
Independent and effective data protection authorities (DPAs) and the GDPR

The GDPR is a long legal act (173 recitals and 99 articles), and almost half of it focuses on the independence, collaboration duties, tasks and powers of the data protection authorities. What are they?

Chapter VI (Articles 51-59) and Chapter VII (Articles 60-76) discuss respectively the general job description of DPAs and their collaboration in the EU context.

In line with the EU primary law provisions discussed above, the GDPR requires that each Member State provide for one or more independent public authorities responsible for monitoring the application of those rules, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (Article 51(1) GDPR). These authorities (DPAs) are independent public authorities that supervise the application of data protection law in the Member States. Each supervisory authority shall contribute to the consistent application of the GDPR. In order to exercise their power effectively, they have investigative and corrective powers. Where more than one authority is established in a Member State, that State shall designate the lead supervisory authority (Article 51(3) GDPR).

The GDPR distinguishes between the “members” and the staff working within these agencies. A DPA can be directed by one, two or more “members” and be tailored to the legal and organizational culture of a given Member State. Proper ‘staffing’ is required, with members who have the qualifications, experience and skills needed to make a DPA work. The choice and design of the DPA is left rather open in the GDPR and is partly a non-legal matter. Law has a lot to say on the “independence of DPAs” (see below), but there is so far little case law on the design and effectiveness of DPAs.[29]

Article 52 GDPR defines the idea of independence and should be read together with other related GDPR provisions that complement the main idea. What is needed is “complete independence” in performing tasks and exercising powers (Article 52(1) GDPR), which requires remaining free from external influence, whether direct or indirect, and neither seeking nor taking instructions from anybody (Article 52(2) GDPR); self-restraint on the part of the DPAs’ members (“refraining from actions incompatible with their duties and from incompatible occupations”) (Article 52(3) GDPR); and proper resources, with financial control that does not affect the DPA’s independence, and proper staffing, with staff who are appointed by the DPA itself (Article 52(4)-(6) GDPR). Article 53 GDPR adds further, more or less traditional, requirements about how to appoint members of DPAs, what conditions (integrity, experience and skills) they need to fulfil to be eligible, and what kind of legal basis is needed to organize dismissals and retirements.

All these elements read as a handbook chapter on protecting these agencies against authoritarian political interventions. For that, the GDPR drafters were able to fall back on important Court of Justice of the European Union (CJEU) judgments that defined and clarified the notion of independence already incorporated in the 1995 Directive.[1] With political developments towards more authoritarian types of governance within Europe, these provisions nicely anticipate all kinds of tricks to tame supervision and to reduce supervisory authorities to mere enforcers, cutting off their more political advocacy tasks.[31]

As we observed above, there is a lack of legal clarification of the effectiveness of DPAs. There is abundant case law by the CJEU on the notion of independence, but there is less on the more complex notion of effectiveness. This will be a challenge for the legal apparatus, but not an impossible one. We recall that both Article 13 ECHR and Article 47 of the Charter provide for a right to an effective (and not an “independent”) remedy.[52] From a human rights perspective, effectiveness is the key target of a remedy. Independence can contribute to effectiveness but does not equal it. American observers are critical of the many differences that persist in the organization of DPAs within Europe and rightly argue for more research on European privacy practices “on the ground”, to learn what works and what does not work within Europe.[55] This kind of literature is now being produced within Europe,[54] and will undoubtedly benefit from case law on the matter and from self-reporting by DPAs about their performance.

Vranaki emphasizes the complex nature of some of the investigations and controls by DPAs, which often involve different co-operative relationships between various actors.[55] She opposes an understanding of the regulatory roles of EU DPAs solely in terms of a “top-down” exercise of authority by the EU DPAs over the data controller. A dominant focus on the enforcement powers of DPAs blinds us to the broader, multifaceted and non-normative roles played by DPAs. Looking at concrete relationships between DPAs and other actors with a broad understanding of possible compliance attitudes and regulatory enforcement styles (beyond the “punish” or “persuade” categories), Vranaki points at different co-operative relationships between all the various actors, with the DPAs mixing deterrence and persuasion depending on factors such as compliance attitude and the technological complexity of carrying out the investigation.[2] These entanglements and the interactivity observed in the practice of data protection law enforcement explain why actors are required to talk with each other or discuss actions and controls together, and why the picture of top-down DPA enforcement is far from accurate.[56] The GDPR is in fact a product of this development and proposes not only sanctions but also facilitative instruments, and foresees interactions between diverse stakeholders, such as lawmakers, EU DPAs, the European Data Protection Board (EDPB), the European Commission, data controllers, data processors and quasi-regulators (e.g. third-party certification bodies).[57] For Asma Vranaki, effective enforcement will depend on the regulatory relationship management of the parties involved, with the DPAs picking the right enforcement style and with the firms working harder on their relationships with the EU DPAs.[58]

Hijmans develops a framework for understanding the effectiveness of DPAs.[59] He acknowledges that no cases have been brought before the CJEU focusing on this requirement and labels effectiveness as “not an obligation that, under current law, can easily be quantified or challenged in legal proceedings”,[3] not only because DPAs are free to set their own agendas, but also because it is for the Member States, not the EU, to ensure that they are provided with adequate resources, and because accountability requirements about their effectiveness might endanger their independence in the long run. Overall, Hijmans’ tone is optimistic. The GDPR is designed to streamline these authorities, and a main element is the allocation of more effective sanctioning powers. These new powers, together with the detailed GDPR provisions on, for instance, proper staffing and activity reports (Article 59 GDPR), will make some European controls (and possible case law) on the effectiveness of national DPAs possible. Moreover, various soft tools could enhance the effectiveness of DPAs without prejudice to their independence, Hijmans concludes, and he gives the following examples: peer reviews, impact assessments and engaging with external experts.

