
Enforcing Privacy


Part of the book series: Law, Governance and Technology Series (ISDP, volume 25)

Abstract

This chapter describes the various enforcement powers at the disposition of data protection authorities, privacy commissioners and privacy enforcement authorities. Not all DPAs, PCs and PEAs have all these powers. Enforcement powers vary from one DPA to another, sometimes because of differences in law and sometimes because of differences in strategy. Some DPAs may prefer the “stick”, while others prefer “carrots” and still others may prefer a combination. DPAs clearly recognise the benefits of co-operation and co-ordination with their peers. The proliferation of DPA networks reflects this reality. Among the benefits of the Global Privacy Enforcement Network (GPEN) and other regional and international networks is that they send a message to industry that regulators are working together. Presumably, it will be increasingly difficult for companies to play one regulator off against another or to engage in “forum shopping”. Despite goodwill among DPAs, they still face various barriers to co-operation and co-ordination, some of which are legal, while others include language capability and resource shortages. Efforts are, however, being made to overcome these barriers, as discussed in this chapter.


Notes

  1.

    Council of Europe, Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows, Strasbourg, 8 November 2001. http://conventions.coe.int/Treaty/EN/Treaties/HTML/181.htm. See also Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg, 28 January 1981. http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm

  2.

    Hustinx, Peter, Cahiers du Centre de Recherches Informatique et Droit (CRID), No. 31, “Défis du droit à la protection de la vie privée/Challenges of privacy and data protection law”, Namur-Brussels, 2008, pp. 561–568.

  3.

    This chapter draws on research conducted by Trilateral Research as a partner in the EU-funded PHAEDRA project (www.phaedra-project.eu). A PHAEDRA II project was launched in January 2015. PHAEDRA II is somewhat different from its predecessor in the sense that it is focused on Europe and, in particular, practical implementation of the proposed Regulation, but it too will focus on improving co-operation between DPAs in the enforcement of privacy.

  4.

    For a copy of the text agreed by the European Parliament, Council and Commission on 15 December 2015, see http://www.statewatch.org/news/2015/dec/eu-council-dp-reg-draft-final-compromise-15039-15.pdf

  5.

    The UK Information Commissioner’s Office (ICO) lists the instruments at its disposition on its website. See ICO, “Taking action: data protection and privacy and electronic communications”. http://ico.org.uk/what_we_cover/taking_action/dp_pecr

  6.

    Data provided by Adam Stevens in an e-mail dated 3 March 2015.

  7.

    Hustinx, op. cit.

  8.

    Hustinx, op. cit.

  9.

    Version 2, released in December 2014, can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/data-sharing/

  10.

    https://ico.org.uk/media/for-organisations/documents/1542/cctv-code-of-practice.pdf

  11.

    https://ico.org.uk/media/for-organisations/documents/1065/subject-access-code-of-practice.pdf

  12.

    https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf

  13.

    An assessment notice, or compulsory audit, enables the ICO to determine whether a data controller is complying with data protection principles. https://ico.org.uk/media/for-organisations/documents/1534/assessment_notices_code_of_practice.pdf

  14.

    https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf

  15.

    https://ico.org.uk/media/for-organisations/documents/1541/big-data-and-data-protection.pdf

  16.

    https://ico.org.uk/media/for-organisations/documents/1566/international_transfers_legal_guidance.pdf

  17.

    https://ico.org.uk/for-organisations/guidance-index/data-protection-and-privacy-and-electronic-communications/

  18.

    https://ico.org.uk/media/for-organisations/documents/1607/the_guide_to_data_protection.pdf

  19.

    https://ico.org.uk/for-organisations/guide-to-pecr/

  20.

    http://www.cnil.fr/fileadmin/documents/en/CNIL-ManagingPrivacyRisks-Methodology.pdf

  21.

    http://www.cnil.fr/fileadmin/documents/en/CNIL-ManagingPrivacyRisks-Measures.pdf

  22.

    http://www.pcpd.org.hk/english/resources_centre/publications/guidance/files/GN_crossborder_e.pdf

  23.

    Hawkes, Billy, “Data Protection Enforcement: Challenges Facing Smaller Data Protection Authorities”, this volume.

  24.

    Grant, Hazel, and Hannah Crowther, Chap. 13, this volume.

  25.

    Kohnstamm, Jacob, Chap. 19, this volume.

  26.

    ICO Corporate Affairs policy ‘Communicating enforcement activities’, 11 November 2010. https://ico.org.uk/media/about-the-ico/policies-and-procedures/1890/ico_enforcement_communications_policy.pdf

  27.

    Grant and Crowther, Chap. 13, this volume.

  28.

    See www.phaedra-project.eu

  29.

