Skip to main content
SpringerLink
Log in

Understanding the Role of Independent, Effective and Accountable DPAs: New Branches of Government in Between the Union and the Member States

  • Chapter
  • First Online:
The European Union as Guardian of Internet Privacy

Part of the book series: Law, Governance and Technology Series ((ISDP,volume 31))

  • 1689 Accesses

Abstract

This chapter analyses the legitimate role of the independent data protection authorities (“DPAs”) in ensuring the control over the fundamental rights of privacy and data protection on the internet. It focuses on the constitutional position of the DPAs and on their tasks. The role of the DPAs is derived from primary law and recognised as being essential in an information society.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 149.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 199.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 199.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Case C-518/07, Commission v Germany, EU:C:2010:125, at 23.

  2. 2.

    Recital (62) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281/31, as confirmed, most recently, in Case C-362/14, Schrems, EU:C:2015:650, at 42. See also the preamble to Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows, stating “Convinced that supervisory authorities, exercising their functions in complete independence, are an element of the effective protection of individuals with regard to the processing of personal data”.

  3. 3.

    Cases C-518/07, Commission v Germany, EU:C:2010:125, C-614/10, Commission v Austria, EU:C:2012:631 and C-288/12, Commission v Hungary, EU:C:2014:237, as explained below.

  4. 4.

    “The Political Accountability of EU Agencies: Learning from the US Experience”, M. Scholten (dissertation Maastricht, 2014), at 16.

  5. 5.

    To be complete, DPAs are also referred to in Article 39 TEU. This provision will not be discussed separately in this book, for the reasons mentioned in Chap. 4, Sect. 4.2, and Chap. 6, Sect. 6.2.

  6. 6.

    Explanations relating to the Charter of Fundamental Rights, OJ (2007) 303/17, Explanation on Article 8.

  7. 7.

    See footnote 9 of this chapter.

  8. 8.

    Case C-614/10, Commission v Austria, EU:C:2012:631, at 40.

  9. 9.

    Case C-614/10, Commission v Austria, EU:C:2012:631, at 36; Case C-288/12, Commission v Hungary, EU:C:2014:237, at 47.

  10. 10.

    E.g., M. Scholten, “The Political Accountability of EU Agencies: Learning from the US Experience”, (dissertation Maastricht, 2014), at 14. The metaphor is also used in the relation between the Member States (‘principals’) and the EU (‘agents’), Craig in: Paul Craig and Grainne de Burca (eds.), The evolution of EU Law, Second Edition, Oxford University Press 2011, at 27.

  11. 11.

    Case 9/56, Meroni, EU:C:1958:7, at 152.

  12. 12.

    E.g., Case 138/79, Roquette Frères, EU:C:1980:249, at 33.

  13. 13.

    Research Network on EU Administrative Law, ReNEUAL Model Rules on EU Administrative Procedure: Introduction to the ReNEUAL Model Rules, pp 14–18. The EU Administration will be explained in Chap. 8, Sect. 8.8.

  14. 14.

    In particular Chap. 3 of this book.

  15. 15.

    As is, e.g., claimed in relation to judicial oversight by Jack M. Balkin, “The Constitution in the National Surveillance State”, Minnesota Law Review 93/1, at 22.

  16. 16.

    Cases C-230/14, Weltimmo, EU:C:2015:639, at 52, and. C-362/14, Schrems, EU:C:2015:650, at 44.

  17. 17.

    Case C-230/14, Weltimmo, EU:C:2015:639, at 54.

  18. 18.

    The demarcation between these two chapters of this book largely follows the distinction between Chapters VI and VII of the GDPR.

  19. 19.

    The French Commission Nationale de l’Informatique et des Libertés exercises its functions in accordance with the French Data Protection Act of 6 January 1978 (source: www.cnil.fr).

  20. 20.

    G. González Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU, Law, Governance and Technology Series 16, 2014, Chap. 3.

  21. 21.

    Under Regulation (EC) No 45/2001 of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ 2001 L 8/1.

  22. 22.

    Some indications why these other approaches would have been less appropriate were given by P. Hustinx in Reinventing data protection? S. Gutwirth et al. (eds), Springer 2009, at 131

  23. 23.

    Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM (2010), 609 final, at 17–18.

  24. 24.

    In an article on the EDPS (2006) the author gave five reasons for the establishment of the EDPS: the need for harmonisation, the need for effective data protection as fundamental right, the fact that this fundamental right is not protected by itself, the principle of good governance and the fact that existing bodies cannot sufficiently fulfil the necessary tasks, H. Hijmans, The European data protection supervisor: The institutions of the EC controlled by an independent authority, CMLR 43 (2006), at 1323–1324. These five reasons are all valid in connection to DPAs in general, but there is more to say to it.

  25. 25.

    P. Hustinx in Reinventing data protection? S. Gutwirth et al. (eds), Springer, 2009, at 131–137.

  26. 26.

    Spiros Simitis, “Reviewing Privacy in an Information Society”, University of Pennsylvania Law Review, 135/3, 707–46, 1987, at 743.

  27. 27.

    Further read: Philip Schütz; (2012): Comparing formal independence of data protection authorities in selected EU Member States, Conference Paper, ECPR Standing Group on Regulation & Governance (Biennial Conference) <4, 2012, Exeter, at 9.

  28. 28.

    Explanatory Report to the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows, at 4.

  29. 29.

    Explanatory Report to the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows, at 9 and 10.

  30. 30.

    Colin J. Bennett and Charles Raab, The Governance of Privacy, Policy Instruments in Global Perspective, MIT Press, 2006, at 107.

  31. 31.

    Further read: P. Hustinx in Reinventing data protection? S. Gutwirth et al. (eds), Springer, 2009, at 131–137;, H. Hijmans, The European data protection supervisor: The institutions of the EC controlled by an independent authority, CMLR 43 (2006), at 1323–1324.

  32. 32.

    Spiros Simitis, “Reviewing Privacy in an Information Society”, University of Pennsylvania Law Review, 135/3, 707–46, 1987, at 743.

  33. 33.

    E.g., Directive 95/46 equally applies to the public and private sector and the ‘comprehensive approach’ was a cornerstone for the Commission in the reform of the EU data protection laws, as is illustrated by Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A comprehensive approach on personal data protection in the European Union, COM (2010), 609 final.

  34. 34.

    See Sect. 7.9 below.

  35. 35.

    This will be explained in Sect. 7.6 below.

  36. 36.

    The first of the LITER principles in A. Ottow, Market & Competition Authorities, Good Agency Principles, Oxford University Press, 2015, Chap. 3.

  37. 37.

    The first of the OECD Best Practice Principles, OECD (2014), The Governance of Regulators, OECD Best Practice Principles for Regulatory Policy, OECD Publishing.

  38. 38.

    Order of the Court of 17 March 2005, EU:C:2005:189 in Joined cases C-317/04 and C-318/04, European Parliament v Council Union (C-317/04) and Commission (C-318/04), EU:C:2006:346, at 16.

  39. 39.

    Foreword of Vassilios Skouris in The EU Charter of Fundamental Rights, A Commentary, Edited by Steve Peers, Tamara Hervey, Jeff Kenner and Angela Ward, Hart Publishing, 2014.

  40. 40.

    Recital (62) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281/31, as confirmed in Case C-518/07, Commission v Germany, EU:C:2010:125, at 23.

  41. 41.

    As has been explained in this book, mainly in Chaps. 5 and 6.

  42. 42.

    This argument was used by the Court of Justice in admitting the EDPS to intervene before it. The power to intervene was “intended to ensure the practical effect” of (the former) Article 286 EC Treaty, Order of the Court of 17 March 2005, EU:C:2005:189 in Joined cases C-317/04 and C-318/04, European Parliament v Council Union (C-317/04) and Commission (C-318/04), EU:C:2006:346, at 15.

