With a set of more than 50 recommendations for the improvement of practical cooperation between data protection authorities, a multi-national research consortium – led by Prof. Dr. Paul De Hert of Vrije Universiteit Brussel – concluded a four-year research initiative in the framework of two projects named “PHAEDRA”. These studies were commissioned and financially supported by the European Union.
“Personal data no longer stay within one country. They are constantly being exchanged between jurisdictions and this elevates risks for both individuals as well as public and private organisations. When something goes wrong – for example a data breach – the consequences are not only often serious, but also these consequences equally often occur in more than one country. Given the importance of information for contemporary economy and national security, an adequate response to tackle this challenge is therefore critically needed. It is a global standard in data protection law that dedicated supervisory authorities have been set up not only to sanction violations of this branch of law, but also to work to prevent these violations from happening. These authorities normally have been busy with matters concerning their own countries. As these days personal data transcend boundaries, these authorities now need to work together efficiently to achieve this double end” – said Prof. De Hert.
Background to the research initiative
PHAEDRA II research project, or “Improving Practical and Helpful co-operAtion betweEn Data pRotection Authorities II”, was conducted between January 2015 and January 2017 by a European research consortium comprising Trilateral Research Ltd. (United Kingdom), the Inspector-General for Personal Data Protection (GIODO; Polish data protection authority), Universitat Jaume I (Spain) and led by Vrije Universiteit Brussel (VUB) – Research Group on Law, Science, Technology and Society (LSTS) (Belgium). The main objective was to advise relevant supervisory authorities, regulators and other stakeholders on the improvement of practical cooperation between European data protection authorities (DPAs) in three main areas: ensuring consistency of cooperation, sharing information and coordination of enforcement actions. In a natural way, the research project took into account the work on the new legal framework for the protection of personal data in the European Union (EU) – i.e. predominantly the General Data Protection Regulation (GDPR) – and the challenges it presents for the cooperation between EU DPAs. In parallel, the consortium closely followed the process of “modernisation” of the Council of Europe’s “Convention 108”.
The PHAEDRA II project has been a logical continuation of a previous research project under the same name, run by the same consortium between January 2013 and January 2015. While its predecessor aimed at advising on the improvement of DPAs’ cooperation on a global scale, the second project focused on cooperation between DPAs solely within the EU. Both research projects were co-funded by the European Union under its Fundamental Rights and Citizenship Programme. In the project’s second phase, a dedicated advisory board, comprising six leading experts in data privacy law, supported all research activities.
“The two PHAEDRA projects have been very timely. They witnessed both the negotiations and the conclusion of the reform of the data protection legal framework in the European Union. This reform has put a great emphasis on cooperation of data protection authorities, making it obligatory. Therefore, the preparations to give full effect to the GDPR are currently the most important challenge for all EU DPAs. One of the tasks within this process is to develop some operational guidelines for DPAs, aimed at efficient use of cooperation mechanisms in practice. The PHAEDRA projects, from their very beginning, strived at being a support for EU DPAs in this regard and I observed with great satisfaction that data protection authorities in Europe had noticed the work of project’s partners. The documents of PHAEDRA II related to comparison of cooperation mechanisms from other areas of law were particularly useful for all of us. This constitutes a great value of this project” – said Dr. Edyta Bielak-Jomaa, Inspector-General for Personal Data Protection.
Over the course of four years, the PHAEDRA consortium interacted with the main stakeholders – mainly DPAs and regulators at international, European and national levels – in workshops and roundtables it organised itself and by partaking in multiple external events, such as the annual Computers, Privacy and Data Protection (CPDP) conference. In particular, the consortium liaised with multiple international forums concerned with the protection of privacy and personal data, such as the International Conference of Data Protection and Privacy Commissioners (ICDPPC), Asia-Pacific Economic Cooperation (APEC), Global Privacy Enforcement Network (GPEN), the Article 29 Working Party and the European Conference of Data Protection Authorities (“Spring Conference”).
