Recommendations for improving practical ... - PHAEDRA Project · 1/14/2017  · phaedra-project.eu...


PHAEDRA II

IMPROVING PRACTICAL AND HELPFUL CO-OPERATION BETWEEN DATA PROTECTION AUTHORITIES II phaedra-project.eu

Recommendations for improving practical cooperation between European Data Protection Authorities

Deliverable D4.1 version 4 final

David Barnard-Wills Vagelis Papakonstantinou Cristina Pauner José Díaz Lafuente

Brussels – London – Warsaw – Castellon January 2017


A report prepared for the European Commission’s Directorate-General for Justice and Consumers (DG JUST).

The PHAEDRA II (2015-2017) project is co-funded by the European Union under the Fundamental Rights and Citizenship Programme (JUST/2013/FRAC/AG/6068).

The contents of this deliverable are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Commission.

Cover picture: © David Barnard-Wills, 2016.

Permanent link: http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA2_D41_final_20170114.pdf

Authors (Name, Partner)
David Barnard-Wills, TRI
Vagelis Papakonstantinou, VUB
Cristina Pauner Chulvi, UJI
José Díaz Lafuente, UJI

Internal Reviewers (Name, Partner)
Dariusz Kloza, VUB-LSTS
Sophie Kwasny, Advisory Board
Dan Svantesson, Advisory Board
(anonymous), (anonymous)

Institutional Members of the PHAEDRA II Consortium (Member, Role, Website)
Vrije Universiteit Brussel (VUB), Research Group on Law, Science, Technology and Society (LSTS): Project Coordinator, vub.ac.be/LSTS
Trilateral Research Ltd. (TRI): Partner, trilateralresearch.com
Biuro Generalnego Inspektora Ochrony Danych Osobowych (GIODO): Partner, giodo.gov.pl
Universidad Jaume I (UJI): Partner, uji.es

version #4 final 14 January 2017 20:00 CEST


Table of Contents

PHAEDRA II FINAL RECOMMENDATIONS’ SUMMARY ........................................................................ 6

LIST OF ABBREVIATIONS ............................................................................................................................... 8

1 INTRODUCTION ......................................................................................................................................... 9

1.1 GENERAL REMARKS .................................................................................................................................. 9

1.2 BACKGROUND TO THE PHAEDRA AND PHAEDRA II PROJECTS ............................................................. 9

1.3 METHODOLOGY ....................................................................................................................................... 10

2 THE EVOLVING CONTEXT OF INTERNATIONAL COOPERATION IN THE AREA OF PERSONAL DATA PROTECTION ........................................................................ 11

2.1 GENERAL DATA PROTECTION REGULATION ............................................................................................ 11

2.2 SAFE HARBOR AND PRIVACY SHIELD ...................................................................................................... 12

2.3 ARTICLE 29 DATA PROTECTION WORKING PARTY ACTIVITIES ............................................................... 12

2.4 INTERNATIONAL NETWORKS AND ENFORCEMENT COOPERATION RESOLUTIONS ...................................... 14

3 GENERAL RECOMMENDATIONS ........................................................................................................ 17

3.1 RECOGNISE THE FUNDAMENTAL EQUALITY OF SUPERVISORY AUTHORITIES ............................................ 17

Audience for this recommendation ........................................................................................................... 17

Rationale ................................................................................................................................................... 18

Challenges and barriers ............................................................................................................................. 18

Resources .................................................................................................................................................. 18

3.2 INFORMAL MECHANISMS FOR COOPERATION SHOULD SUPPLEMENT THE FORMAL ONES. TRUST IS A KEY FACTOR ENABLING COOPERATION ................................................... 19

Audience for this recommendation ........................................................................................................... 19

Rationale ................................................................................................................................................... 19

Challenges and barriers ............................................................................................................................. 20

Resources .................................................................................................................................................. 21

3.3 COOPERATION SHOULD RESPECT NATIONAL DIFFERENCES, BUT ALSO ALLOW FOR SOME EXTRATERRITORIALITY WHEN APPROPRIATE .............................................. 21

Audience ................................................................................................................................................... 21

Rationale ................................................................................................................................................... 22

Challenges and barriers ............................................................................................................................. 22

Resources .................................................................................................................................................. 22

3.4 COOPERATION SHOULD HAVE AS BROAD GEOGRAPHICAL SCOPE AS POSSIBLE......................................... 22

Audience for this recommendation ........................................................................................................... 23

Rationale ................................................................................................................................................... 23

Challenges and barriers ............................................................................................................................. 24

Resources .................................................................................................................................................. 24

3.5 COOPERATION SHOULD BE DEVELOPED GRADUALLY AND ITS FUNCTIONING SHOULD BE REVIEWED PERIODICALLY ................................................................. 24

Audience for this recommendation ........................................................................................................... 25

Rationale ................................................................................................................................................... 25

Challenges and barriers ............................................................................................................................. 26

Resources .................................................................................................................................................. 26

3.6 DECIDE HOW TO SHARE THE COSTS OF COOPERATION ............................................................................. 26

Audience for this recommendation ........................................................................................................... 26

Rationale ................................................................................................................................................... 26

Challenges and barriers ............................................................................................................................. 27

Resources .................................................................................................................................................. 27

3.7 KEEP TRANSLATION TO A MINIMUM WHILE DEALING WITH INDIVIDUAL CASES. MAXIMISE TRANSLATION IN GUIDANCE AND PUBLIC COMMUNICATIONS ................................................. 27

Audience for this recommendation ........................................................................................................... 28

Rationale ................................................................................................................................................... 28

Challenges and barriers ............................................................................................................................. 29

Resources .................................................................................................................................................. 29


3.8 COOPERATE ON THE DEVELOPMENT OF POLICIES AND PRACTICES TO PREVENT DATA PROTECTION VIOLATIONS ........................................................................................... 29

Audience for this recommendation ........................................................................................................... 30

Rationale ................................................................................................................................................... 30

Challenges and barriers ............................................................................................................................. 31

Resources .................................................................................................................................................. 31

3.9 SET UP A COLLABORATIVE TECHNOLOGY FORESIGHT TASK FORCE. OFFER RESEARCH FUNDS TO THAT END ................................................................................................... 31

Audience ................................................................................................................................................... 32

Rationale ................................................................................................................................................... 32

Challenges and barriers ............................................................................................................................. 33

Resources .................................................................................................................................................. 33

3.10 EXPLORE ALTERNATIVE DISPUTE RESOLUTION METHODS ........................................................................ 33

Audience for this recommendation ........................................................................................................... 33

Rationale ................................................................................................................................................... 33

Challenges and barriers ............................................................................................................................. 33

Resources .................................................................................................................................................. 34

4 RECOMMENDATIONS ON COMPLAINT HANDLING ..................................................................... 35

4.1 INTRODUCE DETAILED GUIDELINES WITH REGARD TO GDPR COMPLAINT HANDLING REQUIREMENTS ........................................................... 35

Rationale ................................................................................................................................................... 35

4.2 LINGUISTIC BARRIERS NEED TO BE ADDRESSED ....................................................................................... 35

Rationale ................................................................................................................................................... 35

4.3 APPLY COMMON ENFORCEMENT PRACTICES WHERE POSSIBLE ................................................................ 35

Rationale ................................................................................................................................................... 35

4.4 INTRODUCE A COMMON COMPLAINT CLASSIFICATION SYSTEM FOR INTERNAL DPA MANAGEMENT PURPOSES ........................................................................................ 35

Rationale ................................................................................................................................................... 36

4.5 ENHANCE PUBLIC PARTICIPATION AND TRANSPARENCY IN HANDLING COMPLAINTS AND – THEREFORE – TRUST THROUGH THE USE OF AUTOMATED ELECTRONIC MANAGEMENT PLATFORMS ...................................................................................................... 36

Rationale ................................................................................................................................................... 36

4.6 INTRODUCE COMPLAINT-HANDLING PROCEDURES THAT TAKE INTO ACCOUNT KNOWLEDGE-MANAGEMENT PROCESSES ...................................................... 36

Rationale ................................................................................................................................................... 36

5 RECOMMENDATIONS ON THE CONSISTENCY MECHANISM .................................................... 37

5.1 MANAGE PUBLIC EXPECTATIONS ABOUT THE APPROPRIATE PLACEMENT OF THE CONSISTENCY MECHANISM WITH OTHER LAW ENFORCEMENT MECHANISMS IN MEMBER STATES ................................................................................................................................. 37

Rationale ................................................................................................................................................... 37

5.2 DELINEATE THE SCOPE OF THE CONSISTENCY MECHANISM AGAINST OTHER FORMS OF COOPERATION ............................................................................................... 38

Rationale ................................................................................................................................................... 38

5.3 ADOPT DETAILED BY-LAWS AND OPERATIONS PROVISIONS ..................................................................... 38

Rationale ................................................................................................................................................... 38

5.4 THE EDPB SHOULD BE BOTH AN ADJUDICATOR AND A CONSULTATION MECHANISM .............................. 39

Rationale ................................................................................................................................................... 39

5.5 EXPLICITLY ADDRESS THE RIGHT OF APPEAL ........................................................................................... 39

Rationale ................................................................................................................................................... 39

6 RECOMMENDATIONS ON INFORMATION SHARING AND INFORMATION TECHNOLOGY PLATFORMS SUPPORTING COOPERATION .............................................................................................. 40

6.1 INTRODUCTION ........................................................................................................................................ 40

6.2 PLATFORMS ............................................................................................................................................. 41

6.2.1 Concept of a platform ...................................................................................................................... 41

6.2.2 Examples of (electronic) platforms used in the EU ......................................................................... 43

(a) Communication and cooperation platforms for EU DPAs ............................................................... 43


(b) Cooperation platforms used within the EU ...................................................................................... 45

6.2.3 Main lessons and benefits of existing platforms .............................................................................. 45

6.3 RECOMMENDATIONS FOR THE CONFIGURATION OF AN IT PLATFORM FOR THE EDPB ........................................................................................ 46

6.3.1 Protection of personal data ............................................................................................................. 46

6.3.2 Linguistic and translation recommendations ................................................................................... 47

6.3.3 Accessibility recommendations ........................................................................................................ 47

6.3.4 Security recommendations ............................................................................................................... 48

6.3.5 Admissibility of digital evidence ...................................................................................................... 49

6.3.6 Usability requirements ..................................................................................................................... 49

6.3.7 Alerting and project management recommendations ...................................................................... 50

6.3.8 Repository recommendations ........................................................................................................... 50

7 BIBLIOGRAPHY ........................................................................................................................................ 52

7.1 PHAEDRA II PUBLICATIONS .................................................................................................................. 52

7.1.1 Deliverables ..................................................................................................................................... 52

7.1.2 Academic publications ..................................................................................................................... 52

7.1.3 Commissioned research ................................................................................................................... 53

7.2 GENERAL BIBLIOGRAPHY ........................................................................................................................ 53

ANNEX I: MAPPING OF PHAEDRA I AND PHAEDRA II RECOMMENDATIONS ................................................ 56

ANNEX II: THE DPA COOPERATION SCORECARD (WORK IN PROGRESS).......................................................... 64


PHAEDRA II final recommendations’ summary

General recommendations

1. Recognise the fundamental equality of supervisory authorities
2. Informal mechanisms for cooperation should supplement formal ones. Trust is a key factor enabling cooperation
3. Cooperation should reflect national differences, but also allow for some extraterritoriality when appropriate
4. Cooperation should have as broad a geographical scope as possible
5. Cooperation should be developed gradually and its functioning should be reviewed periodically
6. Decide how to share the costs of cooperation
7. Keep translation to a minimum while dealing with individual cases. Maximise translation in guidance and public communications
8. Cooperate on the development of policies and practices to prevent data privacy violations
9. Set up a collaborative technology foresight task force. Offer research funds to that end
10. Explore alternative dispute resolution methods

Recommendations on complaint handling

1. Introduce detailed guidelines on GDPR complaint handling requirements
2. Linguistic barriers need to be addressed
3. Apply common enforcement practices where possible
4. Enhance public participation, transparency & trust in handling complaints using automated electronic management platforms
5. Investigate automated complaint management
6. Introduce knowledge management processes into complaint handling procedures

PHAEDRA II Final Recommendations, 2017, www.phaedra-project.eu


Recommendations on the consistency mechanism

1. Manage public expectations about the appropriate placement of the consistency mechanism with other law enforcement mechanisms in Member States
2. Delineate the scope of the consistency mechanism against other forms of cooperation
3. Adopt detailed by-laws and operations provisions
4. The EDPB should be both an adjudicator and a consultation mechanism
5. Explicitly address the right of appeal
6. Keep translation to a minimum in cases and maximise translation in public communication

Recommendations on information sharing

1. Protection of personal data (legal compliance; flexibility and responsiveness to legislative changes; privacy by design)
2. Linguistic and translation (automated translator tools)
3. Accessibility (standardisation of document formats; universal accessibility [respect for different abilities])
4. Security (compliance with standards; decentralisation; end-to-end encryption; role-awareness; validation policies for multi-users)
5. Admissibility of digital evidence (authenticity; completeness; reliability; believability; proportionality)
6. Usability (multi-device; offline friendliness; multi-organisation working)
7. Alerting and project management (alerting functionality; a project space for bilateral cooperation)
8. Repository (different spaces; simultaneous & shared use; templates & guidelines; tracking & recording; global search functionality)


List of abbreviations

ADR: Alternative dispute resolution
CJEU: Court of Justice of the European Union
CFR: European Union Charter of Fundamental Rights
COE: Council of Europe
DPA: Data Protection Authority
DPIA: Data protection impact assessment
ECHR: European Court of Human Rights
EDPB: European Data Protection Board
EDPS: European Data Protection Supervisor
ENISA: European Network and Information Security Agency
EU: European Union
GDPR: General Data Protection Regulation
GPEN: Global Privacy Enforcement Network
ICDPPC: International Conference of Data Protection and Privacy Commissioners
IT: information technology
MoU: Memorandum of understanding
PbD: Privacy by Design
PC: Privacy Commissioner
PEA: privacy enforcement agency
PIA: privacy impact assessment
PIL: private international law
WP29: Article 29 Data Protection Working Party


1 Introduction

1.1 General remarks

This report presents the final recommendations from the PHAEDRA II project and marks the completion of the project.

The report contains an overview of the PHAEDRA I and PHAEDRA II research projects, two projects with the shared aim of supporting practical cooperation between data protection authorities (DPAs). It provides a brief outline of the evolving context of international cooperation of relevant authorities in the area of personal data protection, which serves as a background to the report's recommendations. These recommendations are provided in four chapters: (1) general recommendations across the various forms of cooperation between EU data protection authorities, and specific recommendations on (2) complaint handling, (3) the consistency mechanism, and (4) information technology (IT) platforms for cooperation. In addition, the report concludes with two annexes: one mapping the recommendations arising from both the PHAEDRA and PHAEDRA II projects, and the other setting out the work-in-progress on the DPA Cooperation Scorecard, aimed at evaluating DPAs’ cooperation.

