Tải bản đầy đủ - 0 (trang)
8 Cooperation as an Element of Control, with a Layered Structure of Cooperation Mechanisms

8 Cooperation as an Element of Control, with a Layered Structure of Cooperation Mechanisms

Tải bản đầy đủ - 0trang

544



10  Making Article 16 TFEU Work: Analysis and Conclusions



DPAs should contribute to the control of data protection outside of the territory

of their constituent Member State, mutually cooperating with their peers across the

border. The duty for ensuring control in a cross-border context and for mutual cooperation follows from the system of EU law. Mutual enforcement cooperation consists of exchange of information, effectively assisting in supervision and – under the

General Data Protection Regulation – the carrying out of joint investigative tasks,

joint enforcement measures and other joint operations.

At present, the further task of contributing to a harmonised and effective level of

data protection within the wider territory of the European Union is mainly a task for

the Article 29 Working Party. The Working Party gives non-binding guidance, indirectly, yet significantly, influencing the supervision by the DPAs.

The General Data Protection Regulation brings two novelties. It introduces a

one-stop shop mechanism with a lead supervisory authority cooperating with its

peers in cases where DPAs in more than one Member State are concerned. The

involvement of all concerned DPAs must ensure that in a single case only one decision is taken and, at the same time, prevent that multinational companies have to

deal with divergent enforcement decisions. The system must also ensure that these

companies only have to deal with one sole interlocutor. Under the consistency

mechanism the EDPB, the successor of the Article 29 Working Party, will have a

formal role in enforcement. In the view of the Commission, this mechanism serves

as a conflict-solving mechanism between concerned DPAs and also as a mechanism

to ensure the correct and consistent application of the regulation within the wider

territory of the European Union. Other contributors to the legislative process consider that the role of the mechanism is limited to being a conflict-solving mechanism. This book concurs with the wide approach of the Commission.



10.8.2  T

 he Constitutional Safeguards Under EU Law:

Cooperation Mechanisms of DPAs, Legal Requirements

for Cooperation and a Cooperation Structure (The

Second Component)

The Court of Justice’s case law on the independence of DPAs63 directly affects the

cooperation mechanisms of DPAs under Article 16(1) TFEU. Cooperation mechanisms should respect the independence of the participating DPAs or, alternatively, a

cooperation mechanism having sufficient powers itself may become a DPA, subject

to the requirements of independence in the Court’s case law.

Furthermore, the principle of sincere cooperation under Article 4(3) TEU applies

to all governmental actors (EU and national) involved in the implementation of EU

law and policies. This principle acquires an additional dimension in a composite

 Cases C-518/07, Commission v Germany, EU:C:2010:125; C-614/10, Commission v Austria,

EU:C:2012:631, and C-288/12, Commission v Hungary, EU:C:2014:237.

63



10.8 Cooperation as an Element of Control, with a Layered Structure of Cooperation…



545



administration where cooperation between the different actors and levels is a condition for success. The principle of sincere cooperation extends to cooperation with

authorities in related policy areas. Cooperation in the domain of privacy and data

protection on the internet also involves non-governmental stakeholders. Where

DPAs cooperate with actors outside government, the latter should respect principles

of good governance, but Article 4(3) TEU does not apply to non-governmental

stakeholders.

Administrative cooperation under EU law is a matter of common interest. Rules

on administrative procedure should ensure the effective discharge of public duties

and the protection of individuals’ rights. Arguably, in the light of the fundamental

right of an individual to a good administration, as laid down in Article 41 Charter,

the DPA cooperation should meet both objectives. The structure of DPA cooperation should not compromise the independence of DPAs and should equally not

result in an incomplete – or extremely complex – system of remedies, in breach of

Article 47 Charter.

Procedural guarantees – such as those included in the ReNEUAL Model Rules

on EU Administrative Procedure64 – could deal with the disadvantages of fragmentation of administrative law in the European Union, also in the field of privacy and

data protection. These guarantees could empower the individual to invoke his or her

rights, in cases where a DPA hears a complaint, but lacks capacity to take an effective decision because of the cross-border nature of the case.

