Abstract
This chapter describes the various enforcement powers at the disposition of data protection authorities, privacy commissioners and privacy enforcement authorities. Not all DPAs, PCs and PEAs have all these powers. Enforcement powers vary from one DPA to another, sometimes because of differences in law and sometimes because of differences in strategy. Some DPAs may prefer the “stick”, while others prefer “carrots” and still others may prefer a combination. DPAs clearly recognise the benefits of co-operation and co-ordination with their peers. The proliferation of DPA networks reflects this reality. Among the benefits of the Global Privacy Enforcement Network (GPEN) and other regional and international networks is that they send a message to industry that regulators are working together. Presumably, it will be increasingly difficult for companies to play one regulator off against another or to engage in “forum shopping”. Despite goodwill among DPAs, they still face various barriers to co-operation and co-ordination, some of which are legal, while others include language capability and resource shortages. Efforts are, however, being made to overcome these barriers, as discussed in this chapter.
Notes
- 1.
Council of Europe, Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows, Strasbourg, 8 November 2001. http://conventions.coe.int/Treaty/EN/Treaties/HTML/181.htm. See also Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg, 28 January 1981. http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm
- 2.
Hustinx, Peter, Cahiers du Centre de Recherches Informatique et Droit (CRID), No. 31, “Défis du droit à la protection de la vie privée/Challenges of privacy and data protection law”, Namur-Brussels, 2008, pp. 561–568.
- 3.
This chapter draws on research conducted by Trilateral Research as a partner in the EU-funded PHAEDRA project (www.phaedra-project.eu). A PHAEDRA II project was launched in January 2015. PHAEDRA II is somewhat different from its predecessor in the sense that it is focused on Europe and, in particular, practical implementation of the proposed Regulation, but it too will focus on improving co-operation between DPAs in the enforcement of privacy.
- 4.
For a copy of the text agreed by the European Parliament, Council and Commission on 15 December 2015, see http://www.statewatch.org/news/2015/dec/eu-council-dp-reg-draft-final-compromise-15039-15.pdf
- 5.
The UK Information Commissioner’s Office (ICO) lists the instruments at its disposition on its website. See ICO, “Taking action: data protection and privacy and electronic communications”. http://ico.org.uk/what_we_cover/taking_action/dp_pecr
- 6.
Data provided by Adam Stevens in an e-mail dated 3 March 2015.
- 7.
Hustinx, op. cit.
- 8.
Hustinx, op. cit.
- 9.
Version 2, released in December 2014, can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/data-sharing/
- 10.
- 11.
- 12.
- 13.
An assessment notice, or compulsory audit, enables the ICO to determine whether a data controller is complying with data protection principles. https://ico.org.uk/media/for-organisations/documents/1534/assessment_notices_code_of_practice.pdf
- 14.
- 15.
- 16.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22.
- 23.
Hawkes, Billy, “Data Protection Enforcement: Challenges Facing Smaller Data Protection Authorities”, this volume.
- 24.
Grant, Hazel, and Hannah Crowther, Chap. 13, this volume.
- 25.
Kohnstamm, Jacob, Chap. 19, this volume.
- 26.
ICO Corporate Affairs policy ‘Communicating enforcement activities’, 11 November 2010. https://ico.org.uk/media/about-the-ico/policies-and-procedures/1890/ico_enforcement_communications_policy.pdf
- 27.
Grant and Crowther, Chap. 13, this volume.
- 28.
- 29.
In January 2015, the College Bescherming Persoonsgegevens (CBP, the Dutch DPA) released a cease and desist order requiring Google to pay €60,000 per day, up to a maximum of €15 million, for violating Dutch data protection law. Google had until the end of February 2015 to change the way it handles personal data. The order requires Google to carry out three measures:
- Ask for “unambiguous consent” before it shares personal data of Internet users with its other services, such as Google Maps and YouTube, the video-sharing site
- Make it clear to users that Google is the owner of YouTube
- Amend its privacy policy to clarify what data is collected and how the data is used.
For more, see O’Donoghue, Cynthia, “Dutch data protection authority threatens Google with a €15 million fine”, Lexology, 8 Jan 2015.
- 30.
Grant and Crowther, Chap. 13, this volume.
- 31.
- 32.
Grant and Crowther, Chap. 13, this volume.
- 33.
Grant and Crowther, Chap. 13, this volume.
- 34.
Arthur, Charles, “European watchdogs order Google to rewrite privacy policy or face legal action”, The Guardian, 5 July 2013. http://www.guardian.co.uk/technology/2013/jul/05/google-privacy-policy-legal-action
- 35.
For more on privacy seals as a means of enforcing privacy, see the chapter by Kirsten Bock in this volume.
- 36.
- 37.
DPAs can use a variety of tools to “harness” public opinion, such as press conferences, press releases, studies, etc.
- 38.
- 39.
