A report on PHAEDRA II events


PHAEDRA II
IMPROVING PRACTICAL AND HELPFUL CO-OPERATION BETWEEN DATA PROTECTION AUTHORITIES II
phaedra-project.eu

A report on PHAEDRA II events
Deliverable D4.4
version 3 final

Jacek Saffell
Paweł Makowski

Brussels, London, Warsaw, Castellón
January 2017

A report prepared for the European Commission's Directorate-General for Justice and Consumers (DG JUST).

The PHAEDRA II (2015-2017) project is co-funded by the European Union under the Fundamental Rights and Citizenship Programme (JUST/2013/FRAC/AG/6068). The contents of this deliverable are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Commission.

Cover picture: Paweł Makowski, GIODO 2016.
Photos: GIODO, 2015-2016 (#1-#2); David Barnard-Wills, 2016 (#3).
Permanent link: http://www.phaedra-project.eu/wp-content/uploads/phaedra2_d44_final_20170117.pdf

Authors (name, partner):
Jacek Saffell, GIODO
Paweł Makowski, GIODO

Contributors (name, partner):
Cristina Pauner, UJI
David Barnard-Wills, TRI
Dariusz Kloza, VUB-LSTS

Internal Reviewers (name, partner):
Sophie Kwasny, Advisory Board

Institutional Members of the PHAEDRA II Consortium (member, role, website):
Vrije Universiteit Brussel (VUB), Research Group on Law, Science, Technology and Society (LSTS); Project Coordinator; vub.ac.be/lsts
Trilateral Research Ltd. (TRI); Partner; trilateralresearch.com
Biuro Generalnego Inspektora Ochrony Danych Osobowych (GIODO); Partner; giodo.gov.pl
Universidad Jaume I (UJI); Partner; uji.es

version #3 final
17 January 2017 13:15 CEST

Table of Contents

LIST OF ABBREVIATIONS
1 INTRODUCTION
  1.1 OPENING REMARKS AND METHODOLOGY
  1.2 BACKGROUND TO THE PHAEDRA AND PHAEDRA II PROJECTS
2 WORKSHOPS
  2.1 AMSTERDAM 2015
    2.1.1 Description
    2.1.2 Key issues addressed
  2.2 MARRAKESH 2016
    2.2.1 Description
    2.2.2 Key issues addressed
3 ROUNDTABLES
  3.1 BRUSSELS 2016
    3.1.1 Description
    3.1.2 Key issues addressed
  3.2 BUDAPEST 2016
    3.2.1 Description
    3.2.2 Key issues addressed
  3.3 BRUSSELS (II) 2016
    3.3.1 Description
    3.3.2 Key issues addressed
4 THIRD-PARTY EVENTS
  4.1 ART 29 WORKING PARTY MEETINGS
  4.2 OTHER EVENTS

List of abbreviations

ADR     alternative dispute resolution
CJEU    Court of Justice of the European Union
CFR     European Union Charter of Fundamental Rights
CoE     Council of Europe
DPA     Data Protection Authority
DPIA    Data protection impact assessment
EC      European Commission
ECHR    European Court of Human Rights
EDPB    European Data Protection Board
EDPS    European Data Protection Supervisor
ENISA   European Network and Information Security Agency
EU      European Union
GDPR    General Data Protection Regulation
GPEN    Global Privacy Enforcement Network
ICDPPC  International Conference of Data Protection and Privacy Commissioners
IT      information technology
MoU     Memorandum of understanding
PbD     Privacy by Design
PC      privacy commissioner
PEA     privacy enforcement agency
PIA     privacy impact assessment
PIL     private international law
WP29    Article 29 Data Protection Working Party

1 Introduction

1.1 Opening remarks and methodology

During the two years of the PHAEDRA II project (2015-2017), there have been several important meetings aimed at fulfilling PHAEDRA's goals, those being, among others, identifying and analysing obstacles (legal and non-legal) and areas of opportunity (improvement) as well as developing a set of recommendations for improving practical cooperation between European DPAs. As the work of the project has always been informed by a constant interaction with all European DPAs, two relevant public workshops were held, in which the project results were put at the disposal of European DPAs. However, equally important was the on-going dialogue between the project consortium and the EU DPAs, the European Commission and the European Data Protection Supervisor (EDPS) through three roundtables addressed solely to these stakeholders.

