
PHAEDRA II

IMPROVING PRACTICAL AND HELPFUL CO-OPERATION BETWEEN DATA PROTECTION AUTHORITIES II phaedra-project.eu

A report on the PHAEDRA II blog

Deliverable D4.3 version 3 final

Cristina Pauner Jorge Viguri

Brussels – London – Warsaw – Castellón, January 2017


A report prepared for the European Commission’s Directorate-General for Justice and Consumers (DG JUST).

The PHAEDRA II (2015-2017) project is co-funded by the European Union under the Fundamental Rights and Citizenship Programme (JUST/2013/FRAC/AG/6068).

The contents of this deliverable are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Commission.

Cover image: ‘Privacy-padlock-hand-drawn-lined-paper-technology-DSC_8182’ by Matt Cornock, 2013; https://www.flickr.com/photos/mattcornock/24853992565/. Licensed under Creative Commons CC BY-NC 2.0.

Permanent link: http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA2_D43_final_20170113.pdf

Authors: Cristina Pauner (UJI), Jorge Viguri (UJI)

Internal reviewers: Dariusz Kloza (VUB-LSTS), Vagelis Papakonstantinou (VUB-LSTS)

Institutional members of the PHAEDRA II Consortium:
Vrije Universiteit Brussel (VUB), Research Group on Law, Science, Technology and Society (LSTS): Project Coordinator, vub.ac.be/LSTS
Trilateral Research Ltd. (TRI): Partner, trilateralresearch.com
Biuro Generalnego Inspektora Ochrony Danych Osobowych (GIODO): Partner, giodo.gov.pl
Universidad Jaume I (UJI): Partner, uji.es

version 3 final, 13 January 2017, 12:45 CEST


Table of Contents

Executive summary (p. 4)
List of abbreviations (p. 5)
1 Report on the PHAEDRA II blog (p. 6)
1.1 The PHAEDRA blog (p. 6)
2 Posts published (p. 8)
2.1 Weltimmo, Schrems and the reinforcement of cooperation between European data protection authorities (p. 8)
2.2 The challenge of enforcement in the proposal for a General Data Protection Regulation (p. 9)
2.3 CPDP panel on the role and powers of DPAs between CJEU & GDPR (p. 12)
2.4 Further food for thought on the role of DPAs in our European structures: some personal observations (p. 15)
2.5 PHAEDRA II second round-table event at the Spring Conference of European DPAs (p. 16)
2.6 Cooperation among EU DPAs: current status (2015-2016) (p. 19)
2.7 2017 the year of mutual assistance testing (p. 21)


Executive summary

The objective of Workstream 4 (WS4) of the PHAEDRA II project is to recommend measures for improving practical co-operation between DPAs based on the results of this and the previous workstreams. A sub-objective of this WS consists of the creation of a blog to complement the creation of the repository of DPA decisions.1 Both the repository and the blog are expected to deepen cooperation through sharing knowledge of what authorities from sister jurisdictions are doing and of how they have addressed certain issues. Some of the topics most frequently commented on in the Repository have been analysed in the PHAEDRA blog by different authors, all experts in the field of data protection, including the PHAEDRA project partners. In addition to these core issues, the blog has also become an important tool for providing information about activities developed by the project and the outputs of these events.

This report is divided into two sections. The objectives and characteristics of the blog are presented in Section 1. The full contents of the published posts are reproduced in Section 2.

1 See Pauner, Cristina and Jorge Viguri, Deliverable D4.2: A Report on a repository of European DPAs’ leading decisions with cross-border implications, London-Brussels-Warsaw-Castellón, January 2017. http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA2_D42_final_20170112.pdf


List of abbreviations

AEPD Agencia Española de Protección de Datos (Spanish Data Protection Authority)

APEP Asociación Profesional Española de Privacidad (Spanish Privacy Professional Association)

CJEU Court of Justice of the European Union

CPDP Computers Privacy and Data Protection

DPA Data Protection Authority

DPO Data Protection Officer

DPC Data Protection Commissioner

EC European Commission

EDPB European Data Protection Board

EDPS European Data Protection Supervisor

EU European Union

Eurojust The European Union's Judicial Cooperation Unit

GDPR General Data Protection Regulation

GPEN Global Privacy Enforcement Network

LAP London Action Plan

MoU Memorandum of Understanding

PEAs Privacy Enforcement Authorities

PCs Privacy Commissioners

SME Small and Medium Enterprise

WP29 Article 29 Data Protection Working Party

WS Workstream


1 Report on the PHAEDRA II blog

1.1 The PHAEDRA blog

The PHAEDRA blog was launched with the aim of disseminating some of the most relevant and up-to-date topics regarding cooperation between DPAs in Europe, and also as an initiative to complement the Repository of leading decisions in individual cases with cross-border implications. The blog has been running since December 2015 and the latest post was published in January 2017.

This blog provides a discussion forum consisting of different text entries (‘posts’) that aim to offer accessible information to the public at large about cooperation activities in the field of data protection. This communication tool may help to deepen and broaden the level of knowledge on these thematic issues and even foster debate among interested parties.

The blog must also be considered an open space for contributions. At the current stage, the quality of the inputs is guaranteed not only by the expertise of the collaborators but also by the internal review of the content before publishing. Finally, each post has been illustrated with a relevant artwork, predominantly available under a Creative Commons licence.

From a technical point of view, the blog is hosted on the PHAEDRA website (http://www.phaedra-project.eu) and it includes some common features of this type of website:
- Content is published in reverse chronological order,
- Content is updated regularly,
- Visitors have the possibility to leave comments about the articles,
- Content is syndicated via RSS feeds.

Regarding the contents, the entries of the blog focus on issues affecting cooperation among EU DPAs and complement the information provided by the Repository. In this sense, the blog sets out comments on some of the topics most discussed by the EU DPAs (challenges posed by the novelties in the GDPR, cross-border data transfers, the impact of the CJEU’s decisions on data protection, and others).

A short summary of each of the articles published follows below:

1. Weltimmo, Schrems and the reinforcement of cooperation between European data protection authorities (by Maciej Kawecki, GIODO and Dariusz Kloza, Vrije Universiteit Brussel). The authors have fully explored the consequences of both judgements that abruptly changed the landscape of cross-border data protection relationships.

2. The challenge of enforcement in the proposal for a General Data Protection Regulation (by Ricard Martínez, President of the Spanish Privacy Professional Association). The comment examines the model of enforcement followed in Spain for compliance with the data protection framework. The Spanish Data Protection Agency’s strategy is based on what the author calls the power of “enforcing fines”, and he presents the lessons learnt from this approach.

3. CPDP panel on the role and powers of DPAs between CJEU & GDPR (by David Barnard-Wills, Trilateral Research Ltd.). The participation of PHAEDRA partners in the CPDP with a round-table event was the occasion to attend other panels of major relevance for the project. During one of these talks, different experts discussed relevant topics such as the role and powers of EU data protection authorities (EU DPAs) in the particular context that exists between the CJEU decisions and the implementation of the General Data Protection Regulation (GDPR); an overview of the three most relevant CJEU cases (Google Spain v AEPD, Schrems v Data Protection Commissioner and the Weltimmo judgement); the increasing volume of text in EU regulation on data protection; some arguments on the expansion of DPA powers as a power struggle; the daily practical cooperation between DPAs; and the importance of a proper balance between the autonomy of the board and the independence of the DPAs.