Despite this report being the ultimate output of both PHAEDRA projects, the research and policy advice on cooperation of supervisory authorities in the area of data privacy law is far from complete. Although after the conclusion of the PHAEDRA II project (i.e. 14 January 2017) – in the foreseeable future – there will be no structured research agenda in this regard, it is the intention of the editors of this report, as well as of all PHAEDRA consortium members, to continue this research endeavour under other available frameworks.

1.2 Background to the PHAEDRA and PHAEDRA II projects

The main goal of the PHAEDRA II project – or “Improving Practical and Helpful co-operAtion betweEn Data pRotection Authorities II” (2015-2017) – is to identify, develop and recommend measures for improving practical cooperation between European Union DPAs.1

The PHAEDRA II project represents a natural continuation of an earlier project under the same name and builds on its results. The first PHAEDRA project (2013-2015) focused on cooperation and coordination mechanisms between DPAs, privacy commissioners (PCs) and privacy enforcement agencies (PEAs) (‘supervisory authorities’) around the world. It was aimed at adding value, complementing and supporting the initiatives of these supervisory authorities to improve international cooperation and coordination among them. The project analysed the state-of-the-art on the matter and – having interacted with supervisory authorities via interviews, surveys and workshops – advised policy-makers and supervisory authorities themselves how to improve their practical cooperation and coordination, in parallel raising awareness about the problem at stake. The first PHAEDRA project concluded with two sets of recommendations:

1. Wright, David, David Barnard-Wills, and Inga Kroener, Findings and recommendations, Deliverable D4, London 2015, 53 pp.2

2. Dariusz Kloza and Antonella Galetta, “Towards efficient cooperation between supervisory authorities in the area of data privacy law”, in: De Hert Paul, Dariusz Kloza and Paweł Makowski (eds.) Enforcing privacy: lessons from current implementations and perspectives for the future, Wydawnictwo Sejmowe, Warszawa, 2015, pp. 77-108.3

Whilst the first PHAEDRA project focused on supervisory authorities’ cooperation on a global scale, the core interest of the second phase lay in the practical cooperation of European Union DPAs. PHAEDRA II focused on the challenges for cooperation arising both from the reform of the EU data protection framework and from the EU framework in force. The project tackled three of the biggest challenges facing EU DPAs: ensuring consistency, sharing different types of information (including confidential or otherwise privileged information), and coordination and cooperation regarding enforcement actions.

This report also offers the project the opportunity to reflect back on four years’ worth of close cooperation with both EU and international supervisory authorities and interested communities in the policy-making, business and academic worlds. The projects have made recommendations and suggestions along the way, and this report also offers the opportunity to reflect on some of these.

1 Cf. http://www.phaedra-project.eu.
2 Cf. http://www.phaedra-project.eu/wp-content/uploads/Findings-and-recommendations-18-Jan-2015.pdf.
3 Cf. http://www.phaedra-project.eu/wp-content/uploads/phaedra1_enforcing_privacy_final.pdf.

1.3 Methodology

The recommendations presented here, and summarised in the graphic at the start of the report, build upon the previous research work, including consultancy and legal analysis, of the PHAEDRA and PHAEDRA II projects. Previous reports from the two projects have contained their own recommendations based upon their specific research activity, and a mapping of the relationship between those recommendations and those presented in this final document can be found in Annex I. As the context for these recommendations evolves over time, and the focus of the analysis shifts from the global to the specifically European, certain framings of the recommendations become more or less pertinent, but strong common threads can be seen through the recommendations made by the project. Each of the final recommendations made in this report is built upon previous work, thus supporting its validity. We chose to separate out specific recommendations on complaint handling, the consistency mechanism and IT platforms from the more general recommendations because of their importance and their granularity.


2 The evolving context of international cooperation in the area of personal data protection

It is a continuing fact that privacy violations in the present-day globalised and digitalised world often do not stop at the borders of a single jurisdiction, and this places greater pressure upon relevant authorities to work together more closely and more frequently: both to develop policies and practices to minimise the risk of violations occurring, and to sanction such violations should they occur.4 At a more granular level, the context in which international cooperation in the area of personal data protection occurs has developed over the four years of the two PHAEDRA projects, and any set of recommendations must be sensitive to that new context. Data protection authorities, and their international networks of collaboration, have not stood still during this period, and our final recommendations must therefore take this progress and evolution into account. This introduction therefore highlights the key events shaping the context of this report, and their relation to the project.

2.1 General Data Protection Regulation

The most significant shift in the cooperation landscape is, of course, the passing of the General Data Protection Regulation (hereinafter: the Regulation, GDPR)5 and the associated Criminal Justice Data Protection Directive.6 Even as the new GDPR changes how data protection law is applied and enforced among the EU Member States, uncertainties persist as to how this new legal framework will be applied in practice and how it will impact the day-to-day activities of EU DPAs. As was widely recognised, the GDPR, which will come into effect in 2018, changes the way in which EU data protection authorities (“supervisory authorities” in the text) are required to cooperate. Cooperation is now not merely a possibility, but an obligation under EU law. Nevertheless, the text does not provide comprehensive rules on the modalities and procedures involved. PHAEDRA II’s first report, issued in July 2015, collected the perspectives of EU DPAs in the midst of the reform process, and in particular their attitudes towards cooperation and the way in which the Regulation would impact upon this.7 PHAEDRA II’s third report subsequently provided a detailed legal analysis of the legal challenges around applying the GDPR’s new cooperation provisions.8 Our two workshops and three roundtables have engaged with DPAs through the trialogue process and beyond into the period in which DPAs have started to build the infrastructure needed to respond to the new law. Finally, several public statements by DPAs on the impact of the Regulation and new public guidance they have issued based upon the reform9 are hosted in the PHAEDRA II repository – our collection of significant cases and documents.10

The implication for PHAEDRA II’s recommendations is that these developments must be addressed at this particular point in the reform process, where the texts have been settled, but not yet come into force, and during which many of the actors to whom our recommendations are addressed are already engaged in active preparation for that moment. A certain path dependency has been established and recommendations must be contextually relevant within those bounds.

4 Barnard-Wills, David and Vagelis Papakonstantinou, Best Practices for cooperation between EU DPAs, PHAEDRA II Deliverable D2.2: London-Brussels-Warsaw-Castellón, February 2016.

5 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, pp. 1–88.

6 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, pp. 89–131.

7 Barnard-Wills, David and David Wright, Authorities’ views on the impact of the data protection framework reform on their co-operation in the EU, PHAEDRA II Deliverable D1: London-Brussels-Warsaw-Castellón, July 2015.

8 Papakonstantinou, Vagelis, Cristina Pauner Chulvi, Andres Cuella and David Barnard-Wills, European and national legal challenges when applying the new General Data Protection Regulation provisions on co-operation, PHAEDRA II Deliverable D3.1: London-Brussels-Warsaw-Castellón, September 2016. http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA2_D31_final_15092016.pdf.

9 PHAEDRA II repository, “New checklist prepares organisations for the new EU regulation”, May 2016, http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA-II-Repository_SW_DI_TRI_-May-2016.pdf.

10 For more information, cf. Pauner, Cristina and Jorge Viguri, A report on a repository of European DPAs’ leading decisions with cross-border implications, London-Brussels-Warsaw-Castellón, January 2017. http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA2_D42_final_20170112.pdf.


2.2 Safe Harbor and Privacy Shield

A second significant event during the period of our research was the shift in the legal framework for transfer of personal data between the EU and the United States (US), in which the EU DPAs were increasingly involved. In October 2015, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor Agreement, essentially finding that Safe Harbor failed to meet adequate data protection standards. This followed from the disclosure of US surveillance programmes. The agreement had been formulated to allow for US companies and organisations to meet EU data protection requirements. Many companies were therefore using this arrangement to transfer personal data from the EU to the US.11 In February 2016 a new arrangement, the US-EU Privacy Shield was proposed which the European Commission argued met the requirements of the CJEU.12 It was adopted in July 201613 following input from the Article 29 Working Party.

Further lawsuits are in progress in relation to other data transfer mechanisms, such as model contracts14 and standard contractual clauses.15 Following the CJEU decision on the invalidity of the Safe Harbor decision, a reformulated complaint against Facebook was lodged with the Irish DPA.16 In its subsequent investigation, the office concluded that transfers of personal data within Facebook were largely reliant upon standard contractual clauses (SCC) (as is the case with many other large companies). The office expressed concerns that the SCC do not meet the CJEU’s concerns about legal remedy. Given that questions about validity can only be determined by the CJEU, the Irish DPA therefore commenced legal proceedings in the Irish High Court seeking a declaration as to the validity of the EU Commission decisions on SCC and a preliminary reference to the CJEU on this issue.17 The hearing before the High Court is due in February-March 2017. The case has substantial significance for other EU DPAs as the resulting CJEU decision will once more impact the legal basis used for international transfers of personal data across the EU.

The implication for PHAEDRA II’s recommendations is that these cases have stressed the interdependence of EU DPAs, that “local” cases can have international impact, and that jurisdiction is not a clean cut and easily determined matter.

2.3 Article 29 Data Protection Working Party activities

The Article 29 Data Protection Working Party (WP29), the advisory body gathering all of the EU DPAs, has continued its activity as the key forum for collaboration between these authorities through the duration of our work. Arguably, the WP29 has developed its forms of collaborative working during this period18 under some pressure from the legislative process of the GDPR and from external events such as the Safe Harbor/Privacy Shield decisions.

The GDPR has acted as a driver for WP29 cooperation in preparation and response. The WP29 has also released an Action Plan concerning the implementation of the new Regulation.19 Various sub-groups of the Working Party have been given the task of organising working documents within their areas of activity. In December 2016, at a plenary meeting, the WP29 adopted guidelines and FAQs for controllers and

11 Court of Justice of the European Union, 6 October 2015 in C-362/14 Schrems v Data Protection Commissioner.

12 European Commission, “European Commission launches EU-U.S. Privacy Shield: Stronger protection for transatlantic data flows”, press release, Brussels, 12 July 2016. http://europa.eu/rapid/press-release_IP-16-2461_en.htm.

13 Ibid.

14 Data Protection Commissioner, Statement by the Office of the Data Protection Commissioner in respect of the application for Declaratory Relief in the Irish High Court and the Referral to the CJEU, 25 May 2016. https://www.dataprotection.ie/docs/25-05-2016-Statement-by-this-Office-in-respect-of-application-for-Declaratory-Relief-in-the-Irish-High-Court-and-Referral-to-the-CJEU/1570.htm.

15 PHAEDRA II Repository, “Update on litigation involving Facebook, Maximillian Schrems: Explanatory Memo”, September 2016. http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA-II-Repository_DPC_IR_TRI_September-2016.pdf.

16 Data Protection Commissioner, “Update on litigation involving Facebook, Maximillian Schrems: Explanatory Memo”, 28 September 2016, https://www.dataprotection.ie/docs/28-9-2016-Explanatory-memo-on-litigation-involving-Facebook-and-Maximilian-Schrems/1598.htm.

17 PHAEDRA II Repository, “Statement by the Office of the Data Protection Commissioner in respect of application for Declaratory Relief in the Irish High Court and Referral to the CJEU”, May 2016. http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA-II-Repository_IR_DPC_TRI_-May-20161.pdf.

18 First explored in Wright, David and David Barnard-Wills (eds.), Co-ordination and co-operation between Data Protection Authorities, PHAEDRA Workstream 1 report, 1 April 2014, revised 30 June 2014. http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA-D1-30-Dec-2014.pdf.

19 Article 29 Data Protection Working Party, Statement on the 2016 action plan for the implementation of the General Data Protection Regulation (GDPR), WP 236, 2 February 2016. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp236_en.pdf.


processors on the right to data portability,20 on Data Protection Officers (DPO)21 and on identifying the Lead Supervisory Authority.22 These guidelines were developed with the support of a "FabLab" organised by the working party in Brussels in July 2016.23 Further guidelines on data protection impact assessment (DPIA) and certification are intended to be ready in 2017. If the pattern followed by previous guidance from WP29 remains, these documents are likely to be used by at least some national DPAs as building blocks for their own communication and education activity. The press release following the December 2016 plenary meeting also provides some information on the internal work the WP29 has been doing on collaboration, including work on the modalities of future cooperation; position papers on mutual assistance, one stop shop and joint operations; and work on the administration and rules of procedure of the EDPB and the IT platform being developed by the EDPS.24

As indicated above, the issue of EU-US transfers was also a key priority for the WP29 as a collective body throughout 2016, and was another driver for the group to respond collectively to a significant issue at the EU policy level. In 2014, the WP29 had responded to discussions in the media and elsewhere about surveillance activities of intelligence agencies by issuing Opinion 04/2014 on surveillance of electronic communications for intelligence and national security purposes.25 It concluded that companies might be in breach of EU law if they grant access to personal data of Europeans on a mass scale to third-country intelligence agencies, or allow this to occur.

In October 2015, the WP29 stated that an assessment of the consequences of the Schrems decision with respect to all mechanisms permitting data transfers to the US would be carried out. The WP29 then proceeded to inventory and examine the jurisprudence of the CJEU as regards Articles 7, 8 and 47 of the European Union Charter of Fundamental Rights (CFR) and the jurisprudence of the European Court of Human Rights (ECtHR) related to Article 8 of the European Convention on Human Rights (ECHR) dealing with surveillance issues. The conclusions of this assessment were presented in a working document alongside the opinion on a proposed new framework for EU-US personal data transfers. After the Commission presented its draft for Privacy Shield in February 2016, the WP29 responded with Opinion WP238,26 and subsequently a statement in July 2016.27 The Opinion expressed concerns and asked for various clarifications (around commercial aspects of the Shield, data retention, definitions, onward transfers, redress mechanisms, derogations for national security purposes, and joint review).28 The Working Party stressed the general complexity and lack of clarity regarding the Privacy Shield and expressed concerns with respect to both the commercial and national security aspects of the new framework. The July statement welcomed changes made upon the basis of the Opinion, but stated that a number of concerns remained (lack of specific rules on automated decisions, independence and powers of the ombudsman and lack of concrete assurances on mass and indiscriminate data collection). The opinion also highlighted that the role of DPAs in the annual review process for Privacy Shield should be clarified. The authorities made a fairly substantial claim for their role in the process, arguing that

"all members of the joint review team shall have the possibility to directly access all the information necessary for the performance of their review, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities. When participating in the review, the national

20 Article 29 Data Protection Working Party, Guidelines on the right to data portability, WP 242, 13 December 2016, http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp242_en_40852.pdf.

21 Id., Guidelines on Data Protection Officers (‘DPOs’), WP 243, 13 December 2016, http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf.

22 Id., Guidelines for identifying a controller or processor's lead supervisory authority, WP 244, 13 December 2016. http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp244_en_40857.pdf.

23 Id., Fablab: “GDPR/from concepts to operational toolbox, DIY - results of the discussion”, 2016. http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2016/20160930_fablab_results_of_discussions_en.pdf.

24 Article 29 Data Protection Working Party, December 2016 Plenary Meeting. Press release, Brussels, 16 December 2016, http://ec.europa.eu/newsroom/document.cfm?doc_id=40853.

