Tải bản đầy đủ - 0 (trang)
10 The Second Cooperation Layer: A Structured Network of DPAs, Taking the Article 29 Working Party as an Inspiration to Move Ahead

10 The Second Cooperation Layer: A Structured Network of DPAs, Taking the Article 29 Working Party as an Inspiration to Move Ahead

Tải bản đầy đủ - 0trang

426



8  Understanding the Role of Cooperation Mechanisms of DPAs: Towards a Layered…



delegation of tasks within the Member States to expert bodies. This was followed

by a further round of delegations to networks of expert bodies, triggered by the need

for coordination in the internal market. These networks perform tasks delegated by

the national expert bodies and also by the Commission.209

This explanation is interesting for the Article 29 Working Party (and other structured networks of DPAs), although the constitutional position of DPAs under EU

law is different from the status of most other expert bodies – such as the regulatory

agencies described by Coen & Thatcher – and the DPAs do not exercise their tasks

by delegation from the national governments or the Commission.

The parallel is the following: in the area of privacy and data protection there also

was an initial shift in responsibilities – the term delegation is avoided on purpose –

from the Member States to the European Union, in particular through the adoption

of Directive 95/46. Independent DPAs were first set up within the Member States to

take up the control of data protection. In some Member States the DPA already

existed before the adoption of Directive 95/46.210 The shift consists of the assumption of tasks by the network of DPAs, at present the Article 29 Working Party. The

Working Party provides for non-compulsory harmonisation through the exercise of

its advisory tasks and is only indirectly involved in enforcement.211

The network of DPAs is expected to further evolve under the General Data

Protection Regulation, with an EDPB assuming (certain) enforcement tasks. The

cooperation of DPAs as expert bodies should also enhance the uniform application

of EU data protection law within the European Union. The cooperation mechanisms

give effect to the task of DPAs to contribute to the control in the entire European

Union, but they are also an expression of democratic legitimacy, close to the

citizen.



8.10.1  D

 evelopment Towards a Closer Structured Network

of DPAs

Bignami notes that little powers have been transferred to the Article 29 Working

Party as the network of DPAs. She claims that one of the preconditions for the transfer of powers was not fulfilled, namely the existence of common preferences

amongst the Member States on the substance of privacy policy.212 She gives as an

example the difference of views between the United Kingdom and France at the

time of the negotiations in the Council on what became Directive 95/46 on data

protection. According to Bignami, the United Kingdom opposed the strong views of

209



 Coen and Thatcher call this “upwards” and “downwards” delegation.

 See Chap. 7, Sect. 7.3.

211

 See Sect. 8.4 above.

212

 Francesca E. Bignami, Transgovernmental Networks vs. Democracy: The Case of the European

Information Privacy Network, Michigan Journal of International Law, Vol. 26, pp. 807–868, 2005,

at 810 and 839–844.

210



8.10 The Second Cooperation Layer: A Structured Network of DPAs, Taking…



427



France on informational privacy, emphasising other values like the freedom of

expression and effective administration.213

Arguably, the preferences on data protection have converged, as a result of 20

years of cooperation in the Article 29 Working Party, of harmonised approaches

through soft law instruments and of common threats to privacy and data protection,

such as big data and mass surveillance. This convergence paves the way for the

transfer of further powers to a closer structured network of DPAs in the General

Data Protection Regulation.

At present, the network is not close, despite the important advisory role of the

Article 29 Working Party in the governance of data protection in the European

Union. To mention an example of the loose network: under Article 29(2) of Directive

95/46 the Working Party is composed of representatives of one DPA of each Member

State, but the representatives are not required to participate. Under Directive 95/46,

the DPAs do not have any other legal obligation vis-à-vis the Working Party either.

The EDPB is meant to be an instrument for more efficient cooperation, obliging

regulatory authorities to cooperate within the European structures, but also adding

a further layer of complexity. The EDPB will have a task in providing guidance on

general matters. This task is not contested and does, in itself, not complicate the

situation. It is a continuation of the work of the Article 29 Working Party that it is

intended to replace. This is also the way the European Union often works: experts

from the Member States sit together and give guidance. This is an effective way of

informal harmonisation of the application of EU law and is practiced in a large

number of areas. There may, however, be some competition with the role of the

Commission as the guardian of the Treaties.

