1.
Introduction ^
2.1.
International level ^
The Council of Europe was one of the first to express interest in co-operation in enforcing privacy and data protection laws. The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data is a binding instrument ratified by almost all CoE Member States and open for accession by non-member states (Art 23).1 A detailed framework for mutual assistance between the parties has been set forth in Arts 13-17, dealing with an obligation to furnish information (Art 13), at no fees except for costs incurred for experts and interpretation (Art 17), subject to conformity with domestic legislation [Art 13(3)(b)] and certain safeguards [Art 15]; grounds for refusal are limited, e.g. incompatibility of powers of DPAs (Art 16). Furthermore, Art 1(5) of the Additional Protocol2 stipulates that the supervisory authorities «shall co-operate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.»
It has been relatively recent that co-operation between DPAs has been raised as an issue by other international forums. In 2006, the Organization for Economic Cooperation and Development (OECD) issued a report on the cross-border enforcement of privacy laws, favouring continued information exchange and co-ordination between DPAs.3 Further, in 2007 OECD issued a recommendation on cross-border co-operation in the enforcement of privacy laws, calling at its member economies to «foster the establishment of an informal network […] to discuss the practical aspects of privacy law enforcement co-operation, share best practices […], work to develop shared enforcement priorities, and support joint enforcement initiatives and awareness raising campaigns.»4 In 2010 eleven privacy enforcement authorities launched the Global Privacy Enforcement Network (GPEN) with a mission to «promote and support cooperation in cross-border enforcement of laws protecting privacy», primarily by exchanging information between DPAs.5 The GPEN was later joined by 16 additional DPAs. OECD provides administrative support to GPEN.
Next, the International Conference of Data Protection and Privacy Commissioners (ICDPPC), an annual multi-stakeholder gathering for exchange of best practice and shaping policies, on a number of occasions called for increased international co-operation.6 Most importantly, the 33rd ICDPPC (2011) adopted a resolution urging DPAs to «share experience», «participate in the cross-border enforcement cooperation networks» and «use the cross-border enforcement cooperation tools already developed, and to enhance and supplement these tools as experience grows».7
On a bilateral level, in 2005 a memorandum of understanding was signed between the Spanish DPA and the US Federal Trade Commission on mutual enforcement assistance in commercial email matters.8 Similar arrangements have been established, among others, between Australia and New Zealand (2008)9 as well as between Germany and Canada (2012).10 Regional conferences,11 networks12 and associations often facilitate conclusion of such arrangements. All such arrangements usually deal with information sharing and joint investigations.
2.2.
Regional level ^
2.3.
Observations ^
3.1.
The reform of the EU data protection framework ^
In January 2012 the Commission proposed a reform of the EU data protection framework.24 With regard to enforcement, the proposal makes the reference to the WP29’s advice (cf. supra) and further notices that «experience has shown that the progressive increase in cross-border transfers and of data controllers operating across several Member States did not lead, by itself, to increased cooperation […]. The legal uncertainty caused by inconsistent – and sometimes contradictory – decisions taken by DPAs will therefore increase, as will related costs.»25
As a result, the reform devotes considerable attention to the need for co-operation between DPAs in order to ensure «consistent enforcement of data protection rules».26 In particular, the Commission aimed «to ensure stronger powers and adequate levels of resources [to DPAs] for enforcement and control» and to «develop binding cooperation procedures and effective mutual assistance between DPAs» (emphasis added).27 The draft Regulation foresees that such co-operation would have two dimensions: (1) regional, among the EU DPAs [Arts 52 and 55-72], and (2) international, with third countries» authorities [Art 45].
3.2.
The modernization of the Council of Europe ^
3.3.
Observations ^
4.1.
Introduction ^
Frameworks for co-operation in antitrust investigations may also vary. It may be based on purely informal contracts between the staff of the enforcement agencies. Informal co-operation is facilitated and structured by multilateral forums such as OECD (which promotes its soft laws in competition matters, including recommendations on international co-operation)30 or International Competition Network (ICN), an international forum devoted exclusively to competition policies. The European Competition Network (ECN), operating within the EU, is a unique form of tight and more formalized co-operation in the enforcement of competition law.31
4.2.
