Post on 27-Mar-2015


Enforcement Powers of National Data Protection Authorities and Experience gained of the Data Protection Directive

Safe Harbour Conference, Washington, 16 October

Gary Davis, Deputy Data Protection Commissioner, Ireland

EU/EEA Directives

• Directive 95/46/EC Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data

• Directive 2002/58/EC Privacy and Electronic Communications

Presentation Outline

• Directive 95/46/EC Obligations

• Discretion to Member States

• National Differences

• Irish Case Study

• Issues

• International position

Directive 95/46/EC Obligations: Enforcement Obligations on Member States

• Article 22 - judicial remedy for individuals

• Article 23 - entitlement for person to receive compensation

• Article 24 – effective sanctions for breach of provisions

• Article 28 – Independent authority(s) in MS responsible for monitoring national provisions

• Article 27 – Codes of Conduct to be encouraged to contribute to implementation

Powers for authorities - Article 28

• Investigative Powers – access to data and to collect information

• Prior checking of processing

• Make decisions on complaints

• Ordering of blocking, erasure or destruction of data

• Power to initiate legal action

• Co-operation between supervisory authorities

Case Study - Role of the Irish DPA

• Ombudsman Role: resolution of disputes between data subjects and data controllers or processors

• Enforcer Role: compliance by data controllers & processors

• Educational Role: Promotes DP rights and good practice

• Registration Authority: obligation on major holders of personal data to be placed on public register

Powers of Irish DPA

• Information notice (section 12)

• Enforcement notice (section 10)

• Compliance Audits (section 10)

• Powers of entry and inspection (section 24)

• Decision on complaints (section 10)

• Codes of Practice (section 13)

• Refusal to register (section 17)

• Prohibition of non-EEA transfers (section 11)

• Prosecute Offences (section 30)

National Differences?

• Yes, within the margin for manoeuvre for implementation within the Directive

• All systems have the same objective of protecting the rights of individuals

• Varying approaches to complaints; in some cases, ability to levy sanctions or fines directly

• Interpretation of what constitutes personal data and sensitive personal data

• Power of entry and audit not uniform

• Prior checking required in some cases before certain categories of data can be processed

• Registration/Notification system varies widely

Issues

• Implementation respecting individual tradition of each MS causes difficulties for multi-jurisdictional entities.

• Is the focus on preventing breaches overly bureaucratic?

• Perhaps stronger powers to decide upon and deal with events after they happen also - Federal Trade Commission.

• Need for more consistency of interpretation across authorities

Harmonisation?

• Recent second European Commission Communication on implementation of Directive

• Infringement procedures by Commission planned to improve harmonisation

• Interpretative communications from the Commission on common provisions

• Enhanced focus of Article 29 Working Party in encouraging a harmonised approach to issues

Harmonisation?

• A29 Working Party has agreed on the principle of EU-wide, synchronized national enforcement actions, setting criteria to identify issues for investigations.

• March 2006: first joint investigation involving national Data Protection Authorities on the processing of personal data in the private health insurance sector. More to come.

• Small point - Data Protection Authorities need to be adequately resourced also

Improved enforcement - International Context

• OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy adopted on 12 June 2007

• APEC efforts also assisting in exchange of knowledge among authorities

• Many other formal and informal fora dealing with electronic communications and other issues

Thank You

• www.dataprotection.ie

• Contact: gdavis@dataprotection.ie