4. Further food for thought on the role of DPAs in our European structures: some personal observations (by Hielke Hijmans, Vrije Universiteit Brussel). The author presents some reflections on how the new duties derived from the GDPR would add new dimensions to the DPAs’ roles and tasks. He focuses his comment on three questions: whether the essence of the DPA role is to serve the individual or the collective interest, the extension of the DPAs' enforcement task, and the degree of independence of the DPAs and its boundaries.

5. PHAEDRA II second round-table event at the Spring Conference of European DPAs (by David Barnard-Wills, Trilateral Research Ltd.). The post is devoted to the joint workshop held by PHAEDRA and the cooperation sub-group of the Article 29 Data Protection Working Party (WP29). The round-table offered an opportunity to identify synergies, to find ways for collaboration between both groups and to discuss two main topics in separate sessions. On the one hand, the presentation of the conclusions of the last deliverable from the project – a study on the lessons for co-operation between data protection supervisors that could be learnt by analogy with six other areas of cross-border regulatory cooperation and coordination provided for within the law of the EU – and, on the other hand, a session to discuss the room available to national lawmakers in the implementation of the now adopted General Data Protection Regulation, and the impacts upon national data protection and freedom of information norms.

6. Cooperation among EU DPAs: status during 2015-2016 (by Andrés Cuella Brenchat, University Jaume I). The post is an overview of the main findings of the repository regarding the cooperation activity among EU DPAs developed during the last two years.

7. 2017 the year of mutual assistance testing (by Jacek Saffell, specialist, Bureau of the Inspector General for Personal Data Protection, GIODO). This entry offers a critical assessment of the Guidelines created by the WP29 in order to prepare for the upcoming changes with the GDPR. The comment focuses on working paper 244, devoted to the guidelines for identifying a controller or processor’s lead supervisory authority, an issue that directly relates to DPA cooperation.

The posts published in the following section show that the provisions and practices governing cooperation between DPAs have been evolving under the effect of rulings and current actions of the supervisory authorities, and outline the central role that cooperation comes to play under the GDPR.


2 Posts published

2.1 Weltimmo, Schrems and the reinforcement of cooperation between European data protection authorities

Maciej Kawecki, Bureau of the Inspector General for Personal Data Protection, Poland

Dariusz Kloza, Vrije Universiteit Brussel, Belgium

December 2015

Photo 1: ‘Cranes in St. Helier’ by Søren Øxenhave via Flickr (CC BY-ND 2.0)

While the work on the General Data Protection Regulation slowly comes to an end, recently causing both self-reflection and worldwide heated debates on its prospects, there is no doubt two particular judgments of the Court of Justice of the European Union from October 2015 gained no less attention. Obviously we have in mind judgements in widely-debated Schrems and in yet-not-so-popular Weltimmo cases, whose influence on the regulation of personal data protection in Europe and beyond is unprecedented. This influence is at least twofold.

First, both judgments have abruptly changed the landscape of cross-border data protection relationships. In Schrems, the Court annulled the Commission’s Decision of 26 July 2000 on the adequacy of the protection provided by the safe harbour privacy principles. This has forced the majority of American data controllers, who had self-certified to the US Department of Commerce their adherence to these principles, to search for another premise for transfers of personal data, such as binding corporate rules, model contractual clauses or simply individual’s consent. In Weltimmo, the Court – ‘in construing the coordinates of human rights protection in the digital age’ (as Zanfir puts it) – has further extended the range of competences of national supervisory authorities. They are now authorised, so to speak, to exercise supervisory powers over even those data controllers and processors who do not fall into their territorial jurisdiction due to lack of a ‘registered office or branch’ therein, but exercise ‘through stable arrangements in the territory of that Member State, a real and effective activity’ (§41).

Second, although this will not be any obvious conclusion from reading the respective texts of these judgments, these two cases have reinforced cooperation between European data protection authorities. This development particularly interests the PHAEDRA project consortium.

I.

In Weltimmo, the Court made one of not-so-many such strong interpretations of Article 28(6) of Directive 95/46 (i.e. ‘supervisory authorities shall cooperate…’). The judges in Luxembourg argued that cooperation is ‘necessary in order to ensure the free flow of personal data in the European Union, whilst ensuring compliance with the rules aimed at protection of personal data of natural persons’ (§53) and even spoke about ‘the duty of cooperation laid down in Article 28(6)’ (§57; emphasis ours). But what struck our attention is that the Court not only made a distinction between investigative and adjudicative/enforcement jurisdictions (see the writings of Svantesson on this matter), but also reaffirmed that enforcement cooperation is an obligation. A supervisory authority ‘may exercise its investigative powers irrespective of the applicable law and before even knowing which national law is applicable to the processing in question’ (§57). However, in case ‘the law of another Member State is applicable, [the authority] […] must […] request the supervisory authority of that other Member State to establish an infringement of that law and to impose penalties if that law permits’ (§57; emphasis ours).

A reader would easily note the term ‘must’ was used in the context of the ‘duty of cooperation’. The fulfilment thereof, in the still-old regime of Directive 95/46, is rather problematic. The list of troubles is long, but one of the most pertinent is the absence of explicit and detailed legal provisions on cooperation at the European Union level or at a domestic one. Can supervisory authorities rely solely on Article 28(6)? This question should rather be rephrased as whether this provision had a vertical direct effect. Were it found unconditional, sufficiently clear and precise, its direct applicability could mean, inter alia, that an authority from one Member State must request its counterpart from another Member State to cooperate on a cross-border case and the latter must not refuse. (The Weltimmo decision tends to confirm so. The judgement concludes with a sentence that a supervisory authority ‘should […] request the supervisory authority within the Member State whose law is applicable to act’.) Or, speaking more bravely, a data subject might demand her supervisory authority to cooperate with the counterpart of the latter and none of them might refuse either.

II.

Few readers would disagree that the Schrems judgment does not concern any aspect of cooperation between supervisory authorities. Yet, its ramifications simply constitute another impeccable example of the need to cooperate between supervisory authorities on a “general” or “abstract” level. (While in Weltimmo we analysed enforcement cooperation, this does not exhaust the range of cooperation activities supervisory authorities may engage in.) After each important data protection judgement arriving from Luxembourg – be it Digital Rights Ireland, Costeja or Schrems – the necessity to develop a common position both on the forum of the Article 29 Working Party and by all and every supervisory authority forced them to act. Concerning the latest ruling, in its statement of 16 October 2015 the Working Party directly indicated ‘it is absolutely essential to have a robust, collective, and common position on the implementation of the judgment’ (emphasis ours). A reader would easily note a plea for more unity.

III.

Weltimmo and Schrems judgements are yet another set of decisions that have unprecedented consequences for the data protection landscape in Europe and beyond. The former case underlined both the significance of enforcement cooperation and the duty to cooperate between supervisory authorities. The consequences of the latter case once again forced these authorities to speak with one voice. In our opinion, both judgements reinforced cooperation mechanisms and pleaded towards their efficiency. Using the narrative of human rights, such efficiency is a means of practical and effective protection of personal data. What is now left on the agenda is to ensure efficiency of cooperation between supervisory authorities under the future regime of General Data Protection Regulation. Weltimmo and Schrems remain instructive here.

