Jusletter IT

Recent rapid development of information and communications technologies have resulted in the increase of cross-border flows of personal data and, in parallel, in elevating privacy and data protection risks. This requires an adequate response allowing tackling privacy and data protection breaches of a cross-border nature, and hence calls for co-operation amongst data protection authorities (DPAs). Such a need was observed as early as the 2000s, and although some efforts have been undertaken, it still remains one of the weakest links in privacy and data protection governance.

It is desirable to look at the experience of co-operation in other areas of law. In this paper we attempt to see how the functioning of the co-operation networks in competition law provide insight for improving co-operation between DPAs, in particular in the field of enforcement.

We start with a brief overview of the status quo of the co-operation between DPAs (section 2). Then we look how the two proposed reforms of data protection frameworks, i.e. of the European Union (EU) and of the Council of Europe (CoE), address the need for co-operation (section 3). In section 4 we look at the co-operation within competition law, using the examples of International- and European Competition Networks (ICN; ECN). Finally, we attempt to draw the very first lessons on what the co-operation between DPAs can learn from its counterpart in competition law, paving the way for further research. Due to its limitations, in this paper we omit the question of data protection in police and judicial co-operation as well as jurisdictional issues.

The Council of Europe was one of the first to express interest in co-operation in enforcing privacy and data protection laws. The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data is a binding instrument ratified by almost all CoE Member States and open for accession by non-member states (Art 23).¹ A detailed framework for mutual assistance between the parties has been set forth in Arts 13-17, dealing with an obligation to furnish information (Art 13), at no fees except for costs incurred for experts and interpretation (Art 17), subject to conformity with domestic legislation [Art 13(3)(b)] and certain safeguards [Art 15]; grounds for refusal are limited, e.g. incompatibility of powers of DPAs (Art 16). Furthermore, Art 1(5) of the Additional Protocol² stipulates that the supervisory authorities «shall co-operate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.»

It has been relatively recent that co-operation between DPAs has been raised as an issue by other international forums. In 2006, the Organization for Economic Cooperation and Development (OECD) issued a report on the cross-border enforcement of privacy laws, favouring continued information exchange and co-ordination between DPAs.³ Further, in 2007 OECD issued a recommendation on cross-border co-operation in the enforcement of privacy laws, calling at its member economies to «foster the establishment of an informal network […] to discuss the practical aspects of privacy law enforcement co-operation, share best practices […], work to develop shared enforcement priorities, and support joint enforcement initiatives and awareness raising campaigns.»⁴ In 2010 eleven privacy enforcement authorities launched the Global Privacy Enforcement Network (GPEN) with a mission to «promote and support cooperation in cross-border enforcement of laws protecting privacy», primarily by exchanging information between DPAs.⁵ The GPEN was later joined by 16 additional DPAs. OECD provides administrative support to GPEN.

Next, the International Conference of Data Protection and Privacy Commissioners (ICDPPC), an annual multi-stakeholder gathering for exchange of best practice and shaping policies, on a number of occasions called for increased international co-operation.⁶ Most importantly, the 33^rd ICDPPC (2011) adopted a resolution urging DPAs to «share experience», «participate in the cross-border enforcement cooperation networks» and «use the cross-border enforcement cooperation tools already developed, and to enhance and supplement these tools as experience grows».⁷

On a bilateral level, in 2005 a memorandum of understanding was signed between the Spanish DPA and the US Federal Trade Commission on mutual enforcement assistance in commercial email matters.⁸ Similar arrangements have been established, among others, between Australia and New Zealand (2008)⁹ as well as between Germany and Canada (2012).¹⁰ Regional conferences,¹¹ networks¹² and associations often facilitate conclusion of such arrangements. All such arrangements usually deal with information sharing and joint investigations.