The consortium comprised Vrije Universiteit Brussel (Belgium), Trilateral Research (UK), Universidad Jaume I (Spain) and GIODO (the Polish data protection authority).
- 40.
For the Law for Protection of Personal Data, see https://www.cpdp.bg/en/index.php?p=element&aid=373-. For the Rules on the activity of the Commission for Personal Data Protection and its administration, see https://www.cpdp.bg/en/index.php?p=element&aid=36-. For Ordinance 1 on the minimum level of technical and organisational measures and the admissible type of personal data protection, see https://www.cpdp.bg/en/index.php?p=element&aid=632-
- 41.
- 42.
- 43.
http://www.aki.ee/en/inspectorate (also link “Overview and Details”)
- 44.
Its enabling legislation is here: http://www.tietosuoja.fi/27305.htm. An unofficial translation of the legislation can be found at http://www.finlex.fi
- 45.
- 46.
- 47.
http://wetten.overheid.nl/BWBR0011468/geldigheidsdatum_24-10-2013. There is no official translation into English.
- 48.
Organisation for Economic Co-operation and Development, OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, Paris, 2007. http://www.oecd.org/internet/ieconomy/38770483.pdf
- 49.
- 50.
The English version of the Act No. 122/2013 Coll. on personal data protection and about amendment of other acts can be found here: http://www.dataprotection.gov.sk/buxus/docs/Act_12213-en_1.pdf?buxus=10c21c1ce0bd7e9f41a003a939f76f0b
- 51.
- 52.
The UK Data Protection Act 1998 and all its amendments can be found via the link below: http://www.legislation.gov.uk/all?title=data%20protection%20Act
- 53.
The FTC enforces privacy protections based on several general consumer protection laws and several sectoral laws:
- FTC Act: http://www.ftc.gov/ogc/ftcact.shtm;
- The Children’s Online Privacy Protection Act: http://www.law.cornell.edu/uscode/text/15/chapter-91;
- Fair Credit Reporting Act: http://www.law.cornell.edu/uscode/15/1681.shtml;
- Gramm-Leach-Bliley Act: http://www.law.cornell.edu/uscode/uscode15/usc_sec_15_00006801--000-.html [Title V, subtitle A, of this Act requires the FTC, along with several other agencies, to issue regulations (see 16 CFR Part 313) ensuring that financial institutions protect the privacy of consumers’ personal financial information];
- Do Not Call Registry Legislation. http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ010.108.pdf;
- Fair and Accurate Credit Transactions Act of 2003. http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ159.108.pdf;
- Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act). http://frwebgate.access.gpo.gov/cgibin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ187.108.pdf;
- Health Information Technology (“HITECH”) Provisions of American Recovery and Reinvestment Act of 2009, Title XIII, Subtitle D. http://www.ftc.gov/ogc/stat3/hitech-pub-l-111-5.pdf
- 54.
Hawkes, op. cit.
- 55.
The office had 30 members of staff at the time of the Facebook audit , with no legal expert among them.
- 56.
Dix, Alexander, Chap. 8, in this volume.
- 57.
- 58.
See especially the European Parliament resolution of 12 March 2014 on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs (2013/2188(INI)). http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0230. See also the European Parliament Committee on Civil Liberties, Justice and Home Affairs (the “LIBE committee”), Report on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs (2013/2188(INI)), 21 February 2014. http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+REPORT+A7-2014-0139+0+DOC+XML+V0//EN
- 59.
Hawkes, op. cit.
- 60.
OECD, op. cit., 2007. See fn 58.
- 61.
- 62.
- 63.
- 64.
PHAEDRA Deliverable D1, p. 105.
- 65.
- 66.
PHAEDRA Deliverable D1, p. 106.
- 67.
- 68.
A “Sweep” is a co-ordinated investigation by Data Protection Authorities from around the world. For more information, see https://www.priv.gc.ca/media/nr-c/2013/nr-c_130506_qa_e.asp
- 69.
For a list of GPEN members, see https://www.privacyenforcement.net/about_the_network
- 70.
- 71.
- 72.
- 73.
- 74.
- 75.
- 76.
- 77.
- 78.
- 79.
The 26th Case Handling Workshop was held in Skopje, Macedonia. http://www.privacy.mk/en/CHW
- 80.
European Privacy and Data Protection Commissioners’ Conference, “Case Handling Workshop – Framework of activities”, March 2005. www.giodo.gov.pl/data/filemanager_pl/665.pdf
- 81.
European Privacy and Data Protection Commissioners’ Conference, “The future of the case handling workshops”, Edinburgh, 23–24 April 2009. https://secure.edps.europa.eu/EDPSWEB/webdav/shared/Documents/Cooperation/Conference_EU/09-04-23_Edinburgh_case_handling_wk_EN.pdf
- 82.
An example of the cases considered by the Workshop can be found here: http://www.azlp.gov.ba/workshop/documents/?id=923
- 83.