2.2 The challenge of enforcement in the proposal for a General Data Protection Regulation

Ricard Martínez, President of the Spanish Privacy Professional Association (APEP)

January 2016

Photo 2: Judge gavel and Euro banknotes (licensed via UJI).


The coming into effect of the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data will be a Copernican revolution for many data protection authorities. In many cases the actions of DPAs are focused on developing strategies for awareness and promotion of the fundamental right to data protection, the promotion of compliance through incentives to sectors and/or the publication of Guidelines. Although it is true that in many Member States, such as France or Great Britain, the powers of enforcement have been growing significantly, it is probably in Spain where such powers have reached their maximum in the whole of the European Union.

From this point of view, a reading of the future Regulation from the Spanish experience might prove rewarding.

The best-known feature of Spanish Data Protection Law (Organic Law 15/1999, 13 December) is the provision of fines of up to €600.000. This sanction regime is accompanied by powers of inspection and investigation since the DPA officials are considered a public authority in the execution of its powers.

The Spanish reality thus offers a measure of what can lead to a high level of enforcement. The figures offered by the Annual reports of the Spanish Agency of Data Protection can illustrate what the practical results of the deployment of their powers are. Since the power of "enforcing fines" affects the private sector, we will examine some comparative figures provided by the Annual report 2014 in this area.

First, a significant and repeated phenomenon is the persistence of very specific sectors in the top places among the entities sanctioned, both by number of procedures and the monetary value of the fines imposed.

ACTIVITY | 2012 | 2013 | 2014 | % RELATIVE | Δ % 2013/2014
Telecommunications | 289 | 317 | 270 | 32,65 | –14,83
Video surveillance | 276 | 176 | 158 | 19,11 | –10,23
Finance companies | 77 | 62 | 98 | 11,85 | 58,06
Electronic Commercial Communications – spam (LSSI) | 39 | 59 | 74 | 8,95 | 25,42
Supply and marketing of energy/water | 29 | 48 | 52 | 6,29 | 8,33
Internet services (except spam) | 39 | 44 | 50 | 6,05 | 13,64
Advertising and commercial prospection (except spam) | 10 | 29 | 30 | 3,63 | 3,45

The total amount of penalties imposed in the last decade has fluctuated between 15 and 20 million euros, with different oscillations.

 | 2012 | 2013 | 2014 | Δ % 2013/2014
TOTAL NUMBER OF SANCTIONS | 21.054.656,02 | 22.339.440 | 17.002.622 | –23,89

A very basic reading of this brief overview highlights some interesting phenomena. First of all, among these is that the fine does not necessarily act as a crucial deterrent. The Top-Five sectors are always the same. And this is probably produced by the volume of processing operations, and therefore, by the statistical risk of making a mistake or the ability to absorb the volume of infringements in the annual budget.


Whatever the cause of this constant, what we also learned in Spain is how a rigid disciplinary system in the fixation of the amounts of the fines, which does not take into account the economic situation of the offender or the profit made, generates asymmetries. Therefore, to limit the perverse effect on small and medium-sized enterprises the legislator had to refine the criteria for modulation of sanctions and provide a symbolic punishment of "warning" in the case of the first violation.

But as significant as the result of the action of the DPA has been the volume of complaints and procedures handled.

Year | A: Claim protection | B: Complaint | C: Dismissed | D: Withdrawal of cases | E: Infringement statements
2011² | 2.230 | 7.648 | 2.993 | 4.396 | 898
2012 | 2.193 | 8.594 | 4.756 | 6.461 | 896
2013 | 1.997 | 8.607 | 5.114 | 6.738 | 874
2014 | 2.099 | 10.074 | 5.692 | 7.571 | 872

In practice it can be seen that the volume of complaint procedures, which may lead to a fine, is constantly rising from year to year, increasing from 7.648 procedures in 2011 to 10.704 procedures in 2014. However, the statements of infringement remain constant at a magnitude that never exceeds 900.

Article 52 of the future Regulation attributes a wide range of competencies to the DPAs. The first among them attends to the enforcement (“monitor and enforce the application of this Regulation”). This is joined by dealing with complaints and the development of investigations and audits. The exercise of these powers must be made within a complex framework in which the determination of the responsible DPA (lead authority), co-operation between DPAs and the fixing of common criteria through the mechanisms of cooperation and consistency will be essential not only for the fundamental right to data protection, but also for the whole of the single market and the European digital economy.

This power of enforcement will be displayed with a sanctioning structure which includes fines of up to €20.000.000 or, in the case of an enterprise, up to 4% of its annual worldwide turnover. There is no doubt that these are clearly dissuasive quantities and they ensure that all sectors must align with the objectives of compliance.

But the lessons learned in Spain show that even this is not enough. In our experience every story about the imposition of a fine, or the simple knowledge of the annual volume of sanctions, attracts new complaints immediately. This constant increase saturates the work of the DPA and blocks its capabilities in practice. In this context, the temptation to raise the threshold of requirement to process a complaint can offer counterproductive results. One of them would be the systematic rejection of complaints to eliminate those of citizens whose skills and knowledge are limited and therefore present a poorly elaborated claim. Similarly, the high processing volume can certainly contribute to causing errors that generate lack of protection and, incredible as it may seem, the temptation to discard those cases that would have a pull effect.

For this reason, and always with the respect due to all the DPAs of the Member States, it is necessary to provide a space for further reflection. Positively, enforcement will be the best tool for the promotion of the fundamental right to data protection. In this regard the Regulation provides multiple possibilities of action.

Although the Regulation has blurred the figure of the Data Protection Officer, the promotion of this figure will certainly contribute to its deployment and avoid painful decisions. On the other hand, the implementation of Guidelines, the development of codes of conduct, the generalization and promotion of privacy by design and privacy impact assessment tools will be key strategies. The real success of the enforcement shall reside in the development of proactive and agreed strategies with the sectors and adding value to a "European privacy mark". The EU must promote Privacy in the European digital economy as a competitive advantage that may raise the confidence of the citizens. It is a challenge that is possible and affordable for the DPAs, and privacy professionals will contribute decisively to this goal.

2 On page 67, under the concept "According to the resolution" 4396 full resolutions are shown.


In my view, this state of affairs should force the consideration of the deployment of very specific actions both in the field of EU law and the Member States. And not only this, but also the consideration of strategies of cooperation between authorities.

Firstly, Member States should deploy the regulatory powers to design the figure of the DPO. It is not to impose a duty of having the DPO as a compulsory full time post. I propose a DPO of variable geometry which, at least in the case of the SME, develops his task in the deployment of treatments, in his review of the compliance audits. The presence of professionals would certainly help prevent breaches.

Secondly, the Spanish experience shows to what extent the application and modulation of sanctions can be a sensitive issue and one that requires a high degree of legal certainty. This is due both to the variability in the interpretation of the occurrence of any wrongdoing, even of the concurrence of various types in a same incident, as in the modulation of the administrative fine that is imposed. In a European context this can lead to two types of risks. One, the legal uncertainty for decision-makers when it comes to modulating their behaviour of compliance. Two, the possibility that a kind of "dumping penalties" arises, a situation in which institutions choose the territory of the more benevolent authority.

On the other hand, the discretionary application of sanctions to the Administration can have dangerous consequences because it may constitute a discrimination from a comparative point of view. Besides, it also means losing the effect of induced compliance due to public-private interactions in cases of outsourcing and administrative concession.