25 Id., Opinion 04/2014 on surveillance of electronic communications for intelligence and national security purposes, WP125, Brussels, 10 April

26 Id., Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision, WP 238, 13 April 2016, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp238_en.pdf.

27 Id., Statement on the decision of the European Commission on the EU-U.S. Privacy Shield, press release, 26 July 2016, http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160726_wp29_wp_statement_eu_us_privacy_shield_en.pdf.

28 PHAEDRA II repository, “Opinion of Article 29 WP29 on the EU –Privacy Shield draft adequacy decision”, May 2016. http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA-II-Repository_WP29_UJI_May-2016.pdf.


representatives of the WP29 will not only assess if the remaining issues have been solved but also if the safeguards provided under the EU-U.S. Privacy Shield are workable and effective."29

Additionally, the DPAs collectively committed themselves to:

"proactively and independently assist the data subjects with exercising their rights under the Privacy shield mechanism, in particular when dealing with complaints. The WP29 will soon provide information to data controllers about their obligations under the Shield, comments on the citizens’ guide, suggestions for the composition of the EU centralized body and for the practical organisation of the joint review."30

PHAEDRA II project members have presented on-going research findings to the WP29 and to individual national representatives. The implication for PHAEDRA II’s recommendations is that members of the WP29 and its constituent working groups are a key audience in the moment in which they are preparing for transition to a new regulatory regime. We are also within the timeframe to contribute the requested stakeholder inputs on their various activities.

2.4 International networks and enforcement cooperation resolutions

Outside the EU, the international context within which DPAs operate has also continued to evolve, not least through the international conferences and networks that were the focus of much of the work of the first PHAEDRA project.31

The Council of Europe continues to work on the modernisation of ‘Convention 108’. Both the current wording of ‘Convention 108’, and the Additional Protocol thereto already provide for mutual assistance (Arts 13–17). The proposed modernisation text strengthens the cooperation requirement, stating “the supervisory authorities shall co-operate with one another to the extent necessary for the performance of their duties and exercise of their powers”, specifically mentioning the provision of mutual assistance through information exchange, coordination of investigations, interventions and joint actions, and providing information on their legal and administrative practices in the area of data protection.32 Next, the Convention Committee, an advisory and monitoring body composed of representatives of all parties, would be obliged to ‘facilitate, where necessary, the friendly settlement of all difficulties related to the application of [the] Convention’ [Art. 19(i)]. Last but not least, the DPAs, in order to organize their cooperation and to perform their duties, should ‘form a conference/network’ [Art. 12bis(8)].33

Whilst the Council of Europe's ‘Convention 108’ extends far beyond EU countries, there are points of overlap. All EU Member States should eventually be bound by both the GDPR and the modernised Convention 108 once both have entered into force. A dual yet coherent standard will be created in which EU Member States will need to cooperate not only among themselves, but also with authorities from outside of the EU.

‘Convention 108’ is intended to be coherent and compatible with other legal frameworks,34 and the reform process ran in parallel with that of the GDPR. The explanatory report to the modernised Convention states: “With regard to the EU data protection reform package in particular, the works ran in parallel and utmost care was taken to ensure consistency between both legal frameworks. The EU data protection framework gives substance and amplifies the principles of Convention 108 and takes into account

29 Article 29 Data Protection Working Party, op. cit., 26 July 2016, p. 1.

30 Ibid.

31 Barnard-Wills & Wright, op. cit., June 2014, pp. 105-137.

32 Ad hoc Committee on Data Protection, Draft Protocol amending the Convention for the Protection of individuals with regard to Automatic Processing of Personal Data (ETS No.108), Council of Europe, 5 March 2015. Cf. Article 12bis paragraph 7. https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016806a616c

33 Kloza, Dariusz and Anna Mościbroda, 2014. “Making the case for enhanced enforcement cooperation between data protection authorities: insights from competition law”, International Data Privacy Law 4, pp. 120–138. doi:10.1093/idpl/ipu010.

34 Council of Europe, Convention for the protection of individuals with regard to the automatic processing of personal data, draft explanatory report. https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016806af966, p. 1 and https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016806b6ec2.


accession to Convention 108, notably with regard to international transfers.”35 In its Communication on “Exchanging and Protecting Personal Data in a Globalised World” the European Commission underlines the complementarity of both frameworks by stating that the modernised Convention “will reflect the same principles as those enshrined in the new EU data protection rules and thus contribute to the convergence towards a set of high data protection standards.” 36

The International Conference passed the Resolution on International Enforcement Cooperation in October 2016.40 The resolution recognises existing approaches to enforcement cooperation, and (1) mandates a new working group of experts to develop proposals for key principles in legislation that facilitate greater cooperation, supported by other initiatives and explanation for national legislatures, (2) nominates leader participant authorities in each of the global regions to act as contact points for promoting conference members’ participation in the Global Cross-Border Enforcement Cooperation Arrangement (the Mauritius Resolution)41 and (3) mandates the conference committee to discuss practical projects with Global Privacy Enforcement Network (GPEN) and other relevant networks, in particular looking into the feasibility of populating a database of each authority's legal powers to cooperate, evidence gathering requirements, definitions of personal data and confidential data.

The Global Privacy Enforcement Network (GPEN) has continued to expand, reaching 59 authorities across 43 jurisdictions in 2015.42 The GPEN Alert tool was launched.43 The GPEN side-event at the International Privacy Conference provided an opportunity for GPEN organisers to report back to network members on the on-going activity of the network, and consult on its planned future actions. On-going initiatives include a survey on enforcement powers, reaching out to other networks, and developing an enforcement practitioners workshop. GPEN conducted two further sweeps during this period, focusing upon apps and websites targeted at children in 2015 and Internet of Things (IOT) devices in April 2016.44 Consistent with past practices since the first joint sweep in 2013, the joint operations provide a broad inventory of these sectors on an international scale and will indicate national specificities. The GPEN “Privacy Sweeps” of 2015 and 2016, in which several EU DPAs participated, were reported in the PHAEDRA II repository from various sources.45

The Common Thread Network linking data protection and privacy enforcement authorities across the Commonwealth was founded during this period, and has continued to expand, reaching twenty members and launching a website in October 2016.46 Based upon the analysis in

35 Ibid, p. 2.

36 Communication from the Commission to the European Parliament and the Council, 10 January 2017, COM(2017) 7 final.

40 38th International Conference of Data Protection and Privacy Commissioners, Resolution on International Enforcement Cooperation, Marrakesh, 18 October 2016, https://icdppc.org/wp-content/uploads/2015/02/7._resolution_on_international_enforcement_cooperation.pdf.

41 36th International Conference of Data Protection and Privacy Commissioners, Resolution on Enforcement Cooperation, Mauritius, 2015, https://icdppc.org/wp-content/uploads/2015/02/ResolutionInternational-cooperation.pdf.

42 Azarya, Sharon, "Privacy network expands global participation and cooperation opportunities", Global Privacy Enforcement Network, 21 March 2016, https://www.privacyenforcement.net/node/660.

43 The Alert tool was analysed from the perspective of the information sharing needs of EU data protection authorities in PHAEDRA II deliverable 2.2: Barnard-Wills, David and Vagelis Papakonstantinou, Best Practices for cooperation between EU DPAs, PHAEDRA II Deliverable D2.2: London-Brussels-Warsaw-Castellón, February 2016.

44 PHAEDRA II Repository, "GPEN Sweep - Internet of Things", April 2016, http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA-II-Repository_IR_DPO_TRI_April-2016.pdf.

45 Cf. PHAEDRA II Repository, "CNIL issues Internet sweep outcomes on connected devices", September 2016, http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA-II-Repository_CNIL_UJI_September-2016.pdf; Launch by the GPEN of the 2016 Global Privacy sweep of "internet of things", April 2016, http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA-II-Repository_FR_CNIL_UJI_April-2016.pdf; and “International privacy scan apps for kids”, September 2015. http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA-II-Repository_NL_CBP_Apps-for-kids_TRI_September-2015-PHAEDRA-II-Repository_NL_CBP_Apps-for-kids_TRI_September-2015.pdf.

46 Information Commissioner's Office, “Common Thread Network website launched”, press release, 19 October 2016, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/common-thread-network-website-launched.


PHAEDRA I D1,47 the Common Thread Network does not duplicate the membership of any existing network (other than being a sub-set of potential participants in the ICDPPC), instead forming a potential bridge between different global regions (potentially in a similar manner to the Association francophone des autorités de protection des données personnelles (AFAPDP)).

The International Cyber Security Enforcement Network (or the so-called LAP, London Action Plan), which aimed at promoting international spam enforcement cooperation and addressing spam related issues, was represented by both private sector representatives and government and DPAs from Ireland, Spain and the UK. The latest form of cooperation occurred in June 2016, when 11 enforcement authorities across the globe, including those from the UK and the Netherlands, signed a Memorandum of Understanding (MoU) to provide a framework for information and intelligence sharing and to reinforce cross-border cooperation to address unwanted messages and calls.

The implication of this continued international network development for PHAEDRA II's recommendations is that whilst our work has been focused upon EU cooperation and coordination, this occurs in an international context, and that recommendations may be addressed to both EU DPAs in their international relations, but also to international data protection and privacy enforcement authorities in their interactions with their EU counterparts.

47 Barnard-Wills & Wright, op. cit., 30 June 2014 (Chapters 3 and 4).


General recommendations


3 General recommendations

The PHAEDRA II project final recommendations for improving practical and helpful cooperation between EU DPAs – in the context of the new regulatory regime and contemporary data protection environment – are split into four sections. A set of general recommendations across all areas of DPA cooperation is followed by more granular and focused recommendations on a set of key areas: complaint handling, the consistency mechanism and information sharing and IT systems.

3.1 Recognise the fundamental equality of supervisory authorities

Cooperation should be based on the presumption of the equal value, competence and standing of each supervisory authority and of the legal system in its jurisdiction and thus on the principle of mutual trust.48 This is a necessary starting point for developing trust and respect so fundamental for long-term and sustainable cooperation, often neglected amidst discussion of legal frameworks. Whilst there are factual differences in resources and experience, and the nature of the domain to be regulated in any given country (e.g. the number of international entities headquartered in that country with a “potential” to infringe data protection law), there is no legal differentiation between DPAs (to the extent that these authorities qualify as DPAs in the strictest, EU meaning).

DPAs will have differences of opinion, either based upon different readings of the facts of an investigation, different understandings of the best strategy to ensure data protection, or their perception of how to most effectively use their limited human or financial resources. However, these differences should be resolved cordially and in a collegiate manner, based upon recognition of fundamental equality supported by clear communication and transparency around decision-making.49 Otherwise, the risk is that coordination diminishes and DPAs might withdraw from otherwise effectively collaborative activity. No agency wants to be regarded as a junior partner, even in a positive relationship based around mutual learning.

Furthermore, whilst they will have a clear extra-national responsibility under the GDPR, supervisory authorities are still embedded in their national legal and political systems. Whilst they are independent, this creates some variance in their functions in relation to each other. In the short term there is little supervisory authorities can do about many of these issues. In the longer term, authorities should support their peers, and provide examples to governments of what can be achieved with appropriate levels of resourcing and expertise. The identification and sharing of best practices is a contribution to this.51

Additionally, supervisory authorities should recognise that the GDPR is not exclusive, and that in seeking remedy for a particular issue, citizens might first approach a range of consumer protection or advocacy organisations outside of the data protection context. This introduces a pressure to regard a wider range of authorities and bodies as peers, and to seek out means of cooperation with them.52 This reduces the initial burden upon the individual to identify the appropriate regulatory authority for their particular complaint, which is likely to blend elements of data protection, consumer rights, etc.

Audience for this recommendation

This recommendation is addressed to EU DPA staff at multiple levels from the strategic to the operational. At a leadership and strategic level, this recommendation informs the organisational posture in relation to peer DPAs, as fed down in internal documentation and policy. In particular it should inform clarity and transparency around decisions, when those decisions differ from those expressed by other peer authorities. Commissioners should be able to spread the message within their organisations that they are strongly committed to cooperation, and that teams would be supported in making it work.53 Investigative teams need to be creative and adaptive, and support from senior management makes this easier. At an operational staff level, this recommendation informs those likely to be involved in greater day-to-day interactions between authorities.

48 Galetta, Antonella and Dariusz Kloza, “Cooperation among data privacy supervisory authorities: Lessons from parallel European mechanisms”, Proceedings of the 19th International Legal Informatics Symposium, IRIS 2016, http://www.phaedra-project.eu/wp-content/uploads/phaedra2_Galetta_Kloza_IRIS2016.pdf.
49 Papakonstantinou, Pauner, Cuella & Barnard-Wills, op. cit., September 2016, p. 95.
51 Such as in the PHAEDRA II D2.2 report, but replicable across all other areas of supervisory authority activities.
52 An example of this is provided by the ICO's collaboration with OFCOM, the UK's telecommunications regulator, to address nuisance calls and texts. See http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA-II-Repository_UK_ICO_TRI_December-20152.pdf for more information.
53 Papakonstantinou, Pauner, Cuella & Barnard-Wills, op. cit., September 2016, p. 95.


This recommendation is also addressed to national governments and legislatures, who determine the budgets provided to their DPAs and are therefore responsible for determining if the authorities have adequate resources to meet their mandated objectives. Article 52(4) GDPR requires Member States to provide the necessary human, technical and financial resources for the effective performance of their tasks and the exercise of their powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the board. Those national governments should ensure that the supervisory authorities are sufficiently resourced so as to be able to act as full peers in the emergent EU data protection regulatory community.

Rationale

This recommendation is strongly supported by the comparative analysis of parallel collaboration mechanisms, in particular that of EU private international law (PIL). Our report stated:

“We have observed that mutual trust in the administration of justice in the Member States is pivotal to the functioning of EU private international law (PIL). As early as 1968, such trust has enabled automatic recognition of judgments given in other Member States «without any special procedure being required». Some 40 years later, in 2012, it has further justified the abolition of the exequatur (i.e. declaration of enforceability), thus bringing the EU PIL closer to the ideal of the Full Faith and Credit Clause in the American Constitution.”54

Second, this recommendation arises from PHAEDRA II’s perspective upon the nature of the international data protection and privacy context. National states and their authorities can no longer guarantee by themselves the rights and freedoms recognised in their domestic legal system (if this was ever the case). Interdependence creates a sense of vulnerability, through the reliance on external parties to meet one's objectives. Sharing part of their formal sovereignty is necessary to protect the rights and freedoms of their citizens.55 This recommendation is also supported by the importance of trust to social collaboration and shared group interests (cf. Recommendation 3.3 below) and by the role that mutual perception and reputation play in building trust. If a collaborating party feels appropriately regarded, then they are less likely to risk that reputation.

