8 Three Models to Organise Cooperation Between DPAs, Against the Background of the GDPR



8  Understanding the Role of Cooperation Mechanisms of DPAs: Towards a Layered…

based on a rationale that is not fully shared between the EU institutions. For the

Commission it should be an instrument for the uniform application of EU data protection law, whereas for the European Parliament and the Council it is mainly a

conflict solving mechanism.

The three models discussed in this chapter do not fully coincide with the mechanisms introduced by the General Data Protection Regulation. The one-stop shop

mechanism with a lead authority is a specification of the first model (cooperation by

DPAs), but it also has elements of the second model (a structured network), if only

because of the role of the EDPB in deciding which DPA is competent.187 The envisaged consistency mechanism has elements of the second model (a structured network) and the third model (a European DPA).

The example of electronic communications – including BEREC – shows the difficulties in accepting a role of the central European level, leading to a model where

national authorities shall take the utmost account of opinions of BEREC, a model

that served as inspiration for the General Data Protection Regulation.

The integrated or composite administration in the European Union comprises

horizontal as well as vertical cooperation between authorities. This type of administration is characterised by considerations of common interest, good faith and good

administration. Material aspects of the composite administration comprise mutual

cooperation and mutual trust. Procedures of administrative law are, in our view, an

appropriate instrument to compensate for flaws in the democratic legitimacy. This

means precise rules, also on procedure and on the exchange of case-related information.188 A problem is the fragmentation of procedures in various areas of law.

8.8.1  Introduction of the Three Models of Cooperation

The following sections describe three models of cooperation: horizontal cooperation of DPAs, a structured network of DPAs and cooperation within a European

DPA. These three models are examples of the integrated or composite EU administration where competences are not divided but shared. The main differences between

these three models relate to the nature of coordination.

In the first model, the emphasis is on the horizontal cooperation. The two objectives of cooperation are achieved solely on the basis of a bottom-up approach, without any centralised structure. Horizontal cooperation of DPAs enhances the

legitimacy of the control, because it emphasises political as well as public democratic

accountability at the level of the Member States.


187 Article 65 (1)(b) GDPR.

188 See Sect. 8.6 above, referring to Dariusz Kloza and Anna Moscibroda, Making the case for enhanced enforcement cooperation between data protection authorities: insights from competition law, International Data Privacy Law, Vol. 4, No. 2, 2014, at 135–137.




The two other models are more vertical in character with a top-down approach in

which an EU network or an EU body determines policies,189 although decision-making

is often based on consensus between the partners. An important difference

between the second (a structured network) and the third model (a European DPA)

lies in the decision-making structure: the second model only leads to consensual

decisions, ensuring that each national authority remains effectively responsible vis-à-vis

its residents and the judiciary; the third model is based on the notion that effective privacy and data protection in an internet environment requires a decision-making

structure that may overrule a national authority.

This book presents the three models as complementary. The three models compose a layered structure for an independent, effective and accountable control of EU

data protection. An important notion behind this layered structure is the principle of

subsidiarity,190 in this context referring to decisions taken as closely as possible to

the citizen. Issues that can be addressed by horizontal cooperation between DPAs

should remain at that level; if this is not the case, issues should be addressed by a

structured network of DPAs, and only if the latter option is not sufficient is there

need for involvement of a European DPA.

8.9  The First Cooperation Layer: Horizontal Cooperation Between DPAs

8.9.1  The Essence of Horizontal Cooperation

The first layer of enforcement cooperation is the horizontal cooperation between

DPAs, without a structured network laid down in law. Horizontal enforcement cooperation is essentially bilateral, with the aim of ensuring that the DPAs, which have a

stake in a specific data processing operation with cross-border elements, work

together in an efficient and effective manner. This stake can be the consequence of

the fact that a data subject, a data controller or a data processor has his residence in

the Member State where the DPA is established or that the data are stored in this

Member State. It may also happen that multiple DPAs need to investigate and prosecute similar or even identical issues as a result of overlapping jurisdictions. In these

cases, cooperation results in an efficient use of resources, inter alia by avoiding

duplication of effort.191

An essential feature of horizontal cooperation is the absence of hierarchy. The

cooperation is characterised by sharing of responsibilities, a common interest, good


189 Referring to the contribution of Harlow in Paul Craig and Grainne de Búrca (eds), The Evolution of EU Law (Second Edition), Oxford University Press, 2011, Chapter 15, in particular at 443, with reference to Chiti and Cassese.