To redress these issues, it seems essential to consider the action of the DPAs at the local level. In this sense, the exercise of the corrective and advisory powers should be done with a more repairing function than sanctioning power. That is, its essential aim, at least in the first years of the new General Data Protection Regulation, should serve to promote the learning of the offenders aimed at improving compliance and rewarding proactive behaviour by applying the lowest scale of possible sanctions.

In addition, both the Commission and the European Data Protection Board should promote the use of the mechanisms for cooperation, consistency and mutual support for harmonizing the application of the penalties law throughout the territory of the European Union. In particular, the experience purchased in this matter could serve to promote two actions in the short and the medium term. First, to develop comparative analysis that can serve to promote the homogeneity of the sanctioning regime. Second and finally, to consider the chapter on enforcement as part of the Regulation that should be checked not less than five years after its entry into force by incorporating lessons learned.

2.3 CPDP panel on the role and powers of DPAs between CJEU & GDPR

David Barnard-Wills, Trilateral Research Ltd.

March 2016

Photo 3: ‘Light blue planet Earth against technology background’ (licensed via UJI).


Members of the PHAEDRA II project had the fortune to attend the Computers, Privacy and Data Protection (CPDP) conference in Brussels in January 2016. Whilst we were mainly there to conduct a PHAEDRA II roundtable event on cooperation between DPAs both within and outside the EU, and to present the findings from the project's first report, several panels and talks were relevant to the activities of the PHAEDRA II project.

We had the fortune to observe a panel organised by the University of Luxembourg and the National Commission for Data Protection (CNPD). The panel, chaired by Mark Cole from the University of Luxembourg and moderated by Andra Giurgiu of the Interdisciplinary Centre for Security, explored the role and powers of EU data protection authorities (EU DPAs) in the particular context that exists between the Court of Justice of the European Union decisions in the Weltimmo, Google Spain and Schrems cases and the implementation of the General Data Protection Regulation (GDPR), of which a consensus version now exists following the trilogue process.

Franziska Boehm (Karlsruhe Institute of Technology, and a member of PHAEDRA II's advisory board) gave an overview of the three CJEU cases, and in particular, the elements that applied to the powers of DPAs. Her argument was that these cases expanded the role of the DPAs.

In the Google Spain vs AEPD case, the court recognised that search engines process personal data and qualify as data controllers. This was seen as a wide application of EU law regarding the territorial scope of the directive: Google Spain is an establishment within the meaning of the DP directive. According to the court, if a data processor does not grant a data subject's request for deletion, the subject may bring the matter before the DPA, which must handle this like a normal complaint to a DPA and must check whether the refusal is valid. Additionally, Dr Boehm suggested that the judgement gave DPAs the task of developing codes of conduct together with the search engines, and that they would therefore need to find a way of cooperating. This is manifested in the Article 29 Working Party's guidelines on how to handle complaints concerning the right to be forgotten.

In the case of Schrems vs Data Protection Commissioner, the CJEU declared the Commission decision on the Safe Harbor agreement invalid and decided that DPAs have a role to play in this judgement. The existence of a Commission decision cannot eliminate or even reduce the powers of the DPAs. DPAs must independently examine whether a data transfer to a third country aligns with the requirements of the directive. Third, in the Weltimmo judgement the court responded to a request for a preliminary ruling from a Hungarian court on a dispute between a Slovak company and the Hungarian DPA. For Dr Boehm, the role of the DPA was described in a more detailed manner in this judgement. Hungarian law is applicable if there is an establishment in Hungary, but the court gave wide criteria for establishment: having stable arrangements and real and effective activity, a website in Hungarian, and activity (e.g. advertising) directed at that Member State. Sanctions of DPAs apply only within their territory, but they have a duty to cooperate with other DPAs. She concluded that the court really went into detail in adding to the tasks of the DPAs, with a wide understanding of establishment and duties to investigate and enforce (even if they have to cooperate with other DPAs). These cases are remarkable for the DPAs' tasks. They need to comply with these tasks and they will need the personnel resources to do that.

Bart Van der Sloot (IViR-UvA) spoke primarily about the increasing volume of text in EU regulation on data protection. He stated that early Council texts were really concise, but had most of the same rights in them as now. The proposed GDPR is enormous. Van der Sloot questioned whether this situation is really desirable and expressed concern about the ability of DPAs to enforce such a long and detailed text. He felt the increase is not in the core principles, but rather in the articles on enforcement of the principles (resolutions in the 1970s had no clauses on enforcement). He identified two main problems of enforcement: different levels of enforcement between countries, and between different countries internationally and the EU. He felt that we are seeing an increase in the EU claiming territorial application of its instruments, as part of an explicit power struggle. The Data Protection Directive focused on the controller's location, whilst under jurisprudence this has been widened to establishment; in the GDPR this is even wider, relating to the collection and processing of personal data of EU citizens regardless of location. On cooperation between DPAs, Van der Sloot spoke about how the 1981 Convention No. 108 had some clauses on cooperation, Directive 95/46/EC ignored it, but in the GDPR the tasks and powers are specified in a detailed manner.

Hielke Hijmans from the European Data Protection Supervisor argued against the concept of the expansion of DPA powers as a power struggle, arguing instead that the EU has a role to play because worldwide companies have to be adequately covered by regulation and that it doesn't make sense if every Member State makes its own decisions. Hijmans spoke about the key differences that the GDPR will make to the role of the DPA, particularly in relation to the one-stop-shop and the establishment of the European Data Protection Board. In his opinion, enforcement of the GDPR will be the key to its success, and in this case the GDPR puts in place a layered system of enforcement. This must lead to one decision in international cases, which will help against forum shopping. Strong enforcement also requires a good judicial redress mechanism, and Hijmans feels that the CJEU will play a bigger role in this. He also expected the emphasis of DPA work to change, becoming more European. He welcomed this shift because the internet cannot be regulated at a national level and it is good that the EU takes this subject on board and protects fundamental rights as recognised in the European Charter of Fundamental Rights. In his view, EU DPAs are no longer simply national authorities but organisations somewhere between the EU and national levels, with EU law deciding what they will do, including lots of tasks and duties and cooperation mechanisms. There are issues with this situation: DPAs remain national authorities, covered by national administrative law, so there may be two sets of law they need to comply with. In many EU countries, national administrative law says what organisations can and can't do, which may be overruled by the Regulation. He argued that there would need to be some further reflection on the role of the DPA, which would impact upon selection and prioritisation of its activity. Is the main role contributing towards a high level of privacy and data protection in European society, or are they an administrative body, an advocate, or a body for pre-judicial administrative review and individual remedy?

Georges Weiland from the National Commission for Data Protection, Luxembourg, spoke about practical cooperation between DPAs on a day-to-day basis. He spoke about how Luxembourg had received many cooperation requests and information requests, and that in 90% of the requests they were involved in they were the recipient of a request, given the number of international companies headquartered in the country. In this domain he identified an absence of detailed legal provision, but said that cooperation was still a very practical matter and that even based on experience and best practice 20 years after the Directive there are issues pending. These issues included an increasing number of cross-border complaints and cooperation requests, a limited number of staff, differences in expectations, language barriers, confidentiality issues, experience issues, duplication of efforts, administrative burden, and unsuccessful coordination efforts in the past. Citizens making cross-border complaints can sometimes invoke their own laws. Complaints may be forwarded by DPAs whilst at the same time failing to inform citizens of the applicable laws. He noted that they don't get too many requests from anybody other than their near neighbours, possibly based upon a lack of awareness of cross-border data processing or of the possibility of making a complaint. He also pointed out that Luxembourg applied strict criminal sanctions for confidentiality, placing some strong limitations upon the information that can be shared. Other EU DPAs have longer experience of complaints (Luxembourg is newish) and could not share common positions on other matters (e.g. monitoring of employees). Weiland expressed the opinion that it would have been helpful if these key judgements, detailed by Franziska Boehm, had come earlier in the lifespan of the 95/46/EC Directive.