It is worth to mention that the 2010 amendment to the New Zealand’s Privacy Act 1993 added provisions on the «referral of complaint to overseas privacy enforcement authorities», in case the complaint relates to a matter that is more properly within the latter’s jurisdiction (Sec 72C).¹³

On a regional level, first, in the framework of the Asia-Pacific Economic Cooperation (APEC), the Cross-border Privacy Enforcement Arrangement (CPEA; 2010) encourages, on a voluntary basis (§§ 6.1), information sharing among DPAs both in and outside the APEC economies (§§ 9.4-9.5). The agreement offers extensive co-operation mechanisms dealing with, among others, an obligation to assist (§9.1), prioritisation (§ 9.2), a procedure to follow (§§ 9.6-9.12), protection of confidential information (§ 10) and contact point designation (§ 11).¹⁴

Second, several platforms have been established for exchange and co-operation, such as the Asia-Pacific Privacy Authorities (APPA),¹⁵ the Ibero-American Data Protection Network (RIPD),¹⁶ the French-speaking Association of Personal Data Protection Authorities (AFAPDP),¹⁷ the Central and Eastern European Data Protection Authorities (CEEC)¹⁸ as well as an annual conference gathering authorities from the majority of ex-USSR countries.¹⁹

Third, within the EU, the only provision on co-operation is found in Art 28(6) of the Directive 95/46/EC requiring the supervisory authorities to «cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.’²⁰ This very general provision was subject to scrutiny of the Art 29 Working Party (WP29) who has identified a number of obstacles in its practical application. WP29 has pointed out that in the new data protection framework such provisions should be developed «in a more detailed and specific way», especially rules for practical cooperation («such as time limits or translation of documents») and – what is of crucial importance – rules for the exchange of information («duty to inform each other»). There is a need to «provide clarity on the extent to which information can be shared between DPAs»;²¹ the question of information sharing is essential and has been already posed several times on various forums.²²

It seems that the states and DPAs have already acknowledged the need for a closer co-operation in enforcing privacy and data protection laws. To that end, a patchwork of formal and informal arrangements on various levels has been developed to facilitate such co-operation.²³ However, the example of shortcomings identified by WP29 and similar forums proves that still more work is needed to ensure efficient co-operation (e.g. specific rules on information sharing). In the following section we will look how the two proposed reforms of data protection frameworks, i.e. of the EU and of the CoE, address the need for co-operation.

In January 2012 the Commission proposed a reform of the EU data protection framework.²⁴ With regard to enforcement, the proposal makes the reference to the WP29’s advice (cf. supra) and further notices that «experience has shown that the progressive increase in cross-border transfers and of data controllers operating across several Member States did not lead, by itself, to increased cooperation […]. The legal uncertainty caused by inconsistent – and sometimes contradictory – decisions taken by DPAs will therefore increase, as will related costs.»²⁵

As a result, the reform devotes considerable attention to the need for co-operation between DPAs in order to ensure «consistent enforcement of data protection rules».²⁶ In particular, the Commission aimed «to ensure stronger powers and adequate levels of resources [to DPAs] for enforcement and control» and to «develop binding cooperation procedures and effective mutual assistance between DPAs» (emphasis added).²⁷ The draft Regulation foresees that such co-operation would have two dimensions: (1) regional, among the EU DPAs [Arts 52 and 55-72], and (2) international, with third countries» authorities [Art 45].

First, with regard to co-operation within the EU, the proposed Regulation strengthens the obligations and powers of DPAs. Among their duties, the DPAs shall «share information with and provide mutual assistance to other supervisory authorities» [Art 52(1)(c)] and shall «conduct investigations […] on request of another supervisory authority» [Art 52(1)(d)]. They would be empowered to advise, upon request, «any data subject […] and, if appropriate, co-operate with the supervisory authorities in other Member States to this end» [Art 52(3)]. DPAs should be provided with sufficient resources (human, technical and financial) to perform their tasks, including those to be carried out in context of international co-operation [Art 47(5)].

The Regulation further specifies binding modalities of co-operation. First, Art 55 (mutual assistance) imposes an obligation to respond, by providing, free of charge, relevant information and assistance, to a request from another DPA without delay; grounds for refusal are limited. Second, Art 56 provides for joint operations (e.g. joint investigative tasks), including a right of relevant DPAs to participate therein. Third, Art 57 introduces a detailed procedure (consistency mechanism) to ensure co-ordination among the various DPAs involved and to consult each other before adopting a measure. Finally, Art 64 reincarnates WP29 into the European Data Protection Board.

Second, when it comes to international co-operation, the proposal acknowledges its importance but does not go into further detail. Art 45 only states that the Commission and DPAs should take appropriate steps to, inter alia, «develop effective international co-operation mechanisms to facilitate the enforcement» and – to that end – «provide international mutual assistance», favouring those jurisdictions offering an adequate level of protection.

