Jusletter IT

There is a critical need to improve the functioning of cross-border cooperation of supervisory authorities in the area of data privacy law (hereinafter: cooperation). Privacy violations in the present-day globalised and digitalised world often do not stop at the borders of a single jurisdiction. Consequently, these authorities more often need to work together closely: both to sanction such violations, should they occur and to develop policies and practices to minimise the risk of such violations occurring.

This necessity to improve the functioning of such cooperation has to do with its contemporary inefficiency. Nowadays cooperation faces numerous barriers and obstacles, both of legal (e.g. capacity, procedures, sharing information) and practical nature (e.g. resources, technical tools, languages, sharing costs), thus rendering it ineffective at best and at worst impossible. Building on the analysis of these impediments, in our previous works (Kloza & Galetta 2015) we have argued for efficient cooperation – i.e. «functioning or producing effectively and with the least waste of effort» – as in many Western liberal democracies there are fundamental rights at stake. And these rights need to enjoy «practical and effective» protection, to which efficient cooperation contributes.

We have subsequently offered recommendations for improving its efficiency and one of them was to look comparatively at parallel cooperation mechanisms as these might prove instructive. We have observed there exist other cooperation mechanisms that – having had faced similar barriers and obstacles much earlier – have eventually reached relative maturity, efficiency and success (Kloza & Mościbroda 2014). Tasked by a European research project,¹ we have therefore looked at numerous cooperation mechanisms in the laws and policies of the EU in order to identify best practices from these that could possibly be adapted to the needs and reality of EU data privacy law.

This exercise has resulted in the selection of twelve lessons drawn from areas ranging from border control to competition law and consumer protection to private international law and criminal law. Yet here we have not sought to be exhaustive. The said variety is an outcome of our selective reading of legal instruments and academic literature and of subsequent «cherry picking» those elements that we would find simply useful for improving the efficiency of cooperation.

One might argue that the arrival of the General Data Protection Regulation (GDPR) – the text of which has been agreed in December 2015 but not yet passed into law – would render our exercise belated. We argue quite on the contrary. While the GDPR would bring some significant yet sometimes controversial improvements – such as the mere obligation to cooperate, one-stop-shop and mechanisms for consistent decision making – it would also leave a number of open questions, pertaining predominantly to the practical aspects of cooperation, to be answered during the vacatio legis. Both these controversies and issues left open make our comparative exercise still timely. Therefore our lessons are split into two categories, i.e. «existential», attempting to reply to some controversies of the GDPR, and «practical», attempting to answer some of the questions this instrument leaves open.

1. Cooperation should be based on the presumption of the equal value, competence and standing of each supervisory authority and of the legal system in its jurisdiction and thus on the principle of mutual trust.
   
   We have observed that mutual trust in the administration of justice in the Member States is pivotal to the functioning of EU private international law (PIL). As early as 1968, such trust has enabled automatic recognition of judgments given in other Member States «without any special procedure being required». Some 40 years later, in 2012, it has further justified the abolition of the exequatur (i.e. declaration of enforceability), thus bringing the EU PIL closer to the ideal of the Full Faith and Credit Clause in the American Constitution.
    
2. Cooperation should be firmly based in law, at least when supervisory authorities enforce data privacy laws.
   
   Collective reading of all legal instruments analysed for the present exercise has revealed that each cooperation mechanism is based on a binding and comprehensive legal instrument, most often a regulation. In the areas of consumer protection and competition law, even a dedicated regulation has been enacted to that end.
    
3. Cooperation should respect national and regional differences of the jurisdictions involved.
   
   We agree with De Hert and Willems (2015) that cooperation in the area of criminal justice is often an expression of differences between national legal systems and cultures. Some jurisdictions will not give up control over aspects that they regard as fundamental and only by allowing exceptions – e.g. grounds for refusal – cooperation, and especially such sensitive aspect thereof as enforcement – would ever be possible.
    
4. Supervisory authorities should be able to exercise – to a reasonable extent – extraterritorial jurisdiction.
   
   Following Svantesson (2013), we have made this argument in our earlier works, but now our comparative exercise has confirmed our conviction. Perhaps the most pertinent example of extraterritorial jurisdiction is the Schengen system. If a person is presumed to have taken part in an extraditable criminal offence and he has moved from one Schengen state to another, the former state can keep conducting investigations on him «on the ground» and beyond its national borders, as long as authorised by the latter. Furthermore, for a number of violent and serious crimes, in a situation of urgency, such an authorisation is initially replaced by mere notification.
    
5. Cooperation should have as broad geographical scope as possible.
   
   There exist cooperation mechanisms that explicitly permit and oblige authorities to cooperate with their counterparts from third states and with international organisations, often offering an elaborated framework therefor. We see it as an acknowledgment that – due to the nature of objects these mechanisms seek to protect – it makes little sense to limit their protection solely to the EU borders. For example, «Eurojust may establish and maintain cooperative relations with […] third States [and] organisations such as […] the International Criminal Police Organisation (Interpol)». Due to the nature of the European single market, the consumer protection cooperation extends to Norway and Iceland.
    