190 Article 5(3) TEU.

191 David Barnard-Wills & David Wright, Deliverable 1 – “Co-ordination and co-operation between Data Protection Authorities”, www.phaedra-project.eu, at 7.



faith and good administration.192 In an internet environment horizontal cooperation

can be limited to two DPAs. This was the case in Weltimmo,193 where only the

Hungarian and the Slovak DPA were involved in relation to a data controller based

in the Slovak Republic who was offering services through the internet in Hungary.

However, horizontal cooperation involves all DPAs concerned. Where goods or

services are offered on the internet without territorial fragmentation, this can be the

DPAs of all 28 Member States. Generally speaking, horizontal cooperation between

concerned DPAs is not sufficient to meet the objectives of cooperation in an internet

environment. Horizontal cooperation should lead to a decision-making procedure

where all DPAs are entitled to give their views. Within a structure of horizontal

cooperation, enforcement decisions should, in principle, only be taken on the basis

of consensus between the DPAs of all 28 EU Member States. This is obviously not

a satisfactory perspective from the point of view that internet privacy and data protection require swift and effective responses.

8.9.2  Developments Towards a Closer Regime for Horizontal Cooperation with Precisely Formulated Rules

Horizontal cooperation between DPAs should be framed in such a way as to ensure

effective cooperation, at the same time taking into consideration requirements of

independence and judicial and democratic accountability.

In the first place, a closer regime would be useful in light of the developments in

the information society where enforcement cooperation between DPAs in many

cases is becoming the rule rather than the exception. The need for a closer regime is

also the consequence of the inclusion of the control of the compliance with data

protection rules in primary EU law,194 mandating the DPAs with the duty to ensure

compliance. A closer regime of cooperation is in line with the developing integrated

administration within the European Union where powers are shared. This sharing of

powers may result in a situation where a DPA is no longer sovereign in taking decisions within its jurisdiction in individual cases, because the cooperation as laid

down by law requires decisions to be taken by another DPA or, as discussed in the

next section, by an institutional cooperation mechanism.

The one-stop shop mechanism in the General Data Protection Regulation is an

example of a closer regime. In this mechanism, a DPA can become dependent on a

decision taken by a DPA in another Member State, even where the decision concerns the protection of individuals within its own jurisdiction. This is the essence of


192 As explained above in Sect. 8.7.

193 Case C-230/14, Weltimmo, ECLI:EU:C:2015:639.

194 Article 16 (2) TFEU and Article 8 (3) Charter.




the introduction of the concept of a lead authority in EU law, as refined in the legislative procedure by the European Parliament and the Council.195

Section 8.5 above underlined that the one-stop shop mechanism has a strong link

with the digital single market and also strengthens the effectiveness of the enforcement of data protection law within the European Union. Not everyone shares the

view that the mechanism is necessarily advantageous to the individual who is entitled to protection. The Legal Service of the Council even expressed the opinion that

the mechanism is essentially in the interest of businesses rather than in the interest

of the data subject whose right is infringed.196 The French DPA (CNIL), too, has

expressed concerns in relation to the one-stop shop mechanism. As Raynal explains,

the mechanism “would limit the ability of national DPAs to protect citizens effectively” and “impose the citizen to exercise their recourse action before a foreign


This criticism is in line with the argument that the one-stop shop – at least in the

version proposed by the Commission – involves the exclusive competence of one

DPA.198 This may also provoke forum shopping by data controllers and processors

locating their main establishment within the European Union in a Member State

where the enforcement is (perceived as being) weak.199

Precisely formulated rules providing procedural guarantees for the data subject

could address this criticism.200 A closer regime of cooperation would also avoid

competition between authorities as a result of overlapping jurisdictions.201


195 Article 56 GDPR.

196 Council document 18031/13, 19 Dec 2013, full version on http://lobbyplag.eu/governments/assets/pdf/CD-18031_13.pdf, at 14.