International ^
4.3.
European Competition Network (ECN) ^
4.4.
Recent projects relating to enforcement cooperation in competition law ^
Based on preliminary findings of the above-mentioned projects, one of the main obstacles to efficient co-operation is sharing information between agencies, especially if it concerns confidential or otherwise protected information. Informal co-operation has its limits: it does not allow for exchange of such information. Therefore, agencies need to resort to: (1) confidentiality waivers, where the provider of confidential information to one enforcement agency agrees to sharing it with another agency; (2) national legislation permitting exchange of information (yet it is rather rare),44 and (3) international agreements, such as mutual legal assistance treaties (MLAT),45 regional economic co-operation agreements,46 free trade agreements, including regional ones,47 or competition-specific co-operation agreements.48
5.
Concluding remarks ^
This paper is based on the research project PHAEDRA (Improving Practical and Helpful cooperAtion bEtween Data PRotection Authorities), co-funded by the European Union under its Fundamental Rights and Citizenship Programme. The contents are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Commission. This paper does not present the final position of the PHAEDRA research consortium.
Dariusz Kloza, Anna Mościbroda, Gertjan Boulet, Vrije Universiteit Brussel (VUB) – Research Group on Law, Science, Technology and Society (LSTS).
The authors would like to thank Urszula Góral, Paul De Hert and Auke Willems for their useful comments.
- 1 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg, 28 January 1981, ETS 108 (hereinafter: Convention 108).
- 2 Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows, Strasbourg, 8 November 2001, ETS 181.
- 3 OECD, Report on the cross-border enforcement of privacy laws, Paris, 2006, p. 22. http://www.oecd.org/internet/interneteconomy/37558845.pdf
- 4 OECD, Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, Paris, 2007 (hereinafter: the OECD Recommendation). http://www.oecd.org/internet/interneteconomy/38770483.pdf.
- 5 GPEN, Action Plan for the Global Privacy Enforcement Network (GPEN), 15 June 2012. http://www.privacy enforcement.net/public/activities
- 6 Among others, the 29th ICDPPC (2007) adopted the Resolution on International Co-operation. http://www.priv.gc.ca/information/conf2007/res_coop_01_e.pdf. The 31st ICDPPC (2009), in its resolution on Standards on the Protection of Personal Data and Privacy, set forth proposals co-operation and co-ordination (Art 24). http://www.privacyconference2009.org/media/Publicaciones/ common/estandares_resolucion_madrid_en.pdf. The 34th ICDPPC (2012) hosted a panel on cooperation tools among DPAs. http://privacyconference2012.org
- 7 ICDPPC, Resolution on Privacy Enforcement Co-ordination at the International Level, 2011/GA/RES/001, Mexico City, 1 November 2011. http://www.privacyconference2011.org/htmls/adoptedResolutions/2011_Mexico/2011 _GA_ RES_001_%20Intl_Priv_Enforc_ENG.pdf.
- 8 Federal Trade Commission, Memorandum of understanding on mutual enforcement assistance in commercial email matters between the Federal Trade Commission of the United States of America and the Agencia Espanola de Proteccion de Datos, 2005. http://www.ftc.gov/os/2005/02/050224memounderstanding.pdf.
- 9 Office of the Privacy Commissioner, Memorandum of Understanding between the Office of the Australian Privacy Commissioner and the Office of the New Zealand Privacy Commissioner, 28 August 2008. http://privacy.org.nz/assets/Files/Australia-New-Zealand-signed-Memorandum-of-Understanding-27-August-2008.pdf; Office of the Privacy Commissioner of Canada, Memorandum of Understanding between the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of Alberta, and the Office of the Information and Privacy Commissioner of British Columbia with respect to Co-operation and Collaboration in Private Sector Privacy Policy, Enforcement, and Public Education. http://www.priv.gc.ca/au-ans/mou_e.pdf.
- 10 The Federal Commissioner of Data Protection and Freedom of Information, German and Canadian data protection authorities establish a basis for enhanced cooperation, Bonn/Berlin, 15 October 2012, http://www.bfdi.bund.de/EN/PublicRelations/PressReleases/2012/21_ DCANEstablishABasisForEnhancedCooporation.html?nn=410156.