6. Cooperation should be developed gradually and its functioning should be reviewed periodically.
   
   Many of these cooperation mechanisms have been introduced step-by-step, thus acknowledging their experimental nature. The development of EU PIL looks like a stepping stone rather than a stumbling block. The early areas to harmonise were selected very carefully and such harmonisation was first achieved in 1968 by a means of an international treaty under the auspices of then-European Economic Community. The most controversial element – the exequatur in civil matters – has been gradually abolished from 2004: first for the uncontested claims and only in 2012 for all civil matters. In parallel, many of the instruments analysed contain some form of a revision clause, be it the need for an external review or simply a report on the functioning of the instrument.

7. The need for translation and interpretation should be reduced to absolute minimum. The type of information exchanged should determine the very need for translation and interpretation. Supervisory authorities should have a right to waive such a need. Supranational legal provisions should govern the linguistic regime.
   
   We have first observed the problem of multilingualism in cooperation is not of a uniform nature. In some instances, for example in border protection databases, the use of multiple languages is not likely to pose any barriers as the information exchanged consist merely of alphanumeric data, e.g. names or car plates. Similarly, the EU PIL works on standardised certificates, which might require translation in exceptional situations. In other instances, when the need to share some documentation occurs, the problem of its translation might arise. (We said «might» as we do not expect the need for translation of a document issued by an authority in e.g. Salzburg intended to be sent to a counterpart authority in e.g. Munich.) In customs cooperation, a request for assistance should be accompanied by translation to a language of the state being asked, but this state can waive this requirement. In consumer protection cooperation, «the languages used […] shall be agreed […] before requests have been made». If no agreement can be reached, each jurisdiction uses its own language. What links these diverse solutions is the governance of the linguistic regime on a supranational level.
    
8. Stakeholders should share the costs of cooperation.
   
   As there are various solutions for dealing with multilingual nature of the EU, so there are different solutions for sharing the costs of cooperation. For example, in border control databases, due to their technical design, the costs of running national units are borne by the Member States concerned, while the general EU budget covers the costs of the central unit of each database. Conversely, in consumer protection cooperation «all claims for the reimbursement of expenses incurred» shall normally be waived.
    
9. Cooperation should maximise the use of information and communication technologies.
   
   The majority of cooperation mechanisms analysed relies on sharing information. And such sharing occurs with the help of technology. Well known examples are border control databases, but consumer protection and competition law cooperation too have their own platforms for sharing relevant case-related information. Such infrastructure ensures secure, reliable, permanent, real-time and up-to-date provision of information.
    
10. Cooperation should pay equal attention to the development of policies and practices preventing data privacy violations from occurring.
    
    In the majority of cooperation mechanisms analysed, due to their nature, much attention is paid to ex post cooperation. However, the ex ante counterpart is often neglected. The European Consumers Centres Network (ECC-Net) is perhaps a standalone example of a mechanism explicitly tasked with coordinated «surveillance and enforcement actions» (sweeps), i.e. sets of checks carried out simultaneously by competent authorities to identify breaches of relevant laws in a given sector.
     
11. Supervisory authorities should support alternative dispute resolution (ADR) methods for data subjects and controllers/processors, this including ADR by electronic means.
    
    Out-of-court dispute resolution is usually easier, faster and cheaper. From 2016 Europeans will enjoy a possibility to solve their consumer disputes regarding a product or service they bought using an on-line platform. We see no reason to exclude cross-border disputes between data subjects and controllers/processors from using such possibilities.
     
12. Supervisory authorities should be both empowered and obliged to act speedily on cross-border data privacy violations.
    
    Time is of essence, especially in a digitalised and globalised world. In the cooperation toolbox, we have found a number of impeccable tools for urgent reaction to violations of relevant laws. Many instances provide for single liaison officers and Eurojust, for instance, has launched the On-Call Coordination (OCC) mechanism.

De Hert, P. & Willems, A., 2015. Dealing with overlapping jurisdictions and requests for mutual legal assistance while respecting individual rights. What can data protection law learn from cooperation in criminal justice matters? In P. De Hert, D. Kloza, & P. Makowski, eds. Enforcing privacy: lessons from current implementations and perspectives for the future. Warszawa: Wydawnictwo Sejmowe, pp. 48–76. http://www.phaedra-project.eu/wp-content/uploads/phaedra1_enforcing_privacy_final.pdf.

Kloza, D. & Galetta, A., 2015. Towards efficient cooperation between supervisory authorities in the area of data privacy law, Brussels Privacy Hub Working Papers, Vol. 1, No. 3, Brussels. http://www.brusselsprivacyhub.org/Resources/BPH-Working-Paper-VOL1-N3.pdf.

Kloza, D. & Mościbroda, A., 2014. Making the case for enhanced enforcement cooperation between data protection authorities: insights from competition law. International Data Privacy Law, 4(2), pp. 120–138. http://idpl.oxfordjournals.org/cgi/doi/10.1093/idpl/ipu010. 

Svantesson, D.J.B., 2013. Extraterritoriality in Data Privacy Law, Copenhagen: Ex Tuto Publishing.