What makes it more complicated is that the EDPB will have a task in the enforcement in individual cases. This task may be advisory (to give wider expertise, assisting the DPA in charge), more coercive (aimed at reaching consensus; the formula in

which the DPA in charge has to take the utmost account of the opinion of the EDPB

as foreseen in the Commission Proposal), binding upon a national DPA or even taking over decision-making powers. As was explained above, limited binding powers

for the EDPB are included in the General Data Protection Regulation.214



8.10.2  T

 he Relation Between the Duties and Powers

of a Structured Network and the Requirements

for Composition and Decision-Making Structures

Where stronger duties and powers are given to a structured network of national

authorities the requirements in relation to the composition and decision-making

structures should be stricter. The stronger duties and powers the network has, the

213



 Francesca E. Bignami, Transgovernmental Networks vs. Democracy: The Case of the European

Information Privacy Network, Michigan Journal of International Law, 2005, Vol. 26, pp. 807–868,

at 844.

214

 See Sect. 8.5 above.



428



8  Understanding the Role of Cooperation Mechanisms of DPAs: Towards a Layered…



more it will be exercising elements of the tasks of the authorities it is composed of,

with the consequence that the network itself will have to comply more with the

requirements of independence, effectiveness and accountability.

Fairly light requirements are acceptable where the involvement of a structured

network is limited to coordination, planning and guidance through soft law instruments, in short the current tasks of the Article 29 Working Party. The requirements

are higher where the network plays a role in the enforcement in individual cases.

The highest requirements apply where decision-making powers are given to the

structured network. In this latter option, the network has features of a European

DPA, which will be the subject of the next section.



8.10.3  C

 omposition of Structured Networks with Senior

Representatives of DPAs and Consensual Decision-­

Making Enhances Legitimacy

The structured networks within the European Union are often composed of senior

representatives of regulatory authorities. Where EU agencies are set up, a common

construction is to have two boards: a management board composed of representatives of ministries215 and a regulatory board with representatives of national regulatory authorities. This is, for instance, the case in the field of financial supervision.216

The regulatory board of BEREC consists of the head or nominated high-level representative of the national authorities.217 However, interestingly enough the management committee of BEREC is composed of the same group of

representatives.218

A structured network of DPAs is slightly different, since the requirement of independence precludes the setting up of a management board of representatives of the

national ministries. The Article 29 Working Party is composed of senior representatives of DPAs, normally the heads of the national DPAs,219 although this is not

required by Directive 95/46. This composition and the actual involvement of leaders

of DPAs in the network connects the EU level with the national level, and is intended

to contribute to the effect that the positions of the network have on the application

215



 See Chap. 7, Sect. 7.6 of this book.

 Mark Thatcher, The creation of European regulatory agencies and its limits: a comparative

analysis of European delegation, Journal of European Public Policy, 18, 790–809, 2011, at 798.

217

 Article 4(1) of Regulation (EC) No 1211/2009 of the European Parliament and of the Council of

25 November 2009 establishing the Body of European Regulators for Electronic Communications

(BEREC) and the Office, OJ L (2009), 337/1.

218

 Article 7(1) of Regulation (EC) No 1211/2009 of the European Parliament and of the Council of

25 November 2009 establishing the Body of European Regulators for Electronic Communications

(BEREC) and the Office, OJ L (2009), 337/1

219

 List of members available on http://ec.europa.eu/justice/data-protection/article-29/structure/

members/index_en.htm

216



8.10 The Second Cooperation Layer: A Structured Network of DPAs, Taking…



429



of EU data protection law on the national level. It enhances the legitimacy of the

network.

Consensual decision-making is an element in many structured networks in the

European Union. Authorities deliberate with their peers in an endeavour to reach

consensus. This makes the authorities to a certain extent accountable to these

peers.220 Another method to enhance legitimacy is to require a qualified majority for

the decision-making, as has been done in the case of several networks of regulatory

agencies.221 For example, the regulatory board of BEREC normally acts by a two-­

thirds majority of its members.222

The rules of procedure of the Article 29 Working Party do not make any reference to consensual decision-making or a required qualified majority. Decisions are

taken by simple majority. However, all members may request that their views are

included in the decisions.223

The Commission Proposal for a General Data Protection Regulation requires

neither a qualified majority, nor consensus in the EDPB.224 However, the contributions of the European Parliament and the Council to the legislative process include

provisions requiring that decisions in individual cases by the EDPB be taken by a

two-thirds majority.225 Moreover, these contributions aim at avoiding that individual

cases are too often stepped up to the EDPB. Therefore, the lead supervisory authority has to cooperate with the other concerned supervisory authorities “in an endeavour to reach consensus”.226 Furthermore, the various provisions that require taking

account of or taking utmost account of the positions of other entities227 may be seen

in the light of the goal of reaching consensus, instead of determining that the position of one entity binds the other.