The next topic concerns the need for structures for cooperation to respect the

constitutional safeguards under EU law. DPAs operating in multiple jurisdictions

create a further challenge for reconciling independence, effectiveness and accountability. This book distinguished three models of cooperation: horizontal cooperation

of DPAs, a structured network of DPAs and cooperation within a European

DPA. These three models are examples of the integrated or composite EU administration where competences are not divided but shared. The main differences between

these three models relate to the nature of coordination.

This book presented these three models as part of a layered structure for an independent, effective and accountable control of EU data protection. This layered

structure should guarantee that the two objectives of cooperation of DPAs are satisfied: the protection of individuals vis-à-vis entities established outside the national

territory, as well as the uniform interpretation of EU data protection law. The EDPB,

as will be set up under the General Data Protection Regulation, should function both

as a structured network and as a European DPA.

The added value of this layered structure is, in the first place, to clearly define

where cases could be handled in the first layer, horizontal cooperation. If a case

concerns data subjects in a large number of Member States, normally, horizontal

cooperation would not be sufficient. In the second place, this structure makes it pos-



64



 Research Network on EU Administrative Law, ReNEUAL Model Rules on EU Administrative

Procedure: Introduction to the ReNEUAL Model Rules /Book I – General Provisions, online version 2014; Book V – Mutual Assistance; Book VI- Administrative Information Management.



546



10  Making Article 16 TFEU Work: Analysis and Conclusions



sible to distinguish between the activities of the EDPB in a consistent manner,

whilst reconciling legitimacy and effectiveness.



10.8.3  L

 egitimacy as a Factor for Success for Cooperation

Mechanisms (The Third Component)

This book understood legitimacy in relation to the governance of privacy and data

protection under EU law as meaning that some degree of accountability towards

political institutions is ensured. Legitimacy as a factor for success of DPA cooperation requires a priori a degree of accountability vis-à-vis the political institutions of

the Member States. Fundamental rights protection is a subject that is close to the

citizen – the notion of proximity has been mentioned in this context – and this book

also explained the perceived democratic deficit of the European Union. The cooperation by DPAs also requires transparency, in order to ensure some degree of

accountability to the public.

Horizontal cooperation of DPAs is an expression of legitimacy in which the

emphasis is on democratic accountability – political as well as public – at Member

States level. Horizontal cooperation is characterised by the sharing of responsibilities, a common interest, good faith and good administration in the absence of hierarchy. Horizontal cooperation is not limited to two DPAs, but relates to all DPAs

concerned. Where goods or services are offered on the internet, this can be the

DPAs of all 28 Member States. Horizontal DPA cooperation requires specifying

procedural guarantees, in order to facilitate the cooperation and to further ensure the

guarantees at EU level.

The cooperation of DPAs as expert bodies should also enhance the uniform

application of EU data protection law within the European Union. The cooperation

mechanisms give effect to the task of DPAs to contribute to the control in the entire

European Union, but they are also an expression of democratic legitimacy, because

DPAs are situated in the Member States, close to the citizen.

This book argued that a structured network of DPAs – at present, essentially the

Article 29 Working Party – is also primarily an expression of legitimacy, leaving the

democratic accountability to a large extent at the national level. The structured network of DPAs will normally be strengthened with the setting up of the EDPB. In the

exercise of its advisory role, giving guidance to DPAs as well as to the EU institutions, the EDPB will act as structured network.

The increased duties and powers of the network in the EDPB will enhance the

requirements for its composition and for decision-making structures. In this context,

this book emphasised the composition of the EDPB by senior representatives of



10.8 Cooperation as an Element of Control, with a Layered Structure of Cooperation…



547



DPAs as well as decision-making procedures based on consensus. A close relationship between the Commission and the EDPB as a structured network is desirable

from the perspective of consistency, but direct influence of the Commission on the

decision-making process should be avoided. A structured network requires procedural rules.

Increased duties and powers set higher standards for the independence of the

EDPB, including a higher level of procedural guarantees and stronger requirements

concerning the participation by the DPAs. Increased duties and powers also have an

impact on the public and political accountability of DPAs. The European dimension

of the activities of the DPAs and – even more – of the structured network of DPAs

does not only require involvement of national parliaments, but also of the European

Parliament.