Our analysis of the legal challenges around cooperation highlighted the importance of DPAs recognising their individual strengths and weaknesses, the importance of leadership and senior-level support, the potential value of relationship management and continuity planning, and the critical importance of clarity and transparency about the criteria and reasons for cooperation decisions.56

Challenges and barriers

Fundamentally, there are certainly still differences in size, experience and resources between the DPAs (i.e. factual differences). Changes in attitude and perception will not make these differences disappear immediately. Additionally, the experience of collaboration in the past has not always been smooth, as evidenced by some of the case studies of enforcement cooperation in PHAEDRA I,57 and in our interviews with DPAs in PHAEDRA II.58 Poor experiences of collaboration in the past may continue to unfairly or disproportionately impact perceptions of peers long after substantive corrective changes in personnel, procedure or policy. There are inevitable differences of opinion and of strategy, which may indeed persist under a new structural legal framework. Key challenges for DPAs interviewed by PHAEDRA II included maintaining legitimacy, freedom of action and the ability to determine their own strategies and methods, and the ability to take what they see as appropriate measures, whilst maintaining co-ordination and consistency with their peers.

Resources

With the passage of the GDPR, all EU DPAs will now hold the same enforcement powers, ability to impose fines, etc. A lack of such full harmonisation created barriers to cooperation in the past. This harmonisation also provides the opportunity for a fresh start and a re-orientation of attitudes towards cooperation. The recommendation is also supported by the emerging culture of cooperation that PHAEDRA has identified amongst EU data protection authorities,59 and in particular by the mechanisms for cooperation that are being established within the Article 29 Working Party.

54 Barnard-Wills & Papakonstantinou, op. cit., 2016, p. 92.
55 Galetta, Antonella, Dariusz Kloza and Paul De Hert, Cooperation among data privacy supervisory authorities by analogy: lessons from parallel European mechanisms, PHAEDRA II Deliverable D2.1, Brussels-London-Warsaw-Castellón, April 2016, p. 94.
56 Papakonstantinou, Pauner, Cuella & Barnard-Wills, op. cit., September 2016, p. 95.
57 Barnard-Wills & Wright, op. cit., 2014, p. 77.
58 Barnard-Wills & Wright, op. cit., July 2015.

3.2 Informal mechanisms for cooperation should supplement the formal ones. Trust is a key factor enabling cooperation

Cooperation should be firmly based in law, at least when supervisory authorities enforce data privacy laws. Whilst the new legal framework provides a basis for cooperation, the formal mechanisms do not exhaust the space of potential cooperation. In any case, cooperation efforts amongst supervisory authorities must not contravene the legal provisions. Informal mechanisms of cooperation, ranging from communication and discussion, cooperation planning and strategic thinking, networking and personal relationships, mutual learning, staff visits and exchanges, to joint projects and interaction with stakeholders, have been the basis for much of the existing cooperation to-date. These mechanisms, and the experience and learning that have evolved with them, should not be jettisoned. Supervisory authorities and other relevant stakeholders should also take care to build, foster and protect those informal mechanisms, institutions and processes that allow for mutual trust between supervisory authorities. Informal mechanisms are also fundamental to building and increasing trust between cooperating parties.

Due to technological development and the speed at which new products and services can be brought to market (and achieve a high number of users in a short space of time), data protection regulation is an evolving and changing field, marked by a high pace of change. This suggests that there is a need for flexible and innovative responses, which may not have been anticipated in the legal framework.

Audience for this recommendation

As in the preceding one, this recommendation is primarily addressed to EU DPA staff at the leadership and strategic level, to be implemented across their organisations. At an operational staff level there is likely to be a reduced level of flexibility to implement informal forms of cooperation; however, personal relationships (developed for example through a staff exchange) should still be promoted.

Other stakeholders, including the European Commission, should be aware that, as well as the formal cooperation mechanisms that exist, there are likely to be informal cooperation and coordination processes, even if they are relatively invisible and difficult to track. They should also be aware that these processes are likely to be carrying some of the organisational weight and coordination capacity of the supervisory authorities, and potentially reducing the friction of formal cooperation mechanisms. This awareness may help to avoid actions, for example implementing acts by the European Commission, or budgetary decisions by Member States, which might negatively impact upon these processes. Informal cooperation processes are more likely to be threatened by budgetary pressures than formal processes that are based on a legal requirement.

Rationale

The PHAEDRA reports have consistently identified informal cooperation mechanisms as vital to the cooperation that has been achieved to date amongst EU DPAs, as well as providing a measure of operational flexibility. For example, with regard to sharing best practice, our interviews with EU DPAs found that DPAs expressed clear appreciation for the willingness of their colleagues to exchange experience, positions and activity relatively freely. Several DPAs said that they gained very valuable perspectives from these informal exchanges. In addition, some DPAs stated that they preferred to share these experiences in interactive sessions with their peers, where questions could pass back and forth and details be discussed.

As the PHAEDRA II project showed in its second report,60 examples from other fields of law (e.g. competition or consumer protection law) can also bring new ideas while establishing cooperation between DPAs. This research suggested that efficient cooperation could be sought by supervisory authorities appreciating the many nuances and the benefits of cooperation itself.61

59 Barnard-Wills, David, Cristina Pauner Chulvi and Paul De Hert, “Data protection authority perspectives on the impact of data protection reform on cooperation in the EU”, Computer Law and Security Review, Vol. 32, No. 4, August 2016, pp. 587–598.
60 Galetta, Kloza and De Hert, op. cit., April 2015.
61 Ibid, p. 94.


Trust is an issue that emerged in many of PHAEDRA II’s workshops and round-tables, and was the key theme of the final workshop at the International Conference of Data Protection and Privacy Commissioners in October 2016. Whilst trust can be a tricky concept, defined in many ways in different fields, it is useful in this context because it takes our understanding of DPA collaboration (and therefore our recommendations regarding it) beyond the formal legal requirements and instruments for cooperation, but without leaving those elements behind completely. Many informal mechanisms of DPA cooperation are trust building activities. Trust is a positive factor for social groups and in a cyclical relationship with cooperation – particularly in the development of trust through continued cooperation and the facilitation of cooperation by trust. Trust makes interaction predictable, creates a sense of community and makes it easier for people to work together.62 Conversely, mistrust can be understood as a “tax” or additional cost on all forms of collective activity.63

Following Schneier's work on social trust,64 EU DPAs can be thought of as a “society”, albeit a small one, with a shared group interest. All social groupings potentially suffer from defection – where the tension between the shared collective interest and the individual interest of its members becomes too great and a member acts in its individual interest as opposed to the collective interest. Defection is not always bad, and may result from moral reasons or from competing (overlapping) group interests. However, too high a rate of defection removes the possibility of trust within the social grouping. Defection is prevented by countervailing pressures, including:

- moral pressures (the internal sense of DPAs to do the right thing),
- reputational pressures (how DPAs are perceived by their peers, stakeholders and the public),
- institutional pressures (codified norms, sanctions, organisational pressures, including formal legal mechanisms such as the consistency mechanism), and
- security systems (measures to identify or prevent defection).

If so, it is then possible to consider to what extent this “society” has the right infrastructures to generate the right types of pressures towards trust. Given the changes derived from the GDPR, as well as the external pressures towards increased cooperation, the EU DPA “society” is now at a point where shared social norms of cooperation are emerging (for example, through the regular activities of the WP29), but are not yet settled or fixed. This is therefore a significant moment in which those norms can be explored and agreed upon. It would therefore be valuable for EU DPAs to collectively determine how they see their group interest, grounded, as one would expect, upon the protection of the rights of Europeans to personal data protection and privacy. It would not be remiss for this group interest to include political and organisational shared interests (for example, further professionalisation of data protection regulators, increased technical skills, sufficient funding in each Member State, etc.). Finally, some element of internal feedback between supervisory authorities upon how they perceive each other to be meeting their obligations to cooperate could be valuable in intentionally harnessing these social pressures.

Challenges and barriers

The demands to give full effect to the new GDPR, as well as the introduction of a number of formal cooperation structures may place pressure upon the informal methods of cooperation. Authorities may feel under some pressure to formalise all cooperation in order to meet requirements under the GDPR (for example, having records of responses to enquiries from their peers in order to demonstrate they have responded within the allowed time window).

Prior to the GDPR, cooperation between DPAs has largely been on the basis of informal personal relationships, and therefore largely through moral and reputational pressures (it has been possible, for example, for a member of staff working on international cooperation issues to know many if not all of their peers working on the same). These pressures may not scale sufficiently with the anticipated increase in the volume of day to day cooperation, and additionally so if cooperation is automated or across an IT platform.

While informal cooperation is mostly undocumented, it is nevertheless crucial for DPA cooperation. In particular, not all matters concerning a DPA merit referral to the GDPR’s consistency mechanism. By introducing a formal cooperation mechanism, the GDPR risks abolishing the cooperation paths already in existence today, even under the less-developed provisions of Directive 95/46 in this regard, which is something that could ultimately harm DPA effectiveness.65

62 Misztal, Barbara, Trust in Modern Societies: The Search for the Bases of Social Order, Polity Press, Cambridge, 1996.
63 Fukuyama, Francis, Trust: The Social Virtues and the Creation of Prosperity, Simon and Schuster, 1995.
64 Schneier, Bruce, Liars and Outliers: Enabling the Trust that Society Needs to Thrive, John Wiley & Sons, Indianapolis, 2012.

Resources

The prime resource supporting this recommendation is the legal provisions for cooperation in GDPR, located in Chapter VII Cooperation and consistency. This provides the legal mandate for cooperation between EU DPAs.

The provisions in the GDPR on cooperation (particularly the consistency mechanism and the role of the European Data Protection Board (EDPB)) do provide some support to building and maintaining trust through the introduction of institutional pressures against defection. The Board in particular could be positioned to promote trust, by codifying norms, and recording “defections” from collective interests.

3.3 Cooperation should respect national differences, but also allow for some extraterritoriality when appropriate

First, cooperation between DPAs must respect national and regional differences of the jurisdictions involved. Some jurisdictions will not give up control over aspects that they regard as fundamental and only by allowing exceptions (e.g. grounds for refusal of a request for mutual assistance) can cooperation ever be possible, especially in sensitive aspects such as enforcement.

Both regulators and DPAs themselves must recognise and take account of such “red lines” when deciding upon cooperative arrangements and when allocating work. The first and foremost recognition to make is that of the different legal system in a sister jurisdiction. Regulators and authorities must subsequently recognise some contextual factors, e.g. geographical location, pre-existing relationships, technological capacity, etc.

In the EU context, whilst the GDPR harmonises several areas of DPA cooperation, and in doing so eases it, there will still potentially be substantial differences, because the Regulation leaves EU Member States a lot of room for manoeuvre in executing the provisions on the set-up of the supervisory authorities. Furthermore, the Commission is empowered to issue delegated acts that will have an impact on cooperation. Finally, national DPAs will always operate partially on the existing elements of national legislation (e.g. administrative procedural law), and this too will impact their capacity to cooperate. At this stage, the extent of this difference is unknown. Therefore, DPAs and the European Commission need to collect systematic data on these matters and share it with national governments and with DPA counterparts. This will form a strong guide for future cooperation.

Second, supervisory authorities should be able to exercise – to a reasonable extent – extraterritorial jurisdiction. This is because data breaches often have cross-jurisdictional implications and may require cross-border remedies. Providing effective data protection for citizens requires extending data protection to the conduct of foreign parties.66

Supervisory authorities should be both empowered and obliged to act speedily on cross-border data privacy violations.67 Speedy responses will require training for operational staff to be aware of their cross-border roles and to have the capacity to make appropriate decisions.

Audience

As the primary actors in their international cooperation, the audience for the first part of this recommendation are EU DPAs. In much the same way as they will be required to acknowledge the equal standing of their peers, they will need to be aware of (or let their peers inform them of) red-lines arising from national jurisdictions.

If the EDPB has developed a good understanding of the barriers and challenges created by differences in national legislation (which it should), then it should be able to counter-balance any cases where national legislation has been offered as an excuse for non-cooperation, rather than a reason for it. Clear analysis of potential differences may also serve to demonstrate that many of these anticipated differences are not absolute and indefatigable barriers to cooperation in all modalities.

65 Papakonstantinou, Pauner Chulvi, Cuella & Barnard-Wills, op. cit., September 2016, p. 12.
66 Svantesson, Dan, Extraterritoriality in Data Privacy Law, Copenhagen, Ex Tuto Publishing, 2013.
67 Galetta, Kloza & De Hert, op. cit., April 2016, p. 94.


Alongside the Board, the European Commission is in a good position to collect, analyse and publish information on national differences. Member State lawmakers are in a position to reduce national differences.

Rationale

The challenges for a consistent application of the GDPR are that Member State legislators are entitled and obliged to maintain and adopt national rules (both sectoral and general); thus Member State law forms an integral part of the data protection acquis, DPAs and the EDPB also apply Member State law, and therefore the lawfulness of the same data processing activity may vary between Member States.68 Further, DPAs need to retain their independence, operational flexibility and ability to respond to the context of particular cases.

These differences are not always barriers, and can in some contexts be leveraged to positive effect in terms of the protection of data and privacy rights. In their joint investigation of WhatsApp, the Canadian system allowed more contact with the data controllers under investigation, whilst the Dutch capacity for punitive enforcement encouraged compliance with the investigation as a whole.69

According to Hijmans,70 EU DPAs under the GDPR will become no longer simply national authorities but organisations somewhere between the EU and national levels, with EU law deciding what they will do, including tasks and duties and cooperation mechanisms. There are issues with this situation – DPAs remain national authorities, covered by national administrative law – so there may be two sets of law they need to comply with. In many EU countries, national administrative law says what organisations can and cannot do, which may be overruled by the Regulation.

Our comparative analysis of parallel cooperation mechanisms supports the recommendation for the possibility of a degree of extraterritorial jurisdiction, identifying a pertinent example of extraterritorial jurisdiction in the Schengen system. Under this system, if a person is presumed to have taken part in an extraditable criminal offence and he has moved from one Schengen state to another, the former state can keep conducting investigations on him on the ground and beyond its national borders, as long as authorised by the latter. Furthermore, in an emergency and for violent and serious crimes, such an authorisation is initially replaced by mere notification.71

If the use of the formal consistency mechanism is to be minimised, then there will need to be more effort towards prior or “built in” consistency through agreed and shared positions, guidance, etc.; otherwise differences will emerge. Tracking the use of the consistency mechanism will help to identify areas of dispute and therefore areas that need more discussion and agreement.

Challenges and barriers

The legal framework is set by the GDPR, which limits any further efforts to provide DPAs with additional powers that might be required for extra-territorial action. There is however some room for national implementation, for decisions at the level of the EDPB and for implementing measures on the part of the Commission. These might be leveraged in this direction.

Resources

Fundamentally, the GDPR is not the start of cooperation between EU DPAs and the existing practices and channels provide the largest resource for organically developed cooperation.

3.4 Cooperation should have as broad geographical scope as possible

The GDPR presents a legal requirement and mandate for cooperation between EU DPAs. Subsequent guidance, agreements on additional supporting activities and internal organisational changes can be expected to build upon this basis. We do not believe, however, that data protection regulation can be effectively operationalised solely inside the EU. This means that cooperation between the EU supervisory authorities (both as a collective group, and as individual authorities) and their counterparts from outside the EU should continue to expand.