The consensual decision-making process ensures the widest support for the positions of the structured network of authorities. However, it also carries risks from the

220



 Lavrijssen, Saskia & Ottow, Annetje. “Independent Supervisory Authorities: A Fragile Concept”,

Legal Issues of Economic Integration, 39, No. 4, 419–446, 2012, at 431.

221

 Mark Thatcher, The creation of European regulatory agencies and its limits: a comparative

analysis of European delegation, Journal of European Public Policy, 18, 790–809, 2011, at 798.

222

 Article 4(9) of Regulation (EC) No 1211/2009 of the European Parliament and of the Council of

25 November 2009 establishing the Body of European Regulators for Electronic Communications

(BEREC) and the Office, OJ L (2009), 337/1.

223

 Article 12 of the Rules of Procedure of the Working Party, 15 February 2010, http://ec.europa.

eu/justice/policies/privacy/docs/wpdocs/rules-art-29_en.pdf

224

 Article 58(7) of Commission Proposal for a GDPR, COM (2012), 11 final, mentions a simple

majority of the members of the EDPB.

225

 Article 58a (7) of European Parliament legislative resolution of 12 March 2014 on the proposal

for a GDPR (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD)). Article 58a(2) of Council

general approach (Council document 9565/15 of 11 June 2015). In the final text of the GDPR

simple majority remains the rule. See however Article 65 (2) thereof.

226

 Article 60 (1) GDPR.

227

 E.g., Article 64 (7) GDPR.



430



8  Understanding the Role of Cooperation Mechanisms of DPAs: Towards a Layered…



perspective of democratic accountability, as has been explained by Curtin.

Representatives of authorities deliberating with their peers may become socialised

and may strive to reach consensus within the network of experts without taking

other perspectives into account. This carries the risk that they do not take national

interests into account.228

This is not necessarily a negative development in view of the importance of consistency of the decision-making in an internet environment. However, this

­development also may increase the fragmentation of EU policies,229 by not taking

other fundamental rights and societal interests sufficiently into consideration in a

comprehensive manner. Furthermore, the lack of openness of consensual decisionmaking processes is a risk from the perspective of democratic accountability.230



8.10.4  T

 he Role of the Commission in the Structured Network:

How to Combine Two Contradicting Demands

It is beyond doubt that structured networks of national authorities assume responsibilities closely connected to the role of the Commission as the guardian of the treaties.231 The establishment of European networks and agencies was mentioned as a

solution for problems in the implementation of EU law in the Member States with a

view to improving the application and enforcement of EU law across Europe.232 The

Commission assumes a big role in the functioning of EU agencies, also to promote

agencies focusing on the EU perspective, which, as was explained in relation to

BEREC, is not self-evident.233 This role of the Commission is not easily to reconcile

with the autonomy of agencies.

228



 As explained by Curtin in relation to expert committees in the EU in general, “Challenging

executive dominance in European democracy” in: C. Joerges and C. Glinski (eds.), The European

Crisis and the Transformation of Transnational Governance: Authoritarian Managerialism versus

Democratic Governance, Hart Publishing, 2014, 203–226, at the section on “Challenging lowlevel secrecy.”

229

 Deirdre Curtin “Challenging executive dominance in European democracy” in: C. Joerges and

C. Glinski (eds.), The European Crisis and the Transformation of Transnational Governance:

Authoritarian Managerialism versus Democratic Governance, Hart Publishing, 2014, 203–226, at

the section on “Fragmented EU governments.

230

 Deirdre Curtin “Challenging executive dominance in European democracy” in: C. Joerges and

C. Glinski (eds.), The European Crisis and the Transformation of Transnational Governance:

Authoritarian Managerialism versus Democratic Governance, Hart Publishing, 2014, 203–226, at

the section on “Challenging low-level secrecy.”

