Roles and Relationships of Data Protection Authorities. Charles D. Raab, University of Edinburgh. Presentation at the Conference on ‘The Hungarian Parliamentary Commissioner for Data Protection and Freedom of Information 1995 – 2011’, Budapest, 28 September 2011.
This Presentation • To look at the various roles or functions that data protection authorities perform in carrying out their responsibility to protect information privacy • To consider the way in which their activities involve co-operative relationships across jurisdictional and national boundaries
Az ombudsmanok tíz éve / Ten years of ombudsmen 1995–2005. Országgyűlési Biztos Hivatala (Parliamentary Commissioner’s Office), 2005
European Convention on Human Rights • Article 8 – Right to respect for private and family life • 1 Everyone has the right to respect for his private and family life, his home and his correspondence. • 2 There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well‑being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
EU Charter of Fundamental Rights (2000/C 364/01) Article 8 Protection of personal data 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.
Challenges to Privacy • Information and communication technologies • Policies and practices of states and governments • Commercial interests • Individual and social behaviour
Data Protection Authorities: Roles (I) • What are their roles, and what is their relationship to the state and the private sector, and to citizens themselves? • How do these commissioners or ombudsmen comprehend or influence the technologies that are shaping the situation, and comprehend the changes in the way states and governments provide public services, enforce law and order, and combat terrorism?
Data Protection Authorities: Roles (II) • How do regulatory bodies such as data protection agencies deal with political, public and media attitudes that do not necessarily support the tasks that these agencies have been designed to carry out, and that regard privacy as a needless or even dangerous luxury in the face of the dangers perceived by fearful, security-minded individuals and states? • What resources do these regulators have to fall back upon for support, and how do they defend and promote their mission?
Data Protection Authorities: Roles (III) • ‘oversight, auditing, monitoring, evaluation, expert knowledge, mediation, dispute resolution, and the balancing of competing interests.’ (Flaherty, 1997) • ‘ombudsmen, auditors, consultants, educators, negotiators, policy advisers and enforcers.’ (Bennett and Raab, 2006) Enforcement is only one of the roles, but should it be more prominent?
Factors Affecting DPA Effectiveness • Legal powers • Resources and understanding of information technology and systems • Management of work pressures • Organisation for response, initiative, efficiency • Opportunities to intervene in practice and policy • Commissioner’s leadership • Public awareness and support/criticism from society and groups • Independence [for some of these, see: FRA - European Union Agency for Fundamental Rights, Data Protection in the European Union: the role of National Data Protection Authorities, 2010] But it is not clear how the effectiveness or performance of a data protection regime should be measured
Independence: Directive 95/46/EC Article 28 Supervisory authority • Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive. • These authorities shall act with complete independence in exercising the functions entrusted to them.
Independence (I): ECJ C-518/07 (2010) - Commission v. Germany • The case involved the meaning of ‘complete independence’ (not defined in the Directive) • ECJ said: ‘In relation to a public body, the term “independence” normally means a status which ensures that the body concerned can act completely freely, without taking any instructions or being put under any pressure. Contrary to the position taken by the Federal Republic of Germany, there is nothing to indicate that the requirement of independence concerns exclusively the relationship between the supervisory authorities and the bodies subject to that supervision. On the contrary, the concept of “independence” is complemented by the adjective “complete”, which implies a decision-making power independent of any direct or indirect external influence on the supervisory authority’ (paras. 18-19).
Independence (II): ECJ C-518/07 (2010) - Commission v. Germany • ECJ said: ‘[t]he guarantee of the independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the supervision of compliance with the provisions on protection of individuals with regard to the processing of personal data and must be interpreted in the light of that aim. It was established not to grant a special status to those authorities themselves as well as their agents, but in order to strengthen the protection of individuals and bodies affected by their decisions. It follows that, when carrying out their duties, the supervisory authorities must act objectively and impartially. For that purpose, they must remain free from any external influence, including the direct or indirect influence of the State or the Länder, and not of the influence only of the supervised bodies’ (para. 25).
Independence (III): ECJ C-518/07 (2010) - Commission v. Germany • ECJ said: ‘the mere risk that the scrutinising authorities could exercise a political influence over the decisions of the supervisory authorities is enough to hinder the latter authorities' independent performance of their tasks. First, as was stated by the Commission, there could be “prior compliance” on the part of those authorities in the light of the scrutinising authority's decision-making practice. Secondly, for the purposes of the role adopted by those authorities as guardians of the right to private life, it is necessary that their decisions, and therefore the authorities themselves, remain above any suspicion of partiality’ (para. 36).
