58(4) of the Commission proposal.

101 This was also a reason for the Commission itself to claim a role in this procedure.

102 Article 29 Data Protection Working Party, Opinion 01/2012 on the data protection reform proposals – WP 191 (23.03.2012), at 20.

The view that the consistency mechanism should be limited to cases of disagreements between authorities in a specific case seems to be shared by the European Parliament. One of the amendments of the European Parliament limits the consistency mechanism to cases of serious objections of an authority to a draft measure of another authority, the ‘lead authority’.106 A similar approach is taken by the Council. In individual cases, relevant and reasoned objections and conflicting views may trigger the consistency mechanism.

The final result is a system consisting of two layers. If DPAs have different views on enforcement issues, the EDPB may be involved under Article 64 (2) of the General Data Protection Regulation, the first layer. Only if the application of Article 64 does not lead to consensus will there be a binding mechanism of dispute resolution, the second layer.

The main weakness of the system is that, generally, a DPA is free to involve – or not to involve – the EDPB. Practice will show how important the consistency mechanism will become in enforcement of data protection law.107



8.5.3 From the Citizens’ Perspective: The Rationale Behind a Consistency Mechanism Is Not Clear

The need for uniformity of the control is not evident from the perspective of the exercise of the individual’s right to data protection. The Commission mentions “uneven protection for individuals” as an issue,108 but without further elaborating on it.

EU law requires that an individual is protected in an effective manner, but not that the level of protection is identical in all Member States or parts of Member States, despite the fact that the principle of equal treatment is widely interpreted under EU law.109 This principle even has the character of a constitutional norm,110 also because Article 20 Charter provides that everyone is equal before the law. This principle ensures that within the jurisdiction of a Member State there is equal treatment between that state’s own nationals and nationals of other Member States.111 However, the principle of equal treatment does not ensure that the individual is entitled to expect that the enforcement of EU law is the same in each Member State, unless this is required by a specific arrangement under EU law. The standard formula in the case law is that enforcement of EU law by Member States should be effective, proportionate and dissuasive,112 meaning that enforcement is not necessarily identical in each Member State. The alternative view – enforcement should be harmonised or unified – would even be contrary to the principle of subsidiarity, as far as this expresses a preference for decision-making by the Member States.113

103 Article 29 Data Protection Working Party, Opinion 01/2012 on the data protection reform proposals – WP 191 (23.03.2012), at 20.

104 In the same sense, European Data Protection Supervisor, Opinion of 7 March 2012 on the data protection reform package, at 248–255.

105 In the same sense, European Data Protection Supervisor, Opinion of 7 March 2012 on the data protection reform package, at 245.

106 Amendment 167, introducing a new Article 58a, European Parliament legislative resolution of 12 March 2014 on the proposal for a GDPR (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD)).

107 See also Article 57 (3) (a) and (b) of Council general approach (Council document 9565/15 of 11 June 2015).

108 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Safeguarding Privacy in a Connected World A European Data Protection Framework for the 21st Century, COM (2012), 9 final, at 7.

Of course, individuals benefit indirectly from the uniformity of the control. Uniformity – provided it is based on a high standard of protection – ensures that weak enforcement practices are abolished. Chapter 7 of this book referred to existing inadequacies in the powers and resources of the DPAs.114 Moreover, a uniform enforcement renders forum shopping by data controllers115 – choosing the DPA of the country requiring the lowest level of compliance – meaningless.

However, this argument does not compensate for the fact that the mechanism is not based on a clear view of its benefits for the exercise of the individual’s right to data protection. Had this been the case, this could have contributed to enhancing the legitimacy of the mechanism.



8.6 Experience in a Related Area: Governance in Electronic Communications Through a Network of Authorities with a Task for BEREC to Ensure Consistent Application

Electronic communications – or in the old terminology: telecommunications – is an example of a domain with a strong role for governance by European networks of regulatory agencies.116 This is, for different reasons, an interesting domain for the subject of this chapter not in the least because the Body of European Regulators for Electronic Communications (BEREC) served as a model for the consistency mechanism in the Commission Proposal for a General Data Protection Regulation.117

109 Mark Bell in Paul Craig and Grainne de Búrca (eds), The evolution of EU Law (Second Edition), Oxford University Press, 2011, Chapter 20.

110 Mark Bell in Paul Craig and Grainne de Búrca (eds), The evolution of EU Law (Second Edition), Oxford University Press, 2011, Chapter 20, at 637.

111 Because of the prohibition of discrimination on grounds of nationality in Article 18 TFEU and in Article 21(2) Charter.

112 Koen Lenaerts and Piet van Nuffel, European Union Law (Third edition), Sweet & Maxwell, 2010, at 17-005.

113 On subsidiarity, see Chap. 4, Sect. 4.4.

114 See Chap. 7, Sect. 7.11.

115 See also Sects. 8.3 and 8.5.

116 David Coen and Mark Thatcher, Network Governance and Multi-level Delegation: European Networks of Regulatory Agencies, Journal of Public Policy, Vol. 28, Issue 01, pp 49–71, April 2008.

Recital (3) of Regulation 1211/2009 establishing BEREC reveals the main dilemma, which will be elaborated upon, further in this chapter, in relation to the DPAs. On the one hand, the consistent application of the EU framework in all Member States is essential for the successful development of the internal market for electronic communications. The national regulatory authorities in electronic communications have as a task to contribute to the internal market, inter alia by cooperating with each other, so as to ensure consistency.118 On the other hand, national authorities must be granted flexibility to apply the rules in the light of national conditions.119 They remain national authorities, operating within the national jurisdictions.

This section explains relevant elements of the (legislative) history of BEREC, its main tasks and its relationship with the national authorities and the Commission.

Supervision in the area of electronic communications is – under the model of Framework Directive 2002/21120 (as amended by 2009/140)121 and Regulation 1211/2009122 – a task of the national regulatory authorities. BEREC ensures the regulatory coordination and national authorities have to take the utmost account of the views of BEREC.123 BEREC itself is composed of a board of national regulators124 and has an unspecified institutional status. The recitals of Regulation 1211/2009 explain the status in the negative: it should neither be an EU agency nor



117 Commission Proposal for a GDPR, COM (2012), 11 final, at Chapter VII.

118 Articles 7(2) and 8 (3) (d) of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive), OJ L 108, 24.4.2002, as amended by Directive 2009/140.

119 To be complete, flexibility is only needed “in certain areas”. Zinzani explains that this recital reflects the conflicting views in the negotiations process, Marco Zinzani in: Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014, Ch 7.

120 Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive), OJ L 108, 24.4.2002.

121 Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009 amending Directives 2002/21/EC on a common regulatory framework for electronic communications networks and services, 2002/19/EC on access to, and interconnection of, electronic communications networks and associated facilities, and 2002/20/EC on the authorisation of electronic communications networks and services, OJ L 337, 18.12.2009, p. 37.

122 Regulation (EC) No 1211/2009 of the European Parliament and of the Council of 25 November 2009 establishing the Body of European Regulators for Electronic Communications (BEREC) and the Office, OJ L (2009), 337/1.

123 Further read on BEREC: Marco Zinzani, in: Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014, Ch 7.

124 Article 4 of Regulation (EC) No 1211/2009 of the European Parliament and of the Council of 25 November 2009 establishing the Body of European Regulators for Electronic Communications (BEREC) and the Office, OJ L (2009), 337/1.