In the second phase of the PHAEDRA project, the consortium interviewed senior officials of more than 20 European DPAs and informally interacted with many more. The PHAEDRA II researchers identified the existing best practices on cooperation between EU DPAs and subsequently conducted a first systematic analysis on the new provisions in the GDPR on such cooperation, only few months after the release of the text of the Regulation, and therein have identified both shortcomings and areas in need of further work. The researchers furthermore looked at cooperation in other areas of EU law – such as competition law or migration and border control – that have proven to be mature, efficient and successful enough and that could offer valuable input how to increase efficiency of cooperation between DPAs in the EU. Finally, the consortium ran a blog gathering short inputs on cooperation from leading experts in the field.
These research activities allowed the PHAEDRA consortium to picture the state-of-the-art of cooperation at both international and European levels, identify both weak points and best practices, and to gather stakeholder’s views on the ideal shape of such cooperation. This led to a set of more than 50 recommendations for the improvement of practical cooperation between DPAs.
The recently published final recommendations (14 January 2017) suggest optimal conditions for cooperation between DPAs within the EU in general terms as well as tackling three specific areas: complaints handling, the consistency mechanism under the newly enacted GDPR and information technology (IT) platforms for supporting cooperation.
“The majority of our recommendations are practical. They are about choosing a language to deal in cross-border case, or about necessary functionalities of a secure on-line platform to exchange the relevant information needed to cooperate” – said Dr. David Barnard-Wills, Senior Research Analyst at Trilateral Research Ltd.
In parallel, the PHAEDRA consortium built a repository of annotated leading documents and decisions on the protection of privacy and personal data with cross-border implications. The repository identified more than 110 such documents and cases in 18 out of 28 Member States of the European Union. In September 2015, the PHAEDRA consortium reached an agreement with the International Privacy Law Library (IPLL), coordinated by Prof. Dr. Graham Greenleaf of the University of New South Wales (Australia), to include the contents of PHAEDRA repository in the IPLL. The link offered by the Library provides a one-stop gateway to all of the databases specialising in data privacy law available on any of the Legal Information Institutes (LIIs) that are part of World Legal Information Institute (WorldLII).
“PHAEDRA II project had its own, small contribution to bettering the access to legal information” – said Prof. Dr. Cristina Pauner, Professor of Constitutional Law at Universitat Jaume I.
The PHAEDRA projects finished with diverse outputs. The consortium organised six workshops, three roundtables and a final conference concluding its first phase – gathering altogether more than 500 participants – and took part in almost a dozen external events. It printed one book, issued 16 reports (deliverables) and published eight scholarly articles, the majority of which are available under open access licences. The project’s website, together with its Twitter account, became a principal gateway to communicate with stakeholders. In the last quarter of the project lifetime, its website received on average more than 300 unique visits a month. (The consortium intends to keep on-line the archived website for a few more years.)
In its second phase, the PHAEDRA consortium turned to art to illustrate its output. Particularly, Alexandre Cabanel’s “Phèdre” (1880), used on the cover of a book printed after the PHAEDRA I final conference, was not only a clin d’oeil to the project’s acronym, but also an allegory of the future of data protection in which there was no cooperation between supervisory authorities. Subsequently, the majority of project’s reports bore on their covers pieces of art aiming at conveying a report’s main conclusion.
“Both PHAEDRA projects achieved notable successes. They first and foremost highlighted the importance of cooperation of supervisory authorities for the efficient protection of privacy and personal data, they diagnosed that the state-of-the-art of such cooperation does not live up to the expectations and eventually suggested very practical, and sometimes even technical, recommendations for improvement. The subject-matter of our research has proven to be vast and complex, and definitely such studies as ours need to be continued in the future” – concluded Prof. De Hert.
The output of both PHAEDRA projects is available at http://www.phaedra-project.eu.
press release [PDF 169 kb]
Brussels – London – Warsaw – Castellón de la Plana
9 February 2017