Desktop version

Home arrow Law

  • Increase font
  • Decrease font


<<   CONTENTS   >>

: Creating supervisory convergence without creating new EU institutions (reflection 1)

Data processing today is often a trans-border activity. Territoriality concepts and proximity of ‘your’ DPA are pleasant consumer-friendly features, but they cannot hide the trans-border reality behind data flows and e-commerce. The GDPR serves not only fundamental rights protection, but also “the accomplishment of an economic union, convergence of the economies within the internal market, and free flow of personal data between Member States” (Recitals 2 and 3 GDPR). With this in mind, the proposal from the Belgian DPA to create a single European Data Protection Authority that would handle trans-/international issues at European level without interfering with the work and internal organization of the DP As in Member States, makes some sense and is respectful of the principle of subsidiarity: “multinational and transnational” data processing operations (data processing operations that are carried out in a similar manner across borders of Member States or carried out by a single controller in different Member States) can be isolated and deserve a harmonized European set of rules at the highest level.

The proposal did not find much support and does not fit the more general trends within the EU regarding sanctioning administrative law. The trend is currently towards a system of rather detailed EU laws imposing administrative sanctions to be enforced by Member States with the purpose of levelling the “playing field” amongst national authorities and fostering supervisory convergence without creating new institutions.[1] This trend first occurred in sectors with a strong global urgency. Mateo highlights sectors such as financial markets and securities market after the 2008 bank-crisis, but also mentions in a footnote the GDPR, that was partly the outcome of the Snowden surveillance revelations.

In both areas, a policy was gradualy developed with more harmonization of sanctions but with a reliance on national authorities to enforce them. This experimentally developed system of “cooperative federalism” could be rolled out further in the future if it proves its value. If not, further centralization, “neither possible nor desirable at this stage”, could be expected in future years with a sort of single supervisory mechanism at the European level.

Note that, in principle, several different supervisory models can be selected at European level, but in the case of data protection this will require some gymnastics around Article 16 TFEU and Article 8 of the Charter, which both impose national authorities and, hence, seem to anchor firmly the supervisory model of a network of supervisors.

The current success of cooperative federalism and its network idea of this governance model has also to do with its avoidance of more centralization. It needs to be understood in the light of struggles between “Brussels” and the Member States and has the capacity of addressing irritations from Eurosceptics. Moreover, there are technical and pragmatic reasons for its success. Creating independent EU structures might be contrary to the Meroni and Romano case-law, restricting the delegation of powers to avoid a weakening of the European Commission’s powers. This is avoided by setting up in different areas of EU law networks of supervisors, made up of different independent national authorities, coordinated by a Union body, also endowed with a statute of independence.

This flexible model of network supervisors (from the perspective of the delicate political power balances between EU and Member States) has one obvious weakness: “it may give rise to significant differences in the transposing provisions among Member States, so as to create genuine inequality in identical substantive community laws, for which disciplinary measures play an instrumental role”.[2] Mateo rightly emphasizes how this confrontation with inequalities triggered a development towards stronger harmonization (even unification) of sanctioning systems. This will be discussed in a next section.

  • [1] F. Pascua Mateo, ‘Harmonising National Sanctioning Administrative law: An Alternative to a Single Capital-Markets Supervisor’, (2018) 24 European Law Journal 321-348. 2 Ibidem. 3 Ibidem. 4 M. Scholten, A. Ottow, 'Institutional Design of Enforcement in the EU: The Case of Financial Markets’, (2014) 10 Utrecht Law Review 80. 5 For a broader analysis of obstacles in EU primary law for creating a single EU supervisory system, see Pascua Mateo, supra note 69, 334. 6 More in detail, Pascua Mateo, supra note 69, 326. However, the Court of Justice interpreted the Meroni conditions very generously in the ESMA case (C-270/12). The issue is dealt with in Jacopo Alberti’s chapter in this book. 7 Ibidem, 326-327 (“In this way, the Union has been able to exercise an increasing intervention in the markets, whilst national supervisors have reinforced their role by reducing the regulatory arbitrage that entails the coordination of supervisory practices, as well as being double-hatted as internal supervisors and also enforcing EU laws in direct interaction with the European Commission. An additional advantage is the spread of knowledge about the different national situations that this governance by networks model provides for”). See also Pascua Mateo, supra note
  • [2] Pascua Mateo, supra note 69, 327-328. 2 Supra, section 14.8. 3 7ST. Seals, 'Google Fined $57M in Largest GDPR Slap Yet’, posted on 22 January 2019, https://threatpost.com/google-fine-privacy-gdpr/141055/. 4 See also T. Seals, 'GDPR: A Compliance Quagmire, for Now’, posted on 7 June 2018, https://threatpost.com/gdpr-a-compliance-quagmire-for-now/132644/. 5 E. Chivot, D. Castro, ‘GDPR Penalties Prove Why Compliance isn’t Enough. And Why Companies Need Clarity’, 8 May 2019, https://www.techdirt.com/articles/20190506/10401242147/gdpr-penalties-prove-why-compliance-isnt-enoughand-why-companies-need-clarity.shtml.
 
<<   CONTENTS   >>

Related topics