The current wording of the Convention 108 and the Additional Protocol thereto already provide for mutual assistance (Arts 13-17). The proposed modernisation only strengthens these provisions. To the existing rules on «exchanging useful information» [Art 1(5)], the modernization adds «coordinating […] investigation or interventions or conducting joint actions» as well as «providing information on […] law and administrative practice relating to data protection» [Art 12bis(7)(b)-(c)]. Next, the Convention Committee, an advisory body composed of representatives of all parties, would be obliged to «facilitate, where necessary, the friendly settlement of all difficulties related to the application of [the] Convention» [Art 19(i)]. Last but not least, the DPAs, in order to organize their co-operation and to perform their duties, should «form a conference/network» [Art 12bis(8)].²⁸

If adopted, and if in the current reading, the proposed Regulation would introduce mechanisms for a regional co-operation among the DPAs within the EU. Such co-operation would be based on a single and uniform set of substantive rules imposing certain modalities for co-operation, aiming at ensuring consistency. This would be an essential development in comparison with the current state-of-the-art, i.e. Art 28(6) of the Directive. However, the proposal is not precise as regards the co-operation with third countries» authorities as well as international organizations: only «appropriate steps» to «develop» should be undertaken. Some clue to the shape of such co-operation might come from the explanatory note to the proposal where the Commission explicitly stated that such international co-operation should take into account the OECD Recommendation (cf. supra).

The Council of Europe’s Convention 108 already provides for certain modalities of international co-operation. While its modernization, in the current reading, foresees no major changes with regard to the mutual assistance,²⁹ the revised Convention would offer certain novelties, like co-ordination of investigations. Notably, the proposed modernisation foresees the creation of a «conference/network» to «organize co-operation» of DPAs. Thanks to the fact that the Convention is open for accession to non-Member States of the Council of Europe as well as international organizations, the revision of the Convention would offer a possibility of global co-operation, based on a set of harmonised, yet not unified, substantive rules.

While these proposals would improve co-operation, we observe that a few issues, such as the question of sharing confidential information, are still not addressed. Assuming that it is likely that both DPAs and competition authorities would face similar obstacles, we now turn to competition law to see how the question of co-operation is addressed therein.

As in the fields of privacy and data protection, growing globalization increased the likelihood of cross-border competition cases. Thus, there is a risk of inconsistent outcomes for cases dealt concurrently across different jurisdictions or the risk of the under-enforcement (e.g. due to inability to deal with cross-border cases by one jurisdiction only). All these called for the international co-operation in the competition field.

Co-operation between antitrust enforcement agencies may take different forms: from general discussions on the points of law and co-ordination of the procedural or investigatory measures (e.g. co-ordination of simultaneous inspections) to assistance in evidence gathering (e.g. making inspection or interviewing the witness on behalf of other agency). Such co-operation will often require exchange of information between agencies.

Frameworks for co-operation in antitrust investigations may also vary. It may be based on purely informal contracts between the staff of the enforcement agencies. Informal co-operation is facilitated and structured by multilateral forums such as OECD (which promotes its soft laws in competition matters, including recommendations on international co-operation)³⁰ or International Competition Network (ICN), an international forum devoted exclusively to competition policies. The European Competition Network (ECN), operating within the EU, is a unique form of tight and more formalized co-operation in the enforcement of competition law.³¹

In 2001, sixteen competition agencies established the International Competition Network (ICN). Today, the ICN is the most extensive network of competition authorities worldwide, with 114 member agencies from 100 jurisdictions (2011).³² The ICN is an informal and voluntary network of national or multinational antitrust agencies. While being largely a virtual network (no premises, or secretariat),³³ it remains structured: overseen by the Steering Group of elected members, the majority of its work is undertaken within Working Groups, discussed and approved on the broader platform of an annual conference. Its work is project-oriented and consensus-based.³⁴

The ICN aims to promote convergence of competition laws and practices across the world, to disseminate expertise and best practices, and seeks to facilitate co-operation between enforcement agencies.³⁵ To this effect, the ICN compares antitrust legislations (recording its results in e.g. charts); hosts thematic workshops; issues non-binding recommendations and best practices, both on substantive and procedural issues; produces case-handling and enforcement manuals, reports, toolkits,³⁶ and templates (e.g. a model waiver of confidentiality).