    In January 2015, the College Bescherming Persoonsgegevens (CBP, the Dutch DPA) released a cease and desist order requiring Google to pay €60,000 per day, up to a maximum of €15 million, for violating Dutch data protection law. Google had until the end of February 2015 to change the way it handles personal data. The order requires Google to carry out three measures:

    • Ask for “unambiguous consent” before it shares personal data of Internet users with its other services, such as Google Maps and YouTube, the video-sharing site

    • Make it clear to users that Google is the owner of YouTube

    • Amend its privacy policy to clarify what data is collected and how the data is used.

    For more, see O’Donoghue, Cynthia, “Dutch data protection authority threatens Google with a €15 million fine”, Lexology, 8 Jan 2015.

  30.

    Grant and Crowther, Chap. 13, this volume.

  31.

    http://www.legislation.gov.uk/ukpga/1998/29/contents

  32.

    Grant and Crowther, Chap. 13, this volume.

  33.

    Grant and Crowther, Chap. 13, this volume.

  34.

    Arthur, Charles, “European watchdogs order Google to rewrite privacy policy or face legal action”, The Guardian, 5 July 2013. http://www.guardian.co.uk/technology/2013/jul/05/google-privacy-policy-legal-action

  35.

    For more on privacy seals as a means of enforcing privacy, see the chapter by Kirsten Bock in this volume.

  36.

    http://ec.europa.eu/digital-agenda/en/eprivacy-directive-data-breach-notifications

  37.

    DPAs can use a variety of tools to “harness” public opinion, such as press conferences, press releases, studies, etc.

  38.

    http://www.privacyconference2014.org/media/16667/Enforcement-Cooperation-Agreement-adopted.pdf

  39.

    The consortium comprised Vrije Universiteit Brussel (Belgium), Trilateral Research (UK), Universidad Jaume I (Spain) and GIODO (the Polish data protection authority).

  40.

    For the Law for Protection of Personal Data, see https://www.cpdp.bg/en/index.php?p=element&aid=373-. For the Rules on the activity of the Commission for Personal Data Protection and its administration, see https://www.cpdp.bg/en/index.php?p=element&aid=36-. For Ordinance 1 on the minimum level of technical and organisational measures and the admissible type of personal data protection, see https://www.cpdp.bg/en/index.php?p=element&aid=632-

  41.

    http://www.datatilsynet.dk/english/the-act-on-processing-of-personal-data/read-the-act-on-processing-of-personal-data/compiled-version-of-the-act-on-processing-of-personal-data/

  42.

    https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/DataProt/Legislation/Reg_45-2001_EN.pdf

  43.

    http://www.aki.ee/en/inspectorate (also link “Overview and Details”)

  44.

    Its enabling legislation is here: http://www.tietosuoja.fi/27305.htm. An unofficial translation of the legislation can be found at http://www.finlex.fi

  45.

    http://www.pcpd.org.hk/english/ordinance/ordfull.html

  46.

    http://inicio.ifai.org.mx/_catalogs/masterpage/English.aspx

  47.

    http://wetten.overheid.nl/BWBR0011468/geldigheidsdatum_24-10-2013. There is no official translation into English.

  48.

    Organisation for Economic Co-operation and Development, OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, Paris, 2007. http://www.oecd.org/internet/ieconomy/38770483.pdf

  49.

    http://statutes.agc.gov.sg/aol/search/display/view.w3p;page=0;query=CompId%3A32762ba6-f438-412e-b86d-5c12bd1d4f8a;rec=0;whole=yes

  50.

    The English version of the Act No. 122/2013 Coll. on personal data protection and about amendment of other acts can be found here: http://www.dataprotection.gov.sk/buxus/docs/Act_12213-en_1.pdf?buxus=10c21c1ce0bd7e9f41a003a939f76f0b

  51.

    http://www.edoeb.admin.ch/org/00129/index.html?lang=en

  52.

    The UK Data Protection Act 1998 and all its amendments can be found via the link below: http://www.legislation.gov.uk/all?title=data%20protection%20Act

  53.

    The FTC enforces privacy protections based on several general consumer protection laws and several sectoral laws:

  54.

    Hawkes, op. cit.

  55.

    The office had 30 members of staff at the time of the Facebook audit, with no legal expert among them.

  56.

    Dix, Alexander, Chap. 8, in this volume.

  57.

    See the chapters by Jacob Kohnstamm, Chap. 19, and Jan Philipp Albrecht, Chap. 20, in this volume.

  58.

    See especially the European Parliament resolution of 12 March 2014 on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs (2013/2188(INI)). http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0230. See also the European Parliament Committee on Civil Liberties, Justice and Home Affairs (the “LIBE committee”), Report on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs (2013/2188(INI)), 21 February 2014. http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+REPORT+A7-2014-0139+0+DOC+XML+V0//EN

  59.

    Hawkes, op. cit.

  60.

    OECD, op. cit., 2007. See fn 58.

