In EU data protection law, an essential part of the enforcement is assigned to the Data Protection Authorities (DPAs) of the EU Member States.
These DPAs are independent public authorities with a variety of roles. They have strictly supervisory tasks and are – or should be – empowered with investigative and enforcement powers, yet they also have an advisory role in the public debates on privacy and data protection.
Their role is embedded in EU primary law, particularly in Article 16(2) of the Treaty on the Functioning of the European Union and in Article 8(3) of the EU Charter of Fundamental Rights. The embedding of their role in primary law gives them constitutional status under EU law. This is a status that does not exist in other areas of EU law.
In the information society, their role is justified by the size of the issues at stake, and by the fact that traditional methods of governance by the executive, legislative and judicial branches are not considered sufficient. The oversight role of DPAs is even more important to counterbalance mass surveillance by governments and by the big internet companies, for commercial purposes or in support of government action.
The DPAs are fairly unique. They exist for various reasons. First, their existence has historical reasons: the first DPAs were set up in the 70s of the last century as a reaction to the start of an age of widespread use of computers. Second, there is a need for structural support in the area of data protection, an area where individuals do not easily challenge the use of their personal data without support. Third, the nature of data processing, which quite often takes place in a non-transparent manner, requires skills for understanding data processing. Fourth, there is a need for control of the private sector and, equally, of governments in their capacities as controllers or processors of personal data. Fifth, there is a need for independence from political preferences, as will be explained below. Sixth, DPAs are supposed to have the capability to combine expertise and flexibility, and to dedicate their resources fully to data protection.
The DPAs are completely independent, as has been confirmed by the EU Court of Justice. Complete independence implies not only independence from the – public or private – organisations under supervision, but also from political decision-making. The Court of Justice also underlines in its case law on DPA independence that the DPAs cannot be part of or closely related to the executive branch of government, even if certain measures are taken to guarantee that DPAs function autonomously. In the recent Schrems case, the Court underlines this all once more. Independence is supposed to make the supervision more reliable.
The complete independence of the DPAs differs from the autonomy of EU agencies operating in areas of economic governance. For these agencies autonomy from the influence of market forces is sufficient. A company subject to oversight by an agency should be prevented from being in a position to influence the performance of the agency. But, that is all.
The essence of DPA independence is much stronger. Their independence should prevent any political influence on the performance of DPAs.
Why that matters
The following example illustrates the importance of this strong independence. There is a permanent need in our democratic societies to balance between preserving the rights to privacy and data protection on the one hand and the demand to maximise the use of technology in response to serious threats to the security of society on the other hand. However, this balancing act takes place in a context where consensus on the outcome is not a given fact.
There exists societal pressure on limiting the rights of privacy and data protection in an internet environment, for instance where extending the surveillance powers of governments must respond to threats to the security of society. The reactions to the terrorist attacks in Paris are a clear example. The attacks triggered the revitalisation of the European Passenger Name Record (PNR) framework. This EU PNR system had been blocked by the European Parliament, out of concerns relating to privacy, but after the Paris attacks the legislative proposal was quickly adopted.
More generally, the demand for maximising technology use and extending surveillance powers is highly time- and place-dependent. One can see a tendency in policy-making whereby during periods of threat to physical security the emphasis is on maximisation of use of personal data for law enforcement purposes, whereas, in relatively calmer periods, there is much more emphasis on protection of fundamental rights, particularly privacy and data protection.
For example, the data retention directive, which was annulled by the Court of Justice in 2014, can be seen as a direct reaction to the attacks on the London metro in 2005, whereas the renewed interest in strong data protection hit a peak around 2010, when the perceived public security risks were relatively low. It is interesting, in this context, to read the Stockholm programme of the European Union of 2010. This multiannual programme includes models for information management systems in the law enforcement sector, fully based on responsible approaches to personal data processing, including selective data collection.
Protecting our values
My argument is that threats to security may require restrictions to the exercise of fundamental rights, but one should also consider evaluating the potential harm a limitation of the fundamental right would cause for the values a right aims to protect. This is why DPA independence is so important. This independence is even more important in an age where surveillance of individuals takes place on a mass scale, also benefiting from the potential in big data use.
Independence of DPAs increases the checks and balances in our society. Of course, it is up to the political institutions to adopt the laws they consider necessary to protect society against imminent threats. Of course, views of political majorities may change, in reaction to serious security threats, but also as a result of elections for completely different reasons. Of course, in our constitutional systems with a separation of powers, it is primarily the task of courts to ensure that political decision-making respects fundamental rights of citizens. The EU Court of Justice played this role in recent times, particularly where it invalidated the EU data retention directive and the Safe Harbour Decision of the European Commission.
However, the model of independent DPAs definitely has added value, because courts are by definition reactive. Their involvement depends on the cases brought before them.
‘Privacy by Design’
The DPAs are empowered to play a role in the political debate on legislative instruments and, moreover, they have the power to investigate on their own motion when they become aware of possible breaches of data protection law. They also give the citizen an easy, low-threshold entrance to a remedy. Finally, they can develop – together with public and private controllers of personal data – privacy-friendly solutions for data processing. Privacy by Design is the current buzzword.
This also means that DPAs should have effective powers, particularly in the developing age of surveillance. EU Member States should guarantee that individuals receive protection by DPAs, in accordance with the general EU principles of equivalence and effectiveness. The powers of the DPAs should also fully be applicable in relation to law enforcement authorities, as well as to national security, of course taking into account justified – but, only justified – needs for confidentiality for these two categories of authorities.
What’s not good enough
The Fundamental Rights Agency of the European Union reported that there is a great variety of, as well as significant deficiencies in, the powers and resources of DPAs. The Agency reported on understaffing and lack of adequate financial resources of DPAs, with the result that in many Member States the DPAs do not carry out all their tasks. As a rule, sanction powers are limited and not suited to effectively address infringements by big internet companies, although the sanctioning powers are gradually changing.
The effectiveness of DPAs is a major issue in the reform of the EU data protection framework. The General Data Protection Regulation aims at addressing a number of shortcomings, ensuring strong powers – including sanctioning powers – of the DPAs.
Effectiveness is also reflected in the working methods of the relatively small DPAs. They are free to set their own agenda, but this also means that it is their responsibility to avoid devoting their energy to smaller issues and not addressing the big questions raised by the information society.
This article is published in association with the Criminal Justice Centre at the Department of Law, Queen Mary University of London. The CJC’s members are drawn from both the legal profession and academia, researching the impact of securitisation on human rights. The Centre is one of the coordinating institutions of the European Criminal Academic Network.