In the next section we will discuss the long list of tasks for DPAs. Compared to the 1995 Directive this list has grown considerably (including more stringent ‘European tasks’), a fact that provoked a comment by the Belgian DPA questioning whether overtasking could affect the desired effectiveness of the national authorities.[44] The comment is straightforward and easy to understand. If we expect a DPA to deal with every single complaint of ‘its’ citizens, and thus to identify with its role as ombudsperson (= complaints handling), other roles and tasks might be jeopardized. A lack of clear choices or, on the contrary, clear choices against, for example, the ombudsperson role (in order to concentrate on other tasks, such as shaping policy), might backfire on a DPA in terms of public perception.[3]

  • [1] 2 See C-518/07 Commission v. Germany, ECLI:EU:C:2010:125 (violation of the requirement of independence by making the authorities responsible for monitoring personal data processing outside the public sector in the different Länder subject to State oversight); C-614/10 Commission v. Austria, ECLI:EU:C:2012:631 (violation of the requirement of independence by integrating the DPA within the departments of the Federal Chancellery, and placing DPA staff under the authority of the Federal Chancellery and subject to its supervision); C-288/12 Commission v. Hungary, ECLI:EU:C:2014:237 (violation of the requirement of independence by prematurely ending the term of a member of the DPA); C-362/14 Schrems v. Data Protection Commissioner, ECLI:EU:C:2015:650 (adequacy decisions by the Commission bind Member States but cannot eliminate or reduce the powers of the DPAs accorded by Article 8(3) of the CFR). For a short discussion see L. Laudati, Summaries of EU Court Decisions Relating to Data Protection 2000-2015 (Olaf Publishing, 2016) 51-53, 59; Hijmans, supra note 23, pp. 354-360; Jori, supra note 26, 137-139; Galetta, De Hert, supra note 1, 132-134. 3 Galetta, De Hert, supra note 1, 133-143.
  • [2] See for an analysis of the Schrems and Leander judgments, and a short reflection about Article 13 ECHR, P. De Hert, J. Sajfert, ‘The role of the data protection authorities in supervising police and criminal justice authorities processing personal data’, in C. Briere, A. Weyembergh (eds), The Needed Balances in EU Criminal Law: Past, Present and Future (Hart, 2018), 243-255, 252-253. 2 K.A. Bamberger, D.K. Mulligan, ‘Privacy in Europe: Initial Data on Governance Choices and Corporate Practices’, (2013) 81 George Washington Law Review, 1529. 3 See C. Raab, I. Szekely, ‘Data Protection Authorities and Information Technology’, (2017) 33 Computer Law & Security Review, 421-433; F. Bieker, ‘Enforcing Data Protection Law - the Role of the Supervisory Authorities in Theory and Practice’, in A. Lehmann, D. Whitehouse, S. Fischer-Hübner, L. Fritsch, C. Raab (eds.), Privacy and Identity Management: Facing up to Next Steps (Springer, 2017), 125-139; D. Barnard-Wills, ‘The Technology Foresight Activities of European Union Data Protection Authorities’, (2017) Technological Forecasting and Societal Change 116; A. Vranaki, ‘Social Networking Site Regulation: Facebook, Online Behavioral Advertising, Power and Data Protection Laws’, (2017) 43 Rutgers Computer & Technology Law Journal 169; A. Vranaki, ‘Learning Lessons from Cloud Investigations in Europe: Bargaining Enforcement and Multiple Centers of Regulation in Data Protection’, (2016) 2 Journal of Law, Technology and Policy 245-275; A. Vranaki, ‘Cloud Investigations by European Data Protection Authorities: An Empirical Account’ in J.A. Rothchild (ed.), Research Handbook on Electronic Commerce Law (Edward Elgar, 2016), 518-544; P. De Hert, D. Kloza, P. Makowski (eds), Enforcing Privacy: Lessons from Current Implementations and Perspectives for the Future (Wydawnictwo Sejmowe, 2015), 146. 4 Vranaki, Cloud Investigations, supra note 34.
  • [3] 56 See on the horizontal style of supervision, focusing on cooperation with the supervisee and the risks that engaging in a dialogue with the private sector may complicate enforcement in the event of a later - alleged - breach of data protection law, Hijmans, supra note 23, 337-338 with ref. to A. Ottow, Market & Competition Authorities, Good Agency Principles (Oxford, 2015), 164. 57 A. Vranaki, ‘Smart Regulation and the General Data Protection Regulation’, (2016) Computers & Law, 9-11. 58 Ibidem, 11. 59 Hijmans, supra note 23, 365-374. 2 Ibidem, 370. 3 See section 7. 4 About the very positive image the UK DPA was able to present via its activity report, see ‘ICO Publishes First Annual Report Since GDPR’s Implementation’, posted on 18 July 2019, https://www.huntonprivacyblog.com/2019/07/18/ico-publishes-first-annual-report-since-gdprs-implementation/#more-17750.
 