He spoke about how the Article 29 Working Party cooperation subgroup was set up because of these issues, but that it now intends to work on implementation of cooperation with regard to the GDPR. This preparation includes organising workshops on specific topics, and looking into the creation of an electronic platform to share information. For Weiland, the GDPR resolves several issues. Under the Directive a company in several EU countries has to deal with several DPAs, creating uncertainty. For example, in the Google Street View case, DPAs faced the same technical issues but had very different responses. The PHAEDRA project examined the Google Street View case as one of eleven case studies of cooperation between DPAs. With the GDPR cooperation is a requirement. It establishes a new system of supervision for controllers and processors. One DPA, determined by main establishment, is responsible for legally binding decisions (one-stop-shop), and cooperation is required in practical terms. Weiland expects cooperation will increase, becoming routine and part of the daily work of DPAs. Further, increased cooperation will smooth interaction and create a culture over time. Data subjects and business will have increased expectations. For Weiland, the GDPR will also increase harmonisation and equivalent powers and roles, producing a single regime of data protection rather than 28 different sets of practices. He did still have some concerns. A spirit and attitude of cooperation might take some time to develop properly. Differences are not swept away and additional work is inevitable. He envisaged that the number of complaints is likely to increase, that the obligation to cooperate will also provide additional weight to requests for cooperation, that common approaches to complaint handling will need to be developed, and that joint operations will require the reassignment of staff and de-prioritise other activities. What counts as "necessary information" to be shared between DPAs still needs to be agreed, and some DPAs will still be bound by professional secrecy (particularly in audit and inspection functions). Whilst non-compliance with mutual assistance and joint operations can be reported to the EDPB, there is still uncertainty about how this will work in practice. There might be misuse of this mechanism. Weiland concluded by stating that it will be important in practice to achieve a balance between the autonomy of the board and the independence of the DPAs.

PHAEDRA II would like to congratulate the organisers on a content-rich and informative panel that touched on several issues of key importance. In particular, the practical issues raised by Georges Weiland, as well as the structural/political questions of "Europeanised" DPAs raised by Hielke Hijmans, are worthy of further policy attention by EU DPAs and the Article 29 Working Party, and will inform our work and our resulting recommendations.


2.4 Further food for thought on the role of DPAs in our European structures: some personal observations

Hielke Hijmans, VUB-LSTS

April 2016

Photo 4: ‘Big Brother of London’ by Carlos ZGZ, 2008 via Flickr (public domain)

The PHAEDRA project focuses on the cooperation of DPAs, a highly topical subject, if only because the GDPR will significantly change and intensify the nature of this cooperation. Presently, the cooperation is based on some general notions of cooperation, laid down in Article 28 (6) of Directive 95/46. DPAs should help each other, when requested. An earlier blog post on this website quoted the Weltimmo case, where the Court (in para 57) mentioned more or less in passing a duty to cooperate. It is not evident to deduce from this mere statement of the Court the precise extent of the need for cooperation. Is this a legal obligation, binding the DPAs? It is even less evident what such a legal obligation would entail and how this should be reconciled with the position of a DPA within the national jurisdictions, as national authorities ensuring control within national territory.

Under the GDPR, this situation will change, with the applicability of the one stop shop mechanism and the consistency mechanism. These new mechanisms are widely discussed. However, in the debate, there is less attention to the new Article 46 (2) of the GDPR, which stipulates that a "supervisory authority shall contribute to the consistent application of this Regulation throughout the Union." Article 46 (2) gives the DPAs a European responsibility, exceeding their basic task of ensuring control in the national jurisdiction.

This duty adds a new dimension to the wide variety of duties the DPAs already have and which are not always easy to reconcile. An authoritative source is Bennett & Raab’s ‘Governance of Privacy’, which qualifies DPAs as ombudsmen, auditors, consultants, educators, negotiators, policy advisers and enforcers. In my doctoral thesis, I distinguished DPAs' roles varying from policy-oriented tasks, such as advising on new laws and policies, to quasi-judicial functions, such as deciding on individual complaints (in section 7.4). The position the DPA took in its advisory role should in principle not influence a decision about compliance with the same law, after its adoption. However, one can imagine a potential conflict of roles. Another conflict of roles may arise where a DPA engages intensively with the supervisee and advises on accountability schemes. Afterwards, the DPA might not be in a position to enforce, where the compliance of the schemes with the law is put into question. The accumulation of roles thus raises questions. However, it is precisely this accumulation that gives the DPAs legitimacy, or, in the words of Bennett & Raab, qualifies them as authoritative champions.

In short, the DPAs should cooperate, they have a national as well as a European responsibility, and they have to execute potentially conflicting roles. In this context, it would make sense to base DPA cooperation on a common understanding of what the main role of an individual DPA is.

Let me give three telling examples of issues that could benefit from further thinking, for instance in the context of the Phaedra project.

First, is the essence of the DPA role serving the individual interest or the collective interest? The case law of the EU Court of Justice does not give a clear answer: on the one hand, the Court emphasises the link of the control by a DPA with the individual's fundamental right to data protection, and qualifies the control even as an essential component of this right. This is logical, also in view of the fact that control by DPAs is included in Article 8 of the Charter. On the other hand, the Court reiterates the importance of serving the interest of the free flow of information, which is of a collective nature. To make it even more complicated, privacy and data protection are also societal interests. Our democratic societies cannot properly function without a sufficiently high level of privacy and data protection. This dilemma between an individual or a collective emphasis was very well illustrated by a case (Reese and Wullems) involving the Dutch DPA, which made it to the Court of Justice, but which was then withdrawn. Is a DPA entitled to abstain from investigating a complaint which is extremely important for the complainant's privacy but does not represent any wider societal interest?

Second, to what extent is enforcement the essence of the DPAs' task? If one considers the DPAs as public authorities put in place to promote a high level of privacy and data protection in our societies, then enforcement of the law is only one of their tasks. This relates to a discussion often heard in the Netherlands, where the DPA, already a few years ago, has chosen to dedicate its resources to enforcement and, as a result, is no longer available to advise data controllers on how best to implement privacy. Data controllers did not always support this choice. They argued that, since data protection law is of a general nature and therefore imprecise, a DPA should give guidance on how the law should be applied to specific situations. One cannot subject controllers to enforcement measures if the obligations arising from the law are not sufficiently precise. The counter-argument is that controllers are responsible and, for seeking advice, they are not dependent on DPAs.

