by Steve Peers
A guilty pleasure for fans of superhero comic books is the moment when our heroes pause in their valiant efforts to save the public from the nefarious plans of the supervillains – and start beating the hell out of each other instead. This is usually triggered by some trivial difference of opinion, perhaps concerning a continuity error or intellectual property rights.
Similarly, the EU vests its hopes for the effective enforcement of data protection law upon national data protection authorities (DPAs): the superheroes of the data protection world. They have considerable powers under the current data protection Directive, and the proposed Regulation would also give them more powers. But what if they disagree with each other? There’s nothing in the current legislation to settle this problem, which gives each DPA the power to regulate actions on its own territory without addressing the obvious complications that result in a digital age, when many forms of processing of personal data (most obviously via the Internet) take place across borders.
To deal with this problem, the Commission proposal contains a conflict rule to determine who is the lead regulator in cross-border cases, with the possibility that a ‘European Data Protection Board’ or the Commission itself can issue an opinion on the issue. This has been dubbed the ‘one-stop shop’ rule. However, due to legal concerns, both the Council (which is about to adopt its position on this part of the proposed Regulation: see the draft text here), and the European Parliament (EP), which has already adopted its position on the entire text, propose instead that the Board must be able to make binding decisions to settle disputes.
So this is set to become one of the most significant innovations of the new legislation. Let’s take a look at what the future rules will likely say about the role of national DPAs, the one-stop-shop process and the powers of the Board.
National data protection authorities
The current Directive already provides for the existence of DPAs, and insists that they must exercise their powers in ‘complete independence’. CJEU case law (discussed here) has set out a very strong interpretation of this notion, ruling that Germany, Austria and Hungary breached it, because they provided for too much accountability to national parliaments (Germany), failed to separate the DPA from the ordinary civil service (Austria) and defenestrated the DPA boss before his normal term of office expired (Hungary).
The proposed Regulation would retain and elaborate upon this concept, and the Council and EP agree with most of the Commission’s suggestions. Admittedly, the DPAs have to be appointed by public authorities in the first place: after all, their powers don’t stem from being bitten by a radioactive spider, or orphaned in a bat-infested back alley. The Council would amend the proposal so that they don’t have to be appointed by the government or parliament, but could instead be appointed by the head of state or independent body. Only the last alternative would fully ensure their independence from the outset (although who appoints the ‘independent body’?)
Three points of concern here. First, the proposal would usefully require the national DPAs to be adequately funded. That is easier said than done, for most DPAs complain of an absence of sufficient funding. For instance, the Irish DPA occupies a small office next to a corner shop – but purports to regulate (among many other things) all of Facebook’s activities in the EU. Secondly, the Council would remove the proposed rule requiring that DPAs be independent ‘beyond doubt’ when they are appointed; but DPAs should not be a resting ground for political hacks and bagmen. Thirdly, the Council would remove most of the details concerning the loss of office of DPAs, retaining only the minimum rule of four years in office. As the termination of the Hungarian DPA showed, it’s hard to exercise your powers independently if you constantly fear that there may be Kryptonite in your coffee.
As for the powers of the DPAs, the Regulation would strengthen and elaborate upon their current advisory and enforcement roles. In particular, the current powers to investigate, intervene and engage in legal proceedings would be fleshed out, by adding powers concerning audits, access to the premises of the controller and processor, ordering compliance with a data subject’s request, the suspension of data flows, or the imposition of fines.
But with these great powers will come only limited accountability. DPAs will have to publish an annual public report (and the EP even wants to weaken this obligation). But that’s the only way that their decisions can be controlled, unless a cross-border complication means that other DPAs, or the European Data Protection Board (a sort of uber-DPA) gain jurisdiction, as discussed below. Otherwise, the only bodies which can watch these watchmen are the courts.