Enforcement in the field of data protection Christian D’Cunha, Office of the EDPS Consumer Justice Enforcement Forum II Policy Debate Brussels 21 April 2015

Data protection enforcement Cooperation between data protection authorities Interaction between consumer and data protection

The EDPS Strategy 2015-2019: Leading by example Data protection goes digital Forging global partnerships Opening a new chapter for EU data protection

Data protection in flux Reform of data protection framework in EU and Council of Europe C-293/12 & C-594/12 DRI C-131/12 Google Spain C-362/14 Schrems

What data protection authorities do Ombudsmen Auditors Consultants Educators Policy Advisers Negotiators Enforcers [C.Bennett, Ch. D. Raab, The Governance of Privacy: Policy Instruments in Global Perspective, Ashgate, 2003, pp. 107-116.]

Staffing of DPAs Size matters Luxembourg -13 Malta - 8 Netherlands - 88 Poland -123 Portugal - 28 Romania - 46 Slovenia - 34 Slovakia - 33 Spain - 154 Sweden - 44 United Kingdom - 380 EDPS - 50 Iceland - 4 Liechtenstein - 4 Norway - 40 [Source: Phaedra, June 2014] Austria - 20 Belgium - 56 Bulgaria - 67 Cyprus - 11 Czech Republic - 97 Denmark - 35 Estonia - 17 Finland - 21 France -148 FR Germany - 81 Greece - 27 Hungary - 48 Ireland - 30 Italy - 118 Latvia - 19 Lithuania - 30

http://www.phaedra-project.eu

Data protection Consumer protection Competition Welfare vs harm Choice Trust and the internal market Transparency Accurate, intelligible information Compatibility/ substitutability Data portability Exploitation

Fines

Data protection reform: look out for Article 76 Art 73: Right to lodge a complaint with a supervisory authority Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal data. Art 76: Common rules for court proceedings Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 and 75 on behalf of one or more data subjects

The Charter of Fundamental Rights of the EU Art 7: Right to respect for private and family life Art 8: Right to protection of personal data… compliance subject to control of independent authority Art 37: Union policies shall ensure a high level of consumer protection

Lisbon Treaty: horizontal, heterogenous applicability Art 12 Consumer protection requirements shall be taken into account in defining and implementing other Union policies and activities Art 16: Rules shall be laid down on protection of individuals where data processed by EU bodies, by MS carrying out activities in scope of EU law and on free movement of data in the internal market. Compliance controlled by independent authorities. Art 169: To promote interests of consumers and high level of consumer protection, EU shall contribute to protecting health, safety and economic interests of consumers and to protecting right to information, education and to organise themselves to safeguard their interests – through measures that complete the internal market support, supplement and monitor MS policy MS may apply more stringent protective measures

Parallel lines Consumer law enforcement Choice Data protection fundamental rights Internal market Choice Protection from harm enforcement Data protection

Points of intersection What is the deal? Transparency of information – ‘concise, transparent, clear and easily accessible… in an intelligible form, using clear and plain language ‘ (GDPR Art 11); ‘plain and intelligible language (CPD Art.8.1) How do I agree to the deal? Concept of consent (Article 7(a) Directive 95/46/EC, Art 7 GDPR) ‘explicit acknowledgement’ (CPD Art 8.2) How do I get out of the deal? Data portability (GDPR Art 15), right to be forgotten (Art 17) Right of withdrawal (CPD Art 9)

Transparency Web 2.0? What is the deal? Our automated systems analyse your sent, received and stored emails to provide you personally relevant product features. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our services, and to develop new ones. How do I agree to the deal? When you upload, submit, store, send or receive content to or through our services, you give us and our partners a worldwide license to use, host, store, reproduce, modify, create derivative works communicate, publish, publicly perform, publicly display and distribute such content. How do I get out of the deal? You may block all cookies… However, it’s important to remember that many of our services may not function properly if your cookies are disabled.

EDPS Strategy 2015-2019 Priority action 3 develop a model for information-handling policies … which explains in simple terms how business processes could affect individuals’ rights to privacy and protection of personal data…

Big challenges Understanding the consumer interest Defining abuse of data/ unfair contracts Cooperation between authorities Enforcement powers and sanctions Redress

https://secure.edps.europa.eu/EDPSWEB/edps/Consultation/big_data Thank you https://secure.edps.europa.eu/EDPSWEB/edps/Consultation/big_data christian.dcunha@edps.europa.eu edps@edps.europa.eu @EU_EDPS