ENFORCEMENT POWERS. The EU Perspective. Olivier Proust. Associate Hunton & Williams LLP

Transcription

1 ENFORCEMENT POWERS The EU Perspective Olivier Proust Associate Hunton & Williams LLP

2 What is enforcement within the EU? Broad sense: Any action leading to better compliance Awareness raising activities Development of guidance Narrower sense: Undertaking of investigative actions Imposition of sanctions Enforcement aims to contribute to a more pro-active stance towards enforcement of data protection legislation within the EU, Article 29 Working Party. 2

3 WHAT DOES DIRECTIVE 95/46/EC SAY ABOUT ENFORCEMENT? Art. 28 (1): Member States must have data protection authorities (DPAs) = independent supervisory authorities in charge of monitoring data protection rules Art. 28 (3): DPAs must be endowed with power to - Investigate - Intervene - Sanction / Initiate legal proceedings Art. 28 (6): DPAs shall cooperate, by exchanging information + may be requested to exercise enforcement powers on request of another DPA 3

4 WHAT DOES DIRECTIVE 95/46/EC SAY ABOUT ENFORCEMENT? (CONT D) Art. 29: Working Party on the Protection of Individuals with regard to the Processing of Personal Data = Art. 29 Data Protection Working Party Independent advisory body Representatives of the EU Member States DPAs, EDPS & European Commission Art. 30: Role of Article 29 Working Party Interpret/apply the provisions of Directive 95/46/EC + contribute to a uniform application of the general principles of the Directive in all Member States Advise the EU Commission on any proposed amendment of the Directive Make recommendations on all matters relating to the protection of personal data Opinions are not legally binding, but often become the EU standard Not a pan-eu data protection authority (but comes close?) 4

5 EU NETWORK OF DPAs 5

6 DPA ENFORCEMENT PRACTICES IN THE EARLY DAYS EU Commission s First report on the implementation of the Data Protection Directive (2003) Declaration of the Article 29 Working Party on Enforcement (WP 101, 2004) Enforcement powers and resources vary Under-resourced DPAs with a wide range of tasks; enforcement actions have low priority For data controllers, the risks of getting caught seem low Apparently low level of knowledge among data subjects to enforce their rights Art. 29 WP promotes: exchange of best practices discussion around enforcement strategies that can be applied across countries EU wide synchronized national enforcement action in EU member states (see Report 1/2007 on the first joint enforcement action, WP 137) 6

7 CURRENT DPA ENFORCEMENT PRACTICES Divergent Member State approaches to enforcement ( educator vs. enforcer ) Some DPAs appear more active than others Some DPAs are more visible than others Lack of EU-wide statistics on all DPA enforcement action Still perception of low enforcement risk Except for data breach notification duties in limited circumstances, no DPA reporting duty Recent enforcement action seems to target financial, insurance and technology companies (Easycash; T-Mobile; Google; Hamb. Sparkasse) Wide spectrum of possible enforcement action Is the stick big enough? 7

8 ENFORCEMENT ACTION SPECTRUM A Guidance (Best Practices) B Soft Enforcement (Recommendations) Guidance (Best Practices) Investigations (Consensual/Compulsory Audits) C D Formal Warnings (Enforcement Notice) E F Administrative Sanctions (Fines) Public Admonishment ( Name and Shame ) G H Injunctive Measures (Block Data Processing/Transfers) Criminal Sanctions (Imprisonment) 8

9 EU CITIZENS PERCEPTION Special Eurobarometer 359 (June 2011) 9

10 All Europeans seem strongly in favor of a harmonization of the data protection laws within the EU 10

11 A relative majority of Europeans believe that the rules should be enforced at European level 11

12 Over half of Europeans say that imposing a fine on companies that use people s data without their knowledge should be the first priority of DPAs 12

13 RECENT DEVELOPMENTS & CHALLENGES EU Commission s Communication on A comprehensive approach on personal data protection in the EU (Nov. 2010) Strengthen existing provisions on sanctions to make them more effective and increase ex post enforcement (fines as a % of annual turnover?) Extend power to bring court action (class actions by consumer associations) Strengthen and clarify the role of DPAs At national level: - Complete independence - Necessary enforcement power + resources At EU level: - Improve cooperation and coordination between DPAs in cross-border enforcement cases - Art. 29 WP to play pivotal role? 13

14 RECENT DEVELOPMENTS & CHALLENGES (CONT D) Art. 29 WP s 82nd Plenary meeting (Oct. 2011) Need for a new mechanisms to ensure consistency in how DPAs apply EU data protection rules Proposals will shortly be sent to Commissioner Reding Art. 29 WP + ENISA have agreed to intensify cooperation on data breach notifications 14

15 RECENT DEVELOPMENTS & CHALLENGES (CONT D) 33rd International Conference of Data Protection and Privacy Commissioners (Mexico, 2011) Dealing with new challenges: DPAs as the policemen of big data Cooperation between DPAs and accountability agents: a new trend? EU vs. Rest-of-the-World: considerable differences to privacy and data protection enforcement in a globalized economy 15

16 RECENT DEVELOPMENTS (CONT D) GPEN (Global Privacy Enforcement Network) Initiative Discussions about the need for cross-border enforcement cooperation - Privacy has become a global issue APEC; WP 29; International Conference of Data Protection and Privacy Commissioners OECD Recommendation 2007 ( establishment of an informal network of Privacy Enforcement Authorities and other appropriate stakeholders ) Creation of GPEN Discussions in Fall 2009; March 2010 meetings (Paris) = official launch GPEN website launched on Sept. 21, GPEN s mission: Share information about enforcement issues, trends, experiences Participate in trainings Cooperate on outreach activities Facilitate effective cross-border privacy enforcement Engage in dialogue with relevant private sector organizations on privacy enforcement issues Does not create any new legally binding obligations among participants 16

17 Thank you Olivier Proust Associate, Hunton & Williams +32 (0) Visit 17