  43. 43.

    Further read: Herke Kranenborg on Article 8, The EU Charter of Fundamental Rights, A Commentary, Edited by Steve Peers, Tamara Hervey, Jeff Kenner and Angela Ward, Hart Publishing 2014, at 257–259, and also, Fundamental Rights Agency, Data Protection in the European Union, the role of National Data Protection Authorities, 2010.

  44. 44.

    Explanations relating to the Charter of Fundamental Rights, OJ (2007) 303/17, Explanation on Article 8.

  45. 45.

    Wording based on Order of the Court of 17 March 2005, EU:C:2005:189 in Joined cases C-317/04 and C-318/04, European Parliament v Council Union (C-317/04) and Commission (C-318/04), EU:C:2006:346, at 15.

  46. 46.

    Further read: Antonella Galetta, Paul De Hert, “The Proceduralisation of Data Protection Remedies under EU Data Protection Law: Towards a More Effective and Data Subject-oriented Remedial System?” Review of European Administrative Law (REALaw), 2015/1, pp. 123–149.

  47. 47.

    On this layered structure in relation to the EDPS, H. Hijmans, The European data protection supervisor: The institutions of the EC controlled by an independent authority, CMLR 43 (2006), 1313–1343.

  48. 48.

    Article 12, sub b) of Directive 95/46. See also Article 58 GDPR.

  49. 49.

    Case C-192/15, Rease and Wullems. The case was repealed by Decision of the President of the Court of 9 December 2015, EU:C:2015:86, but the substantive issue remains relevant.

  50. 50.

    For instance, in its opinions on general concepts on data protection law, referred to at various places in this book.

  51. 51.

    Fundamental Rights Agency, Data Protection in the European Union, the role of National Data Protection Authorities, 2010, mainly Chap. 4.

  52. 52.

    Regulation (EC) No 45/2001 of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ 2001 L 8/1, Articles 46–47.

  53. 53.

    As explained by H. Hijmans, The European data protection supervisor: The institutions of the EC controlled by an independent authority, CMLR 43 (2006), at 1323–1324.

  54. 54.

    Fundamental Rights Agency, Data Protection in the European Union, the role of National Data Protection Authorities, 2010, at 4.3.

  55. 55.

    Colin J. Bennett and Charles D. Raab, The Governance of Privacy, Ashgate Publishing, 2003 at 109–114.

  56. 56.

    H. Hijmans, The European data protection supervisor: The institutions of the EC controlled by an independent authority, CMLR 43, 2006, at 1323–1324.

  57. 57.

    As listed by A. Ottow, Market & Competition Authorities, Good Agency Principles, Oxford University Press, 2015, at 26.

  58. 58.

    Jóri describes this role as shaping data protection law, taking the perspective of a privacy advocate, András Jóri, Shaping vs applying data protection law: two core functions of data protection authorities, International Data Privacy Law, 2015, Vol. 5, No. 2.

  59. 59.

    A. Ottow, Market & Competition Authorities, Good Agency Principles, Oxford University Press, 2015, at 164.

  60. 60.

    As Chiti formulates, in relation to EU agencies, it may make the authorities “excessively permeable” to private parties. E. Chiti, An important part of the EU’s institutional machinery: Features, problems and perspectives of European agencies, CMLR 46 (2009), at 1395–1442, at 1401.

  61. 61.

    See Chap. 6, Sect. 6.14 of this book.

  62. 62.

    Examples on https://www.informationpolicycentre.com/accountability-based_privacy_governance/

  63. 63.

    Nymity, Getting to Accountability, Maximizing Your Privacy Management Program, The Nymity Approach to Getting to Accountability, https://www.nymity.com/~/media/NymityAura/Resources/Getting%20to%20Accountability/Nymity-Getting-to-Accountability-Paper.ashx

  64. 64.

    OECD (2014), The Governance of Regulators, OECD Best Practice Principles for Regulatory Policy, OECD Publishing. http://dx.doi.org/10.1787/9789264209015-en, at 55–58.

  65. 65.

    As stated above, quoting Colin J. Bennett and Charles Raab, The Governance of Privacy, Policy Instruments in Global Perspective, MIT Press, 2006, at 107.

  66. 66.

    M. Scholten, The Political Accountability of EU Agencies: Learning from the US Experience, (dissertation Maastricht, 2014), at 183.

  67. 67.

    Communication from the Commission of 11 December 2002, The operating framework for the European Regulatory Agencies, COM (2002) 718 final.

  68. 68.

    Vos in: Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014.

  69. 69.

    Case 98/80, Romano, EU:C:1981:104.

  70. 70.

    As argued by the Council in Case C-270/12, United Kingdom of Great Britain and Northern Ireland v European Parliament and Council, EU:C:2014:18, at 60 of the ruling of 22 January 2014.

  71. 71.

    Case C-270/12, United Kingdom of Great Britain and Northern Ireland v European Parliament and Council, EU:C:2014:18, at 65–66.

  72. 72.

    See Sect. 7.1 above.

  73. 73.

    For an overview, Monika Kuschewsky (General Editor), Data Protection & Privacy, Jurisdictional Comparisons (Second edition), Thomson Reuters, 2014.

  74. 74.

    Privacy Act, 5 U.S.C. 552a.

  75. 75.

    G. González Fuster, “The Emergence of Personal Data Protection as a Fundamental Right of the EU”, Law, Governance and Technology Series 16, at 16.

  76. 76.

    James Rule, Douglas McAdam, Linda Stearns and David Uglow, The Politics of Privacy, Planning for Personal Data Systems as Powerful Technologies, Elsevier, New York, 1980, at 111.

  77. 77.

    This authority is laid down in Article 5 of the FTC Act. The FTC positions itself as the nation’s chief privacy policy and enforcement agency, http://www.ftc.gov/news-events/press-releases/2012/03/ftc-issues-final-commission-report-protecting-consumer-privacy

  78. 78.

    15 USC § 1681 et seq.

  79. 79.

    15 U.S.C. §§ 6501–6506 (Pub.L. 105–277, 112 Stat. 2681–728.

  80. 80.

    Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, OJ L 215/7. The role of the FTC is clarified in Annex V of the Commission Decision.

  81. 81.

    Case C-362/14, Schrems, EU:C:2015:650.

  82. 82.

    DJ Solove, W Hartzog, “The FTC and the new common law of privacy”, Columbia Law Review, 2014, Vol. 114:583, at 603.

  83. 83.

    Lee A. Bygrave, Data Privacy Law, An International Perspective, Oxford University Press, 2014, at 110.

  84. 84.

    See below, Substantive standards of protection.

  85. 85.

    Preliminary FTC Staff Report, Protecting Consumer Privacy in an Era of Rapid Change: A proposed framework for business and policymakers, 1 December 2010.

  86. 86.

    This is well described by Julie Brill, “Bridging the divide”, in: Hijmans and Kranenborg, Data protection anno 2014: how to restore trust? Contributions in honour of Peter Hustinx, European Data Protection Supervisor (2004–2014), pp. 179–190.

  87. 87.

    FTC Report, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers”, 26 March 2012.

  88. 88.

    E.g., Kenneth A. Bamberger, Deirdre K. Mulligan, “Privacy on the Books and on the Ground”, 2011, Stanford Law Review, Vol. 63, January 2011; Ira Rubinstein, “Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes”, NYU School of Law, Public Law Research Paper No. 10–16.

  89. 89.

    See David C. Vladeck, “A U.S. Perspective on Narrowing the U.S.-EU Privacy Divide”, in: Artemi Rallo Lombarte, Rosario García Mahamut (eds), Hacia un Nuevo derecho europea de protección de datos, Towards a new European Data Protection Regime, Tirant Lo Blanch, at II.

