A consortium of four partners from Belgium, the UK, Spain and
Poland has initiated a new European project aimed at helping data protection
authorities (DPAs) around the world to improve the enforcement of privacy laws.
The two-year research project, called PHAEDRA, started in
January 2013 and is co-funded by the European Union under its Fundamental Rights
and Citizenship programme. PHAEDRA is the acronym for “Improving Practical and
Helpful cooperAtion bEtween Data PRotection Authorities”. The four partners
include Vrije Universiteit Brussel (Belgium), Trilateral Research &
Consulting (UK), Universitat Jaume I (Spain) and the Inspector General for
Personal Data Protection (GIODO), the Polish data protection
authority.
“In the spirit of the ombudsman idea, Member States of the EU
have established data protection authorities, who operate de facto privacy help
desks that support citizens confronted with privacy and data protection
problems, be it spam, identity theft or black lists stored in third countries
without data protection. These data protection authorities became a recognisable
feature of Europe’s Information Society helping, on a no-cost basis, citizens,
companies and state institutions with legal advice or using their administrative
and police powers to fight data protection abuses,” says Prof. Paul De Hert, the
PHAEDRA project co-ordinator from VUB.
“Every individual today is a battle ground,” says David
Wright, Managing Partner of Trilateral Research. “Governments, companies,
hackers and other evil-doers are trying to strip away citizens’ privacy. Our
principal, poorly-armed defenders are data protection authorities and privacy
commissioners.”
The recent rapid development of information and communications
technologies has resulted in an increase in cross-border flows of personal
data and, in parallel, in elevated privacy and data protection risks. This
requires an adequate response to tackle privacy and data protection breaches of
a cross-border nature, and hence calls for co-operation amongst DPAs. Such a
need was observed as early as the 2000s, and although some efforts have been
undertaken, it still remains one of the weakest links in privacy and data
protection governance. “In a globalised Internet world, enforcement co-operation
among DPAs is vital to ensure the real protection of personal data,” says Artemi
Rallo, former director of the Agencia Española de Protección de Datos and
professor at Universitat Jaume I.
However, many DPAs, when it comes to international
co-operation, face legal and institutional constraints as well as human and
budgetary shortages. Looking only at the European context, the Article 29
Working Party, which brings together DPAs from all 27 EU Member States,
identified a number of obstacles in one of its 2011 “advises” and concluded that
there is a need to develop rules on co-operation “in a more detailed and
specific way” and to “provide clarity on the extent to which information can be
shared between DPAs”, among others.
“Even the best-equipped data protection authorities cannot
meet all of the demands on their time,” adds Prof. Rallo. “To make matters worse,
several DPAs have sometimes investigated the same issue, as was the case with
Google Street View.” Recently, however, DPAs have been trying to avoid a
duplication of effort, so that one DPA investigates an issue and shares the
results with its fellow regulators. Such was the case when CNIL, the French data
protection authority, investigated, on behalf of the Art. 29 Working Party,
Google’s combining and integrating of its privacy policies across different
services.
The European Commission has recognised the need for improved
co-operation between DPAs. While the proposal for the General Data Protection
Regulation strengthens the mechanisms for co-operation between European DPAs,
its Article 45 is specifically focused on international co-operation. It says
the Commission and DPAs shall “develop effective co-operation mechanisms to
facilitate the enforcement of legislation for the protection of personal data”
and to “provide international mutual assistance in the enforcement of
legislation”.
“Worldwide flows of personal data and corresponding privacy
and data protection risks require an adequate global response in order to
effectively protect privacy of European citizens. Therefore, European DPAs
should not only focus on EU Member States, but also collaborate with countries
outside the EU to improve enforcement of data protection legislation against
multinational data controllers and others who violate data protection rights,”
says Dr. Wojciech Wiewiórowski, Inspector General for Personal Data Protection.
The first major initiative of the PHAEDRA project has been to
send a questionnaire to DPAs and privacy commissioners around the world aimed at
understanding their perceived needs for improved co-operation and co-ordination
and whether their empowering legislation encourages or constrains co-operation.
Second, the consortium will review the legislation establishing DPAs to identify
whether there are provisions that act as barriers or that inhibit international
co-operation and co-ordination and what measures could be taken to reduce such
barriers. Third, the PHAEDRA consortium will contact DPAs to determine how the
project could reinforce their efforts. The project will conclude with a set of
recommendations. The consortium intends to organise three workshops for
discussion of co-ordination efforts.
The PHAEDRA project follows several other international
initiatives aimed at improving co-operation and co-ordination between DPAs. In
2007, the OECD adopted a Recommendation on Cross-border Co-operation in the
Enforcement of Laws Protecting Privacy. The 29th International Conference of
Data Protection and Privacy Commissioners (ICDPPC) adopted a “Resolution on
International Co-operation” at its meeting in Montreal in 2007. In 2010, 11
privacy enforcement authorities launched the Global Privacy Enforcement Network
(GPEN) with a mission to “promote and support cooperation in cross-border
enforcement of laws protecting privacy”, primarily by exchanging information
between DPAs. The 33rd ICDPPC, held in Mexico City in 2011, adopted an even more
detailed Resolution, encouraging more effective co-ordination of cross-border
investigation and enforcement. The Article 29 Working Party also has on its
agenda enhancing enforcement and promoting international co-operation between
privacy authorities.