- 11 Russian Federal Service for Supervision of Communications, Information Technology and Mass Media, First conference on protection of personal data, 2010. http://www.rsoc.ru/personal-data/p450/p531.
- 12 Ibero-American Data Protection Network, http://www.redipd.org/documentacion/acuerdos_convenios/index-iden-idphp.php.
- 13 Privacy Act 1993. http://www.legislation.govt.nz/act/public/1993/0028/latest/DLM296639.html.
- 14 APEC, Cooperation Arrangement Cross-border Privacy Enforcement, 2010/SOM1/ECSG/DPS/013, 28 February 2010. http://aimp.apec.org/Documents/2010/ECSG/DPS1/10_ecsg_dps1_013.pdf.
- 15 Asia-Pacific Privacy Authorities (APPA). http://www.appaforum.org.
- 16 Ibero-American Data Protection Network (Red Iberoamericana de Protección de Datos; RIPD). http://www.redipd.org.
- 17 French-speaking Association of Personal Data Protection Authorities (Association francophone des autorités de protection des données personnelles; AFAPDP). http://www.afapdp.org
- 18 Conference of Central and Eastern Europe Personal Data Protection Authorities (CEEC). www.ceecprivacy.org.
- 19 Russian Federal Service for Supervision of Communications, Information Technology and Mass Media, Third conference on protection of personal data, 2012. http://www.pd-forum.ru.
- 20 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- 21 Art 29 Working Party, Advice paper on the practical implementation of the Article 28(6) of the Directive 95/46/EC, Brussels, 4 April 2011, pp. 10-11. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/others/2011_04_20_ letter_artwp_mme_le_bail_directive_9546ec_annex3_en.pdf.
- 22 E.g. the 33rd ICDPPC in its Resolution (cf. footnote NOTEREF _Ref221711498 \h 9) resolved to «encourage privacy enforcement authorities to assess their legal authority to share information and cooperate with their counterparts in relation to appropriate standards of best practice […] and, if necessary, discuss with their governments proposals to amend existing legislation to facilitate greater cooperation».
- 23 OECD, Report on the Cross-Border Enforcement of Privacy Laws, Paris, 2006, p. 3. http://www.oecd.org/internet/interneteconomy/37558845.pdf.
- 24 European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Brussels, 25 January 2012, COM(2012) 11 final (hereinafter: the Regulation).
- 25 European Commission, Impact Assessment [accompanying the proposal for the General Data Protection Regulation], Brussels, 25 January 2012, SEC(2012) 72 final, p. 36.
- 26 Idem, p. 41.
- 27 Idem, p. 43.
- 28 Council of Europe, Modernisation of Convention 108, Strasbourg, 29 November 2012, T-PD(2012)4Rev3_en.
- 29 Council of Europe, Modernisation of Convention 108: new proposals, Strasbourg, 27 April 2012, T-PD-BUR(2012)01Rev2_en, p. 6.
- 30 Cf. OECD, Recommendation of the Council concerning Cooperation between Member Countries on Anticompetitive Practices affecting International Trade, Paris, 25 July 1995 (hereinafter: OECD 1995 Recommendation); Recommendation of the Council on Merger Review, Paris, 23 March 2005; Best practices for the formal exchange of information between competition authorities in hard core cartel investigations, Paris, October 2005. http://www.oecd.org/daf/competition/recommendations.htm.
- 31 Cf. ICN, Cartels Working Group, Report on Cooperation Between Competition Agencies in Cartel Investigations, Office for Official Publications of the European Communities, Luxembourg, May 2007, http://www.internationalcompetitionnetwork.org/working-groups/current/cartel.aspx; OECD, Policy Roundtable Improving International Co-operation in Cartel Investigations, Paris, 30 November 2012. http://www.oecd.org/daf/competition/ImprovingInternationalCooperationIn CartelInvestigations2012.pdf.
- 32 ICN, Statement of Achievements 2001-2011, May 2011. http://www.internationalcompetitionnetwork.org/uploads/ library/doc757.pdf.
- 33 Secretarial support is provided by one of the member agencies.