  90. 90.

    www.epic.org, on FTC complaints. See also Rotenberg in Privacy in the Modern Age, The Search for Solutions, Marc Rotenberg, Julia Horwitz, Jeramie Scott (eds), at 10–13.

  91. 91.

    See: https://www.pclob.gov/

  92. 92.

    Van den Bergh (1952) already takes the view that the trias politica should not be understood as a static concept, requiring a strict separation between the three powers, but moreover reflects the need for checks and balances. Adding a new branch of government would be in line with this view, Bergh, G. van den 1952, “Montesquieu en het Staatsrecht”, in: Verzamelde Staatsrechtelijke opstellen, Alphen aan den Rijn: Samsom.

  93. 93.

    A. Ottow, Market & Competition Authorities, Good Agency Principles, Oxford University Press, 2015, at 21.

  94. 94.

    A. Ottow, Market & Competition Authorities, Good Agency Principles, Oxford University Press, 2015, at 21.

  95. 95.

    Busuioc & Groenleer in: Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014.

  96. 96.

    Other authors, such as Ottow, qualify agencies as independent, A. Ottow, Market & Competition Authorities, Good Agency Principles, Oxford University Press, 2015.

  97. 97.

    An example that will not be further explored here is the European Union Agency for Network and Information Security (ENISA), currently based on Regulation (EU) No 526/2013 of the European Parliament and of the Council of 21 May 2013, repealing Regulation (EC) No 460/2004, OJ L 165/41.

  98. 98.

    Under Article 8 of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive)

  99. 99.

    Further read on BEREC: Zinzani in: Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014, Chap. 7.

  100. 100.

    Article 3 of Regulation (EC) No 1211/2009 of the European Parliament and of the Council of 25 November 2009 establishing the Body of European Regulators for Electronic Communications (BEREC) and the Office, OJ L (2009), 337/1.

  101. 101.

    Article 16(2) of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive), OJ L 108, 24.4.2002, and provisions referred to in that article.

  102. 102.

    Article 3(2) of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive), OJ L 108, 24.4.2002

  103. 103.

    Article 3(3) of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive), OJ L 108, 24.4.2002, as interpreted by the Court of Justice in Case C-424/07, Commission v Germany, EU:C:2009:749, at 54.

  104. 104.

    Case C-389/08, Base and Others, EU:C:2010:584, at 28.

  105. 105.

    Saskia Lavrijssen and Annetje Ottow, “Independent Supervisory Authorities: A Fragile Concept”, Legal Issues of Economic Integration, 39, no. 4, 419–446, 2012, at 428.

  106. 106.

    See also L. Hancher, P. Larouche and S. Lavrijssen, “Principles of Good Market Governance”, Tijdschrift voor Economie en Management, Vol. XLIX, 2, 339–374, 2004, at 344.

  107. 107.

    Saskia Lavrijssen and Annetje Ottow, “Independent Supervisory Authorities: A Fragile Concept”, Legal Issues of Economic Integration, 39, no. 4, 419–446, 2012 at 432, referring to Case C-424/07, Commission v Germany, EU:C:2009:749.

  108. 108.

    Case C-389/08, Base and Others, EU:C:2010:584, at 30.

  109. 109.

    Paul Craig and Grainne de Burca, EU Law, Text, Cases and Material (Fifth Edition), Oxford University Press, 2011, at 107.

  110. 110.

    Case C-518/07, Commission v Germany, EU:C:2010:125, at 19. It is in this context remarkable that the Commission initially wished to address the consequences of the ruling in Schrems “with clear guidance for national data protection authorities on how to deal with data transfer requests to the U.S., in the light of the ruling”, statement of First Vice-President Timmermans, http://europa.eu/rapid/press-release_STATEMENT-15-5782_en.htm

  111. 111.

    Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive).

  112. 112.

    See mainly Case C-614/10, Commission v Austria, EU:C:2012:631.

  113. 113.

    Regulation (EC) No 2006/2004 of the European Parliament and of the Council of 27 October 2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (the Regulation on consumer protection cooperation), OJ L 364/1.

  114. 114.

    E.g., by comparing the roles of DPAs mentioned in Sect. 7.4 with the roles of agencies, as listed by A. Ottow, Market & Competition Authorities, Good Agency Principles, Oxford University Press 2015, at 26.

  115. 115.

    See: Giandomenico Majone, “Europe’s ‘Democratic Deficit’: The Question of Standards”, European Law Journal, Vol. 4, No.1, March 1998.

  116. 116.

    : E.g., in the annotation to Case C-518/07, Commission v Germany, on the independence of data protection authorities by Jiří Zemánek, CMLR 49 (2012), 1755–1768, at 1756.

  117. 117.

    F. Vibert, The Rise of the Unelected, Democracy and the New Separation of Powers, Cambridge University Press. His book and its title served as inspiration for this chapter. For the purposes of the chapter we assume that the main institutions of the EU (European Parliament, Council and Commission) do not qualify as unelected.

  118. 118.

    http://europa.eu/about-eu/agencies/index_en.htm

  119. 119.

    Opinion of AG Jääskinen in Case C-270/12, United Kingdom of Great Britain and Northern Ireland v European Parliament and Council,, at 19. See also A. Ottow, Market & Competition Authorities, Good Agency Principles, Oxford University Press, 2015, at 21.

  120. 120.

    Although this term was criticised for not adequately representing the task of the agencies, E. Vos in Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014, at 19 + references in footnote 45 of Chap. 2.

  121. 121.

    See Case C-270/12, United Kingdom of Great Britain and Northern Ireland v European Parliament and Council, EU:C:2014:18 (on ESMA), and note Carl Fredrik Bergström, CMLR 52 (2015), pp. 219–242.

  122. 122.

    E.g., the Aviation Safety Agency, mentioned by Shapiro, Independent agencies, in:, Paul Craig and Grainne de Burca (eds), The evolution of EU Law (Second Edition), Oxford University Press, 2011, at 112.

  123. 123.

    Source: http://europa.eu/about-eu/agencies/index_en.htm

  124. 124.

    The national regulatory authorities in the area of electronic communications are the obvious example.

  125. 125.

    See Sect. 9 below.

  126. 126.

    Schütz mentions the UK and Germany as the first European countries establishing these authorities. Philip Schütz; (2012): Comparing formal independence of data protection authorities in selected EU Member States, Conference Paper, ECPR Standing Group on Regulation & Governance (Biennial Conference) <4, 2012, Exeter, at 4.

  127. 127.

    The Political Accountability of EU Agencies: Learning from the US Experience, (dissertation Maastricht, 2014), at 180–182.

  128. 128.

    http://www.ftc.gov/about-ftc/our-history

  129. 129.

    M. Scholten, The Political Accountability of EU Agencies: Learning from the US Experience, (dissertation Maastricht, 2014), at 170.

  130. 130.

    Further read: M. Scholten The Political Accountability of EU Agencies: Learning from the US Experience, (dissertation Maastricht, 2014), at Chap. 3.

  131. 131.

    Communication from the Commission of 25 July 2001 “European governance - A white paper”, COM (2001) 428 final, OJ C 287, at C 287/20.

  132. 132.

    Case C-270/12, United Kingdom of Great Britain and Northern Ireland v European Parliament and Council, EU:C:2014:18, at 85.

  133. 133.

    Schütz, with a reference to G. Majone, Philip Schütz; (2012): Comparing formal independence of data protection authorities in selected EU Member States, Conference Paper, ECPR Standing Group on Regulation & Governance (Biennial Conference) <4, 2012, Exeter, at 5.

  134. 134.

    Schütz, equally with a reference to G. Majone, Philip Schütz; (2012): Comparing formal independence of data protection authorities in selected EU Member States, Conference Paper, ECPR Standing Group on Regulation & Governance (Biennial Conference) <4, 2012, Exeter, at 5.

  135. 135.

