Préposé fédéral à la protection des données et à la transparence PFPDT Federal Data Protection and Information Commissioner FDPIC Les impératifs d’une mise en œuvre efficace par les régulateurs Regulator’s Do’s and Must’s for Effective Enforcement Jean-Philippe Walter Deputy Commissioner Chair of the Consultative Committee Convention 108

Conditions for Effective Enforcement?

• Regulator Definition

• Legal framework

• Independence

• Human, financial, technical resources and professional / technical competences

• Powers and Tasks

Definition

• “regulatory agency, independent governmental commission established by legislative act in order to set standards in a specific field of activity, or operations, in the private sector of the economy and to then enforce those standards” (Encyclopaedia Britannica)

• “Privacy Enforcement Authority” means any public body, as determined by each Member country, that is responsible for enforcing Laws Protecting Privacy, and that has powers to conduct investigations or pursue enforcement proceedings” (OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy)

Legal Framework I

• International law

• UN-Guidelines for the Regulation of Computerized Personal Data Files (Resolution 45/95 of 14 December 1990)

• Additional Protocol to the Convention for the protection of individuals with regard to automatic processing of personal data regarding supervisory authorities and transborder data flows

• OECD Guidelines governing the protection of privacy and transborder flows of personal data

Legal Framework II

• Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

• International Standards on the Protection of Personal Data and Privacy (Madrid Resolution)

• African Union Convention on Cyber Security and Personal Data Protection (27 June 2014)

• National legislation, e.g. Swiss Federal Act on Data Protection, …

Independence

• This authority shall offer guarantees of impartiality, independence vis-a-vis persons or agencies responsible for processing and establishing data

(UN-Guidelines)

• The supervisory authorities shall exercise their functions in complete independence ….

(CoE-Convention)

Adequate and Sufficient Resources

Data Protection in the European Union: the role of National Data Protection Authorities, EU Agency for Fundamental Rights, 2010:

“The absence of sufficient human and financial resources represents a significant challenge to the effectiveness of the national supervisory systems that might jeopardize the protection of the fundamental rights of data subjects.”

The Guardian, 3rd Sept. 2014, Christopher Graham protests about budget cuts:

“Our grant-in-aid from the Ministry of Justice, which has been cut in every year since I became Information Commissioner in 2009, is simply not adequate for us to do the work we could and should be doing to promote greater efficiency and accountability in the public service.”

Powers and Tasks

• Investigation

• Intervention

• Decision and Sanction

• Engaging in legal proceedings or bringing violations to the attention of the competent judicial authorities

• Hearing claims

• Promoting public awareness of the rights of data subjects and exercise of such rights

• Awareness of controllers

• Advice

• Taking position concerning proposals of any legislative or administrative measures involving the processing of personal data

• Cooperation

• Information, Activities report

Conclusion I

• Guarantees for effective enforcement of data protection are in particular:

• Existence of PEA or DPA

• Fully independent

• Necessary and adequate human, financial, technical resources

• Full powers to investigate, intervene, offer legal advice, engage in legal proceedings and to inform and promote awareness

• Cooperation between DPAs

Conclusion II

European Union Agency for Fundamental Rights, Data Protection in the EU: the role of National Data Protection Authorities:

PEA or DPA “play a crucial role as guardians of data protection in the eyes of the public. The whole data protection system depends on public trust of the authorities. It will be difficult to convince citizens that their data protection and privacy concerns are taken seriously, if doubts about the independence of data protection authorities persist or if these authorities are not seen to be resourced in such a way as to allow them to discharge their duties effectively and efficiently.”

DPAs or PEA are essential for effective enforcement

but

Are they sufficient to achieve effective Data and Privacy Protection in a globalised World?