68 Barnard-Wills, David, "PHAEDRA II Second round-table event at the Spring Conference of European DPAs", PHAEDRA II Blog, 8 July 2016, http://www.phaedra-project.eu/phaedra-ii-second-round-table-event-at-the-spring-conference-of-european-dpas/.
69 Ibid.
70 Hijmans, Hielke, “The DPAs and Their Cooperation: How Far Are We in Making Enforcement of Data Protection Law More European?”, European Data Privacy Law, 3/2016.
71 Galetta, Kloza & De Hert, op. cit., April 2016, p. 93.

EU DPAs should reflect upon their existing involvement in international networks and forums, and consider the extent to which the current context allows for extending or expanding these activities.

With regard to international cooperation and coordination, many of the final recommendations of the first PHAEDRA project, which were addressed to global cooperation, remain relevant, i.e.:

- sharing and disseminating understanding of the legal provisions around enforcement in different regimes;
- active seeking of opportunities for collaboration in order to increase the practical experience of cooperation;
- identification of best practices in cooperation;
- contributing to appropriate databases and repositories of powers, key legislation and contact information;
- increasing the volume of shared position statements; and
- increasing the number of study visits and personnel exchanges globally.72

Audience for this recommendation

The European Data Protection Board, as the collective body for EU DPAs, should prepare to exercise a role in international data protection cooperation. Its administration and staffing should be structured so that it will be able to achieve this. The evolution of the activities of the WP29 provides some direction for this. The Board should consider establishing regular communication channels with other networks and bodies.

Many EU DPAs are already strongly engaged in international forums and networks.73 Closer and more regular cooperation within the EU provides a strong basis for contributing to these networks, both in terms of sharing best practices and in speaking with a coordinated perspective (provided that perspective has been agreed in advance by the EU DPAs). A potentially increased role for the EDPB in these forums should not mean that the independent voices of individual EU supervisory authorities are diminished, as each of these holds meaningful perspectives and experiences.

DPAs outside of the EU would be well advised to understand, at least in overview, the internal collaboration activities of EU DPAs, and how this might affect on-going or future collaboration efforts with such organisations. They should understand that coordination with an EU DPA in certain areas (including enforcement, but extending to any process under the consistency mechanism) may inevitably extend to some form of interaction with other EU supervisory authorities. Lawmakers outside the EU might consider explicitly empowering their privacy enforcement authorities to engage in international cooperation if their legal framework does not yet allow for this.

Rationale

This recommendation follows from the current context of data protection risks as well as from PHAEDRA’s initial research into global cooperation and coordination practices. As demonstrated in the introduction to this report, the context of international collaboration has continued to advance and develop. Data protection regulation is a somewhat unique parallel strand of diplomatic international relations, complicated by the fact that it is largely conducted by bodies that are independent of national executives. The experience of Privacy Shield demonstrates the continued importance of extra-EU interaction and international relations. Given the extent to which data handling outside the EU has the potential to impact upon data protection and privacy in the Union, the EU regulators have an interest in engaging with their international peers.

Extraterritoriality in the GDPR, with applicability to monitoring the behaviour of EU residents, suggests regulatory authorities will be looking for local partners in international investigations.

Whilst the EU has played a leading role in data protection regulation, and the GDPR marks a landmark moment in this, there is still much that can be learnt from experience in other countries. Broad geographical cooperation has supported learning and provided evidence of best practices for EU DPAs74 and should continue to do so.

72 Wright, Barnard-Wills & Kroener, op. cit., 2015, pp. 27-34.
73 For example, the International Conference, Spring Conference, GPEN, Ibero-American Data Protection Network, and the Association francophone des autorités de protection des données personnelles (AFAPDP), as described in Barnard-Wills & Wright, op. cit., June 2014, pp. 105-137.

Challenges and barriers

Key constraints on this recommendation are, first, the commitment and resources necessary to extend international collaboration. Second, many of the structural constraints that have often limited global DPA collaboration and cooperation still persist (lack of awareness, difficulty in finding appropriate contacts, language barriers, legal recognition),75 although, with the continued expansion and activity of international networks, this picture is improving.

Resources

While the GDPR sets forth an extensive method for cooperation between the EU DPAs, it devotes only a single provision to extra-EU cooperation, i.e. Art 50. (The counterpart of the GDPR, the Police and Judicial Cooperation Data Protection Directive, sets forth such extra-EU cooperation in its Art 40.) These provisions require (Art 50 GDPR):

[…] the Commission and supervisory authorities shall take appropriate steps to:

(a) develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;

(b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

(c) engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;

(d) promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.

The rationale for leaving a blanket provision on extra-EU cooperation is at least two-fold. First, a one-size cooperation model does not fit all. There are jurisdictions that, for example, might offer adequate protection of personal data, and a permanent method for cooperation might be developed with them. There are equally jurisdictions with which ad hoc, temporary cooperation measures might be required, e.g. to deal with a particular case or to engage in awareness-raising activities. Or only a few EU DPAs might be interested in cooperating. Second, this provision will allow the EDPB and its individual members (i.e. national DPAs) to join international networks of cooperation, such as – as mentioned earlier – a “network” under the modernised Council of Europe ‘Convention 108’.

Nevertheless, we fear that these actions might remain uncoordinated and thus running contrary to the goal of personal data protection if the EDPB is not actively engaged therein.

In addition, harmonisation of the enforcement powers, for example, may be an appropriate time to revisit the possibility of GPEN participation for those authorities that have previously decided against becoming members.

3.5 Cooperation should be developed gradually and its functioning should be reviewed periodically

With the completion of the GDPR, supervisory authorities are placed under time pressure. They have to have their systems and processes in place for when the Regulation applies from May 2018, and to produce guidance for stakeholders (particularly controllers and processors) on these processes. Because of this, there will also be pressure for instant systems of cooperation. We acknowledge this pressure, and recognise the on-going work in the WP29 cooperation subgroup on procedures for cooperation under the new regime. We would however like to raise the risk of setting in stone unworkable and unsustainable arrangements. Supervisory authorities should therefore do four things:

1. Build upon existing successes and mechanisms and evolve cooperation attitudes over time.

2. Identify and execute quick collaboration wins, i.e. areas in which high gains can be achieved from cooperation activity with either little political or strategic disagreement or relatively few resources.77

3. Monitor cooperation and report back upon it to identify any difficulties and areas for improvement.

4. Revise collaborative mechanisms, if necessary.78

74 Barnard-Wills & Papakonstantinou, op. cit., April 2016, p. 58.
75 Wright, Barnard-Wills & Kroener, op. cit., January 2015, p. 22.

Audience for this recommendation

EU DPAs are the primary audience for this recommendation. They will be responsible for creating and implementing cooperation processes (as they are already doing) and building upon their current level of cooperation. They would also need to conduct the primary data collection that would be necessary to monitor their collaborative activity.

The role of the EDPB with the consistency mechanism – and potentially within other methods of cooperation (both formal and informal) – makes it a second audience for this recommendation.

The European Commission may potentially play a role in monitoring implementation of cooperation mechanisms within the Regulation, as well as retaining the possibility of implementing acts. The Commission also exercises a potential role in the consistency mechanisms.

External stakeholders should be aware that collaboration processes for supervisory authorities will shift under the GDPR, but might be expected to further evolve as cooperation becomes routine. The way that the one-stop-shop operates in 2018 may differ from that in 2020.

Rationale

PHAEDRA's research has consistently identified a number of areas where there is successful collaboration on-going between EU DPAs. The central role of the WP29 has been part of this. This reminds us that collaborative mechanisms do not need to be built entirely from scratch.

It has been repeatedly emphasised within PHAEDRA II's interviews, roundtables and workshops that the key to effective collaboration will be taking time to establish trust and positive communication on a human level between occupational counterparts, and getting used to methods of collaborative working.79 As in any new system, especially one as potentially complex as the one supervisory authorities are faced with, there will be both a bedding-in period and unanticipated "bugs". Acknowledging this transition period will be important for the various organisations involved. Additionally, successes in collaboration under the GDPR will be self-reinforcing, supporting the continued evolution of collaboration mechanisms. For this to work, however, there needs to be adequate feedback, and supervisory authorities need to keep track of their collaborative engagement (for example: are their peers responding to collaboration or information requests within the appropriate time-frame? How often are they acting as lead authority, concerned authority, etc.? Which other authorities are they working with, and on what types of case?). In the absence of such data, the efficacy of how, for example, the one-stop-shop principle has been operationalised will remain anecdotal. The start of this process is also an appropriate period in which to develop these data collection practices.

Cooperation in other domains has likewise advanced in a step-by-step manner. PHAEDRA II's comparative analysis provides the example of EU private international law, developed in a process running from 1968 to 2012. It also noted that many of the instruments analysed contained some manner of revision clause, requiring either an external review or a report on the functioning of the instrument.80

The potential for identifying quick collaborative wins is supported by PHAEDRA II's analysis of existing cooperative best practices. This report identified areas where such wins could be achieved, including collective technology foresight, greater collaboration on certain types of public communication and collective approaches to privacy impact assessment (PIA). In some areas it appears potentially easier to create a collaborative scheme at the EU level where no current practices exist, as no participants would be required to abandon their current efforts or strategy.81

77 Barnard-Wills & Papakonstantinou, op. cit., April 2016, p. 73.
78 Papakonstantinou, Pauner, Cuello & Barnard-Wills, op. cit., September 2016, p. 96.
79 Barnard-Wills, op. cit., 8 July 2016.
80 Galetta, Kloza & De Hert, op. cit., April 2016, p. 93.
81 Barnard-Wills & Papakonstantinou, op. cit., February 2016, p. 73.


Challenges and barriers

As noted, the time pressure and the need to provide external stakeholders (including data controllers and processors) with a clear picture of how the new regime will operate are key challenges. Data on cooperation is currently not systematically collected (other than by external research projects such as PHAEDRA II), and collection would need to be increased in order to monitor cooperation properly under the new framework.

Resources

As mentioned earlier, the GDPR is not the start of cooperation between EU DPAs and the existing practices and channels provide the largest resource for organically developed cooperation.

3.6 Decide how to share the costs of cooperation

Cooperative activity of all types carries costs. The GDPR reforms will change the way that cooperation occurs between DPAs and therefore, change the distribution of the costs of cooperation. This creates the requirement to consider how these costs are distributed amongst the various stakeholders, and determine if this distribution is the right one to carry forward sustainable, long-term cooperation.

The first step will be deciding collectively upon what a fair distribution of costs should look like and then gaining agreement and commitment to this distribution. This is primarily a process for the DPAs themselves. We do however recommend that this process is explicit, consensual and clearly documented in order to create principles for cost sharing that are sustainable and can be referred back to in the future.

This discussion around the appropriate distribution of costs should be linked to on-going discussions around the one-stop-shop mechanisms and the development of processes to determine the “main establishment” of a data controller, and by extension the identity of the lead and participating supervisory authorities. It should also include discussion of language and translation needs, as well as IT infrastructure.

One proposal would be to make use of the harmonised power to levy fines for data protection offences. This is now set at potentially up to 4% of the total worldwide annual turnover of the preceding financial year for certain types of infringements. DPAs might consider pooling some or all of the income generated from such fines in international cases, in order to fund collaborative activities. At the other extreme, DPAs might agree simply to carry the costs associated with completing their legal obligations.

Audience for this recommendation

EU DPAs will have to make such decisions collectively, to the extent that they are able to due to their organisational frameworks and the discretion they are able to exercise over their budget. Collective bodies will play an important role in this, but any decisions about resource expenditure cannot be imposed upon the DPAs.

Action from Member States' legislatures will likely be required to allow for the pooling of administrative fines, in particular in relation to governmental and state data controllers, and to allow for other budgetary distributions.

The EDPB may have some potential role in coordination and oversight of this area.

Rationale

The motivating rationale for this recommendation is to support a sense of fairness and appropriate partnership, which the PHAEDRA II project regards as fundamental for sustainable cooperation under the GDPR.

A secondary rationale is the concern expressed by a number of DPAs interviewed by the project regarding the anticipated increase in costs of international cooperation under the new framework.82 In the interviews conducted in PHAEDRA II, we found several budgetary issues raised by cooperation under the GDPR. Many DPAs said that participating in an investigation with or at the request of another DPA would not pose a budgetary problem, or that budgets would not pose an obstacle to responding to such a request. Some DPAs in this position highlighted other cooperation issues (for example coherence and consistency) as more significant than budgetary and financial considerations. In particular, requests for information or perspectives were not considered in terms of their budgetary implications.

82 Barnard-Wills & Wright, op. cit., July 2015, pp. 22-23.


Other DPAs told us that their current budgetary arrangements did not contain any provision for cross-border or joint investigations. Some said that the budget could be found for such participation, but that it would require some re-prioritisation of other activities and therefore some careful consideration. Some DPAs anticipated shifting a proportion of their budget to explicitly cover such costs post-GDPR, but that such requests might currently cause a problem. Finally, some DPAs told us about legal requirements as part of their foundational legislation that required them to investigate all complaints put to them, and that they therefore could not distinguish legally between a complaint put to them by a data subject, or an issue brought to their attention by a fellow DPA. In a similar manner, one DPA suggested that although there was no specific budget for coordination in this respect, they expected properly organised cross-border cooperation to actually reduce their investigating costs.83

The costs of international investigations are fundamentally disconnected from the budgetary resources available to EU DPAs. The costs are likely to depend primarily upon the choices made by multinational data controllers about where to do business within the EU and where to locate the capacities and business functions that will lead to the identification of their main establishments. These factors are outside the control of individual DPAs, and are also quite liable to change over time. Therefore a distributive scheme based upon foundational principles, able to determine how the balance of costs should shift in response to such changes, would be necessary.

As in any collective action problem, there is a risk of free-riding. In this context, this would be drawing upon the benefits of collective activity, without contributing to the costs of it. If the distribution of costs is poorly managed, and they are seen as falling unfairly upon particular DPAs, then the risk of free-riding increases, as does the risk of gaps in the protection of personal data.

The costs of other forms of cooperative activity (e.g. building and maintaining networks, contributing to shared databases, infrastructure costs, repositories, etc.) are more predictable than those arising from cross-border complaints and enforcement action, but are still prone to collective action problems and the risk of free-riding.

To the extent that EU DPAs can be considered as a single group, with a common responsibility for protection of the right to privacy and with each national DPA responsible for contributing to the consistent application of the Regulation throughout the Union (not only in its own state),84 there is a strong argument for some measure of pooling of resources for collaborative action.

Challenges and barriers

This is a politically charged issue, and it will be difficult to achieve a rapid consensus. In any new distributive scheme, there will be winners and losers in raw financial terms. It is too early to work out the economics at this stage until more is known about the on-going systematic costs of cooperation under the GDPR regime.