231

 Under Article 17 TEU, Koen Lenaerts and Piet van Nuffel, European Union Law (Third edition), Sweet & Maxwell, 2010, at 13-063.

232

 M. Keading & E.W. Versluis in: Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014,

EU Agencies in between Institutions and Member States, Kluwer Law International 2014, Chapter

4, e.g. at 74.

233

 Study on the Evaluation of BEREC and the BEREC Office, carried out for the European

Commission by PricewaterhouseCoopers, 2012, at 7.



8.10 The Second Cooperation Layer: A Structured Network of DPAs, Taking…



431



This role is even more complicated in relation to networks of independent DPAs.

On the one hand, the Commission is the natural ally of the structured networks of

DPAs that must ensure the consistent application of EU data protection law. On the

other hand, independence, as interpreted by the Court of Justice as the absence of

“any direct or indirect external influence on the supervisory authority”,234 excludes

influence from the executive branch of government. In Commission v Austria, the

Court of Justice specified that a right of the executive to be informed of the activities

of a DPA is only incompatible with the requirement of independence, inasmuch as

this right covers all aspects of the work of the DPA and is unconditional.235

Hence, a close relationship between the Commission and the structured network of

DPAs is desirable from the perspective of consistency. The network would benefit from

a strong information position of the Commission. However, direct influence on the

decision-making process should be avoided. There is a thin line between both effects.

As was explained above, the requirements of independence are stricter where the

network plays a role in the enforcement in individual cases. From this perspective,

the status quo under Directive 95/46 would be in line with the independence of

DPAs and the independence of the Article 29 Working Party itself, as stipulated by

Article 29(1) of the directive. Under this directive, the Commission is a member of

the Article 29 Working Party, albeit without voting rights. It also provides the secretariat. These roles of the Commission – a part of the executive branch – do not fit

naturally within the independence of the Article 29 Working Party, but they are not

per se in contradiction with EU law.

It is not self-evident that these roles can be continued under the regime of the

General Data Protection Regulation, although this will depend on the powers the

EDPB will assume under this regulation. The Regulation limits the role of the

Commission to the right to participate in the activities and meetings of the EDPB.236

However, this right is not subject to any conditions. It is questionable whether this

right of the Commission is in line with the case law of the Court of Justice, as was

explained above. An unconditional right to participate in the activities and meetings

goes even further than an unconditional right to be informed, which the Court did

not accept in Commission v Austria.

Furthermore, the Commission proposal includes more invasive mechanisms for

influencing the independence of the EDPB; in particular it provides for the

Commission suspending certain decisions of the EDPB.237 These mechanisms –

heavily criticised238 and removed by the European Parliament and the Council239 –

would not fulfil the requirements relating to the independence of DPAs.

 Case C-518/07, Commission v Germany, EU:C:2010:125, at 19.

 Case C-614/10, Commission v Austria, EU:C:2012:631, at 62–64.

236

 Article 68 (5) GDPR.

237

 Article 60 of Commission Proposal for a GDPR, COM (2012), 11 final.

238

 E.g., European Data Protection Supervisor, Opinion of 7 March 2012 on the data protection

reform package; Article 29 Data Protection Working Party, Opinion 01/2012 on the data protection

reform proposals – WP 191 (23.03.2012).

239

 European Parliament legislative resolution of 12 March 2014 on the proposal for a GDPR

(COM(2012)0011 – C7-0025/2012 – 2012/0011(COD)). Council general approach (Council document 9565/15 of 11 June 2015).

234

235



432



8  Understanding the Role of Cooperation Mechanisms of DPAs: Towards a Layered…



8.10.5  Procedural Guarantees

What was observed above on procedural guarantees in relation to the horizontal

cooperation of DPAs applies mutatis mutandis to a structured network of DPAs.

Procedural guarantees are linked to Article 41 Charter on the right to good administration. Specification of the guarantees may be needed, also to make up for flaws in

democratic accountability.

However, a structured network of DPAs requires specific procedural rules for

two additional reasons. First, national administrative law does not apply to structured networks set up under EU law. Therefore, an EU instrument should lay down

a full set of procedural guarantees in the absence of general rules of EU administrative law. Second, in a structured network, the responsibility for opinions and decisions may be of a hybrid nature and may not necessarily be clear. As was explained

above, responsibilities are shared, not divided.240 However, a clear division of

responsibilities based on specific procedural rules enhances democratic accountability, whilst it is even the basic condition for an effective remedy under the rule of

law. By way of illustration, a provision requiring a national DPA to take utmost

account of an opinion of the EDPB may lead to legal uncertainty.241 Where an individual challenges the decision of a national DPA, the latter can refer the responsibility to the EDPB.