  61.

    http://www.coe.int/t/dghl/standardsetting/dataprotection/CAHDATA/CAHDATA%282014%2901_En_%20Working%20doc_Convention_108.pdf

  62.

    http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/CAHDATA-RAP03Abr_En.pdf

  63.

    http://www.coe.int/en/web/human-rights-rule-of-law/-/data-protection-convention-the-cahdata-approved-the-modernisation-proposals

  64.

    PHAEDRA Deliverable D1, p. 105.

  65.

    http://www.priv.gc.ca/information/conf2013/res_04_coordination_e.asp

  66.

    PHAEDRA Deliverable D1, p. 106.

  67.

    https://www.privacyenforcement.net

  68.

    A “Sweep” is a co-ordinated investigation by Data Protection Authorities from around the world. For more information, see https://www.priv.gc.ca/media/nr-c/2013/nr-c_130506_qa_e.asp

  69.

    For a list of GPEN members, see https://www.privacyenforcement.net/about_the_network

  70.

    http://www.coe.int/t/dghl/standardsetting/dataprotection/european-conference/

  71.

    http://ec.europa.eu/justice/data-protection/article-29/index_en.htm

  72.

    http://www.coe.int/t/dghl/standardsetting/DataProtection/default_en.asp

  73.

    www.ceecprivacy.org

  74.

    http://www.apec.org/Home/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group

  75.

    http://www.appaforum.org

  76.

    http://www.redipd.org/index-ides-idphp.php

  77.

    http://www.afapdp.org

  78.

    http://www.datenschutz-berlin.de/content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt

  79.

    The 26th Case Handling Workshop was held in Skopje, Macedonia. http://www.privacy.mk/en/CHW

  80.

    European Privacy and Data Protection Commissioners’ Conference, “Case Handling Workshop – Framework of activities”, March 2005. www.giodo.gov.pl/data/filemanager_pl/665.pdf

  81.

    European Privacy and Data Protection Commissioners’ Conference, “The future of the case handling workshops”, Edinburgh, 23–24 April 2009. https://secure.edps.europa.eu/EDPSWEB/webdav/shared/Documents/Cooperation/Conference_EU/09-04-23_Edinburgh_case_handling_wk_EN.pdf

  82.

    An example of the cases considered by the Workshop can be found here: http://www.azlp.gov.ba/workshop/documents/?id=923

  83.

    The International Complaints Handling Workshop, “The International Complaints Handling Workshop: Evolution & Consolidation”, Presented to the Spring Conference of European Data Protection Authorities, Rotterdam, 2004. http://www.giodo.gov.pl/data/filemanager_pl/667.pdf

  84.

    Loi Informatique et Libertés Act N° 78–17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties, amended by the following laws:

    • Act of 6 August 2004 relative to the protection of individuals with regard to the processing of Personal Data

    • Act of 13 May 2009 relative to the simplification and clarification of law and lighter procedures

    • Law No. 2009-526 dated 13/05/2009

    • Organic Law No. 2010-704 dated 28/06/2010

    • Law No. 2011-334 dated 29 March 2011 relative to the défenseur des droits

    • Ordinance No. 2011-1012 dated 24/08/2011

    http://www.cnil.fr/fileadmin/documents/en/Act78-17VA.pdf

  85.

    Incorporating US SAFE WEB Act amendments of 2006, § 57b-2 Confidentiality (Sec. 21). http://www.ftc.gov/sites/default/files/documents/statutes/federal-trade-commission-act/ftc_act_incorporatingus_safe_web_act.pdf

  86.

    Hawkes, op. cit.

  87.

    http://www.statewatch.org/news/2014/nov/eu-dp-reg-one-stop-shop-14788-rev1-14.pdf

  88.

    See Kohnstamm, Jacob, “Getting our act together: European Data Protection Authorities face up to Silicon Valley” in this volume.

  89.

    Article 29 Data Protection Working Party, “Promoting Cooperation on Data Transfer Systems Between Europe and the Asia-Pacific”, press release, 26 March 2013.

  90.

    Article 29 Data Protection Working Party, Opinion 02/2014 on a referential for requirements for Binding Corporate Rules, 27 February 2014. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp212_en.pdf

  91.

    Hawkes, op. cit.

  92.

    Hustinx, op. cit. Hustinx further observes that “no other fundamental right – except the right to a fair trial – is structurally associated with the role of an independent body to ensure its respect and further development. This right is special in the sense that it is considered to be in need of ‘structural support’ through the establishment of an independent authority with adequate powers and resources.”

Corresponding author

Correspondence to David Wright.

© 2016 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Wright, D. (2016). Enforcing Privacy. In: Wright, D., De Hert, P. (eds) Enforcing Privacy. Law, Governance and Technology Series, vol 25. Springer, Cham. https://doi.org/10.1007/978-3-319-25047-2_2

  • DOI: https://doi.org/10.1007/978-3-319-25047-2_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-25045-8

  • Online ISBN: 978-3-319-25047-2

  • eBook Packages: Law and Criminology (R0)