Resources

The comparative analysis of parallel legal cooperation mechanisms found multiple models of cost sharing which might serve as an inspiration to DPAs. For example, in border control databases, due to their technical design, the costs of running national units are borne by the Member States concerned, while the general EU budget covers the costs of the central unit of each database. Conversely, in consumer protection cooperation all claims for the reimbursement of expenses incurred are normally waived.85

3.7 Keep translation to a minimum while dealing with individual cases. Maximise translation in guidance and public communications

For practicality, efficiency and cost reasons, the need for translation and interpretation in routine cooperation on cases and investigations should be reduced to the absolute minimum. The type of information exchanged should determine the need for translation and interpretation, and DPAs should have the right to waive that need. Translation should be used flexibly and responsively, where necessary, rather than applied to all interactions. Supranational legal provisions should govern the linguistic regime. DPAs will need to agree practical but fair procedures for the interpretation of meetings and information shared between them.

83 Barnard-Wills & Wright, op. cit., July 2015, p. 20.
84 Hijmans, Hielke, "Further food for thought on the role of DPAs in our European Structures", PHAEDRA blog, 11 April 2016, http://www.phaedra-project.eu/further-food-for-thought-on-the-role-of-dpas-in-our-european-structures-some-personal-observations/.
85 Galetta & Kloza, op. cit., April 2016, p. 95.

However, with regard to publicly shared content (guidance notes, education material, press releases, etc.), translation of collectively generated material should be maximised to make the best use of the intellectual and policy effort required to generate the content. The paradigmatic pre-GDPR example is the translation of WP29 opinions into guidance disseminated by DPAs. Coordination of public communication is possible, and could be increased from its current low level at relatively little cost. The approaching application of the GDPR provides a more harmonised data protection framework and a greater possibility for the production of shared guidance and its communication to the public. In essence, it should not matter from which DPA a data controller accesses guidance. The same applies to codes of conduct, which are well-suited instruments for fully exploiting the potential of coordination and cooperation among authorities.

DPAs should be encouraged to make their decisions, guidelines and other statements available on their official websites, translated at least into English, in order to address cross-border issues and support the exchange of best practices. If they are able to, they should also translate these texts into other commonly understood languages.86

Costs associated with translation should be considered under the approach adopted to determine the general balance of cooperation costs (see Recommendation 3.6).

Audience for this recommendation

EU DPAs will be responsible for enacting much of this recommendation.

The European Commission has some of the most developed experience with high volume official translation in the world. It is therefore in a position to support EU DPAs in terms of expertise and experience as well as different approaches to translation.

Rationale

EU DPAs face a number of challenges around language, which are expected to increase with the implementation of the GDPR. Language and the issue of translation in cross-border cases, investigations and communications have been raised consistently across the PHAEDRA II project. Problems raised by language emerged in our interviews in relation to the exchange of information, communication systems, requests for assistance, repositories of decisions, public communication, and dealing with the one-stop-shop. Whilst DPAs generally felt able to communicate with their peers, either with English as a lingua franca or through a set of commonly used and known European languages, communication with and from the public in different countries posed a greater challenge, as did the translation of decisions and legal documents in investigations and court cases. Translation imposes resource questions, and there was uncertainty about the source of the required resources and who should carry the cost. Working in common or shared languages, and deciding which to focus upon, is a highly political issue.87 However, a further de facto conclusion is that English is, and is likely to remain, the default lingua franca of internationally active staff at DPAs. We consider this largely a solved challenge in this context. For the purposes of establishing cooperative networks, deciding upon joint policy and strategic discussion, DPA staff should be able to communicate in whichever languages they prefer.

The comparative analysis of parallel cooperation mechanisms found a number of solutions to the linguistic challenge. In border protection databases, the use of multiple languages is unproblematic, as the information exchanged consists merely of alphanumeric data, e.g. names or number plates. As another example, EU private international law works on standardised certificates, which only require translation in exceptional situations. In customs cooperation, a request for assistance should be accompanied by a translation into a language of the state being asked, but that state can waive this requirement. In consumer protection cooperation, the languages to be used in a collaborative initiative are to be agreed in advance; if no agreement can be reached, each jurisdiction uses its own language. What links these diverse solutions is the governance of the linguistic regime at a supranational level. This suggests that the need for translation varies across the forms of cooperation in which EU DPAs will engage, and that there is no one-size-fits-all solution.88

86 Further insights on the extent to which key decisions are publicly available can be found in Cristina Pauner & Jorge Viguri, A report on a repository of European DPAs' leading decisions with cross-border implications, PHAEDRA II Deliverable 4.2, January 2017, http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA2_D42_final_20170112.pdf.
87 Barnard-Wills & Wright, op. cit., July 2015, p. 26.

Our analysis of current best practices in cooperation found that there are a small number of joint press releases by EU DPAs. The benefits of coordination in this area are limited by the requirement of DPAs to communicate with the media and the public in the relevant Member State languages and to be responsive to local contexts, media usage and channels, and public attitudes.89

Our experience developing the PHAEDRA II repository of key decisions90 and cases revealed several issues with the information available on DPAs' websites. Many authorities do not provide full-text accounts of their decisions, or do not do so in a systematic, searchable form. Addressing this would be a critical first step, even before these decisions are translated into multiple languages. The repository has also demonstrated cases where guidance has been productively re-used: the guidance on the impacts of the GDPR and on what data controllers must do to ensure compliance, produced by the Irish, UK and Swedish DPAs in 2016, is essentially the same text with minor variations.91 DPAs will be responsible for ensuring that any translation and re-use of guidance is locally appropriate, but should be supported in producing consistent and efficient guidance.

Challenges and barriers

Translation costs will still remain in some contexts, and deploying translation flexibly might meet with some resistance. This recommendation is likely to feel unfavourable to some linguistic groups.

Resources

Appropriate technology can support this recommendation. Whilst not yet approaching the quality of a skilled translator, machine translation can generally produce “understandable” if not “court-ready” translation in many contexts. Additionally, the development of appropriate IT systems that are designed to systematise as many routine interactions as possible (e.g. notification of an investigation, provision of contact details, etc.) would support the use of multiple languages.

Resources on best practices in multilingualism in international organisations are available.92

3.8 Cooperate on the development of policies and practices to prevent data protection violations

In addition to cooperation on enforcement and consistency, EU DPAs should increase their coordinated activity in areas intended to reduce and prevent data protection violations, such as education and awareness-raising, training of data protection officers (DPOs), support to privacy engineering and privacy-by-design, as well as data protection impact assessments (DPIA) and certification, among others. This recommendation is, essentially, about giving more importance to anticipative, ex ante thinking.

The GDPR explicitly requires DPAs to encourage the establishment of data protection certification mechanisms (Article 42), gives them a role in determining when a DPIA is required in certain contexts (Article 35), and makes them the addressee of prior consultation by controllers following an impact assessment (Article 36). DPAs should determine collectively what they consider to be data processing that is likely to result in a high risk to the rights and freedoms of data subjects, having in mind a high level of protection. Prior agreement on this issue will reduce the degree to which the consistency mechanism needs to be formally invoked, and will provide clarity to data controllers and processors across the Union.

Addressing these requirements in a collaborative manner increases the efficiency of these efforts, many of which will be transferable between jurisdictions. It does not make sense for each authority to develop its own best practice guidance on DPIA. Cooperatively developed resources will contribute to the harmonisation of best practices across the EU and further support the Digital Single Market. There are already good practices in this area that can be built upon, for example the WP29 opinions on privacy by design. Also included in this area are awareness-raising activities such as Data Protection Day.93

88 Galetta, Kloza & De Hert, op. cit., April 2016, p. 93.
89 Barnard-Wills & Papakonstantinou, op. cit., February 2016, pp. 53-54.
90 http://www.phaedra-project.eu/leading-cases-documents/.
91 Cf. PHAEDRA II Repository, "New checklist prepares organisations for the new EU regulation", May 2016, http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA-II-Repository_SW_DI_TRI_-May-2016.pdf and PHAEDRA II Repository, "The GDPR and You - Preparing for 2018", November 2016, http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA-II-Repository_IR_IDC_TRI_November-2016.pdf.
92 PHAEDRA was provided with such guidance material from the Organisation Internationale de la Francophonie by the Association francophone des autorités de protection des données personnelles (AFAPDP).

Cybersecurity is a key component of data protection. We therefore recommend that the EDPB develop a close working relationship with the European Union Agency for Network and Information Security (ENISA) and the EU's Joint Research Centre (JRC), and that EU DPAs establish strong relationships with the national competent authorities established under the Network and Information Security Directive.94 Such relationships support the development of consistent and comprehensive best practice guidance on the protection of personal data by data controllers and processors, as well as providing clarity around the notification of personal data breaches.

Audience for this recommendation

EU DPAs are the primary audience for this recommendation as they will be required to adopt collective positions on these lines of working, and will need to develop concrete strategies and initiatives in these areas. ENISA, JRC and other stakeholders might provide assistance, each within their expertise.

DPAs from all over the globe should be strongly encouraged to cooperate with their EU peers in these fields. Whilst many of the provisions emerging from the GDPR place specific requirements upon EU DPAs, more general work in this area (for example, not limited to legal compliance, but broader work on privacy-by-design, privacy engineering, or privacy protecting information security) can, and should, cross jurisdictions.

Academia and the research community, including researchers within industry, are a potential audience for this recommendation.

Rationale

As the GDPR changes the relationship between the DPAs, it also shifts their individual roles. If the DPAs are considered as public authorities with a responsibility to promote a high level of personal data protection both in the Member States and across the EU as a whole, then enforcement of the law is only one of their tasks.95 Regarding an earlier draft of the GDPR, the Article 29 Working Party stated in 2012 that it "welcomes the inclusion of provisions that give incentives to controllers to invest, from the start, in getting data protection right (such as data protection impact assessments, data protection by design and data protection by default)".96

PHAEDRA II's analysis of existing best practices in cooperation found multiple cases of EU DPAs advocating the use of privacy and/or data protection impact assessments (DPIA), including as collective bodies. There is shared learning in this field, but primarily from jurisdictions outside the EU. The WP29 has been involved in the development of methods for DPIA, but guidance on these matters has thus far been produced largely on a national basis. There is clear potential for the development of a shared approach and shared guidance on DPIA, and this is likely necessary given the requirements for DPIA in the GDPR, to support harmonisation of DPIA across the EU and to prevent forum shopping or the issuing of contradictory guidance. Increased cooperation in these areas was identified by PHAEDRA II as an area where additional gains from cooperation were possible.97

However, PHAEDRA II's interviews found a general absence of structured processes for identifying privacy risks. In order to prevent forum shopping by data controllers established in multiple jurisdictions, mandatory DPIA for certain types of processing appears to require consensus amongst EU DPAs on what constitutes an adequately conducted DPIA, and then a working consensus on those areas that would require one. The PIAF project (A Privacy Impact Assessment Framework for data protection and privacy rights) previously identified the need for DPAs to cooperate on multi-organisational and transnational PIA.98

93 Cf. http://www.coe.int/en/web/portal/28-january-data-protection-day.
94 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 19.7.2016, pp. 1-30.
95 Hijmans, op. cit., April 2016.
96 Article 29 Data Protection Working Party, Opinion 01/2012 on the data protection reform proposals, WP 2012, 23 March 2012, p. 4.
97 Barnard-Wills & Papakonstantinou, op. cit., February 2016.
98 De Hert, Paul, Dariusz Kloza & David Wright (eds.), Recommendations for a privacy impact assessment framework for the European Union, PIAF Project, Deliverable D3, Brussels & London, November 2012, http://www.vub.ac.be/LSTS/pub/Dehert/506.pdf, p. 11.

In the majority of analogous cooperation mechanisms analysed in our comparative analysis, much attention is paid to ex post cooperation, but there are elements of anticipatory, ex ante cooperation. In many ways, the EU DPAs are ahead of other similar areas.99 Collaborative privacy risk assessment sits in the area of low difficulty-high benefit with a high potential return on effort.100

Challenges and barriers

Anticipatory thinking has thus far not been a core part of the activities of EU DPAs. For some, their strategic focus was upon legal enforcement; for others, their legal foundation required this. As a result, there are variations in the amount of experience in these fields and, in practice, in the appetite for this mode of working. For many of the issues in this area there are likely to be philosophical and strategic differences between authorities, and agreement would have to be reached on the desired approach.

This mode of work does, of course, require resource commitment and this may include decisions about the appropriate balance of resources between prevention and enforcement.

Certification raises a particular challenge in that some DPAs already have well-established certification schemes, whilst others have embryonic schemes, and the majority do not engage in certification at all. A harmonised position will therefore be challenging to reach, but offers great benefits in terms of communication and awareness of certification schemes, as well as in relation to certifications that cross borders easily and smoothly.101

Resources

Existing best practices in PIA, DPIA or privacy certification at multiple levels were identified in our analysis of existing best practices;102 these included PIA methods from individual DPAs, WP29 comments on DPIA, and PIA and DPIA guidance for both RFID applications103 and smart grids.104

3.9 Set up a collaborative technology foresight task force. Offer research funds to that end

DPAs should set up a collaborative technology foresight group to coordinate this important, but often neglected task, which informs much of their other activity. In exercising their multiple roles, DPAs engage in a range of activities centred around understanding of new technology developments and anticipating their potential effects and impacts upon personal data protection and privacy. As responsible parties in relation to enforcement of national and EU data protection law, DPAs are in a clear position to assess or provide guidance upon the requirements of the existing legal framework in relation to new technologies.

This task force could even be expanded out to a more generic shared research department or capacity. This is not improbable as many supervisory authorities invest considerable resources in privacy research. For example, the Office of the Privacy Commissioner of Canada (OPC) funds independent privacy research and related knowledge translation initiatives through its ‘Contributions Program’ / ‘Programme des contributions’.105 The Office of the Privacy Commissioner of New Zealand manages the ‘Privacy Good Research Fund’ to stimulate privacy-related research and public education or awareness raising initiatives.106

99 Galetta, Kloza & De Hert, op. cit., April 2016, p. 92.
100 Barnard-Wills & Papakonstantinou, op. cit., February 2016, p. 74.
101 Rodrigues, Rowena, David Barnard-Wills & Vagelis Papakonstantinou, “The future of privacy certification in Europe: an exploration of options under article 42 of the GDPR”, International Review of Law, Computers & Technology, Vol. 30, No. 3, 2016, pp. 246-270.
102 Barnard-Wills & Papakonstantinou, op. cit., February 2016, p. 53.
103 Art 29 Working Party, Opinion 9/2011 on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Application, WP 180, Brussels, 11 February 2011, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp180_en.pdf.
104 Art 29 Working Party, Opinion 04/2013 on the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems (‘DPIA Template’) prepared by Expert Group 2 of the Commission’s Smart Grid Task Force, WP 205, Brussels, [no date], http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp209_en.pdf.
105 Cf. https://www.priv.gc.ca/fr/mesures-et-decisions-prises-par-le-commissariat/recherche/financement-pour-les-projets-de-recherche-et-d-application-des-connaissances.
106 Cf. https://privacy.org.nz/further-resources/privacy-research/.