More generally, procedural guarantees – such as included in the ReNEUAL

Model Rules on EU Administrative Procedure242 – could also empower the individual to invoke his rights in this situation in an effective manner.



8.11  T

 he Third Layer Where Independence Must

Be Ensured: Cooperation Within a European DPA

8.11.1  The Essence of Cooperation Within a European DPA

The third model of cooperation of DPAs consists of a structured network that itself

qualifies as a DPA, because it exercises tasks of the DPAs to ensure compliance with

the data protection rules of the European Union. In this model, the network of cooperating DPAs is transformed into a European DPA. This model does not exist under

Directive 95/46. There are however examples of this model under current EU data

protection law in specific domains, namely the Joint Supervisory Bodies for Europol

and Eurojust.243

240



 See Sect. 8.2 above.

 As in Article 64 (7) GDPR.

242

 Research Network on EU Administrative Law, ReNEUAL Model Rules on EU Administrative

Procedure, Article VI-39.

243

 See Sect. 8.4 above.

241



8.11 The Third Layer Where Independence Must Be Ensured: Cooperation…



433



As a result of the data protection reform the consistency mechanism will contain

elements of a European DPA, in particular where decision-making powers are given

to the EDPB.244 To be more precise: the EDPB will have features of an EU body,

functioning within the EU legal structure, although the EDPB will be (mostly, the

EDPS will also be a member)245 composed of representatives of national authorities. This status as EU body with legal personality is recognised in Article 68 (1) of

the General Data Protection Regulation.

Under these conditions, the EDPB would – in the exercise of these powers – no

longer qualify as a structured network of national authorities. To the extent that the

EDPB, as an EU body, has binding powers to ensure the compliance with data protection rules, it qualifies as a DPA within the meaning of Article 16(2) TFEU and

Article 8(3) Charter. Under these circumstances, the EDPB must fulfil the requirements of independence as laid down in the case law of the Court of Justice.246

Hence, a first requirement of a model of cooperation that includes elements of a

European DPA is that its independence must be guaranteed, similarly to the independence of the (national) DPAs and under the same conditions laid down in the

Courts’ case law.

A role of the EDPB as a European DPA should be considered from the perspective of the principle of subsidiarity. This role has advantages and disadvantages. In

theory, a European DPA is the best way to ensure the functioning of the internal

market, and to ensure the efficiency of the protection. This also creates legal certainty, since the judicial review would be a task for the Court of Justice of the

European Union, applying EU law. However, a European DPA is not necessarily

best placed to consider national specificities or to carry out the balancing with other

fundamental rights and essential interests of Member States in an area that is closely

linked to core tasks of Member States to protect (other) fundamental rights and to

ensure the security of its citizens.247 Considerations of democratic legitimacy and

accountability plead against giving decision-making powers in individual cases to

the EDPB.

Against this background, the model of European agencies, as described in Chap.

7 of this book, can be of help. A key feature of the European agency is that it operates in between the Union and the Member States.248 The Member States have a

guaranteed influence on the performance of the agency, for instance because the

management board of the agencies is normally composed of Member States’ representatives, who are usually experts in the field.249 This is a means to ensuring respect

for what Vos calls a wide definition of an institutional balance: the balance between

244



 As in Article 65 GDPR.

 Article 68 (3) GDPR.

246

 Cases C-518/07, Commission v Germany, EU:C:2010:125, C-614/10, Commission v Austria,

EU:C:2012:631, and C-288/12, Commission v Hungary, EU:C:2014:237.

247

 As explained in Chap. 4 of this book.

248

 See Chap. 7, Sect. 7.8.

249

 M. Shapiro in Paul Craig and Grainne de Búrca (eds), The evolution of EU Law (Second

Edition), Oxford University Press, 2011, at 111.

245



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

10 The Second Cooperation Layer: A Structured Network of DPAs, Taking the Article 29 Working Party as an Inspiration to Move Ahead

Tải bản đầy đủ ngay(0 tr)

×