EU Sanctioning Powers and Data Protection: New Tools for Ensuring the Effectiveness of the GDPR in the Spirit of Cooperative Federalism

Paul De Hert*

ABSTRACT: The Chapter deals with the use of sanctioning powers in the context of EU data protection law and reflects on the thorny relationship between different typologies of sanctions (criminal and administrative) in the light of the new administrative sanctioning powers of the Data Protection Authorities. The analysis starts from a short historical presentation of the EU (secondary) laws dealing with data protection and then looks at changes to EU primary law brought about by the Treaty of Lisbon with an explicit imperative to improve EU data protection. The core of the analysis discusses the system of remedies in the GDPR and some examples of recent sanctioning practices by the national DPAs. The analysis is followed by three more reflective sections about supervisory convergence without creating new EU institutions, the administrative enforcement fray and defence rights and the role of criminal law in EU data protection law. The chapter also offers some guidance observations about the operationalisation of the threefold system of enforcement set up by EU data protection law.

KEYWORDS: sanctions - administrative law - criminal law - data protection - GDPR - supervisory authority

SUMMARY: 14.1. Introduction: the enforcement of EU data protection relies on a criminal justice model, a civil justice model, and an enforcement agency model. - 14.2. EU secondary laws on data protection. - 14.3. EU primary law provisions on data protection and the imperative to improve EU data protection. - 14.4. Independent and effective data protection authorities (DPAs) and the GDPR. - 14.5. Responsibilities, tasks and powers of DPAs (Articles 57-58-59 GDPR). - 14.6. European and trans-border tasks and cooperation between DPAs (one-stop-shop and EDPB). - 14.7. Remedies. - 14.8. Overview of recent sanctioning practices. - 14.9. Creating supervisory convergence without creating new EU institutions (reflection 1). - 14.10. The administrative enforcement fray and defence rights (reflection 2). - 14.11. The role of criminal law in EU data protection law (reflection 3). - 14.12. Conclusion: boost in administrative enforcement partly on cooperative federalist arrangements with open questions about how the GDPR will be put into practice.

* Professor at the Vrije Universiteit Brussels (VUB-LSTS). Associated-Professor at Tilburg University (TILT). Coordinator of the EU project “Supporting Training Activities on the Data Protection Reform” (STAR), http://www.project-star.eu/ The author would like to thank Sara Roda for her help.

Introduction: the enforcement of EU data protection relies on a criminal justice model, a civil justice model, and an enforcement agency model

Very much like EU equality and non-discrimination law,[1] EU data protection law proposes a mixture of remedies provided by civil, administrative or criminal law. In 2013, under the regime of the 1995 Data Protection Directive (below), the European Union Fundamental Rights Agency (FRA) found with regard to data protection that “in almost all member states criminal sanctions can be imposed, in the form of a fine or imprisonment.” Some states (e.g. the UK and the Netherlands) only criminalized some data protection wrongs and mainly used civil law or administrative sanctions, others opted for an extensive set of data protection crimes. Some countries like Belgium in that period exclusively opted for criminal law.

The 1995 Directive left the choice of the enforcement regime to the discretion of the Member States. This explains why in Italy the remedial system relies mainly on administrative sanctions, while the criminal path was favoured in Belgium. This also explains why most, but not all Member States, on the basis of the Directive mandated national agencies (‘Data Protection Authorities’) to sanction data protection violations with administrative fines and entrusted them with investigatory powers.

Most Member State laws, again like most non-discrimination laws, emphasized in one way or another the use of civil remedies. Civil court procedures are not as much about the erosion of the social fabric, but deal with the dignity of the victim, and are aimed at bringing data protection violations to an end, restoring the status quo ante and ensuring compensation and damages for harm incurred as well as for future loss of earnings.

In the past years the EU, based on the Lisbon acquis, has implemented an impressive reform of its data protection laws. It has amended the foregoing enforcement system, without fundamentally altering its three building blocks: a criminal justice model, a civil justice model, and an enforcement agency model. Citizens can still have some of their data protection complaints treated under criminal law. They can still bring cases before civil law courts or rely on what McCrudden calls the enforcement agency model - individual grievances are remedied with the assistance of a specialised body that has investigatory powers in assisting victims of data protection infringements.[2] New is the requirement in EU law that all Member States equally empower their Data Protection Authorities to impose administrative fines.

In the following we will mainly deal with the use of sanctioning powers in the context of EU data protection law and reflect on the thorny relationship between different typologies of sanctions (criminal and administrative) in the light of the new administrative sanctioning powers of the Data Protection Authorities. Rather than a conceptualization of the authorities as such, we intend to offer a conceptualization of the exercise of sanctioning powers by these authorities.

After a short historical presentation of the EU (secondary) laws dealing with data protection (section 1), we look at changes to EU primary law brought about by the Treaty of Lisbon with an explicit imperative to improve EU data protection (section 2). Both the EU Charter and the Treaty on the Functioning of the European Union require the presence of independent and effective data protection authorities (DPAs). We look at the relevant provision on these requirements in the 2016 General Data Protection Regulation or GDPR (section 3), followed by a brief discussion of the responsibilities, tasks and powers of DPAs (section 4) and their duties to cooperate at the European and international level (one-stop-shop and EDPB) (section 5).

We then turn to the core of the analysis, discussing the system of remedies in the GDPR (section 6) and some examples of recent sanctioning practices by the national DPAs (section 7). The analysis is followed by three more reflective sections about supervisory convergence without creating new EU institutions (section 8), the administrative enforcement fray and defence rights (section 9) and the role of criminal law in EU data protection law (section 10). The chapter is followed by conclusions and some guidance observations about the operationalisation of the threefold system of enforcement set up by EU data protection law.

  • [1] R. Iordache, I. Ionescu, ‘Discrimination and its Sanctions - Symbolic vs. Effective Remedies in European Anti-discrimination Law’, (2014) 19 European Anti-discrimination Law Review, 11; A. Galetta, P. De Hert, ‘The Proceduralisation of Data Protection Remedies under EU Data Protection Law: Towards a More Effective and Data Subject-Oriented Remedial System?’, (2015) 8 Review of European Administrative Law (REALaw) 125, 132-134. 2 European Union Agency for Fundamental Rights, Access to data protection remedies in EU member states, Publications Office of the European Union, Luxembourg, 2013, 7. http://fra.europa.eu/en/publication/2014/access-data-protection-remedies-eu-member-states; the FRA added that “[s]anctions that data protection authorities are empowered to impose differ between member states. [...] The duration of a sentence and the amount of a fine also vary across member states” (Ibidem, p. 7). 3 If a country opts for criminal law sanctions, these are almost always to be found in the respective data protection acts, with the exception of France. A 1992 French law moved the sanctions of the 1978 general data protection law to the criminal code, more particularly to a section on “Des atteintes aux droits de la personne résultant des fichiers ou des traitements informatiques”. 4 Compare Iordache, Ionescu, supra note 1, 12 & 14.
  • [2] C. McCrudden, ‘National Legal Remedies for Racial Inequality’, in S. Fredman, P. Alstone (eds) Discrimination and Human Rights: The Case of Racism (Oxford University Press, 2001), 253-259. Compare L. Farkas, ‘Collective actions under European anti-discrimination law’, (2014) 19 European Anti-discrimination Law Review, 25.