The present report offers a succinct overview of these five events. It elaborates on the goals of each of them and highlights the key issues addressed. These points are reproduced here in a quite raw form, i.e. as they were raised, and thus remain rather unedited, under the Chatham House Rule.[1] They are accurate and valid at the time of the event in question. This report is eventually meant to serve as a reference point for further research.

The agendas of each of these meetings as well as supporting material (e.g. presentation slides, if available) have been published on the PHAEDRA projects' website.[2] The website is intended to run beyond the conclusion of the PHAEDRA II project (i.e. 14 January 2017).

1.2 Background to the PHAEDRA and PHAEDRA II projects

The main goal of the PHAEDRA II project, or "Improving Practical and Helpful co-operation between Data protection Authorities II" (2015-2017), is to identify, develop and recommend measures for improving practical cooperation between European Union DPAs.

The PHAEDRA II project represents a natural continuation of an earlier project under the same name and builds on its results. The first PHAEDRA project (2013-2015) focused on cooperation and coordination mechanisms between DPAs, privacy commissioners (PCs) and privacy enforcement agencies (PEAs) ("supervisory authorities") around the world. It was aimed at adding value to, complementing and supporting the initiatives of these supervisory authorities to improve international cooperation and coordination among them. The project analysed the state of the art on the matter and, having interacted with supervisory authorities via interviews, surveys and workshops, advised policy-makers and supervisory authorities themselves how to improve their practical cooperation and coordination, in parallel raising awareness about the problem at stake.

The first PHAEDRA project concluded with two sets of recommendations:

1. Wright, David, David Barnard-Wills and Inga Kroener, Findings and recommendations, Deliverable D4, London 2015, 53 pp.[3]
2. Dariusz Kloza and Antonella Galetta, Towards efficient cooperation between supervisory authorities in the area of data privacy law, in: De Hert Paul, Dariusz Kloza and Paweł Makowski (eds.) Enforcing privacy: lessons from current implementations and perspectives for the future, Wydawnictwo Sejmowe, Warszawa, 2015, pp. 77-108.[4]

Whilst the first PHAEDRA project focused on supervisory authorities' cooperation on a global scale, the core interest of the second phase lay in the practical cooperation of European Union DPAs. PHAEDRA II was focused on the challenges for cooperation arising both from the reform of the EU data protection framework and from the EU framework in force. The project tackled three of the biggest challenges facing EU DPAs: ensuring consistency, sharing different types of information (including confidential or otherwise privileged information) and coordination and cooperation regarding enforcement actions.
[1] The Rule spells out: "When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed." Cf. https://www.chathamhouse.org/about/chatham-house-rule.
[2] Cf. http://www.phaedra-project.eu/events-and-workshops/.
[3] Cf. http://www.phaedra-project.eu/wp-content/uploads/findings-and-recommendations-18-jan-2015.pdf.
[4] Cf. http://www.phaedra-project.eu/wp-content/uploads/phaedra1_enforcing_privacy_final.pdf.

2 Workshops

2.1 Amsterdam 2015

Photo 1: Panel I at the first PHAEDRA II workshop (Amsterdam, the Netherlands, 27 October 2015). From the left: Piotr Drobek (GIODO), Wojciech R. Wiewiórowski (EDPS), Karolina Mojzesowicz (EC), Jacob Kohnstamm (Dutch DPA) and Paul De Hert (VUB).