10.8.4  E

 ffectiveness as a Factor for Success for Cooperation

Mechanisms (The Fourth Component)

This book specified the general principle of effectiveness under EU law as ensuring

privacy and data protection by bridging the gap between principles and practice.

Arguably, the contribution to the effectiveness of ensuring privacy and data protection is the main raison d’être for cooperation mechanisms.

Where goods or services are offered on the internet, horizontal cooperation may

require the involvement of the DPAs of all 28 Member States. Hence, horizontal

cooperation is not always effective. Neither is a structured network – with special

responsibilities remaining with the national DPAs – sufficiently effective in all

circumstances.

Effectiveness of enforcement by DPAs requires a strong cooperation mechanism

that is able to deal with the challenges on the internet with big data, mass surveillance and loose governance structures. A priori, a strong European dimension in

enforcement enhances the effectiveness, particularly the enforcement vis-à-vis big

internet players. In addition, the mechanism itself should contain incentives for

effective protection. For example, the effective implementation by the individual

DPAs of the recommendations of the cooperation mechanism should be ensured. At

the same time, there should be a system for monitoring the effectiveness of the

cooperation mechanism itself.

Cooperation within a European DPA is an expression of effectiveness. It is

expected that the EDPB will have certain – binding – powers to ensure compliance

with data protection rules. Hence, when the EDPB exercises these powers, it

becomes a DPA and should fulfil the conditions of independence under the Court of

Justice’s case law.



548



10  Making Article 16 TFEU Work: Analysis and Conclusions



Where the EDPB exercises binding powers, one may assume that a decision of

the EDPB can be challenged before the Court of Justice, in accordance with Article

263 TFEU.

To the extent the EDPB acts as a European DPA, with decision-making power, it

must meet higher standards of independence increase. The EDPB should be bound

by the same standards of independence as national DPAs and procedural guarantees, comparable to the ReNEUAL Model Rules on EU Administrative Procedure,65

are required. Moreover, the EDPB, acting as a DPA, should have the possibility to

deliberate in enforcement cases without a European Commission representative

being present. The system of redress must be sufficiently coherent and clear.

Proximity, in the sense that an individual is entitled to redress in the Member State

where he or she resides, is not a prerequisite for legal protection under EU law.

Where the EDPB acts as a European DPA, the involvement of the European

Parliament as the body ensuring some degree of political accountability is obvious.

The EDPB acts as an EU body. However, the EDPB – which is largely composed of

national DPAs – should also incite involvement from national parliaments. This is a

further illustration of the complex relationship between control under Article 16(2)

TFEU and the public and political accountability.



10.8.5  Final Recommendation

This book presented three models of cooperation: horizontal cooperation of DPAs,

a structured network of DPAs and cooperation within a European DPA. These three

models compose a layered structure for an independent, effective and accountable

control of EU data protection.

At present, the control of the compliance with data protection rules is not centralised at the EU level. Although considerations of effectiveness plead in favour of a

uniform and harmonised approach of the control, this does not mean that centralisation of control would be the preferred option, at least not in the immediate future.

Centralisation of control is also not favoured in any of the contributions of the EU

institutions to the legislative process in the General Data Protection Regulation.

The book recommended elaborating the layered structure, as a structure for better governance of control of data privacy and data protection in the European Union.

This layered structure is not meant to centralise essential parts of the decision-­

making by DPAs at the European level, but to ensure that where the European level

is involved in the control of data protection rules, appropriate standards are in place.



65



 Research Network on EU Administrative Law, ReNEUAL Model Rules on EU Administrative

Procedure: Introduction to the ReNEUAL Model Rules /Book I – General Provisions, online version 2014; Book V – Mutual Assistance; Book VI- Administrative Information Management.