Third, the DPAs act in complete independence, but what are the boundaries of this independence? It is clear that under the rule of law their decisions are subject to judicial control, but the DPAs' accountability towards democratic bodies is less clear. As the Court of Justice already underlined in Commission/Germany: "the absence of any parliamentary influence over those authorities is inconceivable" (para 43). But what does this mean? It definitely does not mean that the performance of a DPA in individual cases is subject to parliamentary scrutiny. But how can one avoid a parliament considering that performance where it has to decide on (additional) resources, using its budgetary powers? Also, the DPAs themselves will be confronted with limitations to independence where they cooperate with their peers in other Member States. Their duty to cooperate, which will undoubtedly exist under the GDPR, is in potential conflict with their independence in setting priorities. A potential limitation to independence is even more obvious where DPAs will be under an obligation to take utmost account, in their enforcement practice, of opinions of the European Data Protection Board.

In short, I suggest the Phaedra project develops views on a common understanding of the roles of the DPAs.

2.5 PHAEDRA II Second round-table event at the Spring Conference of European DPAs

David Barnard-Wills, Trilateral Research Ltd.

July 2016

Photo 5: PHAEDRA II Roundtable in Budapest, 25 May 2016; photo: David Barnard-Wills.

In May the PHAEDRA II project conducted its second round-table event. This workshop took place just in advance of the Spring Conference of European Data Protection authorities, this year held in Budapest and hosted by the Hungarian DPA. We were very pleased that this roundtable was a joint meeting between the PHAEDRA II project partners and the cooperation sub-group of the Article 29 Data Protection Working Party. The two groups are devoted to working on similar issues and PHAEDRA II is committed to providing research-based support and guidance to the cooperation sub-group. The workshop was therefore an opportunity to identify synergies and to find ways for the two groups to work together.

The workshop was divided into two parts. The first part built on the last deliverable from the PHAEDRA II project, our study on the lessons for co-operation between data protection supervisors that could be learnt by analogy with six other areas of cross-border regulatory cooperation and coordination provided for within the law of the EU. The second session attempted to define and understand the room available to national lawmakers in the implementation of the now adopted General Data Protection Regulation, and the impacts upon national data protection and freedom of information norms. Two invited speakers started the discussions by giving their detailed perspectives upon these issues: Wilbert Tomesen from the Autoriteit Persoonsgegevens, the Dutch DPA, and Tamás Bendik, legal advisor in the Hungarian Ministry of Justice, Department of Constitutional Law.

Tomesen made the argument that practical cooperation on a case-by-case basis is just the starting point, and that it will be followed by structural cooperation, leading to a common responsibility for the protection of the fundamental right to privacy. He spoke about his personal experience prior to joining the DPA as a public prosecutor in the Netherlands and in Aruba, including his experiences of cross-border cooperation across the Netherlands-German border, and with the United States. When he was Chief Public Prosecutor, structural cooperation between the Netherlands and Germany was limited, with prosecutors reaching out only when there was immediate need. He said this was now changing rapidly, with lots of joint investigation teams, and the important work of Eurojust. He also spoke about his experience of one-sided cooperation meetings with a dominant player, where true common ground was lacking. From these experiences, as well as the positively regarded Dutch DPA's cooperation with Canadian DPAs during its investigation of WhatsApp, Tomesen extracted lessons for EU DPAs. He argued that cooperation needs to be based on common interests and necessity. If DPAs want to develop more structural ways of cooperation, DPAs will need to find a common necessity. This needs to be deeply rooted in the organisations themselves: staff members need to value cooperation, not just have it imposed at a policy level. The lessons he extracted were:

1. When embarking on a joint initiative, first get comfortable: take time to establish trust and positive communication on a human level with occupational counterparts. Get used to the idea that you will be sharing information, but that some information will rightfully be withheld. Have respect for each other's way of doing things. In the WhatsApp case, after some initial discussions the two authorities kept in touch by standing teleconferences, with team leads in communication daily by telephone and encrypted email. He said it felt like working with colleagues on the next floor.

2. Recognise each other's strengths and weaknesses, and take account of this when allocating work (e.g. geographical location, pre-existing relationships, tech capacity). In the WhatsApp investigation the Canadian system allowed more contact with the data controllers under investigation, whilst the Dutch threat of punitive enforcement encouraged compliance with the investigation as a whole.

3. The simple importance of showing solidarity: spreading a message within organisations that commissioners are strongly committed to the project, making sure that teams were told they would be supported in making it work. Investigative teams need to be creative and adaptive, and with the support of senior management this is easier.

For Tomesen these lessons can already be seen in current EU cooperation as case-by-case cooperation evolves into a more structural cooperation. The WhatsApp lessons are already put into practice by EU DPAs. The legal obligation in the Data Protection Directive has been put into structural practice in the Article 29 Working Party, both at Commissioner and staff level. Structural cooperation can have important practical benefits for common investigations. Tomesen's example of this was the labour-intensive assessment of the Privacy Shield. DPA analysis of the Privacy Shield is a prime example of structural cooperation, making use of existing structures, relationships and expertise. Work was divided between national experts and two Working Groups, one on commercial matters and the other on surveillance and law enforcement. Most of the lessons learned from WhatsApp are also recognisable in the drafting sessions on the Privacy Shield. For Tomesen, this saw DPAs operating as one team which had the support of their commissioners.

He argued that the third stage of the evolution of cooperation will be the emergence of truly shared responsibility. As DPAs have more and more common interests, and with the GDPR, structural cooperation will have to develop into something more. DPAs should no longer think in terms of cooperating with other DPAs but accept that they have a shared responsibility for the consistent application of the new regulation. This will require more trust and will not be without obstacles.

Several sub-groups are already analysing the implications of the GDPR, and new policies. Tomesen saw a need for common responsibility in Article 51: each national DPA shall contribute to the consistent application of the regulation throughout the Union (not only in their own states). The European Data Protection Board (EDPB) will play an important part in this. The Regulation codifies a number of procedures for mutual assistance on cross-border investigations, and intensified cooperation between DPAs and common responsibility will have profound consequences on both policy and personal levels. Tomesen felt that the mindset needs to change, with cooperation needing to be the starting point. He acknowledged that this will cost time and energy, but saw it as an exciting project for DPAs.

DPAs need to find a common interpretation of the Regulation, both for consistency and for improved relationships. In particular, what exactly will "mutual assistance" be? This needed to be sorted out before the Regulation enters into force, otherwise Tomesen feared this would be counterproductive and inconsistent. He argued that agreements need to be made between DPAs on how to deal with national obligations. For example, if the Dutch DPA were obliged to share information as part of common responsibility, would the other DPAs be obliged to keep it confidential even when there is no obligation on them to do so? He envisaged that cultural differences will remain. The implication he drew from this was not that DPAs shouldn't try to collaborate; instead he advocated a certain humbleness, letting go of the mentality that a particular DPA is the sole possessor of the truth, and accepting that consensus might mean accepting decisions that are not "the best" but the "not worst".

The discussion that followed Tomesen’s speech included topics such as the length of time available for implementation of the GDPR, respecting the intentions of other authorities, curiosity about others' ways of working, the importance of human-to-human contact for international cooperation and the challenges created for this by staff turnover, and the fundamental issue of language challenges. Participants also reflected positively upon the contribution that PHAEDRA I and II deliverables had made to this shared learning, an encouraging message for those of us working on the project.