2.1.1 Description

The first workshop, entitled "Cooperation between DPAs under the GDPR: prospects, practicalities and a to-do list", was held in Amsterdam, the Netherlands on 27 October 2015 in the framework of the 37th International Conference of Data Protection and Privacy Commissioners (ICDPPC). The goal of the first workshop, addressed to DPAs and selected policy-makers, was to present the first results of the project as well as to discuss several urgent issues concerning the new model of cooperation under the General Data Protection Regulation (GDPR), overcoming the barriers for efficient cooperation between DPAs and the upcoming agenda for data protection reform. The workshop consisted of the following panels:

Panel I: Are we ready for the new model of cooperation under the GDPR?
The purpose was to share views and thoughts regarding the then-pending trilogue on the GDPR, as well as to discuss the main issues arising from the GDPR provisions devoted to DPA cooperation, namely: the efficiency of the one-stop-shop mechanism, key roles for the future European Data Protection Board (EDPB) and the impact of national procedures on effective DPA cooperation.

Panel II: Costs, languages, human resources - how to overcome practical barriers for efficient cooperation between DPAs?
The conclusion of Deliverable D1 of the PHAEDRA II project, "Authorities' views on the impact of the data protection framework reform on their cooperation in the EU",[5] stated that most DPAs anticipated a significant, strong impact from the passing of the GDPR in general, and particularly for cooperation between European DPAs. Apart from these, linguistic and budgetary barriers still remain a key topic of discussion. Therefore, the panel focused on practical examples showing how to overcome those barriers, e.g. by presenting already developed improvement solutions for cooperation and introducing best practices from other fields of law.

Panel III: What would be on the reform agenda after 2015?
The final panel was devoted to the upcoming agenda for the data protection reform and conclusions resulting therefrom. How to prepare for the GDPR and when should certain steps be taken?

2.1.2 Key issues addressed

1) Shadows and lights of the GDPR. The majority of data protection professionals are quite enthusiastic with regard to the GDPR. Harmonised rules for the processing of personal data to avoid forum shopping, the consistency mechanism as a remedy for the lack of efficiency in handling transnational cases and reinforced competences of DPAs across the EU: all these legal facilities cannot be underestimated. On the other hand, the GDPR seems to be a huge challenge for DPAs, since a wide spectrum of issues is likely to be accompanied by practical and operational arrangements. The choice of an official language for cooperation purposes can serve as a great example here.

2) GDPR: an instrument directly binding, but demanding national legislative actions. There is a huge challenge for Member States: how does the GDPR affect national laws? The whole community of EU DPAs recognised the need to adapt their national law systems to the requirements of the GDPR and, since personal data protection rules touch upon several sectors and fields of law, the scale of this work is a challenge. Moreover, there is a need for greater cooperation between DPAs while adopting new procedural rules (including those regarding the functioning of national DPAs). With respect to the procedural autonomy of Member States, each EU country is expected to provide new procedural rules for DPAs that correspond to the new duties and powers of EU DPAs. To do so in a comprehensive way, DPAs should inform each other about developments in this matter.

3) Solidarity. How to achieve consistent application of the GDPR throughout Europe? Cooperation between DPAs based on solidarity can come to the rescue. The GDPR brings legal grounds for cooperation, but at the end of the day it seems that the success of this collaboration depends equally on the willingness to work for the common good, both jointly and separately. The principle of solidarity would minimise the risk of DPAs working at two speeds.

4) Soft elements. Cooperation between EU DPAs would not be grounded only on the GDPR and similar texts complementing the reform of the EU data protection framework. Some soft elements would constitute equally important grounds for cooperation, for example trust, solidarity among authorities (mentioned above), inter-personal relations as well as, as one of the panellists pointed out, emotions within the EDPB.

5) Role of the European Data Protection Board. A key point of discussion was the extent to which the EDPB, created as a legal entity by the GDPR, would be a functional organisation or simply a collective body of DPAs in a manner similar to the Article 29 Working Party (WP29). Similarly, the extent and frequency with which the Board is expected to act was also debated.