- 34 ICN, International Competition Network – Operational Framework, 13 February 2012. http://www.international competitionnetwork.org/uploads/library/doc784.pdf.
- 35 Cf. http://www.internationalcompetitionnetwork.org/about.aspx.
- 36 Cf. ICN, Recommended Practices for Merger Notification and Review Procedures (2004); Anti-Cartel Enforcement Manual (2008-2012); Report on Trends and Developments in Cartel Enforcement (2010). http://www.internationalcompetitionnetwork.org/ Cf. also ICN, Advocacy and Implementation Network (AIN), 2012. http://www.internationalcompetitionnetwork.org/uploads/library/doc770.pdf.
- 37 Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty (hereinafter: Regulation 1/2003).
- 38 Such decentralised enforcement has been established under Regulation 1/2003. Previously, only the European Commission could grant the exemption from the prohibition of the anticompetitive agreements in cases the conditions for such exception laid down in Art 101(3) were fulfilled. All undertaking wishing to benefit from the exemption were obliged to notify their agreements to the Commission
- 39 NCAs and the Commission may reject the complaint and/or suspend the proceeding on the ground that other authority is dealing with the case. Art 13 of Regulation 1/2003.
- 40 In practice, a standardised information is shared via common case-management system. ICN, Cartels Working Group, Report on Cooperation Between Competition Agencies in Cartel Investigations, op. cit., p. 20.
- 41 Leniency refers to the immunity from fines offered to cartelist who denounces the cartel and submits evidence to a competition agency. To minimize the problems with different leniency standards and procedures, the ECN developed the ECN Model Leniency Programme (2006, revised 2012), aiming at further harmonization within the EU.
- 42 Between 2005-2007 the ICN Cartel Working Group ran a project on co-operation between competition agencies. ICN, Cartels Working Group, Report on Cooperation between Competition Agencies in Cartel Investigations, op. cit. In March 2011 the ICN held a roundtable on enforcement co-operation, later followed by the establishment of the International Enforcement Cooperation Project (June 2011). ICN Steering Group, International Enforcement Cooperation Project (Proposal), 2012. http://www.internationalcompetitionnetwork.org/uploads/library/doc794.pdf; OECD, on its part, held in February 2012 a Global Forum on Competition discussing improving international cooperation in cartel investigations. OECD, Global Forum on Competition, Policy Roundtable Improving International Co-operation in Cartel Investigations, op. cit. See also OECD, Global Forum on Competition, Improving International Co-operation in Cartel Investigations – Background Note, OECD, DAF/COMP/GF(2012)6, February 2012; OECD, Limitations and Constraints to International Co-operation, DAF/COMP/WP3(2012)8, October 2012.
- 43 OECD, Global Forum on Competition. http://www.oecd.org/competition/globalforum.
- 44 Such provisions have been identified for Germany, the US, Canada, Romania.
- 45 Although such treaties regulate mechanisms of co-operation in criminal matters, they might be relevant for antirust enforcement co-operation in cases were antirust infringement is also qualified as criminal offence under national laws. In the context of criminal proceedings, the resource could also be made to extradition treaties or letters rogatory (i.e. a formal request for co-operation by judiciary of one country to an other, often involving diplomatic co-operation).
- 46 These include, among others, MERCOSUR (Mercado Común del Cono Sur [Southern Common Market]), NATFA (North American Free Trade Agreement), UEMOA (Union économique et monétaire ouest-africaine [West African Economic and Monetary Union]).
- 47 Currently there seem to be in place 214 Regional Trade Agreements in force, of which 98 contain competition provisions. OECD, Global Forum on Competition, Policy Roundtable, Improving International Co-operation in Cartel Investigations, op. cit.
- 48 The latter often concluded on the basis of the OECD 1995 Recommendation.
- 49 OECD, Global Forum on Competition, Policy Roundtable, Improving International Co-operation in Cartel Investigations, op. cit., p. 29.
- 50 The parties to such agreements may not refuse to share information with the exception of cases when such assistance would not be permitted by law or be against the public interest. See ICN, Cartels Working Group, Report on Cooperation Between Competition Agencies in Cartel Investigations, op. cit.