The ICN is a valuable, practice-oriented forum, regarded as particularly successful for sharing knowledge and best practices. Its informal character prevents the «minimum» harmonization approach and enables looking for optimal solutions, which then can be propagated. At the same time, it is purely voluntary with no binding output. The ICN itself is not a forum to co-operate on cases, however practical aspects of enforcement co-operation are at the core of its interests. Above all, it provides a forum for regular contacts between the agencies» staff.

The European Competition Network (ECN) is a forum for co-operation of European competition authorities in the application of the EU competition law. Established in 2004 under Regulation 1/2003,³⁷ the ECN consists of the Commission and Member States» National Competition Authorities (NCAs). Both the Commission and NCAs are equally empowered and obliged to apply Arts 101 and 102 of the Treaty on the Functioning of the EU (TFEU) in full.³⁸ The provisions are typically applicable to cross-border cases and thus a mechanism of allocation of cases between the ECN members was needed, enabling the best-placed agency to deal with the case and discharging other agencies from the obligation to act.³⁹ However, a parallel investigation by more than one agency of the same conduct is not entirely precluded.

It was therefore necessary to ensure that competition authorities avoid contradictory decisions and apply the EU competition law in a consistent manner, ensuring the coherent development of the competition law and policy. To this effect, Regulation 1/2003 provides for the mechanisms of consultation and assistance amongst the ECN authorities, in particular by the obligation imposed on an NCA to inform the Commission on the envisaged decision based on the EU competition law no later than 30 days before its adoption, thus giving the Commission the possibility to make observations on a draft decision. In turn, the Commission consults the Advisory Committee, composed of the representatives of NCAs, before using enforcement tools [Arts 11 and 14]. Regulation 1/2003 also confirms that Commission’s decisions take precedence over those of NCAs, as well as obliges NCAs to stay their proceeding should the Commission decide to act on the case [Arts 16 and 11(6)].

Another objective of the ECN is an efficient division of work between participating NCAs and overall effective enforcement of the EU competition law. Regulation 1/2003 allows for the co-operation and assistance between the authorities as regards the evidence-gathering and information exchange, in particular by: (1) exchange of information on the initiation of the investigations (obligatory),⁴⁰ (2) exchange of information, including confidential information, which may be shared without the consent of the parties concerned; such information may be used as evidence (subject to some guarantees, e.g. limiting their use in criminal proceeding) [Art 12], (3) assistance in inspections: the Commission is obliged to inform an NCA on planed inspection in its jurisdiction; on the other hand, an NCA is obliged to assist the Commission and the latter may also request an NCA to carry out inspection on its behalf [Art 22(2)], and (4) an NCA may assist another NCA and undertake on its behalf fact-finding measures (e.g. inspections and interviews) [Art 22(1)].

The ECN is an example of co-operation between NCAs based on a clear legal basis and allowing closer co-operation (including exchange of confidential information) than traditional international instruments. For that reason it became the reference point for co-operation in antitrust enforcement. The co-operation within the ECN applies only to the enforcement of the EU competition law and is largely driven by the need to ensure consistency of a unified framework. Still, the ECN co-operation faces certain impediments, such as those connected with the administrative burden of co-operation (e.g. language issues and related costs). Also, remaining differences between the Member States as regards leniency programs⁴¹ or differences as regards criminal liability for antirust infringement may render the exchange of information more complex and subject to certain additional safeguards.

In recent years both the ICN and OECD looked more closely and methodically into the issues of enforcement co-operation between agencies, and conducted several project related thereto.⁴² These projects looked at the available instruments for international enforcement co-operation (such as treaties dealing with enforcement issues), aimed at identifying remaining obstacles and, ultimately, proposing recommendations for closer co-operation. Currently, the ICN and OECD run common surveys on related issues. The next OECD Global Forum on Competition will present its results.⁴³

Based on preliminary findings of the above-mentioned projects, one of the main obstacles to efficient co-operation is sharing information between agencies, especially if it concerns confidential or otherwise protected information. Informal co-operation has its limits: it does not allow for exchange of such information. Therefore, agencies need to resort to: (1) confidentiality waivers, where the provider of confidential information to one enforcement agency agrees to sharing it with another agency; (2) national legislation permitting exchange of information (yet it is rather rare),⁴⁴ and (3) international agreements, such as mutual legal assistance treaties (MLAT),⁴⁵ regional economic co-operation agreements,⁴⁶ free trade agreements, including regional ones,⁴⁷ or competition-specific co-operation agreements.⁴⁸