6) As of 2015, the Council of Europe awaits the conclusion of the EU reform of the data protection law to conclude its modernisation of Convention 108. It should be recalled that on European soil (and beyond) there is another pending reform of data protection law: that of the sole international legally binding instrument, Convention 108. Next to the GDPR and the Police and Judicial Cooperation Data Protection Directive in the EU, there has been, since 2010, a pending reform of Convention 108 at the Council of Europe (CoE). (As this instrument is open for accession to non-European countries, and already gathers some 50 countries, this reform transcends the European frontiers.) The CoE awaits the final text of these two instruments before concluding its own reform, notably to preserve the consistency of both frameworks. The Convention, by its nature, is an instrument at a greater level of generality than the very detailed and prescriptive GDPR. Thus it can require the same data protection goals to be achieved and at the same time it can avoid resorting to some concrete solutions that have proven to be controversial.

7) An action plan beyond the GDPR. As a concluding question, the panellists were asked what else, not mentioned earlier at the panel, needs to be done to conclude the reform of both European legal frameworks for personal data protection. The panellists mentioned the need to update the ePrivacy Directive and Regulation 45/2001 to live up to the GDPR standards.

[5] Barnard-Wills, David and David Wright, Authorities' views on the impact of the data protection framework reform on their co-operation in the EU, PHAEDRA II Deliverable D1: London-Brussels-Warsaw-Castellón, July 2015. http://www.phaedra-project.eu/wp-content/uploads/phaedra2_d1_20150720.pdf.

2.2 Marrakesh 2016

Photo 2: Panel I at the second PHAEDRA II workshop (Marrakesh, Morocco, 18 October 2016). From the left: Stephen Wong (DPA Hong Kong), Dariusz Kloza (VUB), Zuzana Zoláková (Slovakian DPA) and Florence Raynal (French DPA).

2.2.1 Description

18 October 2016 in Marrakesh brought about the second workshop: "In cooperation we (will) trust". The workshop used the successful formula of combining a PHAEDRA event with the ICDPPC. During the PHAEDRA II project meetings in 2015 and 2016, one particular issue gained special significance: the notion of trust. It was in the discussion on the grounds of DPAs' cooperation that the importance of trust appeared in each of the three scheduled panels:

Panel I: Legal rules for cooperation - limited power? Is the new legal framework enough to establish efficient cooperation?
The first panel was focused on the practical aspects of DPAs' cooperation. Participants tried to establish whether forms of soft regulation and practical agreements would benefit DPAs more. Examples from other fields of law (e.g. competition or consumer protection law) were given to bring new ideas while establishing cooperation between DPAs.

Panel II: Bases for cooperation - what options do we have? Searching for real commitment to cooperation
In the second panel, participants tackled the question of the bases and the options for cooperation that DPAs have in practice. How exactly can DPAs cooperate? What possibilities and tools will the GDPR grant them (one-stop-shop, mutual assistance, joint operations, etc.)? How to fully use the potential these mechanisms give? The question arises: does the GDPR allow DPAs to develop cooperation in other modes? If so, under what circumstances? Can we go beyond the GDPR while establishing cooperation and can we thus cooperate on the basis of some non-binding agreements? The panellists also considered the possibilities provided by Convention 108 with its own cooperation mechanisms.

Panel III: IT tools for enhanced cooperation - the power of technology. Building confidence in the quality of information
The third panel continued this practical trend by examining the IT tools available to support enhanced cooperation. When DPAs share information between themselves (sometimes confidential information), they have to be sure that it is dealt with in a trusted and safe way. In an attempt to develop DPAs' collaboration, information technology resources (such as specialized databases) may be highly beneficial in providing knowledge of other DPAs' decisions, comparative analysis of legislation, data privacy jurisprudence or international agreements, among other significant documents. This is why building a secure IT platform could be a milestone in developing efficient cooperation in general. This aligns with the call in the Resolution on International Enforcement Cooperation, adopted at the 38th Conference.[6] Following on from the conclusions of the 2016 annual International Enforcement Cooperation event, the resolution recommends exploring the feasibility of creating a database of each authority's legal powers to cooperate, evidence-gathering requirements, definitions of personal data and confidential data, which can help the Conference members to easily identify partner authorities in a case.

[6] Cf. https://icdppc.org/wp-content/uploads/2015/02/7._resolution_on_international_enforcement_cooperation.pdf.