Audience

Both the EU DPAs and the EDPB would likely be responsible for forming any such body or capacity, and for providing resources, both in terms of budget and of personnel with appropriate experience. However, we acknowledge that the EU has already been funding research on privacy and personal data protection, e.g. through its Fundamental Rights and Citizenship Programme (2007-2013), under which both PHAEDRA projects have been supported financially.107 The plea here is, however, not only to maintain funds for such research, but also to create synergies with the work of the EDPB (collectively) and EU DPAs (individually) on, inter alia, technology foresight.

Participation in a technology foresight task force need not be limited to DPAs, although this has some risk of expanding the remit of the group to the extent that its focus is diluted.

Rationale

The potential for such a task force was discussed with DPAs through PHAEDRA II’s interviews and formed part of the analysis of existing best practices in a subsequent report.108 Based upon this research, a paper by Barnard-Wills in 2016 addressed the potential for a collective technology foresight capacity.109

Information on technology trends and potential future risks is shared between DPAs. The WP29's Technology Sub-Group allows for information sharing, but also for concerns to be raised and for collaborative activity to be discussed and agreed upon (recently, this has included informing counterparts about investigations).110 However, some DPAs suggested that the activity of the Technology Sub-Group was primarily driven by responding to issues raised by the plenary meeting of the Working Party, for example supporting the production of opinions, and that this did not leave much capacity for horizon scanning (in much the same way as individual DPAs, who often conduct technology foresight in a reactive rather than proactive manner). The transition to the EDPB might recompose this group. However, this change offers the potential to explicitly construct an appropriate and effective technology foresight task force. If the Board possessed the institutional capacity to host a technology foresight task force, team or department, then this group should have a high level of interaction with similar roles located within national and regional EU DPAs (potentially including secondments and joint projects, if possible). PHAEDRA II’s analysis of existing best practice in this area identified the following potential benefits from a collaborative technology foresight task force:

Established regular channels of communication would speed up the transfer of information. EU DPAs are faced with the same emerging technologies therefore there is much potential for collaboration in this area, and especially to reduce the repetition of work.

A centralised, collaborative body for technology foresight would also be a clear source for information, and could act as a clearing house for insight developed at national levels.

For industry and stakeholders, the body would be able to provide consistent guidance, applicable across the Member States.

Collective technology foresight could also allow for increased professionalisation of technology foresight and assessment methods through shared learning.

It would allow pooling of research budgets to support more in-depth technology assessment activity, which would then be distributed across all participants.

Similarly, the task force could pool stakeholder consultation activities and expert panels, with some limitations imposed by language differences and paying attention to local differences (e.g. the way an industry operates in one country as opposed to another).

The task force might also be able to conduct or contribute to forensic IT investigations where smaller DPAs lack the capacity for this.

A shared foresight programme may also serve to bring EU DPAs into closer cooperation, both through increased experience of collaborative working amongst the task force participants and by promoting a shared and commonly accepted perspective on policy-relevant technological developments, as these participants inform and educate their colleagues using the knowledge gained in the task force.

107 Cf. http://ec.europa.eu/justice/fundamental-rights/programme/fundamental-rights-programme/index_en.htm.
108 Barnard-Wills & Papakonstantinou, op. cit., February 2016.
109 Barnard-Wills, David, “The technology foresight activities of European Union data protection authorities”, Technological Forecasting and Social Change, October 2016.
110 National Authority for Data Protection and Freedom of Information, Annual Report of the National Authority for Data Protection and Freedom of Information of 2014, Budapest, March 2015, http://www.naih.hu/files/Annual-report_NAIH_2014_EN_FINAL_v4.pdf, p. 72.

The greater weight of a collaborative technology foresight body may contribute towards the ability to argue for the different interests of society in technology development and deployment, and to achieve a balance between them and commercial concerns.

Challenges and barriers

The capacity to contribute personnel and/or budgets and the scope of such a task force would still have to be negotiated and agreed. There is a potential collective action problem in that the products of the task force are likely to be shared broadly, even beyond direct participants.

Resources

Several of the larger DPAs already conduct some form of technology foresight activity, and these elements could serve as the basis of a larger collective activity. These practices are described in PHAEDRA II's study of existing best practices in cooperation between EU DPAs.111 The WP29 Technology Sub-Group also likely provides a basis for a collaborative foresight body. As with the previous recommendation, input from the research community would contribute significantly here.

3.10 Explore alternative dispute resolution methods

DPAs should explore – in a cross-border setting – alternative dispute resolution (ADR) methods for data subjects, and for data controllers and processors, including ADR by electronic means.

Audience for this recommendation

ADR mechanisms for solving data privacy disputes between data subjects and data controllers and processors, in particular in cross-border cases in the EU, should be explored by policy makers, by the justice community (e.g. judges and prosecutors) and by the DPAs themselves.

Rationale

The rationale for this recommendation comes from the analysis of parallel legal cooperation schemes. Online dispute resolution (ODR) constitutes an implementation of existing forms of alternative dispute resolution (ADR), enabled by information and communication technologies (ICTs). While various forms exist, negotiation, mediation and arbitration are the most widely practised ones, both in the business-to-consumer (B2C) and business-to-business (B2B) context.112 The main assumption of alternative methods of dispute resolution – that is the out-of-court settlement in the presence of a neutral third party during the process of reaching an agreement – remains unchanged. However, ODR has attained a different character because of the use of modern forms of communication. The term covers disputes that are partially or fully settled over the Internet, having been initiated in cyberspace, both with a source inside (on-line) or outside it (offline).113

The PHAEDRA II report stated:

“Out-of-court dispute resolution is usually easier, faster and cheaper. From 2016 Europeans will enjoy a possibility to solve their consumer disputes regarding a product or service they bought using an on-line platform. We see no reason to exclude cross-border disputes between data subjects and controllers/processors from using such possibilities.”114

ADR, applied appropriately to specific categories of complaint, might offer data protection authorities the opportunity to reduce some of the anticipated volume.

Challenges and barriers

This activity would require a commitment of resources on the part of the EU DPAs to investigate the possibilities in this area. At a very early stage, it would require further exploratory studies – in particular around the extent to which DPAs could act as neutral parties in such disputes and how two or more such authorities could be engaged in a cross-border ADR case.

111 Barnard-Wills & Papakonstantinou, op. cit., April 2016, pp. 25-39.
112 Savin, Andrej, Internet Law, Edward Elgar, Cheltenham, 2013.
113 Galetta, Kloza & De Hert, op. cit., April 2016, p. 52.
114 Ibid, p. 61.

Resources

Article 40(k) GDPR on codes of conduct provides the potential for “[o]ut of court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing without prejudice to the rights of data subjects pursuant to Article 77 and 79.” Existing research has scoped the potential for use of the ADR directive and ODR platforms within data protection.115

115 Clifford, Damian and Yung Shin Van Der Sype, “Online dispute resolution: Settling data protection disputes in a digital world of customers”, Computer Law & Security Review, 2015.

4 Recommendations on complaint handling

The GDPR introduces a new mechanism for complaint handling. It will be the working mechanism for the medium-term future. We draw up a list of six recommendations that need to be taken into account while applying the GDPR and handling complaints in the future. The audience for these six recommendations is primarily the EU DPAs, also gathered as the EDPB.

4.1 Introduce detailed guidelines with regard to GDPR complaint handling requirements

The WP29 or – after the entry into force of the GDPR – the EDPB should offer and keep up to date guidelines on complaint handling. In particular, these guidelines should address the criteria to be applied by DPAs when distinguishing between complaints that may be treated locally and those that need to be referred to the consistency mechanism.

Rationale

While the GDPR introduces new requirements for complaint handling that ought to be applied across the EU, a significant space of autonomy is left to Member States and their DPAs when applying the relevant provisions. This also applies to their current practices, which vary significantly across the EU, ranging from DPAs addressing all complaints to complaint prioritising or even complaint selecting. Additional guidance is therefore necessary in order to warrant consistency once the GDPR comes into effect. In particular, with regard to the consistency mechanism (see infra), the distinction between complaints of exclusively local interest and those that ought to be treated at EU level (in essence, those that, albeit local, may “substantially affect a significant number of data subjects in several Member States”) is of utmost importance. The criteria to be applied in this distinction ought to be introduced in a common manner for all EU Member States.

4.2 Linguistic barriers need to be addressed

While it is important that individuals be allowed to file complaints in their own languages, the possibility of employing automated translation systems as a supplement to professional translation, so as to overcome linguistic barriers, needs to be assessed by DPAs. Cf. also Recommendation 3.7.

Rationale

While it is commonly accepted that individuals need to be able to file complaints in their own language, multilingualism does not facilitate DPA collaboration. Concrete measures need to be taken in this regard. At the early stage, these might include the translation of complaint summaries, even by automated means.

4.3 Apply common enforcement practices where possible

Common enforcement practices across the EU, as an integral part of any complaint handling procedure, need to be applied by DPAs, at least on a best-effort level.

Rationale

Enforcement practices are an integral part of complaint handling. As identified in Deliverable 2 of the PHAEDRA II project, common enforcement among EU DPAs is still an elusive cause under the current legal framework. Practical difficulties that have led to the lack thereof include, among others, information sharing barriers, differences in legal frameworks and differences in enforcement powers – and, even, culture. The GDPR expressly aims at addressing this issue; however, the best efforts of the actors concerned, meaning the DPAs themselves, will be required in order to surpass deep-rooted difficulties and achieve this cause.

4.4 Introduce a common complaint classification system for internal DPA management purposes

The introduction of a common complaint classification system would enhance DPA collaboration and streamline their work. Cases could be arranged e.g. per subject matter or data controller.

Rationale

Under current practices, each DPA is more or less free to introduce and apply its own complaint handling procedures within its jurisdiction. Only in specific cases, for example when handling complaints pertaining to Google, has a dashboard or other means of cooperation been introduced,116 so as to streamline the process and collaborate more effectively. Under the GDPR, complaint handling processes need to be harmonised across the EU.

A basic, fundamental step in this direction could be the introduction of a common complaint classification; specific codes could be assigned to specific complaints, so as to enhance their identification and categorisation in view of more effective DPA collaboration. Complaint classes could be arranged e.g. per subject matter or data controller.

4.5 Enhance public participation and transparency in handling complaints and – therefore – trust through the use of automated electronic management platforms

Electronic automated complaint management platforms, operated by the respective DPAs, could be a valuable tool to enhance data subjects’ participation and DPA transparency and accountability.

Rationale

DPAs should assess the use of an automated complaint handling platform within their jurisdictions. Such a platform would, for example, automatically send an immediate acknowledgement of receipt of the complaint together with a reference number, and forward other communications to the complainant regarding the stage of examination, the options available to her, etc. Such a platform would enhance data subject participation and ultimately public trust in the relevant system, as well as transparency and accountability on the part of the DPA concerned.

At a later stage, a common EU complaint management platform could perhaps give practical effect to the GDPR one-stop-shop principle.

4.6 Introduce complaint-handling procedures that take into account knowledge-management processes

Complaints, apart from their intrinsic value with regard to the protection of individuals, are also a valuable source of knowledge and a driver for further research by DPAs. Therefore, complaint management processes need to take this parameter into account as well.

Rationale

As repeatedly demonstrated within the PHAEDRA project, complaints addressed to DPAs by data subjects, apart from their own merit with regard to the protection of individuals, may also be a powerful driver for DPAs to expand their learning and experience. These often contribute to technology foresight and necessitate further research (cf. Recommendation 3.9). For example, with regard to technology watch practices, DPAs have witnessed their technology-learning processes being frequently driven by complaints they have received. The same is the case with regard to DPA risk analysis processes, which are again oriented towards complaints received.117 Although they constitute a reactive, rather than proactive, response to data protection challenges, complaints carry added value for DPAs that needs to be “harvested” by appropriate techniques (for example, knowledge management systems) that acknowledge this fact and are embedded in their complaint-handling processes.

116 Barnard-Wills & Papakonstantinou, op. cit., February 2016, p. 11.
117 Barnard-Wills & Papakonstantinou, op. cit., February 2016, p. 25 and p. 55, respectively.

5 Recommendations on the consistency mechanism

Consistency within the future EU data protection framework is to be achieved through the consistency mechanism, incorporated into Section 2 (Articles 63, 64, 65 and 66) of Chapter VII of the GDPR. Deliverable D3.1 of the PHAEDRA project included a detailed analysis of the relevant provisions. A series of concerns were raised on the basis of the legal text at hand. In essence, these concerns also reflect possible scenarios that may occur once these provisions become effective. Interpretational difficulties are likely to arise when it comes to a new, ambitious and complex mechanism such as the consistency mechanism. Early identification of such difficulties could lead to a timely response, through additional guidelines or by-laws, so as to actively warrant the mechanism’s operational effectiveness.

Other than interpretation-related scenarios, on the basis of the GDPR provisions, a number of fact-based scenarios could perhaps also be identified. These could relate to operational questions, such as

A possible system overload due to a high number of cases;

Introduction of other, complementary mechanisms in order to streamline work;

Resources issues (esp. funding).

These scenarios are conceivable even at this early stage: the GDPR will take effect on 25 May 2018 and the consistency mechanism, being a critical tool in ensuring a harmonised application across the EU, is expected to find immediate, and even wide, use. However, the pace at which this will take place and the actual resources required for the mechanism to function properly are, at least today, unknown. We therefore consider that such operational issues, as well as any others that may arise through practice, need to be addressed only after they have occurred (see Recommendation 3.5). At the point of drafting this report, when only the actual provisions of the GDPR are known, it is perhaps too early to attempt to predict possible operational issues – such as system overload – and to address them proactively. Instead, we believe that it is better to focus efforts on addressing conceptual issues that become apparent through the legal provisions at hand, even at this stage, before the GDPR becomes effective.

A list of recommendations therefore follows, on the basis of identified concerns set in Deliverable D3.1, taking into consideration recent developments in the data protection field. The audience for these recommendations is primarily the EU DPAs and the EDPB.

5.1 Manage public expectations about the appropriate placement of the consistency mechanism with other law enforcement mechanisms in Member States

Because of its ambitious aim, the consistency mechanism, despite being only one of the many law enforcement mechanisms for each Member State, may cause disappointment to the public if it is perceived as failing in its mission. Its success is ultimately a metric for the success of the GDPR itself. Therefore, not only its public image, but also its proper place within the legal framework needs to be appropriately safeguarded.

Rationale

The consistency mechanism has set an ambitious goal at its core: achieving a uniform application of data protection law among Member States. Once the GDPR comes into effect, the expectations of data subjects, and of data controllers and processors, are expected to escalate quickly, vesting in this mechanism their hopes for the uniform application of data protection rules across the EU. Nevertheless, it is doubtful whether the consistency mechanism, at least as outlined in the text of the GDPR, is appropriately equipped and able to fulfil its purposes.

The mechanism is essentially a dual-means tool: ‘advisory’ (Art 64 GDPR) and ‘adjudicative’ (Art 65 GDPR), to be run among EU DPAs. The former is applied in situations that require uniform application of data protection rules, e.g. a list, on a national level, “of the processing operations subject to the requirement for a data protection impact assessment”. National DPAs are to “take utmost account of the opinion of the Board”. Should they fail to do so, on the request of a DPA concerned or the Commission, the Board steps in again in its ‘adjudicative’ role. In any case, such an opinion would likely result in the creation of legal rules of a general nature, applicable erga omnes within their territorial scope. In the latter, ‘adjudicative’, situation the Board issues a binding decision in an individual case, thus producing effects inter partes.