    Shapiro, Independent agencies, in: Paul Craig and Grainne de Burca (eds), The evolution of EU Law (Second Edition), Oxford University Press, 2011, at 113.

  136. 136.

    In Sects. 7.13 and 7.14.

  137. 137.

    As Shapiro formulates, where government speaks with many independent voices; Shapiro, Independent agencies, in: Paul Craig and Grainne de Burca (eds), The evolution of EU Law (Second Edition), Oxford University Press, 2011, at 117.

  138. 138.

    Vibert calls this “institutionalised elitism”, F. Vibert, The Rise of the Unelected, Democracy and the New Separation of Powers, Cambridge University Press, at 3.

  139. 139.

    As stated by M. Busuioc and M. Groenleer, in Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014, at 175.

  140. 140.

    Baron de Montesquieu, De l’esprit des lois, 1748.

  141. 141.

    In this sense F. Vibert, The Rise of the Unelected, Democracy and the New Separation of Powers, Cambridge University Press, as explained below.

  142. 142.

    M. Scholten, The Political Accountability of EU Agencies: Learning from the US Experience, (dissertation Maastricht, 2014), at 176–180.

  143. 143.

    The ‘bipartisan requirement’.

  144. 144.

    According to Craig, the institutional balance, as a concept, is even opposed to the strict separation of powers. Paul Craig in Paul Craig and Grainne de Burca (eds), The evolution of EU Law (Second Edition), Oxford University Press, 2011, at 41–42.

  145. 145.

    Case 9/56, Meroni, EU:C:1958:7, at 152.

  146. 146.

    The Court states: “the balance of powers [which] is characteristic of the institutional structure of the Community a fundamental guarantee granted by the Treaty in particular to the undertakings and associations of undertakings to which it applies.

  147. 147.

    Communication from the Commission of 11 December 2002 The operating framework for the European Regulatory Agencies, COM (2002) 718 final.

  148. 148.

    Case 9/56, Meroni, EU:C:1958:7, at 152.

  149. 149.

    F. Vibert, The Rise of the Unelected, Democracy and the New Separation of Powers, Cambridge University Press. The book is mainly based on economic theory.

  150. 150.

    It was this lack of control that did trigger this book.

  151. 151.

    Craig in Paul Craig and Grainne de Burca (eds), The evolution of EU Law (Second Edition), Oxford University Press, 2011, at 68.

  152. 152.

    Further read: Craig in Paul Craig and Grainne de Burca (eds), The evolution of EU Law (Second Edition), Oxford University Press, 2011, Chap. 3.

  153. 153.

    E.g., in Case 294/83, Les Verts v Parliament, EU:C:1986:166.

  154. 154.

    F. Vibert, The Rise of the Unelected, Democracy and the New Separation of Powers, Cambridge University Press, at 88–94.

  155. 155.

    F. Vibert, The Rise of the Unelected, Democracy and the New Separation of Powers, Cambridge University Press, gives, at 43–44, a range of arguments relating to knowledge and information, that is not repeated here.

  156. 156.

    F. Vibert, The Rise of the Unelected, Democracy and the New Separation of Powers, Cambridge University Press, at 68.

  157. 157.

    F. Vibert, The Rise of the Unelected, Democracy and the New Separation of Powers, Cambridge University Press, stating at 87 that a separation of powers is never complete.

  158. 158.

    F. Vibert, The Rise of the Unelected, Democracy and the New Separation of Powers, Cambridge University Press, at 73.

  159. 159.

    F. Vibert, The Rise of the Unelected, Democracy and the New Separation of Powers, Cambridge University Press, at 121.

  160. 160.

    F. Vibert, The Rise of the Unelected, Democracy and the New Separation of Powers, Cambridge University Press, at 47–48.

  161. 161.

    This is not addressed by Vibert.

  162. 162.

    Case C-270/12, United Kingdom of Great Britain and Northern Ireland v European Parliament and Council, EU:C:2014:18, at 65.

  163. 163.

    A. Ottow, Market & Competition Authorities, Good Agency Principles, Oxford University Press, 2015, Chap. 3.

  164. 164.

    OECD (2014), The Governance of Regulators, OECD Best Practice Principles for Regulatory Policy, OECD Publishing.

  165. 165.

    See on this Chap. 4 of this book.

  166. 166.

    Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014, e.g., the contributions of Vos, at 34, and Ottow, at 135.

  167. 167.

    Joint Statement and Common Approach of the European Parliament, the Council of the EU and the European Commission on Decentralised Agencies of 19 July 2012.

  168. 168.

    In Sect. 7.9. Further read, Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014, e.g., the contributions of Vos, at 34, and Ottow, at 135.

  169. 169.

    Vos in: Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014, at 45.

  170. 170.

    Saskia Lavrijssen and Annetje Ottow, “Independent Supervisory Authorities: A Fragile Concept”, Legal Issues of Economic Integration, 39, no. 4, 419–446, 2012, at 438–440.

  171. 171.

    Lavrijssen and Ottow call this “double-hattedness”; Saskia Lavrijssen and Annetje Ottow, “Independent Supervisory Authorities: A Fragile Concept”, Legal Issues of Economic Integration, 39, no. 4, 419–446, 2012, at 439. The example they elaborated is the Agency for the Cooperation of Energy Regulators (ACER).

  172. 172.

    See on BEREC also Chap. 8, Sect. 8.6 of this book.

  173. 173.

    Article 6 of Regulation (EC) No 1211/2009 of the European Parliament and of the Council of 25 November 2009 establishing the Body of European Regulators for Electronic Communications (BEREC) and the Office, OJ L (2009), 337/1.

  174. 174.

    See Saskia Lavrijssen and Annetje Ottow, “Independent Supervisory Authorities: A Fragile Concept”, Legal Issues of Economic Integration, 39, no. 4, 419–446, 2012, at 438.

  175. 175.

    Cases C-518/07, Commission v Germany, EU:C:2010:125, C-614/10, Commission v Austria, EU:C:2012:631 and C-288/12, Commission v Hungary, EU:C:2014:237. See Sect. 7.9 below.

  176. 176.

    Thatcher concludes that the EU adopted the agency form (by creating more agencies), but not yet the reality of agency governance, Mark Thatcher, The creation of European regulatory agencies and its limits: a comparative analysis of European delegation, Journal of European Public Policy 18:6 September 2011: 790–809, at 806.

  177. 177.

    The examples of Germany and Sweden are illustrative, Philip Schütz; (2012): Comparing formal independence of data protection authorities in selected EU Member States, Conference Paper, ECPR Standing Group on Regulation & Governance (Biennial Conference) <4, 2012, Exeter.

  178. 178.

    Mark Thatcher, The creation of European regulatory agencies and its limits: a comparative analysis of European delegation, Journal of European Public Policy 18:6 September 2011: 790–809, at 806.

  179. 179.

    Article 29 Data Protection Working Party, Opinion 01/2012 on the data protection reform proposals – WP 191 (23.03.2012), at 22.

  180. 180.

    Articles 64 and 71 of Commission Proposal for a General Data Protection Regulation, COM (2012), 11 final. The final outcome does, in comparison with this proposal, no longer mention the EDPS as permanent vice-chair, limits (in Article 64(5) the EDPS’s voting rights and ensures, in Article 71, that the secretariat operates at a distance of the EDPS.

  181. 181.

    Case C-518/07, Commission v Germany, EU:C:2010:125.

  182. 182.

    At 36 of the ruling.

  183. 183.

    Case C-614/10, Commission v Austria, EU:C:2012:631, e.g. at 52 and 61.

  184. 184.

    Case C-288/12, Commission v Hungary, EU:C:2014:237, e.g. at 59.

  185. 185.

    For some further background: András Jóri, Shaping vs applying data protection law: two core functions of data protection authorities, International Data Privacy Law, 2015, Vol. 5, No. 2.

  186. 186.