2.2.2 Key issues addressed

9) Enforcement cooperation. A keynote presentation gave an overview of on-going efforts in enforcement cooperation and in particular of the Enforcement Cooperation Handbook presented by the ICO (UK DPA).[7] Significant progress has been made in recent years to enhance arrangements for cross-border enforcement cooperation. Several DPAs have already signed up as participants to the Global Cross-Border Enforcement Cooperation Arrangement (i.e. the Mauritius Arrangement),[8] which promotes a common understanding and approach to cooperation. This emphasises the importance DPAs attach to improving international cooperation. The Enforcement Cooperation Handbook takes a practical view as to how we can all better work internationally and it demonstrates that there are already several positive practical examples.

10) Learning by example. Whilst the GDPR sets out very precise rules for DPAs' cooperation, it seems, however, that in some circumstances the legal framework for cooperation needs to be accompanied by practical solutions. Are, therefore, some soft regulation or practical arrangements needed to facilitate this process and to build more and more trusted cooperation? As the PHAEDRA II project showed in its second deliverable,[9] examples from other fields of law (e.g. competition or consumer protection law) can also bring new ideas while establishing cooperation between DPAs. The discussion also covered existing forms of cooperation outside of the GDPR such as the International Conference itself, the Council of Europe's Convention 108 and the platform provided by its Committee, and the activities of the Baltic group of DPAs.

11) Semantics matter. The question posed in the title of the first panel, "is the new legal framework enough to establish efficient cooperation?", contains at least three notions that require further consideration: "new", "legal" and "efficient". The new framework is not the ultimate remedy for all data protection problems in the EU. This is not only because it would be out-dated in a decade or so, but also because there already exist sets of law in place (i.e. "old" laws) that can equally achieve data protection goals. Next, the legal framework does not exhaust the picture of the personal data protection framework. There exist, in Lessig's popular classification,[10] at least three other modalities of regulation that can produce desired goals: market forces ("we can pay DPAs to enforce privacy"), social norms ("tradition in my country obliges me to solve a privacy case, we've always been doing so") and architecture (code) ("we can lock DPAs in a room until they issue together an enforcement decision"). Finally, and it was repeated on many occasions throughout the lifetime of the PHAEDRA project, "efficient" is one step further than "effective". Effective produces results, but efficient production of these results involves the least waste of resources. All these three criteria cannot escape the attention of both the DPAs themselves and regulators while these stakeholders are trying to fill in the gaps.

12) IT tools necessary for efficient DPAs' cooperation. This aligns with the call in the Resolution on International Enforcement Cooperation adopted at the 38th International Conference.[11] The discussion on this topic built upon previous discussions to which PHAEDRA II had been a party, going into some detail on the required levels of interoperability, and highlighting other technological platforms and standards that could be suitable for the IT platform being developed by the EDPS.

[7] Cf. https://icdppc.org/wp-content/uploads/2015/03/enforcement-cooperation-handbook.pdf.
[8] Cf. http://www.privacyconference2014.org/media/16667/enforcement-cooperation-agreement-adopted.pdf.
[9] Galetta, Antonella, Dariusz Kloza and Paul De Hert, Cooperation among data privacy supervisory authorities by analogy: lessons from parallel European mechanisms, PHAEDRA II Deliverable D2.1: Brussels-London-Warsaw-Castellón, April 2016. http://www.phaedra-project.eu/wp-content/uploads/phaedra2_d21_final_20160416.pdf.
[10] Lawrence Lessig, Code and Other Laws of Cyberspace, Basic Books, New York 1999.
[11] Cf. supra, note 6.

3 Roundtables

3.1 Brussels 2016

3.1.1 Description

During the first roundtable, entitled "Cooperation of data protection authorities, inside and outside Europe", which took place in Brussels, Belgium on 28 January 2016 in the framework of the 9th Computers, Privacy and Data Protection (CPDP) Conference [12], further important issues were discussed. This roundtable was split into two parts.