All those solutions have their limits: confidentiality wavers are subject to the will of the parties, and are mostly used in cases where the parties have interests to share and facilitate co-operation between various jurisdictions (e.g. in a merger review). As regards MLATs, these agreements are usually restricted to co-operation in criminal investigations and require the underlying offence to be a crime in at least the requesting country or in both (i.e. requesting and requested jurisdictions). However, in most countries competition infringement are not criminal offences, which may impede the applicability of MLATs.⁴⁹ Competition policy might also be excluded from the scope of a MLAT. Finally, competition-specific co-operation agreements are becoming more frequent, but it is still far from being a universal solution. More importantly, they often include a clause allowing an agency to decline to communicate information if national confidentiality provisions protect it. The so-called «second generation» agreements allow for exchange of confidential information, however those agreements remain rare.⁵⁰ The ECN (cf. supra) remain a unique example of co-operation where exchange of confidential information has been to large extent resolved.

There are also other factors that might impede exchange of confidential information, including limits on admissibility as evidence of exchanged information and lack of transparency on the scope of protection of confidential information in different agencies. Also, problems are caused by different understandings of what confidential and/or privileged information is. Such ambiguity also affects what can be shared informally. Trust (personal, institutional) also plays a major role.

Amongst other factors affecting international enforcement co-operation, usually mentioned are: (1) differences in timetables and investigation procedures generally; (2) lack of systematic notification/ information on cases in other jurisdictions; (3) complexity and duration of formal cooperation mechanisms; (4) little available written guidance on co-operation; (5) limits to agencies» resources to devote to international enforcement co-operation; and (6) linguistic concerns and time zone differences.

There are certain similarities between enforcement of privacy and data protection laws and competition law. In both, certain basics already exist. In this regard, various formal and informal arrangements, of various geographical reach (i.e. international, regional and bilateral), coexist. In both fields, the convergence of legal frameworks facilitates co-operation, and vice versa. When it comes to trans-border cases, DPAs and competition authorities have comparable needs: in both situations, efficient enforcement requires closer co-operation between authorities, such as assistance in evidence gathering and exchange of case-related information. It is also likely they would face similar obstacles. It would thus be advisable to examine the obstacles identified in the context of competition law enforcement and ways the competition authorities tackle them.

Let us draw the preliminary conclusions. First, co-operation in competition law enforcement takes a very practice-oriented approach. For example, the ICN – being a global, informal yet structured forum for exchange of best practice and shaping policies – pays a lot of attention to the creation of manuals for co-operation, templates, reports, toolkits, thematic workshops, etc. The existing international DPAs forums could follow that example more closely.

Second, we have noticed that (legal) limits in sharing confidential information constitute a serious obstacle in efficient enforcement in competition law, but also in data protection law. The antitrust agencies have found certain solutions, such as waivers based on consent to share information, relevant provisions in national laws unilaterally allowing transmitting information, and – finally – relevant provisions in international agreements; these solutions still have their own limits (cf. supra). Nevertheless, again, the co-operation between DPAs could be inspired by the best elements of these solutions.

Third, in the EU, the enforcement of competition law takes place within the ECN which is a framework encompassing a detailed set of mandatory rules (dealing with e.g. notification and allocation of cases as well as sharing of confidential information) and ensuring consistent application of the EU competition law. The ECN is usually given as a model for co-operation in competition context and it could equally provide inspiration for efficient enforcement co-operation between DPAs.

In addition, we observe that competition law has chosen informal mechanisms for sharing experience and shaping policies and more formal ones for the purposes of enforcement, and in particular for sharing confidential information. Experience in co-operation in competition law also teaches that trust and good communication play a crucial role.

 

---

 

This paper is based on the research project PHAEDRA (Improving Practical and Helpful cooperAtion bEtween Data PRotection Authorities), co-funded by the European Union under its Fundamental Rights and Citizenship Programme. The contents are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Commission. This paper does not present the final position of the PHAEDRA research consortium.

 

Dariusz Kloza, Anna Mościbroda, Gertjan Boulet, Vrije Universiteit Brussel (VUB) – Research Group on Law, Science, Technology and Society (LSTS).

 

The authors would like to thank Urszula Góral, Paul De Hert and Auke Willems for their useful comments.

 

---