In the second session of the roundtable, Tamás Bendik presented on the challenges of a consistent application of the GDPR and the extent to which it would really create a level playing field in EU data protection, based upon his experience in drafting Hungarian legislation, but also from his involvement in the DAPIX working group. He explored provisions where the GDPR provides the Member States' legislatures with certain room for manoeuvre to adopt or maintain national legislation. He also explored how these pieces of legislation might affect cooperation of DPAs, and tried to identify and discuss practical tools and techniques to facilitate future cooperation. He addressed those elements excluded from the material scope of the GDPR (particularly those things outside the scope of Union law that remained in Member State competencies, elements outside the scope of the GDPR such as in the Police Directive and under the Common Foreign and Security Policy, and the elements in the GDPR that provide for Member State leeway). His examples of the latter were Article 6(2) and 6(3), lawfulness of processing; Article 8(1), conditions applicable to a child's consent in relation to information services; Article 9(2) and (4), processing of special categories of personal data; Article 23, restrictions; and Article 85, processing and freedom of expression and information.

The challenges for a consistent application of the GDPR, as Bendik summarised them, are that Member State legislatures are entitled and obliged to maintain and adopt national rules (both sectoral and general), that Member State law forms an integral part of the data protection acquis, that DPAs and the EDPB apply Member State law, and that, therefore, the lawfulness of the same data processing activity may vary between Member States.

Finally, Bendik spoke about two ways in which lawmakers can assist the DPAs. At the level of the EU this meant adopting harmonised sector-specific legislation beyond the GDPR, and at the national level, those involved in preparing national legislation should keep an eye on each other's activity and on the product of national lawmakers. In addition he reiterated the importance that Tomesen had placed upon developing cooperation tools, including formal (consistency, mutual assistance, joint operations) and informal mechanisms (including workshops, symposia, etc.). The aim is to identify those tools and techniques that will facilitate the work of DPAs and enable them to apply the law together.

The PHAEDRA II project partners would like to thank all participants at the roundtable for taking the time to discuss these issues with us, and for taking the time to engage with our research activity. Information about future PHAEDRA II roundtables and events can be found on the relevant pages of the PHAEDRA II website.


2.6 Cooperation among EU DPAs: current status (2015-2016)

Andrés Cuella Brenchat, consultant for the Data Protection and Fundamental Rights Group (PRODADEF), University Jaume I (Spain)

October 2016

Photo 6: A New Resource For Educators, Practitioners & Researchers (via CaseRe3: Case Report Research Repository)

The PHAEDRA II project has been devoted to improving practical cooperation and coordination between Data Protection Agencies (DPAs), Privacy Commissioners (PCs) and Privacy Enforcement Authorities (PEAs) in the European Union (EU), especially with regard to the enforcement of privacy and data protection laws. In order to follow up and assess cooperation among EU DPAs, PHAEDRA II created a commented repository of leading decisions in individual cases with cross-border implications among national DPAs in the EU. Since its beginnings, a shortage of “pure” cases of cooperation was noted. This is not surprising, though, as under the current Data Protection Directive 95/46/EC the obligation to cooperate in Article 28 is rather imprecise. From May 2018, the 28 European Union (EU) Member States will have to abide by the recent reform of the basic EU data protection legal framework. The new General Data Protection Regulation (GDPR) 2016/679 introduces major changes in how data protection law is applied and enforced among the EU Member States. It also introduces major changes in the character and scope of cooperation between EU DPAs. Cooperation will not merely be a possibility, but an obligation under EU law. Intensified cooperation among authorities at the European level will be necessary to adequately address cross-border issues.

The repository has shown that cooperation among EU DPAs has actually taken place during the last two years. It has identified cases of cooperation that have taken very different forms and degrees.

The most relevant one, under the current regime, might be the joint investigation teams created by different DPAs. For instance, in 2015 Facebook faced numerous privacy-related investigations in Europe in order to verify whether the company was complying with EU and national law. DPAs from France, Spain, the Netherlands, Belgium and Germany (Hamburg’s DPA) joined efforts and created a Working Group to tackle potential breaches or shortcomings in Facebook’s policies. The Article 29 Data Protection Working Party (WP29) also participated in the investigation exercise. We consider this initiative to be one of the most important forms of cooperation and collaboration among EU DPAs.

International platforms have also acquired a major role in the cooperation among DPAs. The PHAEDRA II repository has focused on the activity of two key networks. The first is the International Cybersecurity Enforcement Network (or the so-called LAP-London Action Plan), which seeks to promote international spam enforcement cooperation and address spam-related issues (such as online fraud and deception, phishing or dissemination of viruses). Both private sector representatives and government and public agencies are represented. DPAs from Ireland, Spain and the UK are part of this network. Moreover, other EU Member States – Belgium, Finland, Hungary, Latvia, the Netherlands, Portugal and Sweden – are represented through other governmental bodies, mainly consumer agencies. The latest form of cooperation occurred in June 2016, when 11 enforcement authorities across the globe, including those from the UK and the Netherlands, signed a Memorandum of Understanding (MoU) to provide a framework for information and intelligence sharing and to reinforce cross-border cooperation to address unwanted messages and calls. This MoU strengthens the international fight against a global problem.


The second network is more globally represented: the Global Privacy Enforcement Network (GPEN), which aims at facilitating cross-border cooperation in the enforcement of privacy laws. The Network enables privacy regulators worldwide to work and cooperate as they address risks to the personal information of their citizens. 17 out of the 28 EU DPAs are members of the GPEN. An example of recent cooperation where the GPEN had the coordinating role is the “Privacy Sweep”, an international evaluation dedicated to verifying the respect of privacy in the Internet of Things. DPAs from France, Ireland, Italy and Belgium, among others, participated in this Sweep, which took place on 11-15 April 2016. This exercise is a continuation of the good collaboration between DPAs (in May 2014, 26 DPAs conducted an “Internet Sweep Day” that analysed information related to mobile applications; in September 2015, another “Sweep Day” focused on online services for children). Another example is the MoU signed in October 2015 between the Dutch DPA and seven other privacy regulators for the exchange of information in the GPEN Alert System or the “Sweeps”. In general terms, DPAs participate, to a greater or lesser extent, in different conferences and seminars organized worldwide where they have the opportunity to share good practices or new policies, present new projects or formalize bilateral agreements.

The soon-to-be-replaced WP29 also configures itself as an important actor for cooperation. Indeed, it meets multiple times a year in Brussels and its latest position in a specific matter was adopted in June through the “Opinion 03/2016 on the evaluation and review of the ePrivacy Directive (2002/58/EC)”. The Working Party will be replaced by the European Data Protection Board (EDPB), which will become an EU body with legal personality. It will be composed of national data protection authorities and the European Data Protection Supervisor (EDPS).

This non-exhaustive description of forms of cooperation allows us to conclude that EU DPAs share common activities and goals and do engage in mutual cooperation. However, there are areas where cooperation could be increased to better achieve their mutual goals. For instance, guidelines are one of the favored instruments of DPAs. Position papers or guidelines on different aspects of the General Data Protection Regulation (GDPR) have been released by, among others, the UK, Spain, Germany and Belgium. The WP29 has also released an Action Plan concerning the implementation of the new Regulation. Other topics have attracted the attention of many DPAs, which have published their own guidelines, for instance on the implications of the Schrems Judgement, the implications of the right to be forgotten (France, Spain, Denmark, WP29) or the data protection issues relating to the utilization of drones (Sweden, WP29, Ireland). Moreover, the same issue may be tackled through different channels. For instance, video surveillance has raised questions in Spain (the Supreme Court has ruled and clarified data protection issues), France (guidelines have been issued) and Italy (the Italian DPA notes in its Annual Report that it handled more than 30.000 queries concerning, among others, video-surveillance).

