8.11 The Third Layer Where Independence Must Be Ensured: Cooperation Within a European DPA


As a result of the data protection reform the consistency mechanism will contain

elements of a European DPA, in particular where decision-making powers are given

to the EDPB.244 To be more precise: the EDPB will have features of an EU body,

functioning within the EU legal structure, although the EDPB will be (mostly, the

EDPS will also be a member)245 composed of representatives of national authorities. This status as EU body with legal personality is recognised in Article 68 (1) of

the General Data Protection Regulation.

Under these conditions, the EDPB would – in the exercise of these powers – no

longer qualify as a structured network of national authorities. To the extent that the

EDPB, as an EU body, has binding powers to ensure the compliance with data protection rules, it qualifies as a DPA within the meaning of Article 16(2) TFEU and

Article 8(3) Charter. Under these circumstances, the EDPB must fulfil the requirements of independence as laid down in the case law of the Court of Justice.246

Hence, a first requirement of a model of cooperation that includes elements of a European DPA is that its independence must be guaranteed, similarly to the independence of the (national) DPAs and under the same conditions laid down in the Court’s case law.

A role of the EDPB as a European DPA should be considered from the perspective of the principle of subsidiarity. This role has advantages and disadvantages. In

theory, a European DPA is the best way to ensure the functioning of the internal

market, and to ensure the efficiency of the protection. This also creates legal certainty, since the judicial review would be a task for the Court of Justice of the

European Union, applying EU law. However, a European DPA is not necessarily best placed to consider national specificities or to carry out the balancing with other fundamental rights and essential interests of Member States in an area that is closely linked to core tasks of Member States to protect (other) fundamental rights and to ensure the security of their citizens.247 Considerations of democratic legitimacy and accountability plead against giving decision-making powers in individual cases to the EDPB.

Against this background, the model of European agencies, as described in Chap. 7 of this book, can be of help. A key feature of the European agency is that it operates in between the Union and the Member States.248 The Member States have a guaranteed influence on the performance of the agency, for instance because the management board of the agencies is normally composed of Member States’ representatives, who are usually experts in the field.249 This is a means to ensuring respect for what Vos calls a wide definition of an institutional balance: the balance between the Union and the Member States, in addition to the balance between the institutions of the European Union.250

244 As in Article 65 GDPR.

245 Article 68 (3) GDPR.

246 Cases C-518/07, Commission v Germany, EU:C:2010:125, C-614/10, Commission v Austria, EU:C:2012:631, and C-288/12, Commission v Hungary, EU:C:2014:237.

247 As explained in Chap. 4 of this book.

248 See Chap. 7, Sect. 7.8.

249 M. Shapiro in Paul Craig and Grainne de Búrca (eds), The evolution of EU Law (Second Edition), Oxford University Press, 2011, at 111.

Consequently, the second requirement of a model of a European DPA deciding

in individual cases is that not only the full involvement of national DPAs in its

operation must be guaranteed, but also of the European level. This mirrors the situation described by Vos.



8.11.2  Towards a Closer Cooperation Within a European DPA

The negotiations on the General Data Protection Regulation have resulted in an

EDPB having features of a European DPA, because it will have certain binding

powers in individual cases. To the extent the EDPB is allotted binding powers, this

consequence is evident, because, where the EDPB uses these powers, the national

DPAs are no longer sovereign to ensure the control of the EU rules on data

protection.

Parallels exist with the granting of binding powers in other areas of EU law

where European agencies are endowed with decision-making powers, thereby centralising the governance of EU law in specific areas. This centralisation happens in

particular in the financial sector where agencies have been set up as a result of the

financial crisis. An example is the European Banking Authority, which has direct

intervention powers, including the power to take decisions that are binding upon

national authorities251 in case of breach of EU law by a national authority. In this

mechanism the national authorities are initially given the possibility to comply voluntarily with a recommendation of the European agency.252 The European Banking

Authority also has the task to take binding decisions to settle a disagreement

between two or more national authorities.253

A further step in the centralisation of governance is giving supervisory powers to a European agency. EU law attributes supervisory powers to the European Securities and Markets Authority (ESMA).254 Where this authority establishes that a credit rating agency has committed a certain infringement, it must impose a fine.255 In this procedure there is no role for national authorities.

250 E. Vos in: Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014, at 29–30.

251 Further read: A. Ottow in: Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014, Chapter 6.

252 This is a simplified description of Article 17 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC, OJ L 331/12.

253 Article 19 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC, OJ L 331/12.

254 Set up under Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC, OJ L 331/84.

This further step is not included in the legislative documents on the EDPB. However, these documents allot a binding role vis-à-vis the national authorities that to a certain extent is comparable to the power of the European Banking Authority. The European Parliament is reticent concerning the grant of binding powers to the EDPB.256 The European Parliament introduces this power as an ultimum remedium that only becomes effective in case various previous consultations between DPAs – within and outside the framework of the EDPB – do not lead to consensus. Moreover, this binding power is presented as only binding on the DPA concerned. The Council, too, shows reticence.257 In the contribution of the Council, the EDPB will take a decision and on that basis the DPA will take the “final decision”. This distinction between a decision and a final decision is kept in the final text.258 This formula suggests that decisions of the EDPB do not give rights and obligations to others than DPAs.