    Case C-362/14, Schrems, EU:C:2015:650, particularly at 40–43.

  187. 187.

    Case C-518/07, Commission v Germany, EU:C:2010:125, at 25.

  188. 188.

    Case C-518/07, Commission v Germany, EU:C:2010:125, at 29.

  189. 189.

    Case C-518/07, Commission v Germany, EU:C:2010:125, at 19.

  190. 190.

    Case C-614/10, Commission v Austria, EU:C:2012:631, at 40.

  191. 191.

    Case C-614/10, Commission v Austria, Opinion AG Mazak, at 25.

  192. 192.

    A. Balthasar, “‘Complete Independence’ of National Data Protection Supervisory Authorities”, Utrecht Law Review, Volume 9, Issue 3 (July) 2013, at 30. Balthasar criticises this consequence.

  193. 193.

    The aim is not to grant a special status to the authorities, see at 25 of the ruling.

  194. 194.

    This wording is chosen as a compromise formula, P. Hustinx in Reinventing data protection? S. Gutwirth et al. (eds), Springer, 2009, at 132.

  195. 195.

    Case C-614/10, Commission v Austria, EU:C:2012:631, at 36; Case C-288/12, Commission v Hungary, EU:C:2014:237, at 47.

  196. 196.

    Case C-518/07, Commission v Germany, EU:C:2010:125, at 31–37 (in particular at 36).

  197. 197.

    Case C-614/10, Commission v Austria, EU:C:2012:631, at 51.

  198. 198.

    Case C-518/07, Commission v Germany, EU:C:2010:125, at 35.

  199. 199.

    This links to what was said in this book on (government) surveillance.

  200. 200.

    Case C-518/07, Commission v Germany, EU:C:2010:125, at 30.

  201. 201.

    Case C-518/07, Commission v Germany, EU:C:2010:125, at 41–46.

  202. 202.

    The Court also rejects arguments of the German government relating to the legal basis and to subsidiarity and proportionality, but these are not relevant for this part of the book.

  203. 203.

    Case C-614/10, Commission v Austria, EU:C:2012:631, at 62–64.

  204. 204.

    The importance of this accountability is underlined by the annotation of M. Szydlo on Case C-614/10, Commission v Austria, EU:C:2012:63, in CMLR 50 (2013), 1809–1826, at 1821–1822.

  205. 205.

    See annotation M. Szydlo on Case C-614/10, Commission v Austria, EU:C:2012:63, in CMLR 50 (2013), 1809–1826, 2013.

  206. 206.

    As will be explained below in Sect. 7.13.

  207. 207.

    And private organisations, but that is not relevant here.

  208. 208.

    Spiros Simitis, “Reviewing Privacy in an Information Society”, University of Pennsylvania Law Review, 135/3, 707–46, 1987, at 744.

  209. 209.

    This is the model foreseen in the Joint Statement and Common Approach of the European Parliament, the Council of the EU and the European Commission on Decentralised Agencies of 19 July 2012.

  210. 210.

    Further read, Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014, e.g., the contributions of Vos, at 34, and Ottow, at 135.

  211. 211.

    E. Chiti, An important part of the EU’s institutional machinery: Features, problems and perspectives of European agencies, CMLR 46 (2009), 1395–1442, at 1399.

  212. 212.

    And repeated in Article 7 of the Protocol (No 4) on the Statute of the European System of Central Banks and of the European Central Bank.

  213. 213.

    As explained in Chap. 2 of this book.

  214. 214.

    As mentioned in Case C-518/07, Commission v Germany, EU:C:2010:125, at 30.

  215. 215.

    The reference to the internal market in Case C-518/07, Commission v Germany, EU:C:2010:125, at 30, is made even more explicit in para. 50 of the ruling.

  216. 216.

    In Cases C-288/12, Commission v Hungary, EU:C:2014:237, at 51, and C-362/14, Schrems, EU:C:2015:650, at 42.

  217. 217.

    Case C-518/07, Commission v Germany, EU:C:2010:125, at 24.

  218. 218.

    Case 9/56, Meroni, EU:C:1958:7, at 152.

  219. 219.

    See on the Meroni doctrine: Vos in Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014, at 40.

  220. 220.

    See, e.g., E. Chiti, An important part of the EU’s institutional machinery: Features, problems and perspectives of European agencies, CMLR, 46, 1395–1442, 2009, at 1421–1424.

  221. 221.

    Case C-270/12, United Kingdom of Great Britain and Northern Ireland v European Parliament and Council, EU:C:2014:18 (on ESMA), ruling of 22 January 2014 and the Opinion of AG Jääskinen.

  222. 222.

    Wording from F. Vibert, The Rise of the Unelected, Democracy and the New Separation of Powers, Cambridge University Press, 2007, at 1.

  223. 223.

    See, e.g., ruling of CJEU in Case C-518/07, Commission v Germany, EU:C:2010:125.

  224. 224.

    See European Data Protection Supervisor, Opinion of 7 March 2012 on the data protection reform package, at II.8.

  225. 225.

    And repeated in Article 7 of the Protocol (No 4) on the Statute of the European System of Central Banks and of the European Central Bank.

  226. 226.

    Case C-11/00, Commission v European Central Bank, EU:C:2003:395, at 134.

  227. 227.

    Case C-518/07, Commission v Germany, EU:C:2010:125, at 19.

  228. 228.

    Article 130 TFEU.

  229. 229.

    Case C-54/96, Dorsch Consult Ingenieursgesellschaft, EU:C:1997:413, at 34–38.

  230. 230.

    Case C-54/96, Dorsch Consult Ingenieursgesellschaft, EU:C:1997:413, at 34–38.

  231. 231.

    The mixed councils are mentioned in Case C-614/10, Commission v Austria,, EU:C:2012:631, Opinion AG Mazak, footnote 7 of Chap. 1. Further read: A. Balthasar, “‘Complete Independence’ of National Data Protection Supervisory Authorities”, Utrecht Law Review, Volume 9, Issue 3 (July) 2013, at 26–38.

  232. 232.

    Case C-53/03, Syfait and Others, EU:C:2005:333, at 29–38.

  233. 233.

    Case C-53/03, Syfait and Others, EU:C:2005:333, at 33.

  234. 234.

    Anna-Sara Lind and Jane Reichel, Administrating Data Protection – or the Fort Knox of the European Composite Administration, Critical Quarterly for Administration and Law (EuCritQ), 1, pp. 44–57, 2014, at 53.

  235. 235.

    See on this, Chiti, CMLR 46 (2009), 1395–1442.

  236. 236.

    Also the Commission and, where appropriate, the European Parliament participate in these Management Boards.

  237. 237.

    Further read: E. Vos in Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014, at 29.

  238. 238.

    See on this Chap. 4, Sect. 4.10 of this book.

  239. 239.

    Case C-614/10, Commission v Austria, EU:C:2012:631, at 36; Case C-288/12, Commission v Hungary, EU:C:2014:237, at 47. See also Sect. 7.9.

  240. 240.

    See Sect. 7.7 above.

  241. 241.

    See also Sect. 7.3 above

  242. 242.

    Further read: H. Hijmans, The European data protection supervisor: The institutions of the EC controlled by an independent authority, CMLR, 43, 2006, 1313–1342.

  243. 243.

    Cases C-518/07, Commission v Germany, EU:C:2010:125, C-614/10, Commission v Austria, EU:C:2012:631 and C-288/12, Commission v Hungary, EU:C:2014:237

  244. 244.

    M. Scholten, The Political Accountability of EU Agencies: Learning from the US Experience, (dissertation Maastricht, 2014), at 174.

  245. 245.

    Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 8/1.

  246. 246.

    See mainly Article 3 of Decision No 1247/2002/EC of the European Parliament and of the Council and of the Commission of 1 July 2002 on the regulations and general conditions governing the performance of the European Data-protection Supervisor’s duties, OJ L 183/1

  247. 247.

