Independent and effective data protection authorities (DPAs) and the GDPR
The GDPR is a long legal act (173 recitals and 99 articles), and almost half of it focuses on the independence, collaboration duties, tasks and powers of the data protection authorities. What are they?
Chapter VI (Articles 51-59) and Chapter VII (Articles 60-76) discuss, respectively, the general job description of DPAs and their collaboration in the EU context.
In line with the EU primary law provisions discussed above, the GDPR requires that each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of those rules to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (Article 51(1) GDPR). These authorities (DPAs) are independent public authorities that supervise the application of data protection law in the Member States. Each supervisory authority shall contribute to the consistent application of the GDPR. In order to exercise their power in an effective way, they have investigative and corrective powers. Where more than one authority is established in a State, this State shall designate the lead supervisory authority (Article 51(3) GDPR).
The GDPR distinguishes between the “members” and the staff working within these agencies. A DPA can be directed by one, two or more “members” and be tailored to the legal and organizational culture of a given Member State. What is required is proper ‘staffing’ and members with the qualifications, experience and skills needed to make a DPA work. The choice and design of the DPA is left rather open in the GDPR and is partly a non-legal matter. The law has a lot to say on the “independence of DPAs” (see below), but there is so far little case law on the design and effectiveness of DPAs.29
Article 52 GDPR defines the idea of independence and should be read together with other related GDPR provisions that complement the main idea. What is needed is “complete independence” in performing tasks and exercising powers (Article 52(1) GDPR), which requires remaining free from external influence, whether direct or indirect, and not seeking or taking instructions from anybody (Article 52(2) GDPR); self-restraint from the DPAs’ members (“refraining from actions incompatible with their duties and incompatible occupations”) (Article 52(3) GDPR); proper resources, with financial control that does not affect its independence, and proper staffing, with a staff that needs to be self-appointed (Article 52(4-6) GDPR). Article 53 GDPR adds further, more or less traditional, requirements about how to appoint members of DPAs, what conditions (integrity, experience and skills) they need to fulfill to be eligible, and what kind of legal basis is needed to organize dismissals and retirements.
All these elements read as a handbook chapter on protecting these agencies against authoritarian political interventions. For that, the GDPR drafters were able to fall back on important Court of Justice of the European Union (CJEU) judgements that defined and clarified the notion of independence already incorporated in the 1995 Directive. With political developments towards more authoritarian types of governance within Europe, these provisions nicely anticipate all kinds of tricks to tame supervision and to reduce supervisory authorities to mere enforcers, cutting off their more political advocacy tasks.31
As we observed above, there is a lack of legal clarification of the effectiveness of DPAs. There is abundant case law by the CJEU on the notion of independence, but there is less on the more complex notion of effectiveness. This will be a challenge for the legal apparatus, but not an impossible one. We recall that both Article 13 ECHR and Article 47 Charter provide for a right to an effective (and not “independent”) remedy.52 From a human rights perspective, effectiveness is the key target of a remedy. Independence can contribute to effectiveness but does not equal it. American observers are critical of the many differences that persist in the organization of DPAs within Europe and rightly argue for more research on European privacy practices “on the ground” to learn from what works and what does not work within Europe.55 This kind of literature is now being produced within Europe,54 and will undoubtedly benefit from case law on the matter and self-reporting by DPAs about their performance.
Vranaki emphasizes the complex nature of some of the investigations and controls by DPAs, which often involve different co-operative relationships between various actors.55 She opposes an understanding of the regulatory roles of EU DPAs solely in terms of a “top-down” exercise of authority by the EU DPAs over the data controller. A dominant focus on the enforcement powers of DPAs blinds us to the broader, multifaceted, and non-normative roles played by DPAs. Looking at concrete relationships between DPAs and other actors with a broad understanding of possible compliance attitudes and regulatory enforcement styles (beyond “punish” or “persuade” categories), Vranaki points at different co-operative relationships between all the various actors, with the DPAs mixing deterrence and persuasion depending on factors such as compliance attitude and the technological complexities of carrying out the investigation. These entanglements and the interactivity observed in the practice of data protection law enforcement explain why actors are required to talk with each other or discuss actions and controls together, and why the picture of top-down DPA enforcement is far from accurate.56 The GDPR is in fact a product of this development and proposes not only sanctions, but also facilitative instruments, and foresees interactions between diverse stakeholders, such as lawmakers, EU DPAs, the European Data Protection Board (EDPB), the European Commission, data controllers, data processors, and quasi-regulators (e.g. third-party certification bodies).57 For Asma Vranaki, effective enforcement will depend on the regulatory relationship management of the parties involved, with the DPAs picking the right enforcement style and with the firms working harder on their relationships with the EU DPAs.58
Hijmans develops a framework for understanding the effectiveness of DPAs.59 He acknowledges that no cases have been brought before the CJEU focusing on this requirement and labels effectiveness as “not an obligation that, under current law, can easily be quantified or challenged in legal proceedings”, not only because DPAs are free to set their own agendas, but also because it is for the Member States, not the EU, to ensure that they are provided with adequate resources, and because accountability requirements about their effectiveness might endanger their independence in the long run. Overall, Hijmans’ tone is optimistic. The GDPR is designed to streamline these authorities, and a main element is to allocate more effective sanctioning powers. These new powers, together with the detailed GDPR provisions on, for instance, proper staffing and activity reports (Article 59 GDPR), will make some European controls (and possible case law) on the effectiveness of national DPAs possible. Moreover, various soft tools could enhance the effectiveness of DPAs without prejudice to their independence, Hijmans concludes, and gives the following examples: peer reviews, impact assessments or engaging with external experts.
In a following section we will discuss the long list of tasks for DPAs. Compared to the 1995 Directive, this list has grown considerably (including more stringent ‘European tasks’), a fact that provoked a comment by the Belgian DPA on whether overtasking could affect the desired effectiveness of the national authorities.44 The comment is straightforward and easy to understand. If we expect a DPA to deal with every single complaint of ‘its’ citizens, and thus to identify with its role as ombudsperson (i.e. complaints handling), other roles and tasks might be jeopardized. A lack of clear choices or, on the contrary, clear choices against, for example, the ombudsperson role (in order to concentrate on other tasks, such as shaping policy), might backfire on a DPA in the public's perception.3