The first discussed DPAs' views on the impact of the data protection framework reform on their cooperation in the EU. The PHAEDRA II project had interviewed European DPAs regarding: the main developments of the GDPR, including the consistency mechanism, the one-stop shop and the EDPB, and their impact on cooperation between European DPAs; challenges to cooperation and coordination between European DPAs; cooperation on enforcement; and the perspectives of the DPAs on the activities of the PHAEDRA II project. The resulting report [13] provided an overview of the perspectives of European DPAs at that key stage in the data protection reform process, and in particular of areas where further work was required, and identified issues that will need to be debated in more detail. Therefore, the first part summarized the findings of PHAEDRA II research thus far and moved on to deeper discussion of key outstanding areas, including the practical debate about the extent to which structure and formalisation are necessary or desirable for more effective cooperation and coordination between European DPAs, issues of language use and translation costs in cross-border cases, and the requirements for future tools and platforms.

The second part was devoted to the notion of cooperation of European DPAs with their counterparts from outside the EU in the reformed framework. Furthermore, two issues were raised during the roundtable. First, the participants discussed the issues arising from the invalidation of the Safe Harbour Agreement by the CJEU. Second, after the conclusion of the 37th ICDPPC (Amsterdam 2015), it became possible for DPAs to adhere to the Global Cross Border Enforcement Cooperation Arrangement, adopted at the 36th ICDPPC (Mauritius 2014). The said Arrangement, however, raises a number of practical problems worth debating, and these concern its legal nature and efficiency, among others.

The roundtable's aim was to contribute towards the PHAEDRA II project's recommendations and identification of best practice. The event was addressed to DPAs from the EU and worldwide, policymakers, privacy advocates and academics.

3.1.2 Key issues addressed

13) Global scene of DPAs' cooperation. During the event this aspect gained significant importance. Given the uncertainty of adequacy decisions (cf. the Safe Harbour case), legal obstacles in many EU countries to accessing the Global Cross-Border Enforcement Cooperation Arrangement and limited regulation of this aspect in the GDPR (a single provision, Article 50), the roundtable participants agreed on the need to establish informal practical fora of cooperation among DPAs all around the world, or to develop existing ones.

14) Language issues around EU DPA cooperation. The discussion related to the challenges of different linguistic requirements in mutual assistance, the fairness (or otherwise) of any resulting system, requirements of national laws, how costs are likely to fall upon DPAs, concerns around quality assurance of translated documents, the rights of data subjects to documentation in their own languages, and the potential for standardised forms and templates to assist with some language issues.

15) IT platforms and requirements. The discussion covered requirements for trusted electronic communication and potential benefits from shared platforms, the status of on-going EDPS work on platforms for the EDPB, the challenges of getting DPAs to use any given IT tool, and the differences between tools and platforms for collaboration and those for joint public communication.

[12] Cf. http://www.cpdpconferences.org.
[13] Barnard-Wills & Wright, Authorities' views, op. cit.

3.2 Budapest 2016

Photo 3: Participants at the second roundtable of the PHAEDRA II project (Budapest, Hungary, 25 May 2016).

3.2.1 Description

On 25 May 2016 the second roundtable was held, this time focusing on "Cooperation between DPAs under the GDPR: the issue of the diversity of national legal systems". This workshop took place just in advance of the Spring Conference of European DPAs, held in Budapest and hosted by the Hungarian DPA. This roundtable was also a joint meeting between the PHAEDRA II project partners and the Cooperation Sub-Group of the WP29. During the meeting in Budapest, the participants focused on the following issues:

Panel I - Criminal justice and police cooperation - national differences

The main question set forth during this panel was about practical instruments serving as examples for enhanced cooperation between DPAs. The panel focused on different levels of cooperation between DPAs. The most basic one is case-by-case cooperation. As was pointed out, once cooperation on a case-by-case basis is successful and there are sufficient common interests, it may be followed by a next level of cooperation: structural cooperation. This is the case in the EU, for instance within the WP29, where EU DPAs jointly work on large projects, such as the recent opinion on the Privacy Shield. Finally, a form of cooperation proposed by the GDPR was discussed: cooperation based on a truly common responsibility.