197 Raynal in Carine Dartiguepeyrou (ed.), The Futures of Privacy, Cahier de prospective, Think Tank Futur Numérique, at 72.

198 Paolo Balboni, Enrico Pelino, Lucio Scudiero, Rethinking the one-stop-shop mechanism: Legal certainty and legitimate expectation, Computer Law & Security Review, 30, 392–402, 2014.

199 Antonella Galetta, Paul De Hert, The Proceduralisation of Data Protection Remedies under EU Data Protection Law: Towards a More Effective and Data Subject-oriented Remedial System?, Review of European Administrative Law (REALaw), 2015/1, pp 123–149, at 142. See on forum shopping also Sects. 3 and 5.

200 In line with Dariusz Kloza and Anna Moscibroda, Making the case for enhanced enforcement cooperation between data protection authorities: insights from competition law, International Data Privacy Law, Vol. 4, No. 2, 2014, at 135–137. See Sect. 8.6 above.

201 See on this, E. Chiti, An important part of the EU’s institutional machinery: Features, problems and perspectives of European agencies, CMLR, 46, pp. 1395–1442, 2009, at 1412.




8.9.3  Procedural Guarantees as Compensation for Democratic


Procedural guarantees are related to the right to good administration laid down in

Article 41 Charter.202 This right includes the right of every person to be heard before

any individual measure that would adversely affect him or her is taken, the right of

every person to have access to his or her file, while respecting the legitimate interests of confidentiality and of professional and business secrecy, as well as the obligation of the administration to give reasons for its decisions (Article 41(2) Charter).

Procedural guarantees apply to DPAs when they operate within their national

jurisdictions, on the basis of national administrative law. Moreover, this book argues

that the DPAs as actors in an integrated or composite administration are bound by

Article 41 Charter, in line with the ruling in M.M.203 Furthermore, the Member

States should respect Article 41 Charter where they lay down rules for the establishment and functioning of DPAs, as required by Directive 95/46 on data protection.

However, where DPAs cooperate it should be specified which procedural guarantees apply and, in order to facilitate the cooperation, it makes sense to further specify the guarantees at EU level. Examples of specified procedural guarantees can be

found in the ReNEUAL Model Rules on EU Administrative Procedure.204

The effectiveness of remedies is an issue that requires specific attention in the

composite administration in which the DPAs operate. A good example of the complexity is the procedure for complaints. It is the task of the DPAs to hear complaints

of individuals, but the DPAs do not necessarily have jurisdiction for taking an effective decision on the complaint, in cases where the company against whom the decision needs to be enforced is not established within the national borders of the

Member State, where the DPA is established. Procedural guarantees – as included

in the ReNEUAL Model Rules on EU Administrative Procedure – could empower

the individual to effectively invoke his rights also in this situation.

Obviously, precise procedural rules surrounding the horizontal cooperation of

DPAs facilitate the judicial accountability. A closer regime with precisely formulated rules would also compensate for flaws in the democratic accountability of a

horizontal cooperation mechanism. Procedural guarantees could enhance the democratic accountability, indirectly through general requirements of transparency, and

more directly through reporting mechanisms to majoritarian bodies,205 on the horizontal cooperation.


202 As discussed in Sect. 8.7 above.

203 Case C-277/11, M.M., EU:C:2012:744, at 84.

204 Research Network on EU Administrative Law, ReNEUAL Model Rules on EU Administrative Procedure: Introduction to the ReNEUAL Model Rules / Book I – General Provisions, online version 2014; Book V – Mutual Assistance; Book VI – Administrative Information Management.

205 See Chap. 7, Sects. 7.13 and 7.14.




8.9.4  How to Ensure That DPAs Give Sufficient Priority to Horizontal Cooperation

Guarantees must exist to ensure that resources are dedicated to cooperation and that

priority is not given to national preoccupations. As explained above, cooperation is

a means to ensuring that resources are used in a more efficient way, because it

allows DPAs to join forces and avoids double work. However, it is not obvious that

this is the perspective in which requests for cooperation are assessed in practice.