Independence (IV): ECJ C-518/07 (2010) - Commission v. Germany • ECJ said: ‘Admittedly, the absence of any parliamentary influence over those authorities is inconceivable. … [T]he management of the supervisory authorities may be appointed by the parliament or the government. Secondly, the legislator may define the powers of those authorities (para. 44). Furthermore, the legislator may impose an obligation on the supervisory authorities to report their activities to the parliament. … [C]onferring a status independent of the general administration on the supervisory authorities … does not in itself deprive those authorities of their democratic legitimacy (para. 46).’
Independence: Austria • The European Commission has referred Austria to the ECJ on similar grounds • ‘Although Austrian data protection legislation … spells out that the authority exercises its functions independently and takes no instruction in their performance, the Commission considers that “complete independence,” … is not guaranteed because: • the authority remains under the supervision of the Federal Chancellery because it is integrated into the Chancellery in terms of organisation and staff: it controls neither its own staffing nor its equipment and it does not have its own budget • … the authority has been run by a senior official of the Chancellery as executive member …, subject to the supervision of the Chancellery • the right of the Chancellor to be informed at all times by the chair and the executive member on all subjects concerning the daily management of the authority potentially hinders the members of the supervisory authority in the independent performance of their tasks.’ [EUROPA Press Release IP/10/1430, 28 October 2010]
Independence or ‘Arm’s-Length’ Relationship? • A matter for negotiation and constant vigilance, e.g., in the United Kingdom • Depends upon the length of the arm • Depends on the implications of large-scale changes in the constitutional position • Depends on the voice and pressure of external groups, privacy advocates, and other critics
Data Protection Authorities: Relationships. EU Directive 95/46/EC Article 28 Supervisory authority 6. The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information. But ‘co-operation’ has gone further, in Europe and elsewhere
Data Protection Authorities: Relationships. International groups and networks (I) • The global level • The International Conference of Data Protection and Privacy Commissioners Will this become more important, with a corporate ‘presence’ in the world and with influence over global information privacy issues? Will this become a more permanent institution, with a useful infrastructure?
Data Protection Authorities: Relationships. International groups and networks (II) • The sub-global level • Europe • Article 29 Working Party • European Data Protection Supervisor (EDPS) • The ‘Spring Conference’ • Central and Eastern European Data Protection Authorities (CEEDPA) • British, Irish and Islands Data Protection Authorities (BIIDPA) • Asia Pacific Privacy Authorities (APPA) • Ibero-American Data Protection Network (RedIPD) • Association of Francophone Data Protection Authorities (AFAPDP) There is therefore an elaborate ‘international relations’ of data protection in various places in the world
Data Protection Authorities: Relationships. International groups and networks (III) • Interactions within federal countries: Germany, Canada, Switzerland, Spain, Australia • Other examples of activity across levels or jurisdictions: Netherlands-Ontario work on Privacy-Enhancing Technologies (PETs); OECD Working Party on Information Security and Privacy (WPISP); Towards a Global Privacy Standard (the Madrid Resolution)
The Madrid Resolution (2009) 23. Monitoring ‘[The] supervisory authorities shall be impartial and independent…’ 24. Cooperation and coordination ‘1. The Authorities shall try to cooperate … to achieve a more uniform protection of privacy …at both national and international level. … ‘…[M]ake every effort to ‘Share reports, investigation techniques, communication and regulatory strategies… ‘Conduct co-ordinated investigations … ‘Take part in associations … that contribute to adopting joint positions… ‘2. States should encourage the negotiation of co-operation agreements among supervisory authorities … that contribute to a more effective observance of this section.’
Final Questions • How important are all these relationships? Some are more important than others, and some are closer than others. How they will evolve is not yet certain, and whether they will be of any practical use will have to be evaluated. • Is the independence of DPAs necessary for developing working relationships across boundaries? Mutual trust seems best promoted where DPAs can be seen to be independent of the state and governmental organisations of their home countries, so that their activities in protecting privacy do not become an extension of, or controlled by, the foreign policies of states which may have other international and economic priorities.
At the end: Thank you for your attention! c.d.raab@ed.ac.uk