Panel II - The challenges of a consistent application. How level the playing field would be?

Since the DPAs currently play, and pursuant to the new regulatory framework will keep on playing, a key role in ensuring the uniform application of European data protection law, it seems obvious that the set of applicable rules, including both Union and Member State law, fundamentally affects DPAs' cooperation, in particular with regard to cross-border processing situations. One of the targets of the panel was to map the relevant provisions of the GDPR in order to define the room for manoeuvre national lawmakers may make use of when implementing the Regulation in their respective legal systems. In addition, the panel endeavoured to explore the potential impact of national data protection legal norms on the cooperation of DPAs.

3.2.2 Key issues addressed

16) Truly shared responsibility. As DPAs have more and more common interests, structural cooperation will, with the GDPR, have to develop into something more. DPAs should no longer think of cooperating with other DPAs but accept that they have a shared responsibility for the consistent application of the new Regulation. This will require more trust and will not be without obstacles.

17) Best practices for joint investigations and operations. Using experiences in criminal justice cooperation, as well as experiences from previous EU and extra-EU joint investigations, the panel participants discussed existing best practices and success factors in joint investigations, including in particular the importance of recognising strengths and weaknesses, and taking time to build working, sustainable relationships.

18) Human resources issues relating to international cooperation. The roundtable participants discussed the ways in which internal organisational structures had an impact upon international cooperation, including language skills of case-handling staff, maintaining personal contact networks and international cooperation expertise during staff changes.

19) Threats for consistent application of the GDPR. DPAs need to find a common interpretation of the Regulation, both for consistency and for improved relationships. In particular, what exactly will mutual assistance be? This needs to be sorted out before the Regulation enters into force, otherwise this could be counterproductive and inconsistent. The issue of administrative fines for the public sector was also raised, in the context of consistent application. Since the GDPR states that each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State, there is a crucial need for coordinated application of this provision in national law.

20) GDPR derogations might affect cooperation between DPAs. There are over 60 provisions where the GDPR provides the EU Member States' legislatures with certain room for manoeuvre to adopt or maintain national legislation. These pieces of legislation might affect cooperation of DPAs. DPAs should try to identify and discuss practical tools and techniques to facilitate future cooperation and enable them to apply the law together, such as developing cooperation tools, including formal (consistency, mutual assistance, joint operations) and informal mechanisms (workshops, symposia, etc.).

David Barnard-Wills provided a detailed account of the debate at the Budapest roundtable on the PHAEDRA II blog. [14]

3.3 Brussels (II) 2016

3.3.1 Description

Finally, on 13 December 2016 in Brussels, Belgium the third and final roundtable took place. After receiving confirmation from the Chairman of the WP29 that there would be time allocated for PHAEDRA during the second day of the WP29 plenary meeting, PHAEDRA representatives introduced the latest updates of the project (including the DPA Cooperation Scorecard) [15] and opened the floor for discussion. This integrated roundtable provided an opportunity to gather input on PHAEDRA's activity and to consult on its work within the representative group of DPAs attending the plenary meeting.

3.3.2 Key issues addressed

21) A key element of the presentation was the DPA Cooperation Scorecard, a visualisation aid that may be used as a metric for the efficiency of both regulation and practice. The scorecard identifies and evaluates existing and planned DPAs' cooperation networks against a set of efficiency criteria. The list of criteria, for the time being, was tentative. The meeting with DPAs was a great opportunity to put these criteria before DPAs and get some feedback from them.

4 Third-party events

4.1 Art 29 Working Party meetings

While preparing documents (guidelines, opinions, FAQs) of the WP29 regarding the GDPR, European DPAs recognised the need to examine in practice the cooperation mechanisms laid down in the GDPR. To this end, a set of practical workshops was held in Brussels on 31 August - 2 September 2016. Among the tested tools were:

- Imposing administrative fines: to reach a common understanding on the criteria which are relevant in the assessment of whether to impose an administrative fine and to create the foundation of a consistent practice to calculate the amount of fine to impose,
- Mutual assistance procedure: a relevant template was examined,
- Joint operations: to test case flow diagrams through various scenarios of joint operations,
- One-stop-shop mechanism: to test and improve the proposed procedure for cooperation between lead supervisory authority and concerned authority on draft decisions.