When a request arrives, especially for complicated (technical) investigations,

resources should be made available. Legal instruments can provide guarantees, for

instance because they oblige a DPA to cooperate and specify the general obligation

of sincere cooperation under Article 4(3) TEU. Additionally, a culture of cooperation is developing, for instance based on the successes of informal procedures of

cooperation. An example is the informal cooperation coordinated by the French

DPA on the investigation of the privacy policy of Google (2012–2014).206

8.10  The Second Cooperation Layer: A Structured Network of DPAs, Taking the Article 29 Working Party as an Inspiration to Move Ahead

The second layer of cooperation consists of a structured network of DPAs. Under

present EU law, the Article 29 Working Party has a central role in this structured

network. As explained above,207 the contribution of the Working Party consists of

non-binding, soft law instruments aimed at harmonisation in a non-coercive way,

contributing to the uniform application of the national rules adopted pursuant to

Directive 95/46 on data protection. Its task relates to the second objective of cooperation, mentioned above: the uniform interpretation of EU data protection law. The

Working Party has no direct task in connection with the first objective: ensuring

cross-border protection. This will change under the General Data Protection

Regulation, which will replace the Article 29 Working Party by the EDPB.

Structured networks of expert bodies are a well-known phenomenon in the

European Union, as may be illustrated by the example of the electronic communications sector. Coen and Thatcher explain these structured networks as being the

result of different patterns of delegation.208 Initially, there were two parallel tendencies: the delegation of tasks of the Member States to the European Union and the


206 As described by David Barnard-Wills & David Wright, Deliverable 1 – “Co-ordination and co-operation between Data Protection Authorities”, www.phaedra-project.eu, at 25–34.

207 See Sect. 8.4 above.

208 David Coen and Mark Thatcher, Network Governance and Multi-level Delegation: European Networks of Regulatory Agencies, Journal of Public Policy, Vol. 28, Issue 01, pp 49–71, April 2008, at 49–50.



delegation of tasks within the Member States to expert bodies. This was followed

by a further round of delegations to networks of expert bodies, triggered by the need

for coordination in the internal market. These networks perform tasks delegated by

the national expert bodies and also by the Commission.209

This explanation is interesting for the Article 29 Working Party (and other structured networks of DPAs), although the constitutional position of DPAs under EU

law is different from the status of most other expert bodies – such as the regulatory

agencies described by Coen & Thatcher – and the DPAs do not exercise their tasks

by delegation from the national governments or the Commission.

The parallel is the following: in the area of privacy and data protection there also

was an initial shift in responsibilities – the term delegation is avoided on purpose –

from the Member States to the European Union, in particular through the adoption

of Directive 95/46. Independent DPAs were first set up within the Member States to

take up the control of data protection. In some Member States the DPA already

existed before the adoption of Directive 95/46.210 The shift consists of the assumption of tasks by the network of DPAs, at present the Article 29 Working Party. The

Working Party provides for non-compulsory harmonisation through the exercise of

its advisory tasks and is only indirectly involved in enforcement.211

The network of DPAs is expected to further evolve under the General Data

Protection Regulation, with an EDPB assuming (certain) enforcement tasks. The

cooperation of DPAs as expert bodies should also enhance the uniform application

of EU data protection law within the European Union. The cooperation mechanisms

give effect to the task of DPAs to contribute to the control in the entire European

Union, but they are also an expression of democratic legitimacy, close to the


8.10.1  Development Towards a Closer Structured Network of DPAs

Bignami notes that few powers have been transferred to the Article 29 Working

Party as the network of DPAs. She claims that one of the preconditions for the transfer of powers was not fulfilled, namely the existence of common preferences

amongst the Member States on the substance of privacy policy.212 She gives as an

example the difference of views between the United Kingdom and France at the

time of the negotiations in the Council on what became Directive 95/46 on data

protection. According to Bignami, the United Kingdom opposed the strong views of


209 Coen and Thatcher call this “upwards” and “downwards” delegation.

210 See Chap. 7, Sect. 7.3.

211 See Sect. 8.4 above.

212 Francesca E. Bignami, Transgovernmental Networks vs. Democracy: The Case of the European Information Privacy Network, Michigan Journal of International Law, Vol. 26, pp. 807–868, 2005, at 810 and 839–844.