This suggestion is rebuttable and also contradicted by recital 143 of the General Data Protection Regulation. Where the EDPB exercises binding powers, one may assume that a decision of the EDPB can be challenged before the Court of Justice under Article 263 TFEU, which provides that a “natural or legal person may […] institute proceedings against an act addressed to that person or which is of direct and individual concern to them”. This provision must be interpreted under the Plaumann case law. Persons may be individually concerned by a decision even if they are not the addressees thereof.259 It is safe to say that where the EDPB will take a binding decision in individual cases, the data controllers and processors, as well as probably the data subjects, are directly affected, even though this decision is not addressed to them.260

Possibly, also certain opinions based on Article 64 of the General Data Protection Regulation will have such a strong legal nature which equals them with a decision as meant in Article 263 TFEU.

Furthermore, arguably, also where the EDPB will only have advisory powers in individual cases, it will be fulfilling tasks of a DPA in ensuring control, and will have characteristics of a DPA. Advices by the EDPB will have strong persuasive power and are expected to play an important role in the subsequent enforcement by a DPA. This is the rationale behind the advice: that it is followed by DPAs and hence contributes to the uniform application of EU data protection law. A national DPA that does not follow an advice of the EDPB will be under a heavy obligation to state the reasons for its decision, and to defend this decision before a tribunal. Obviously, there is a difference with the situation of binding powers, if only because a non-binding advice cannot be the subject of proceedings before the Court of Justice. It can only be challenged indirectly in a Member State’s court where a decision is taken by a DPA, implementing the advice of the EDPB. Hence, from the perspective of legal certainty, a binding power of the EDPB is the preferred option.

255 Article 36a of Regulation (EU) No 513/2011 of the European Parliament and of the Council of 11 May 2011 amending Regulation (EC) No 1060/2009 on credit rating agencies.

256 Article 58a (7) of European Parliament legislative resolution of 12 March 2014 on the proposal for a GDPR (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD)).

257 Article 58a (7) of Council general approach (Council document 9565/15 of 11 June 2015).

258 Article 65(5) and (6) GDPR.

259 Case 25/62, Plaumann v Commission, EU:C:1963:17.

260 Further read: Paul Craig and Grainne de Búrca, EU Law, Text, Cases and Material (Fifth Edition), Oxford University Press, 2011, at 491–510.

Closer cooperation within a European DPA also requires that the European DPA is enabled to fulfil its task. For this reason legal personality as an EU body is relevant, as well as the availability of sufficient budget, staff and other resources, and independence in using these resources.



8.11.3  And the Role of the Commission?

The role of the Commission in the EDPB – as was explained before in relation to

the structured network – requires consideration, and even more so where the EDPB

has binding powers and acts as a European DPA. The right of the Commission to

participate in the activities and meetings of the EDPB261 without any exceptions is

not in line with the requirement of independence of DPAs where this is understood

as meaning the absence of “any direct or indirect external influence on the supervisory authority”,262 as further specified in Commission v Austria.263 The EDPB acting

as a DPA should have the possibility to deliberate in enforcement cases without the

Commission representative being present.



8.11.4  Procedural Guarantees

Paradoxically, it would be easier to guarantee the accountability of a European

DPA – especially where it has binding powers – than in the case of a structured

network of DPAs.

Assuming that a European DPA qualifies as an EU body, it is part of the EU administration and for this reason subject to the same administrative requirements as other EU institutions and bodies. This means, for instance,264 that complaints on maladministration can be made to the European Ombudsman, that the rules on audits and fraud apply and that the European DPA is subject to the EU regulations on public access to documents265 and on data protection.266 These administrative requirements enhance the democratic accountability of the European DPA. The judicial review of its decisions is a task of the Court of Justice.267

261 Article 68(4) GDPR.

262 Case C-518/07, Commission v Germany, EU:C:2010:125, at 19.

263 Case C-614/10, Commission v Austria, EU:C:2012:631, at 62–64. See Chap. 7, Sect. 7.9.

264 Further read: Ellen Vos in: Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014, at 42.



8.11.5  Further Conditions

The General Data Protection Regulation does not provide for any role for the EDPB

in relation to EU bodies such as Europol and Eurojust, nor in relation to the information systems where the mechanism of coordinated supervision is applied. It was

suggested in the ReNEUAL Model Rules on EU Administrative Procedure to give

such a role to the EDPB.268 This suggestion is useful considering the main perspective of the EDPB, which is formulated as ensuring the consistency of the application

of the proposed regulation. This perspective could also be interpreted as ensuring

the consistent application of EU data protection law in general, because, as was

explained above,269 the reform of the data protection rules is based on a comprehensive approach.270



265 Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents, OJ 2001 L 145/43.