    Article 53 (2) GDPR.

  248. 248.

    Case C-93/12, Agrokonsulting-04, EU:C:2013:432, at 35

  249. 249.

    Article 48 of Commission Proposal for a General Data Protection Regulation, COM (2012), 11 final; amendment 325 of the legislative resolution of the European Parliament; Article 53 (1) GDPR.

  250. 250.

    Case C-518/07, Commission v Germany, EU:C:2010:125, at 41–46

  251. 251.

    See also Chap. 6, Sect. 6.14 of this book.

  252. 252.

    Case C-518/07, Commission v Germany, EU:C:2010:125, at 25.

  253. 253.

    See Chap. 4, Sect. 4.13.

  254. 254.

    Case C-518/07, Commission v Germany, EU:C:2010:125, at 41–46.

  255. 255.

    European Data Protection Supervisor, Opinion of 7 March 2012 on the data protection reform package, at 236, with a reference to Commission v Germany.

  256. 256.

    See above, and the annotation of M. Szydlo on Case C-614/10, Commission v Austria, EU:C:2012:63, in CMLR 50 (2013), 1809–1826, at 1821–1822.

  257. 257.

    Koen Lenaerts and Piet van Nuffel, European Union Law (Third edition), Sweet & Maxwell, 2010, at 7–045 and case law mentioned in footnote 101 of Chap. 2.

  258. 258.

    The powers listed in Article 28 are powers of investigation, powers of intervention, powers to hear claims and to engage in legal proceedings.

  259. 259.

    Case C-518/07, Commission v Germany, EU:C:2010:125, at 25.

  260. 260.

    In this sense, Jürgen Habermas, The Crisis of the European Union, A Response, Cambridge University Press, 2012, at 15–16.

  261. 261.

    See on this, e.g.: Harlow in Paul Craig and Grainne de Burca (eds), The evolution of EU Law (Second Edition), Oxford University Press, 2011, at 447. On the principle of effectiveness in general: see Paul Craig and Grainne de Burca, EU Law, Text, Cases and Material (Fifth Edition), Oxford University Press, 2011, at various places, e.g. at 223–237, in relation to remedies before national courts.

  262. 262.

    Kenneth A. Bamberger, Deirdre K. Mulligan, 2013, “Privacy in Europe: Initial Data on Governance Choices and Corporate Practices”, George Washington Law Review, Vol. 81, p. 1529, 2013, at 1549–1550. See also: David Barnard-Wills and David Wright, Deliverable 1 – “Co-ordination and co-operation between Data Protection Authorities”, www.phaedra-project.eu

  263. 263.

    Kenneth A. Bamberger, Deirdre K. Mulligan, 2013, “Privacy in Europe: Initial Data on Governance Choices and Corporate Practices”, George Washington Law Review, Vol. 81, p. 1529, 2013, at 1550.

  264. 264.

    COM (2012), 11 final.

  265. 265.

    Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Safeguarding Privacy in a Connected World A European Data Protection Framework for the twenty-first century, COM (2012), 9 final, pp 6–7.

  266. 266.

    Fundamental Rights Agency, Access to data protection remedies in EU Member States, 2013, at 4.2 and in Fundamental Rights Agency, Data Protection in the European Union, the role of National Data Protection Authorities, 2010, at 5.1.1.

  267. 267.

    Fundamental Rights Agency, Data Protection in the European Union, the role of National Data Protection Authorities, 2010, at 5.1.1.

  268. 268.

    Fundamental Rights Agency, Data Protection in the European Union, the role of National Data Protection Authorities, 2010, at 5.1.3.

  269. 269.

    http://www.cnil.fr/english/news-and-events/news/article/the-cnils-sanctions-committee-issues-a-150-000-EUR-monetary-penalty-to-google-inc/. See also Dariusz Kloza and Anna Moscibroda, Making the case for enhanced enforcement cooperation between data protection authorities: insights from competition law, International Data Privacy Law, 2014, Vol. 4, No. 2.

  270. 270.

    An example of increased sanctioning powers can be found in The Netherlands. The Dutch DPA will be, as from 2016, empowered to impose administrative fines with a maximum of 810,000 Euro, Staatsblad 230 Wijziging van de Wet bescherming persoonsgegevens, 2015.

  271. 271.

    A principle for funding is found in the OECD (2014), The Governance of Regulators, OECD Best Practice Principles for Regulatory Policy, OECD Publishing. http://dx.doi.org/10.1787/9789264209015-en, at 98: “Funding levels should be adequate to enable the regulator, operating efficiently, to effectively fulfil the objectives set by government, including obligations imposed by other legislation.”

  272. 272.

    Fundamental Rights Agency, Data Protection in the European Union, the role of National Data Protection Authorities, 2010, at 5.1.1

  273. 273.

    Article 52 (4) GDPR.

  274. 274.

    Article 52(4) and recital 120 GDPR.

  275. 275.

    Legislative Resolution of the European Parliament, Amendment 65, relating to recital 94.

  276. 276.

    Article 29 Data Protection Working Party, Opinion 01/2012 on the data protection reform proposals – WP 191, at 17.

  277. 277.

    See on this A. Balthasar, “‘Complete Independence’ of National Data Protection Supervisory Authorities”, Utrecht Law Review, Volume 9, Issue 3 (July) 2013, at 32–37.

  278. 278.

    Case C-614/10, Commission v Austria, EU:C:2012:631, at 58.

  279. 279.

    Fundamental Rights Agency, Data Protection in the European Union, the role of National Data Protection Authorities, 2010, at 4.1.2.

  280. 280.

    Case C-614/10, Commission v Austria, EU:C:2012:631, at 58. See on this: A. Balthasar, “‘Complete Independence’ of National Data Protection Supervisory Authorities”, Utrecht Law Review, Volume 9, Issue 3 (July) 2013, at 37.

  281. 281.

    Case C-270/12, United Kingdom of Great Britain and Northern Ireland v European Parliament and Council, EU:C:2014:18, at 85.

  282. 282.

    Article 52(4) GDPR.

  283. 283.

    Joined cases C-293/12 and C-594/12, Digital Rights Ireland (C-293/12) and Seitlinger (C-594/12), at 68, and Case C-362/14, Schrems, EU:C:2015:650, at 44.

  284. 284.

    Article 28(4) of Directive 95/46.

  285. 285.

    Case C-230/14, Weltimmo, EU:C:2015:639, at 54.

  286. 286.

    See, e.g., Sect. 7.1 of this chapter.

  287. 287.

    Koen Lenaerts and Piet van Nuffel European Union Law (Third edition), Sweet & Maxwell, 2010, at 7–045 and case law mentioned in footnote 101 of Chap. 2.

  288. 288.

    Koen Lenaerts and Piet van Nuffel, European Union Law (Third edition), Sweet & Maxwell, 2010, at 7–045 and case law mentioned in footnote 101 of Chap. 2.

  289. 289.

    Further read: Paul Craig and Grainne de Burca, EU Law, Text, Cases and Material (Fifth Edition), Oxford University Press, 2011, Chap. 8.

  290. 290.

    Commission Proposal for a General Data Protection Regulation, COM (2012), 11 final.

  291. 291.

    Article 1(2) TEU.

  292. 292.

    The interaction of individuals with the European composite administration in this area is mentioned in Anna-Sara Lind and Jane Reichel, Administrating Data Protection – or the Fort Knox of the European Composite Administration, Critical Quarterly for Administration and Law (EuCritQ), 2014, 1, pp. 44–57, at 55.

  293. 293.

    Further read, Opinion Legal Service Council, e.g. 18031/13 (19 Dec 2013, full version on lobbyplag.eu).

  294. 294.

    As explained in Chap. 8, Sect. 8.12.

  295. 295.