Finally, the European Data Protection Day, held every year on 28 January, is an event seeking to raise awareness and promote privacy and data protection. In 2016, 22 out of the 28 EU DPAs participated in the event. Nevertheless, the activities were not especially coordinated and were addressed to domestic audiences. PHAEDRA's study on best practices of cooperation found that the benefits of coordination in this area are, however, limited by the need for DPAs to communicate with the media and the public in the relevant Member State languages and to be responsive to local contexts, media usage and channels, and public attitudes.

Apart from the novel joint investigation teams, the rest of the cooperation activities were organized in the framework of existing platforms and bodies. The Investigation Teams therefore constitute the most telling example of spontaneous cooperation among DPAs. Moreover, it can be inferred from the above that DPAs collaborate mainly on three issues: investigation of common threats (Facebook, Sweeps), tackling very specific issues (MoU) and participation in common approaches (WP29).

Even if the new GDPR changes how data protection law is applied and enforced among the EU Member States, uncertainties persist as to how this new legal framework will be applied in practice and how it will impact the day-to-day activities of EU DPAs. The recent GDPR makes cooperation among DPAs mandatory but does not provide comprehensive rules on the modalities and procedures involved. As the recently published PHAEDRA study shows, there is a need for supplementary operational and legal guidance. Be that as it may, many questions arise: are there other circumstances hampering enhanced cooperation (different national legislation, political willingness…)? Are DPAs in a position to reinforce their cooperation? Will the entry into force of the GDPR boost cooperation? The extent and purpose of this blog entry cannot cover all these issues, but two main remarks may be added. Firstly, with the entry into force of the GDPR in less than two years, cooperation will be granted the importance it deserves. Indeed, Chapter VII of the GDPR boosts many aspects of cooperation (most notably, the consistency and one-stop-shop mechanisms) that are missing in the Data Protection Directive. Secondly, cooperation is not circumscribed to a single chapter or provision acting independently of the rest of the Regulation. Quite the contrary, cooperation is predicated throughout the rest of the text, present in the tasks and duties carried out by each EU DPA. Consequently, a multiplication of “pure” cooperation cases in the very near future should not be surprising. To follow up, just check PHAEDRA’s repository!


2.7 2017: the year of mutual assistance testing

Jacek Saffell, specialist, Department of Social Education and International Cooperation, Bureau of the Inspector General for Personal Data Protection (GIODO)

January 2017

Photo 7: ‘Introducing Lensbaby’ by Daniel Horacio Agostini, 2008 via Flickr (CC BY-ND 2.0).

The year 2016 came to an end and people are turning their heads towards 2017 with new energy and hope. And as we all know, there is significant change on the horizon of European data protection. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; GDPR), is slowly yet unavoidably approaching. It won’t get here quite yet in 2017, but that doesn’t mean this upcoming year will be any less important. On the contrary, we are facing a year of important decisions and tests. How Europe manages to handle these tasks will have a direct influence on the future of data protection under the GDPR.

In order to prepare data protection authorities (DPAs) for the upcoming changes, the Article 29 Working Party (WP29) has been keeping busy, creating guidelines and FAQs that will aid DPAs during the transition. During the December 2016 plenary meeting, WP29 discussed certain critical matters with regard to the implementation of the GDPR and, consistent with its 2016 Action Plan decided in February 2016, the WP29 adopted during the December plenary:

Guidelines on the right to data portability (WP 242),
Guidelines for identifying a controller or processor’s lead supervisory authority (WP 244), and
Guidelines on Data Protection Officers (DPOs) (WP 243).

As the PHAEDRA project’s main goal is to identify, develop and recommend measures for improving practical co-operation among EU DPAs, we believe that the abovementioned guidelines are worth summarising. However, since the issues of DPOs as well as data portability don’t relate so directly to DPA co-operation, we’ll skip them in the following article.

Lead Supervisory Authority

One of the key topics discussed and agreed upon by the WP29 is the issue of cross-border processing of personal data in connection with identifying a lead supervisory authority. As Article 4(23) GDPR clearly states, there are two scenarios in which we’ll be dealing with ‘cross-border processing’. Out of these two cases, one’s “cross-border” character is based on the vague term of “substantial affect”.

A question may arise – what does the Regulation mean by “substantially affects”? Now, we won’t find a direct answer in the text of the GDPR, so, according to the Opinion WP 244, DPAs will have to determine this on a case-by-case basis. The intention of the wording was to ensure that not all processing activities, with any effect and that take place within the context of a single establishment, fall within the definition of “cross-border processing”. But if we look at a general definition of the word “affect”, we’ll see that there must be influence, that the data processing must impact someone in some way. That way being of a “substantial” nature.


So once we establish that we are in fact dealing with cross-border processing, it is mandatory to identify the lead supervisory authority.

Ok, so why do we need this lead supervisory authority? To put it in simple terms, a ‘lead supervisory authority’ is the authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data and the controller/processor is established in more than one EU Member State. The lead supervisory authority will coordinate any investigation, involving other supervisory authorities, according to the consistency mechanism.

Although Article 56 GDPR gives means of determining the lead supervisory authority, often things won’t be so clear and it might be up to data controllers to establish clearly where decisions on the purposes and means of personal data processing activities are being made, thus allowing the lead authority to be appointed. The process of determining where the main establishment is may require active inquiry and co-operation by the supervisory authorities. Conclusions cannot be based solely on statements by the organization under review. The burden of proof ultimately falls on controllers and processors. They should be able to demonstrate to supervisory authorities where decisions about data processing are actually taken and implemented. Effective records of data processing activity would help both organizations and supervisory authorities to determine the lead authority.

One may ask, what about other DPAs? Are they excluded from any operations once the lead supervisory authority is established? Well no, quite the contrary. As Article 4(22) GDPR states, other supervisory authorities can be “concerned”. The concept of a concerned supervisory authority is meant to ensure that the ‘lead authority’ model does not prevent other supervisory authorities from having a say in how a matter is dealt with when, for example, individuals residing outside the lead authority’s jurisdiction are substantially affected by a data processing activity.

The GDPR requires lead and concerned supervisory authorities to co-operate, with due respect for each other’s views, to ensure a matter is investigated and resolved to each authority’s satisfaction – and with an effective remedy for data subjects. Supervisory authorities should endeavor to reach a mutually acceptable course of action. The formal consistency mechanism should only be invoked where co-operation does not reach a mutually acceptable outcome.

Mutual acceptance of decisions can apply to substantive conclusions, but also to the course of action decided upon, including enforcement activity (e.g. full investigation, investigation with limited scope, a warning or a press statement). It can also apply to a decision not to handle a case in accordance with the GDPR, for example because of a formal policy of prioritisation, or because there are other concerned authorities as described above. The development of consensus and good will between supervisory authorities is essential to the success of the GDPR co-operation and consistency process.

To summarise this post, we would like to point out that although the GDPR creates a framework for co-operation and goals which are to be achieved, success depends solely on the DPAs’ co-operation. With further guidelines from WP29 and enough time to implement them, the GDPR can have a positive impact on data protection in Europe. We will closely follow the WP29’s work and assist DPAs in their difficult task.