[14] Cf. http://www.phaedra-project.eu/phaedra-ii-second-round-table-event-at-the-spring-conference-of-european-dpas. Reproduced as Sect. 2.5 in: Pauner, Cristina and Jorge Viguri, A report on the PHAEDRA II blog, PHAEDRA II Deliverable D4.3: London-Brussels-Warsaw-Castellón, January 2017. http://www.phaedra-project.eu/wp-content/uploads/phaedra2_d43_final_20170113.pdf.
[15] Cf. Annex II in: Barnard-Wills, David, Vagelis Papakonstantinou, Cristina Pauner and José Díaz Lafuente, Recommendations for improving practical cooperation between European Data Protection Authorities, PHAEDRA II Deliverable D4.3: London-Brussels-Warsaw-Castellón, January 2017. http://www.phaedra-project.eu/wp-content/uploads/phaedra2_d41_final_20170114.pdf.

The PHAEDRA II consortium was invited to take part in these workshops and the representative of the consortium played an active role therein.

4.2 Other events

PHAEDRA II project consortium partners were also present at the following third-party events:

- David Barnard-Wills represented PHAEDRA II at a roundtable event, "The model of the completely independent DPAs: main tensions and usefulness in other domains", held on 5 February 2016 in the Law Faculty at the University of Amsterdam, the Netherlands. The roundtable compared and contrasted the actual practices of DPAs with the abstract requirements of EU law, and was attended by several representatives of the EDPS as well as academic and practitioner experts in European data protection law.

- 2015 European Conference of Data Protection Authorities [Spring Conference] in Manchester, England (UK), 18-20 May 2015, where Paul De Hert (VUB-LSTS) offered a presentation on "Ulrich Beck, mutual and societal trust in a globalised world".

- On 18 July 2016 in Seoul, Republic of Korea, during the Korea-EU Personal Data Protection Seminar, Dariusz Kloza (VUB-LSTS) presented on "The new European framework for cooperation between data protection authorities and its relevance to Korea's enforcement system".

- An internal seminar at the Office of Privacy Commissioner of New Zealand on 3 June 2016. Wellington was the venue of another presentation by Dariusz Kloza (VUB-LSTS), entitled "International cooperation of data privacy supervisory authorities: European and New Zealand perspectives". It was stated that in the reformed EU data privacy legal framework, there is only a single provision (Art 50 GDPR) dealing with cooperation of European data privacy supervisory authorities with their counterparts from other jurisdictions. (By contrast, intra-EU cooperation is provided with a lengthy and comprehensive procedure.) In parallel, the modernisation proposals for Convention 108 of the Council of Europe provide the possibility for the supervisory authorities from the Contracting Parties to form a network. These two developments open a path for genuine cooperation in making data privacy protection practical and effective. In this interactive talk, views were exchanged as to the future shape of cooperation of European authorities with the Office of Privacy Commissioner of New Zealand.

- Paul De Hert (VUB-LSTS) introduced "The Role of Regulatory Authorities in the Governance of Data Protection: Workshop series on the governance of privacy and data protection" at the Alexander von Humboldt Institute for Internet and Society (HIIG) in Berlin, Germany on 20 May 2016.

- Internationales Rechtsinformatik Symposion IRIS 2016: Networks/Netzwerke, held in Salzburg, Austria, 25-27 February 2016. Antonella Galetta and Dariusz Kloza (VUB-LSTS) presented "Cooperation among data privacy supervisory authorities by analogy: lessons from parallel European mechanisms".

- 8ème Conférence de l'Association francophone des autorités de protection des données personnelles (AFAPDP) in Brussels, Belgium, 25 June 2015. Antonella Galetta and Dariusz Kloza (VUB-LSTS) took part.