    With the nuances in the case law of the Court, particularly C-131/12, Google Spain and Google Inc, EU:C:2014:317 and C-230/14, Weltimmo, EU:C:2015:639.

  296. 296.

    http://www.privacycommission.be/en/news/13-may-belgian-privacy-commission-adopted-first-recommendation-principle-facebook

  297. 297.

    Case C-518/07, Commission v Germany, EU:C:2010:125, at 19.

  298. 298.

    P. Hustinx in María Verónica Pérez Asinari et Pablo Palazzi (eds.), Défis du droit a la protection des données, Perspectives du Droit Européen et Nord-Américain, Challenges of privacy and data protection law, Perspectives of European and North-American Law, Cahiers du Centrede Recherches Informatique et Droit, 2008, pp 561–568, at 567.

  299. 299.

    In Case C-362/14, Schrems, EU:C:2015:650, at 53, the Court reiterates the importance of lodging complaint before a DPA.

  300. 300.

    Case C-192/15, Rease and Wullems. The case was repealed by Decision of the President of the Court of 9 December 2015, EU:C:2015:861, but the substantive issue remains relevant.

  301. 301.

    Hustinx in María Verónica Pérez Asinari et Pablo Palazzi (eds.), Défis du droit a la protection des données, Perspectives du Droit Européen et Nord-Américain, Challenges of privacy and data protection law, Perspectives of European and North-American Law, Cahiers du Centrede Recherches Informatique et Droit, 2008, pp 561–568, at 567.

  302. 302.

    Case C-518/07, Commission v Germany, EU:C:2010:125, at 24.

  303. 303.

    Zinzani in Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014, at 184.

  304. 304.

    See, in relation to agencies, E. Chiti, An important part of the EU’s institutional machinery: Features, problems and perspectives of European agencies, CMLR, 46, 1395–1442, 2009.

  305. 305.

    Case C-518/07, Commission v Germany, EU:C:2010:125, at 41–46, as explained in Sect. 7.9 above.

  306. 306.

    Or, as Scholten calls it, political accountability,, M. Scholten, The Political Accountability of EU Agencies: Learning from the US Experience (dissertation Maastricht, 2014).

  307. 307.

    Case C-11/00, Commission v European Central Bank, EU:C:2003:395, at 135.

  308. 308.

    See Chap. 6, Sect. 6.14.

  309. 309.

    Mark Bovens, Analysing and Assessing Accountability: A Conceptual Framework, European Law Journal, Vol. 13, No. 4, July 2007, pp. 447–468, at 449–450.

  310. 310.

    Also in this narrower sense accountability is sometimes seen as more than judicial and democratic accountability, M. Busuioc and M. Groenleer in Everson, Michelle, Cosimo Monda, and Ellen Vos (eds), 2014, EU Agencies in between Institutions and Member States, Kluwer Law International 2014, at 192. We stick to judicial and democratic accountability, because this links directly to the rule of law and democracy, and closely links to legitimacy, as understood in this book (see Chap. 1, Sect. 1.2).

  311. 311.

    Particularly in Chapter VIII thereof.

  312. 312.

    The issue of giving decision making power to the European Data Protection Board led to intensive discussions in the legislative procedure, not at least because of its impact on Article 47 Charter.

  313. 313.

    Case C-58/08, Vodafone and Others, EU:C:2010:321, at 52.

  314. 314.

    Opinion AG Cruz Villalón in Case C-62/14, Gauweiler and others, EU:C:2015:7: “111. The ECB must accordingly be afforded a broad discretion for the purpose of framing and implementing the Union’s monetary policy (58). The Courts, when reviewing the ECB’s activity, must therefore avoid the risk of supplanting the Bank, by venturing into a highly technical terrain in which it is necessary to have an expertise and experience which, according to the Treaties, devolves solely upon the ECB. Therefore, the intensity of judicial review of the ECB’s activity, its mandatory nature aside, must be characterised by a considerable degree of caution.”

  315. 315.

    Case C-288/12, Commission v Hungary, EU:C:2014:237, e.g. at 54.

  316. 316.

    E.g. Article 42 of Regulation 45/2001.

  317. 317.

    Under Directive 95/46, as interpreted in Case C-288/12, Commission v Hungary, EU:C:2014:237. See also Article 53(4) GDPR, which mentions “serious misconduct”.

  318. 318.

    Annotation by Jiří Zemánek, 49 CMLR (2012), 1755–1768, at 1765, on Case C-518/07, Commission v Germany, EU:C:2010:125.

  319. 319.

    As stated by M. Busuioc and M. Groenleer, EU Agencies in between Institutions and Member States, Edited by: Michelle Everson, Cosimo Monda, Ellen Vos, January 2014, at 175. See also Sect. 7.9.

  320. 320.

    Critical reactions on the CJEU’s extensive interpretation of independence of DPA relate to the effects on the democratic structure, annotation to Case C-518/07, Commission v Germany, on the independence of data protection authorities by Jiří Zemánek 49 CMLR (2012), 1755–1768.

  321. 321.

    This is not necessarily applicable to agencies: DPAs do not have a principal to whom they are accountable. See on this in relation to agencies, M. Scholten, The Political Accountability of EU Agencies: Learning from the US Experience, (dissertation Maastricht, 2014), in particular Chap. 1.

  322. 322.

    Mark Bovens, Analysing and Assessing Accountability: A Conceptual Framework, European Law Journal, Vol. 13, No. 4, July 2007, pp. 447–468, at 462–467.

  323. 323.

    Mark Bovens, Analysing and Assessing Accountability: A Conceptual Framework, European Law Journal, Vol. 13, No. 4, July 2007, pp. 447–468, at 466.

  324. 324.

    These are just examples.

  325. 325.

    M. Scholten, The Political Accountability of EU Agencies: Learning from the US Experience, (dissertation Maastricht, 2014), at 9–11.

  326. 326.

    Because they are funded by public money, Fundamental Rights Agency, Data Protection in the European Union, the role of National Data Protection Authorities, 2010, at 4.1.2.

  327. 327.

    Case C-614/10, Commission v Austria, EU:C:2012:631, at 58.

  328. 328.

    M. Scholten, The Political Accountability of EU Agencies: Learning from the US Experience, (dissertation Maastricht, 2014), at 77–90.

  329. 329.

    See Sect. 7.10.

  330. 330.

    Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 8/1.

  331. 331.

    Also Article 28(5) of Directive 95/46 mentions the activity report, although it only should be submitted at “regular intervals”.

  332. 332.

    Article 48 of Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 8/1 and Article 59 GDPR.

  333. 333.

    E.g., Article 3 of Decision No 1247/2002/EC of the European Parliament and of the Council and of the Commission of 1 July 2002 on the regulations and general conditions governing the performance of the European Data-protection Supervisor’s duties, OJ L 183/1.

  334. 334.

    A. Ottow, Market & Competition Authorities, Good Agency Principles, Oxford University Press, 2015, mainly Chap. 3. See Sect. 7.7 above.

References

  • Balkin, Jack M. 1993. The constitution in the national surveillance state. Minnesota Law Review 93(1): 1–26.

    Google Scholar 

  • Balthasar, A. 2013. ‘Complete Independence’ of national data protection supervisory authorities. Utrecht Law Review 9(3): 26–38.

    Article  Google Scholar 

  • Bamberger, Kenneth A., and Deirdre K. Mulligan. 2011. Privacy on the books and on the ground. Stanford Law Review 63: 247–316.

    Google Scholar 

  • Bamberger, Kenneth A., and Deirdre K. Mulligan. 2013. Privacy in Europe: Initial data on governance choices and corporate practices. George Washington Law Review 81: 1529.

    Google Scholar 

  • Barnard-Wills, David, and David Wright. 2014. Deliverable 1 – “Co-ordination and co-operation between Data Protection Authorities”. Available on: www.phaedra-project.eu.

