Data protection authorities


EDRi welcomes the strengthened framework created by the Regulation for independent supervisory authorities, i.e. data protection authorities (DPAs). In order to effectively protect personal data, it is important to have competent, adequately resourced and independent supervisory authorities.

Currently there are excessive disparities between national DPAs and the Regulation must ensure that these differences are eliminated. The legal and technical resources available to DPAs need to be strengthened and equivalent resources need to be given to all DPAs. These resources need to be sufficient to enable DPAs to fulfil their role properly.

While the Regulation does represent a significant step forward, EDRi believes that the Regulation needs additional improvements to ensure that DPAs have sufficient powers and capacity to undertake their role effectively.

Transnational enforcement (Article 56)

Joint investigation is essential when dealing with EU transnational enforcement or with large-scale cases, i.e. involving big companies or when individual DPAs do not have enough resources to adequately deal with certain cases, due to their size or geographic spread. Joint investigation and strong cooperation would create a positive incentive to deal appropriately with large-scale, complex and/or multi-territorial cases. Such a procedure is also needed to ensure that smaller DPAs are not excessively burdened by cases where large companies fall under their jurisdiction. In addition, it would help to prevent the danger of forum shopping when it comes to the enforcement of the new data protection standards, i.e. choosing the place of establishment for the sake of being under the authority of a DPA that does not have the capacity to undertake large-scale investigations on its own.

EDRi therefore welcomes the provisions contained in Article 56 and recommends that the rights and respective obligations of DPAs in this context be further strengthened. In particular, the wording of Article 56(2) could be improved to the effect that DPAs from all Member States where there are data subjects likely to be affected by the processing operations in question are obliged to participate in joint investigative tasks or joint operations. This is, however, a significant logistical challenge and therefore it may be worth considering whether coordination of such investigative tasks or joint operations when at least half of all Member States are involved could be entrusted to the European Data Protection Board. Finally, it is essential that other DPAs are not only involved in the investigation process but are also consulted when it comes to the final decision being made by the host supervisory authority. An appeal procedure involving the European Data Protection Board should also be introduced if other DPAs involved in the process of investigation question the final decision made by the host supervisory authority.

It is also worth considering the possibility of entrusting both investigatory and decision-making powers to the European Data Protection Board (or equivalent central body) when it comes to dealing with transnational corporations that operate in the whole (or most) of the EU.

Regardless of how this is achieved, the practical effect of Article 56 of the Regulation must be effective enforcement in cases of cross-border or pan-European data processing.

Independence

In accordance with the EU Charter of Fundamental Rights (article 8), the enforcement of data protection laws should be supervised by an independent authority. Independence of DPAs cannot be assured if these authorities are susceptible to political pressure.

The principle of independence of DPAs was nominally imposed by Directive 95/46/EC, which requires DPAs to act fully independently. Section 28(1) of Directive 95/46/EC states that DPAs “shall act with complete independence in exercising the functions entrusted to them”.

On 9 March 2010, the ECJ ruled that ‘complete independence’ means that DPAs may not be subject to state oversight or scrutiny. They must be ‘free from any external influence’. The court also stated that any directions or any other external influence, whether direct or indirect, which could call into question the performance by those authorities consisting of establishing a fair balance between the protection of the right to private life and the free movement of personal data must be avoided (paragraph 30 of the judgement). Also, the risk that other authorities could exercise a political influence over the decisions of the supervisory authorities is enough to hinder the latter authorities’ independent performance of their tasks (paragraph 36 of the judgement) and thus not consistent with the requirement of independence.

Chapter VI of the draft Regulation states in section 47 that DPAs shall act in complete independence. However, section 48(1) leaves open the possibility for appointment of DPAs by the government. In EDRi’s opinion this does not ensure full independence as it leaves the door open to political pressure being exerted on DPAs. From the perspective of ensuring full political independence of DPAs, it would be advisable to introduce an explicit clause in the Regulation that would forbid the appointment of members of the supervisory authority by the government. National parliaments should be the only political bodies allowed to appoint DPAs due to their representative nature. There is also one procedure that could be recommended for selecting the candidates for this position (i.e. before the election), namely the system of academic (or scientific) recommendations. In this system the candidates running for the position of a member of a supervisory authority are nominated by supervisory or scientific boards of all academic institutions that can confer the degree of professor of law. This or a similar system would increase the independence of DPAs even more.

The consistency mechanism, introduced in section 2 of chapter VII, gives a lot of power to the Commission in individual cases. According to article 59, the Commission may adopt, in order to ensure correct and consistent application of this Regulation, an opinion in relation to matters raised pursuant to the consistency mechanism. While EDRi acknowledges that the mere competence to issue an opinion does not limit independence of the DPAs, we are very concerned with the potential implications of article 59(2), which states that: “where the Commission has adopted an opinion in accordance with paragraph 1, the supervisory authority concerned shall take utmost account of the Commission’s opinion and inform the Commission and the European Data Protection Board whether it intends to maintain or amend its draft measure.”

This provision clearly aims at placing the Commission at the same level as the European Data Protection Board, when it comes to the level of legal authority and gives the Commission the power to exert significant pressure on DPAs to comply with its recommendations. In order to limit political influence on DPAs, EDRi recommends that article 59(2) be deleted or rephrased to the effect that opinions issued by the Commission are treated in the same way as any other opinions received by DPAs in the course of their work. The only body that might be endowed with a power to issue semi-binding opinions in given cases is the European Data Protection Board.

Resources

Financial resources, capacity and skills are necessary to assure the efficiency of the independent supervisory authorities. These resources should include sufficient technical expertise and equipment to ensure that full audits of data processors and controllers are possible. Since data processing is inherently connected to the use of digital and other technologies, it is essential that DPAs be endowed with strong and competent technical departments. Moreover, their budget should allow for recruitment of high quality specialists with skills and experience necessary to perform audits in cutting-edge technological companies. Having these prerequisites for effective operation of DPAs in mind, EDRi recommends that an additional clause be added in chapter VI section 1 that will explicitly require that the supervisory authority be endowed with a technical department of an adequate size and adequate standard of technical competence.

We suggest adding a provision specifically referring to adequate technical skills of staff the following sentence to the end of Recital 94.

Accountability

EDRi welcomes the right to a judicial remedy against a supervisory authority stated in Article 74. However, it is difficult to imagine the efficiency or even likelihood of the scenario foreseen in Article 74(4), where DPAs are prosecuted by other DPAs.

EDRi would prefer to see the problem approached through some systematic methods, such as reporting or an ombudsman system.

European Data Protection Board – Term of office

Article 69 of the Regulation provides that the European Data Protection Board shall elect a chair and two deputy chairpersons from amongst its members and that their term of office shall be five years and be renewable. In EDRi’s opinion, this provision should be reconsidered on the basis of what terms of office of DPAs prevail in the EU. It seems very likely that not all the Member States have DPAs elected for at least five years. The five year long term of service will become even more problematic if the election process held by the European Data Protection Board does not coincide with the start of the term of a given DPA. Therefore, in our opinion, the term of service of the chair and two deputy chairpersons in the European Data Protection Board should be limited by their term of service as national DPAs.


The launch and upkeep (until December 31, 2013) of this website received financial support from the EU's Fundamental Rights and Citizenship Programme.