A consortium of four partners from Belgium, the UK, Spain and Poland has initiated a new European project aimed at helping data protection authorities (DPAs) around the world to improve the enforcement of privacy laws.
The two-year research project, called PHAEDRA, started in January 2013 and is co-funded by the European Union under its Fundamental Rights and Citizenship programme. PHAEDRA is the acronym for “Improving Practical and Helpful cooperAtion bEtween Data PRotection Authorities”. The four partners include Vrije Universiteit Brussel (Belgium), Trilateral Research & Consulting (UK), Universitat Jaume I (Spain) and the Inspector General for Personal Data Protection (GIODO), the Polish data protection authority.
“In the spirit of the ombudsman idea, Member States of the EU have established data protection authorities, who operate de facto privacy help desks that support citizens confronted with privacy and data protection problems, be it spam, identity theft or black lists stored in third countries without data protection. These data protection authorities became a recognisable feature of Europe’s Information Society helping, on a no-cost basis, citizens, companies and state institutions with legal advice or using their administrative and police powers to fight data protection abuses,” says Prof. Paul De Hert, the PHAEDRA project co-ordinator from VUB.
“Every individual today is a battleground,” observes David Wright, Managing Partner of Trilateral Research, adding: “Governments, companies, hackers and other evil-doers are trying to strip away citizens’ privacy. Our principal, poorly-armed defenders are data protection authorities and privacy commissioners.”
Recent rapid development of information and communications technologies have resulted in the increase of cross-border flows of personal data and, in parallel, in elevating privacy and data protection risks. This requires an adequate response to tackle privacy and data protection breaches of a cross-border nature, and hence calls for co-operation amongst DPAs. Such a need was observed as early as the 2000s, and although some efforts have been undertaken, it still remains one of the weakest links in privacy and data protection governance. “In a globalised Internet world, enforcement co-operation among DPAs is vital to ensure the real protection of personal data,” notes Artemi Rallo, former director of the Agencia Española de Protección de Datos and professor at Universitat Jaume I.
However, many DPAs, when it comes to international co-operation, face legal and institutional constraints as well as human and budgetary shortages. Looking only at the European context, the Article 29 Working Party, which brings together DPAs from all 27 EU Member States, in one of its 2011 “advises” has identified a number of obstacles and concluded that there is a need to develop rules on co-operation “in a more detailed and specific way” and to “provide clarity on the extent to which information can be shared between DPAs”, among others.
“Even the best-equipped data protection authorities cannot meet all of the demands on their time,” adds Prof. Rallo. “To make matters worse, several DPAs have sometimes investigated the same issue, as was the case with Google Street View.” Recently, however, DPAs have been trying to avoid a duplication of effort, so that one DPA investigates an issue and shares the results with his fellow regulators. Such was the case when CNIL, the French data protection authority, investigated on behalf of the Art. 29 Working Party Google’s combining and integrating its privacy policies across different services.
The European Commission has recognised the need for improved co-operation between DPAs. While the proposal for the General Data Protection Regulation strengthens the mechanisms for co-operation between European DPAs, its Article 45 is specifically focused on international co-operation. It says the Commission and DPAs shall “develop effective co-operation mechanisms to facilitate the enforcement of legislation for the protection of personal data” and to “provide international mutual assistance in the enforcement of legislation”.
“Worldwide flows of personal data and corresponding privacy and data protection risks require an adequate global response in order to effectively protect privacy of European citizens. Therefore, European DPAs should not only focus on EU Member States, but also collaborate with countries outside the EU to improve enforcement of data protection legislation against multinational data controllers and others who violate data protection rights,” declares Dr. Wojciech Wiewiórowski, Inspector General for Personal Data Protection.
The first major initiative of the PHAEDRA project has been to send a questionnaire to DPAs and privacy commissioners around the world aimed at understanding their perceived needs for improved co-operation and co-ordination and whether their empowering legislation encourages or constrains co-operation. Second, the consortium will review the legislation establishing DPAs to identify whether there are provisions that act as barriers or that inhibit international co-operation and co-ordination and what measures could be taken to reduce such barriers. Third, the PHAEDRA consortium will contact DPAs to determine how the project could reinforce their efforts. The project will conclude with a set of recommendations. The consortium intends to organise three workshops for discussion of co-ordination efforts.
The PHAEDRA project follows several other international initiatives aimed at improving co-operation and co-ordination between DPAs. In 2007, the OECD adopted a Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy. The 29th International Conference of Data Protection and Privacy Commissioners (ICDPPC) adopted a “Resolution on International Co-operation” at its meeting in Montreal in 2007. In 2010, 11 privacy enforcement authorities launched the Global Privacy Enforcement Network (GPEN) with a mission to “promote and support cooperation in cross-border enforcement of laws protecting privacy”, primarily by exchanging information between DPAs. The 33rd ICDPPC, held in Mexico City in 2011, adopted an even more detailed Resolution, encouraging more effective co-ordination of cross-border investigation and enforcement. The Article 29 Working Party also has on its agenda enhancing enforcement and promoting international co-operation between privacy authorities.
(Press release, Brussels, 20 February 2013). Further information will be available soon at http://www.phaedra-project.eu.