266 Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 8/1.

267 The Legal Service of Council gives arguments why review by the CJEU complies with Article 47 Charter. Council document re Interinstitutional file 2012/0011 (COD), e.g., 18031/13 (19 Dec 2013, full version on lobbyplag.eu), at 43.

268 Research Network on EU Administrative Law, ReNEUAL Model Rules on EU Administrative Procedure, Article VI-39.

269 In Chap. 6, Sect. 6.3.

270 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM (2010), 609 final.



8.12 Cooperation Between DPAs: Ensuring Independence, Effectiveness and Accountability of DPAs and the Cooperation Mechanisms, a Final Assessment and a Proposal

8.12.1 The Layered Structure of Cooperation Mechanisms Should Not Compromise the Independence of DPAs

Primary EU law provides that compliance with data protection rules shall be subject

to control by independent DPAs. This starting point does not preclude that, where

DPAs cooperate, they share the powers to ensure control within their own jurisdiction with DPAs in other jurisdictions or within an institutional mechanism for cooperation, in a composite administration. Where a cooperation mechanism has features

of a European DPA, it must itself fulfil the requirements of independence as laid

down in the Court of Justice’s case law.

Under Article 16(2) TFEU and Article 8(3) Charter, an individual is entitled to

effective control by a DPA. As will be explained below, ‘proximity’ is not a prerequisite for legal protection under EU law. Hence, an individual has no entitlement to

protection being provided by the DPA in the Member State where he or she resides.

However, even where the DPA in the Member State where he or she resides is not

capable of delivering effective protection, the individual must be protected, either

by the DPA in another Member State or by an institutional mechanism that itself

fulfils the criteria of independence under the case law of the Court of Justice.271



8.12.2 The Layered Structure Should Contain Incentives for Effective Protection and Should Not Result in an Incomplete – or Extremely Complex – System of Remedies

Cooperation mechanisms are to a large extent justified by considerations of effectiveness, particularly in an internet environment, because these mechanisms should

contribute to ensuring privacy and data protection by bridging the gap between principles and practice. Arguably, the contribution to the effectiveness of ensuring privacy and data protection is the main raison d’être for cooperation mechanisms.

Effectiveness of enforcement by DPAs requires a strong cooperation mechanism that is able to deal with the challenges in an internet environment with big data, mass surveillance and loose governance structures. A priori, a strong European dimension of the enforcement enhances the effectiveness, particularly the enforcement vis-à-vis big internet players. In addition, the mechanism itself should contain incentives for effective protection.

271 Cases C-518/07, Commission v Germany, EU:C:2010:125, C-614/10, Commission v Austria, EU:C:2012:631, and C-288/12, Commission v Hungary, EU:C:2014:237.

In a composite administration where multiple partners are involved in processes,

the effectiveness of control requires appropriate decision-making structures, within

this administration. In an internet environment prompt responses may be needed,

for example in the case of a notification of a personal data breach.272 Consensual

decision-making, with the involvement of all concerned DPAs, does not necessarily

guarantee the most prompt and, hence, effective response.

Furthermore, the effective implementation by the individual DPAs of the recommendations of the cooperation mechanism should be ensured. At the same time,

there should be a system for monitoring the effectiveness of the cooperation mechanism itself.

More generally, the layered structure should not result in an incomplete – or

extremely complex – system of remedies, which would not only be ineffective, but

would also be contrary to the right to an effective remedy in Article 47 Charter.



8.12.3 Democratic Accountability: The European Parliament Has a Role to Play

The involvement of authorities of the Member States in the control of privacy and

data protection increases the legitimacy of the protection of these fundamental

rights. Chapter 7 explained the advantages in terms of legitimacy, where national

DPAs operate in between the Union and the Member States.

In all three models of cooperation, there is a complex relationship with the public

and political accountability of DPAs before democratically elected bodies.273 The

link with these bodies is by definition link. DPAs are not only a separate branch of

government, they also have responsibilities for the protection of personal data outside the jurisdiction of the Member State in which they are established. It is a part

of their duty under EU law to contribute to the uniform application of EU data protection law.

The independence of DPAs limits their democratic accountability. However, the

Court of Justice underlined in Commission v Germany274 that some democratic

accountability exists. The control by a DPA – albeit independent – remains linked

272 As required under current EU law for providers of publicly available electronic communications services under Article 3 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201/37, as amended by Directive 2009/136, OJ L 337/11.

273 See, in relation to agencies: F. Jacobs, in: Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014, Chapter 9.

274 Case C-518/07, Commission v Germany, EU:C:2010:125, at 41–46, see Chap. 7, Sect. 7.9, of this book.