The International Complaints Handling Workshop, “The International Complaints Handling Workshop: Evolution & Consolidation”, Presented to the Spring Conference of European Data Protection Authorities, Rotterdam, 2004. http://www.giodo.gov.pl/data/filemanager_pl/667.pdf
- 84.
Loi Informatique et Libertés Act N° 78–17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties, amended by the following laws:
- Act of 6 August 2004 relative to the protection of individuals with regard to the processing of Personal Data
- Act of 13 May 2009 relative to the simplification and clarification of law and lighter procedures
- Law No. 2009-526 dated 13/05/2009
- Organic Law No. 2010-704 dated 28/06/2010
- Law No. 2011-334 dated 29 March 2011 relative to the défenseur des droits
- Ordinance No. 2011-1012 dated 24/08/2011
- 85.
Incorporating US SAFE WEB Act amendments of 2006, § 57b-2 Confidentiality (Sec. 21). http://www.ftc.gov/sites/default/files/documents/statutes/federal-trade-commission-act/ftc_act_incorporatingus_safe_web_act.pdf
- 86.
Hawkes, op. cit.
- 87.
- 88.
See Kohnstamm, Jacob, “Getting our act together: European Data Protection Authorities face up to Silicon Valley” in this volume.
- 89.
Article 29 Data Protection Working Party, “Promoting Cooperation on Data Transfer Systems Between Europe and the Asia-Pacific”, press release, 26 March 2013.
- 90.
Article 29 Data Protection Working Party, Opinion 02/2014 on a referential for requirements for Binding Corporate Rules, 27 February 2014. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp212_en.pdf
- 91.
Hawkes, op. cit.
- 92.
Hustinx, op. cit. Hustinx further observes that “no other fundamental right – except the right to a fair trial – is structurally associated with the role of an independent body to ensure its respect and further development. This right is special in the sense that it is considered to be in need of ‘structural support’ through the establishment of an independent authority with adequate powers and resources.”
References
Arthur, Charles, “European watchdogs order Google to rewrite privacy policy or face legal action”, The Guardian, 5 July 2013. http://www.guardian.co.uk/technology/2013/jul/05/google-privacy-policy-legal-action
Article 29 Data Protection Working Party, Opinion 02/2014 on a referential for requirements for Binding Corporate Rules, 27 February 2014. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp212_en.pdf
Article 29 Data Protection Working Party, “Promoting Cooperation on Data Transfer Systems Between Europe and the Asia-Pacific”, press release, 26 March 2013.
Council of Europe, Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows, Strasbourg, 8 November 2001. http://conventions.coe.int/Treaty/EN/Treaties/HTML/181.htm
Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg, 28 January 1981. http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm
European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11 final, Brussels, 25 January 2012. http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf
European Parliament and the Council, Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281, 23/11/1995, pp. 0031–0050
European Parliament Committee on Civil Liberties, Justice and Home Affairs (the “LIBE committee”), Report on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs (2013/2188(INI)), 21 February 2014. http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+REPORT+A7-2014-0139+0+DOC+XML+V0//EN
European Privacy and Data Protection Commissioners’ Conference, “Case Handling Workshop – Framework of activities”, March 2005. www.giodo.gov.pl/data/filemanager_pl/665.pdf
European Privacy and Data Protection Commissioners’ Conference, “The future of the case handling workshops”, Edinburgh, 23–24 April 2009. https://secure.edps.europa.eu/EDPSWEB/webdav/shared/Documents/Cooperation/Conference_EU/09-04-23_Edinburgh_case_handling_wk_EN.pdf
Hustinx, Peter, Cahiers du Centre de Recherches Informatique et Droit (CRID), No. 31, “Défis du droit à la protection de la vie privée/Challenges of privacy and data protection law”, Namur-Brussels, 2008, pp. 561–568.
International Complaints Handling Workshop, “The International Complaints Handling Workshop: Evolution & Consolidation”, Presented to the Spring Conference of European Data Protection Authorities, Rotterdam, 2004. http://www.giodo.gov.pl/data/filemanager_pl/667.pdf
O’Donoghue, Cynthia, “Dutch data protection authority threatens Google with a €15 million fine”, Lexology, 8 Jan 2015.
Organisation for Economic Co-operation and Development, OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, Paris, 2007. http://www.oecd.org/internet/ieconomy/38770483.pdf
Copyright information
© 2016 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Wright, D. (2016). Enforcing Privacy. In: Wright, D., De Hert, P. (eds) Enforcing Privacy. Law, Governance and Technology Series, vol 25. Springer, Cham. https://doi.org/10.1007/978-3-319-25047-2_2
DOI: https://doi.org/10.1007/978-3-319-25047-2_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25045-8
Online ISBN: 978-3-319-25047-2
eBook Packages: Law and Criminology (R0)