  • Bennett, Colin J., and Charles D. Raab. 2003. The governance of privacy. Ashgate Publishing.

    Google Scholar 

  • Bennett, Colin J., and Charles Raab. 2006. The governance of privacy, policy instruments in global perspective. MIT Press.

    Google Scholar 

  • Bergh, G. van den. 1952. Montesquieu en het Staatsrecht. In Verzamelde Staatsrechtelijke opstellen. Samsom.

    Google Scholar 

  • Bovens, Mark. 2007. Analysing and assessing accountability: A conceptual framework. European Law Journal 13(4): 447–468.

    Article  Google Scholar 

  • Bygrave, Lee A. 2014. Data privacy law, an international perspective. Oxford University Press.

    Book  Google Scholar 

  • Chiti, E. 2009. An important part of the EU’s institutional machinery: Features, problems and perspectives of European agencies. Common Market Law Review 46: 1395–1442.

    Google Scholar 

  • Coen, David, and Mark Thatcher. 2008. Network governance and multi-level delegation: European networks of regulatory agencies. Journal of Public Policy 28(01): 49–71.

    Article  Google Scholar 

  • Craig, Paul, and Grainne de Búrca (eds.). 2011. The evolution of EU law, 2nd ed. Oxford University Press.

    Google Scholar 

  • Dougan, Michael. 2015. Judicial review of member state action under the general principles and the charter: Defining the ‘scope of Union law’. Common Market Law Review 52: 1201–1245.

    Google Scholar 

  • Everson, Michelle, Cosimo Monda, and Ellen Vos (eds). 2014. EU agencies in between Institutions and Member States, Kluwer Law International, 2014.

    Google Scholar 

  • Galetta, Antonella, and Paul De Hert. 2015. The proceduralisation of data protection remedies under EU data protection law: Towards a more effective and data subject-oriented remedial system? Review of European Administrative Law (REALaw) 1: 123–149.

    Google Scholar 

  • González Fuster, G. 2014. The emergence of personal data protection as a fundamental right of the EU, Springer, Law, Governance and Technology Series 16, 2014.

    Google Scholar 

  • Gutwirth, S., et al. (eds.). 2009. Reinventing data protection? Springer.

    Google Scholar 

  • Habermas, Jürgen. 2012. The crisis of the European union, a response, Cambridge University Press. Book Review by I. Pernice, Common Market Law Review 50, 1843–1874.

    Google Scholar 

  • Hancher, L., P. Larouche, and S. Lavrijssen. 2004. Principles of good market governance. Tijdschrift voor Economie en Management XLIX(2): 339–374.

    Google Scholar 

  • Hijmans, H. 2006. The European data protection supervisor: The institutions of the EC controlled by an independent authority. Common Market Law Review 43: 1313–1343.

    Google Scholar 

  • Hijmans, Hielke, and Herke Kranenborg (eds). 2014. Data protection anno 2014: How to restore trust? Contributions in honour of Peter Hustinx, European Data Protection Supervisor (2004–2014), Intersentia.

    Google Scholar 

  • Jóri, András. 2015. Shaping vs applying data protection law: Two core functions of data protection authorities. International Data Privacy Law 5(2): 133–143.

    Article  Google Scholar 

  • Kloza, Dariusz, and Anna Moscibroda. 2014. Making the case for enhanced enforcement cooperation between data protection authorities: Insights from competition law. International Data Privacy Law 4(2): 120–138.

    Article  Google Scholar 

  • Lavrijssen, Saskia, and Annetje Ottow. 2012. Independent supervisory authorities: A fragile concept. Legal Issues of Economic Integration 39(4): 419–446.

    Google Scholar 

  • Lenaerts, Koen, and Piet van Nuffel. 2011. European union law, 3rd ed. Sweet & Maxwell.

    Google Scholar 

  • Lind, Anna-Sara, and Jane Reichel. 2014. Administrating data protection – Or the fort knox of the European composite administration. Critical Quarterly for Administration and Law (EuCritQ) 1: 44–57.

    Google Scholar 

  • Majone, Giandomenico. 1998. Europe’s ‘Democratic Deficit’: The question of standards. European Law Journal 4(1): 5–28.

    Article  Google Scholar 

  • Ottow, A. 2015. Market & competition authorities, good agency principles. Oxford University Press.

    Google Scholar 

  • Peers, Steve, Tamara Hervey, Jeff Kenner, and Angela Ward (eds). 2014. The EU charter of fundamental rights, a commentary. Oxford: Hart Publishing.

    Google Scholar 

  • Pérez Asinari, María Verónica, and Pablo Palazzi (eds). 2008. Défis du droit à la protection des données, Perspectives du droit Européen et Nord-Américain – Challenges of privacy and data protection law, Perspectives of European and North-American Law, Cahiers du Centre de Recherches Informatique et Droit.

    Google Scholar 

  • Research Network on EU Administrative Law. 2014. “ReNEUAL Model Rules on EU Administrative Procedure: Introduction to the ReNEUAL Model Rules”/Book I – General Provisions, On Line version; Book V – Mutual Assistance; Book VI – Administrative Information Management.

    Google Scholar 

  • Rotenberg, Marc, Julia Horwitz, and Jeramie Scott (eds.). 2015. Privacy in the modern age, the search for solutions. The New Press.

    Google Scholar 

  • Rubinstein, Ira. 2011. Privacy and regulatory innovation: Moving beyond voluntary codes. NYU School of Law, Public Law Research Paper No. 10–16. Available on: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1510275.

  • Rule, James, Douglas McAdam, Linda Stearns, and David Uglow. 1980. The politics of privacy, planning for personal data systems as powerful technologies. Elsevier.

    Google Scholar 

  • Scholten, M. 2014. The political accountability of EU agencies: Learning from the US experience. Dissertation Maastricht University. Available on: http://digitalarchive.maastrichtuniversity.nl/fedora/get/guid:be4ab50f-ee14-46d1-b0ef-712fe4d07a3f/ASSET1.

  • Schütz, Philip. 2012. Comparing formal independence of data protection authorities in selected EU Member States. Conference Paper, ECPR Standing Group on Regulation & Governance (Biennial Conference) <4, 2012, Exeter.

    Google Scholar 

  • Simitis, Spiros. 1987. Reviewing privacy in an information society. University of Pennsylvania Law Review 135(3): 707–746.

    Article  Google Scholar 

  • Solove, D.J., and W. Hartzog. 2014. The FTC and the new common law of privacy. Columbia Law Review 114: 583.

    Google Scholar 

  • Thatcher, Mark. 2011. The creation of European regulatory agencies and its limits: A comparative analysis of European delegation. Journal of European Public Policy 18: 790–809.

    Article  Google Scholar 

  • Vibert, F. 2007. The rise of the unelected, democracy and the new separation of powers. Cambridge University Press.

    Book  Google Scholar 

  • Vladeck, David C. 2015. A U.S. perspective on narrowing the U.S.-EU privacy divide. In Hacia un Nuevo derecho europea de protección de datos, Towards a new European Data Protection Regime, eds. Artemi Rallo Lombarte, Rosario García Mahamut, 207–245. Tirant lo Blanch.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Brussels, Belgium

    Hielke Hijmans

Authors
  1. Hielke Hijmans
    View author publications

    You can also search for this author in PubMed Google Scholar

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Hijmans, H. (2016). Understanding the Role of Independent, Effective and Accountable DPAs: New Branches of Government in Between the Union and the Member States. In: The European Union as Guardian of Internet Privacy. Law, Governance and Technology Series(), vol 31. Springer, Cham. https://doi.org/10.1007/978-3-319-34090-6_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-34090-6_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-34089-0

  • Online ISBN: 978-3-319-34090-6

  • eBook Packages: Law and CriminologyLaw and Criminology (R0)

Publish with us

Policies and ethics

Search

Navigation