10.9 External EU Action on the Internet: Solving Conflicting Jurisdictional Claims…



549



10.9  E

 xternal EU Action on the Internet: Solving Conflicting

Jurisdictional Claims and Substantive Divergences,

with a Powerful EU in the International Domain

10.9.1  A

 rticle 16 TFEU and the Claim of Extraterritorial

Jurisdiction (The First Component)

As a rule, any intervention by the European Union with the purpose of protecting

privacy and data protection on the internet has extraterritorial effect. In addition,

giving extraterritorial effect to EU data protection law is an explicit objective of the

EU legislator, resulting from the general ambitions of the Union to promote its

essential values, also in the wider world. A further point of departure for the Union’s

role in the external domain is that, due to the pervasiveness of the internet in our

daily lives, the internet should not be governed by a separate body of law.

The global nature of the internet requires that in the external domain solutions

should be found for two types of issues: conflicting jurisdictional claims and divergences in substantive law. The book proposes an active role of the European Union

in the external domain, based on an appropriate mix of different strategies, and

addressing both types of issues.

The overlapping of jurisdictions is no longer an exception on the internet. Under

public international law, there is no generally accepted solution for internet jurisdiction. General public international law implies that states (and the European Union)

are precluded from enforcing their laws in another state’s territory. However, states

may prescribe rules for persons and events outside their borders. In accordance with

public international law, the European Union – acting as if it were a state – should

claim extraterritorial jurisdiction, even if it lacks enforcement power, for instance to

stimulate voluntary compliance in third countries.



10.9.2  T

 he Constitutional Safeguards Under EU Law Where

the EU Acts as an Organisation Sui Generis

in the External Domain (The Second Component)

The European Union itself is an organisation sui generis, also in the international

domain. International competence of the European Union, under international law,

is similar but not equal to that enjoyed by a state. The European Union is not a

member of international organisations such as the UN, the OECD and the Council

of Europe. It must be assumed that the Union has, under Article 16 TFEU, exclusive

competence in respect of the external dimension of data protection, because effective protection on the internet requires the widest possible geographical scope.

Arguably, the Member States lost their external competence in the domain of privacy and data protection. In any event, the Member States are expected to lose their

external competence as a result of the General Data Protection Regulation, at least

in the areas covered by this instrument.



550



10  Making Article 16 TFEU Work: Analysis and Conclusions



Where the European Union uses its external competence, it acts under international law. The Court of Justice determines the limits of the Union’s external competence and of the primacy of international law in the EU legal order. It is the Court

itself that ultimately – and in last resort exclusively – interprets the Charter and,

more generally, EU law. Provisions of international agreements have direct effect

within the EU legal order, but subject to the nuance that international law cannot

have the effect of prejudicing the constitutional principles of the Treaties (the Kadi

case law).66

The qualification of DPAs as new branches of government also has institutional

consequences in the external domain. In the areas of their competence, the DPAs

represent the European Union externally. However, they must respect the consistency of external EU policy. The principle of sincere cooperation binds the DPAs,

but also commits the EU institutions to involve the DPAs where they take positions

in the external domain on policies touching upon privacy and data protection, for

instance in negotiations with third countries in this area, conducted according to the

procedure of Article 218 TFEU. DPAs should not commit the European Union to

international obligations, but they are empowered to engage in enforcement

arrangements.

This brings us to the external strategies in the light of the constitutional safeguards under EU law. This book distinguishes three strategies for the European

Union operating in the external domain: a unilateral, a bilateral and a multilateral

strategy. The unilateral strategy basically means exporting the EU standards. The

bilateral strategy involves seeking arrangements with relevant, like-minded jurisdictions such as the US and, by doing so, building bridges between these jurisdictions.

The multilateral strategy aims at developing global standards.

These strategies should deal with the two types of issues mentioned above: conflicting jurisdictional claims and divergences in substantive law. Reconciling

­legitimacy and effectiveness means in relation to jurisdictional claims: ensuring

effective protection of individuals in the European Union and, at the same time, basing the legitimate claim of jurisdiction on the internet on a meaningful link with the

Union. Divergences in substantive laws could be addressed by allowing practical

arrangements with third countries and international organisations at an effective

level of protection, but not by lowering the legitimate level of protection of individuals in the European Union.



66



 Mainly, Joined cases C-402/05P and 415/05P, Kadi and Al Barakaat, EU:C:2008:461.



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

8 Cooperation as an Element of Control, with a Layered Structure of Cooperation Mechanisms

Tải bản đầy đủ ngay(0 tr)

×