Nevertheless, the EDPB would not be the only ‘advisory’ and ‘adjudicative’ body on data protection in the EU. National parliaments may legislate on data protection matters as well, in the areas not reserved for the Union. Other regulatory bodies, for instance electronic communications or financial agencies, may equally produce rules and decisions with personal data protection implications in the course of exercising their lawful powers. Similar effects might result from jurisprudence.

Consequently, from a conceptual point of view, the interplay of the consistency mechanism with other ‘advisory’ and ‘adjudicative’ mechanisms in Member States is expected to be crucial to the mechanism’s success. Because both data subjects, and data controllers and processors, are likely to place upon the consistency mechanism their hopes for uniform data protection application across the EU, any failure to accomplish this will be charged to it, regardless of whether the mechanism itself or another, unrelated decision-making or rule-producing body is accountable for it. As a result, stakeholders might resort to other branches of law and the enforcement mechanisms provided therein to obtain data protection goals. The consistency mechanism needs to be safeguarded from these risks.

5.2 Delineate the scope of the consistency mechanism against other forms of cooperation

The consistency mechanism, by way of its importance and strong coverage in the text of the GDPR, particularly if taken together with the one-stop-shop mechanism, may be perceived by DPAs as the only cooperation tool among them once the GDPR comes into effect. However, this would ultimately hurt data protection purposes: already operational ways of DPA cooperation need to be preserved and strengthened under the new GDPR environment as well.

Rationale

The consistency mechanism, particularly if combined with the other important DPA cooperation mechanism included in the text of the GDPR, the one-stop-shop mechanism, has the potential to constitute the standard cooperation tool among DPAs after 25 May 2018, to the detriment of other, already operating, cooperation instances. Both are important tools that, given the expected volume of relevant matters under the GDPR, are expected to occupy a large share of DPAs’ resources. The risk is therefore that DPAs may treat them as the only cooperation tools among them. Nevertheless, this would ultimately restrict cooperation.

As seen in previous PHAEDRA I and PHAEDRA II deliverables, cooperation among DPAs is – and should remain – both formal and informal (cf. Recommendation 3.2). While informal cooperation is mostly undocumented, it is nevertheless crucial for DPA cooperation. In other words, not all matters concerning a DPA merit referral to the consistency mechanism (or, for the same purposes, to the one-stop-shop), although they might benefit from informal cooperation with other DPAs. By introducing formal cooperation mechanisms, the GDPR risks abolishing the cooperation paths already in existence today, even under the less-developed provisions of Directive 95/46 in this regard, which could ultimately harm DPA effectiveness.

5.3 Adopt detailed by-laws and operations provisions

The consistency mechanism is intended to operate among DPAs in a court-like manner: while a number of operational details in this regard are indeed included in the text of the GDPR, more detailed guidelines will be required prior to it coming into effect. Article 72 GDPR explicitly requires the Board to “adopt its own rules of procedure” and these rules should address the crucial operational details.

Rationale

The consistency mechanism is introduced in the text of the GDPR as a court-like mechanism: fully documented cases are brought to its attention, a suspension period until it reaches its decision is provided for, decision-making majorities are introduced and appeal-like means are also introduced. Case law effect is granted to its decisions. In this context, if the mechanism is indeed to be operated as a court system, more details will be needed for it to function in an adequate manner: in particular, provisions on document submission, participation of the parties affected (non-DPAs), appeal processes, format and publicity of decisions could strengthen its role further.

5.4 The EDPB should be both an adjudicator and a consultation mechanism

Under the GDPR, the EDPB has multiple roles, among them that of an adjudicator and that of a consultation mechanism. Possible cases of function creep need to be catalogued, and adequate additional safeguards introduced, in order to address this risk and balance these two roles.

Rationale

While an obvious policy option within the GDPR context, given the unique nature of the Board itself, the fact that the same body resolves disputes and at the same time consults, or constitutes a place for cooperation, for the same actors (DPAs) may lead to cases of function creep. In essence, the same body may be called upon to decide cases on which it has already consulted. This double role is not present in the Article 29 Working Party, the equivalent mechanism established under Directive 95/46, because it has only an advisory role. A decision-making role is qualitatively different; the Board may have to struggle to accommodate its new powers under the GDPR. Consequently, additional safeguards (e.g. in the form of public sessions or published minutes) need to be introduced in order to deal with cases where such an event may be anticipated (e.g. in Article 65 GDPR).

5.5 Explicitly address the right of appeal

Given the court-like nature of the consistency mechanism, an explicit right to appeal needs to be provided for the parties concerned (i.e. DPAs as well as data subjects, processors and controllers).

Rationale

Despite introducing the consistency mechanism in a court-like manner, the GDPR fails to introduce a comprehensive system in this regard. As highlighted above, under Recommendation 5.4, detailed by-laws will be required so as to address this shortcoming.

However, the right to appeal is a critical omission, whose importance needs to be highlighted separately. A distinct, separate appeal process needs to be firmly established within the consistency mechanism. While it may perhaps be claimed that a DPA concerned may appeal any of the Board’s decisions that are binding upon it to the Court of Justice of the EU (i.e. action for annulment, Art 263 TFEU), there is no such possibility for such a DPA within the EDPB. Therefore, an appeal process needs to be introduced, as a second-level examination of a case within the Board itself.

From the viewpoint of the parties actually affected by such decisions, i.e. data subjects, processors and controllers, the way to court redress may not be equally obvious. These parties may ultimately need to appeal the DPAs’ decision issued on the basis of the Board’s decision. All in all, two scenarios are possible:

a) an action for annulment in the CJEU by a data subject, processor or controller against the EDPB decision, as such a decision is “addressed to that person or [it is] of direct and individual concern to them” (Art 263 TFEU), or

b) instituting proceedings at a national level against the decision issued by their DPA on the basis of the EDPB decision; this situation is implicit in the text of the GDPR.

The former situation, i.e. an action for annulment, should be made possible de lege ferenda not only to ensure the consistent application of EU data protection law (i.e. imagine a decision concerning e.g. 10 jurisdictions, with each court therein deciding on the subject-matter differently) but also to ensure the efficiency of the protection of personal data (i.e. an ill-founded decision, once annulled, produces no effects whatsoever anywhere in the EU).

Given the importance of a right to appeal within any adjudication system, a relevant process or even clear and concise guidelines to the parties concerned on how to achieve a second hearing need to be introduced prior to the GDPR coming into effect.


6 Recommendations on information sharing and information technology platforms supporting cooperation

6.1 Introduction

The need for information exchange between different DPAs has increased considerably in recent years because of multiple drivers that motivate and require efficient, secure and transparent European cooperation on data protection. In this sense, the context of cooperation between EU DPAs has evolved, creating the enabling environment needed for secure communication, cooperation and information exchange systems.

Firstly, critical decisions have been taken by the European courts, principally the Court of Justice of the European Union (CJEU), and the impact of these judgments transcends national frontiers and produces legal effects at the European and international level. While preserving the independence of the supervisory authorities, the judgements contribute to the consistent application of the data protection regime throughout the EU. The already mentioned case law of the CJEU clearly has far-reaching application across the EU (e.g. Google Spain, Maximilian Schrems v Data Protection Commissioner).

Secondly, throughout the development of the second phase of the PHAEDRA project (2015-2017) we have witnessed some positive, though intermittent, initiatives calling for “collective” work among DPAs. The creation of contact groups of several EU DPAs to supervise compliance with EU data privacy law, the establishment of Memoranda of Understanding between several peers providing some structure to EU DPA interaction and cooperation, and the conduct of joint audits across several countries are the main outstanding examples of what cooperation between DPAs currently looks like.

Thirdly, in the near future and under the GDPR, cooperation among the EU DPAs will become mandatory. The recent reform of the basic EU data protection legal framework introduced a major change in how data protection law is applied and enforced in EU Member States. It also introduced major changes in the nature of cooperation between EU DPAs, as the GDPR provides for mandatory cooperation between national DPAs and provides that cases considered to have an impact on more than one Member State may be referred to the EDPB. Under this framework, the free flow of information between concerned DPAs, and between them and the EDPB, has to be assured.

Lastly, through the research and interviews carried out within the PHAEDRA project, a number of challenges have been identified for an effective harmonization of mechanisms for cooperation, communication and information exchange between DPAs.

Thus far we have worked on the understanding that collaborative actions between DPAs require the implementation of supporting tools. Alongside the fundamental role played by WP29 and the frequent face-to-face meetings and events, most of the time the exchange of information or other communications between authorities takes place by technical means. As detailed below, our research has shown that email communication, phone calls and existing networks are commonly used for coordination purposes, but no common, shared information technology (IT) platform for EU DPAs has yet been implemented.

Consequently, while collaboration among EU DPAs has long been a common feature in the European context, the new framework is calling for permanent, formal and structured cooperation channels. The implementation of an IT platform to replace the current informal mechanisms that are mostly used for this cooperation constitutes a critical point for the success of interactions among DPAs. In this sense, the exchange of information through secure electronic information sharing platforms – a “safe space” for privacy enforcement authorities – is one of the main recommendations from the 35th International Conference of Data Protection and Privacy Commissioners to encourage efforts to bring about more effective coordination of cross-border investigation and enforcement.118

Even so, the lack of a shared IT platform for EU DPAs is not the critical challenge to overcome; in the first place, it is necessary for EU DPAs to agree on what information they need to share and how that information will be shared. Subsequently, an appropriate platform can be adopted or developed. Below we will see how the GDPR clearly prescribes the requirement to establish standardised formats and to conduct by electronic means all cooperation activities between DPAs and between DPAs and the Board.

118 35th International Conference of Data Protection and Privacy Commissioners, Enforcement coordination resolution, September 2013.


Besides, a key challenge that cooperation presents for DPAs relates to their freedom of action and independence to determine their own strategies and methods while permitting collaboration and coherence with their peers.119

The following is a brief summary of the main current challenges of cooperation between DPAs identified under the PHAEDRA II project:120

Limited and varied resources of the DPAs. Currently, authorities present differences not only in human and budget resources but also in legal powers regarding enforcement, investigation and audit. These differences have an impact on the time of response, the possibilities for providing information requested, the real chance for leading investigations, etc. (To a large extent, the GDPR will remove these barriers yet they would remain when it comes to cooperation between an EU and a non-EU DPA.)

Multiple actors involved in the cooperation. Along with DPAs, other external users are involved in the coordination of privacy enforcement activities, and representatives from government, researchers, businesses and citizens can be included in networks.

GDPR integration in national legal systems. As a Regulation, the GDPR will be directly effective in Member States without the need for implementing legislation. There are, however, some exceptions to this general constitutional rule of the EU: the Regulation allows Member States to legislate on data protection matters, and some of its articles even state that their provisions may be further specified or restricted by Member State law.

Structure and formalisation. Structured and formalised mechanisms for cooperation are seen as positive for increasing efficiency and harmonisation in the collaborative activities of DPAs. The gradual development and continuous process of revision and improvement of cooperative mechanisms must be established in order to guarantee flexibility for the incorporation of new functionalities or uses of the system.

Linguistic challenges. As outlined supra, language differences remain a key topic. The wide range of official languages within the EU, the lack of multilingual editions, the difficulties of implementing multilingual features or automated translation in some websites and systems, etc. raise problems in relation to the exchange of information, repositories of decisions or requests for assistance, among others.

The use of different communication, information exchange and alerting tools. Emails, phone calls or in-person meetings have frequently been identified as fundamental tools for cooperation. Despite the evident utility and compatibility of these tools with other mechanisms, they have limited technical functionality.

In the following sections, after the definition of what a platform is, a brief description of electronic platforms used in the EU is presented in Section 6.2. Under this section, the communication and cooperation platforms currently employed by the EU DPAs and other EU institutions are studied separately to highlight their features followed by an overview of the main lessons and benefits from the different platforms analysed in the PHAEDRA II project. The last section (Section 6.3) provides some final recommendations regarding the configuration and implementation of the IT platform for the EDPB.

6.2 Platforms

6.2.1 Concept of a platform

A “platform” can be understood as any mechanism supporting an activity, making that activity easier to perform or more efficient.121 In this context, the activity is based on the sharing of information that leads to coordination between EU DPAs in support of their duties, purposes and competences according to the EU data protection law. In our context, it will be a piece of software designed to serve this purpose with the functionalities recommended below.

119 Barnard-Wills & Wright, op. cit., July 2015, p. 5.
120 Ibid.
121 Barnard-Wills & Papakonstantinou, op. cit., February 2016, p. 14.


As pointed out by many scholars and by the first PHAEDRA project (2013-2015), cross-border cooperation among data supervisory authorities, both at the European and the international level, is underdeveloped.122 Therefore it needs to be strengthened in order to:

cope with contemporary challenges posed by both globalisation and information and communications technologies,

offer adequate, ‘practical and effective’ protection of the fundamental rights to privacy and personal data protection (as far as the EU is concerned), and

achieve efficiency, i.e. produce effects with the least waste of resources.123

An IT platform will contribute to all these three aims. Therefore it is not surprising that the GDPR clearly stipulates that the exchange of information must be completed by electronic means between supervisory authorities and between supervisory authorities and the Board and under a standardised format (Articles 60, 61, 64 and 67 GDPR).

In this sense, it is relevant to remark that Article 67 GDPR appoints the European Commission to develop implementing acts of general scope in order to specify the arrangements for the exchange of information by electronic means, in particular the standardised format referred to in Article 64.124

The platform should constitute a secure, well-designed and efficient system designed to allow the flow of information between DPAs themselves as well as with the EDPB. However, the nature of its infrastructure and its corresponding level of complexity must be decided at a political decision-making level in order to determine its features and technological specifications. As outlined in the research of PHAEDRA II, “the technological requirements of any new information sharing, communication and coordination platform should follow on from the intended use case, as well as the legal roles and responsibilities of its users (as these will determine the former)”.125

In this line, three main kinds of platforms may be constituted:

A collaborative platform. This platform would be created mainly for the purposes of exchanging documents through a basic intranet system and would include messaging systems (e.g. forum, e-mail), complementary systems for private chats (e.g. real-time messaging) and spaces for the storage of documentation.

An operational platform. This second level of platform would be created not only to host documentation but also to allow EU DPAs to work together, including different services that may cover, from translation services to project management tools (integrated or not in the platform).

A decisional platform. In this case the platform would be constituted as a means for joint activities and would serve as the European single point of contact following all the regulations regarding the electronic administration that will require, among many other features, a regulated procedure of validation of identities. In this level, “the creation of a shared platform for EU DPAs might provide an opportunity to develop a citizen-facing platform, providing a single point of contact for EU citizens with DPAs in support of the one-stop-shop principle”.126

The research within this project has led us to identify and analyse different concurrent elements in the many types of platforms and cooperation systems already existing at the European level. The crucial factor for the functioning of an IT platform will be to ensure the different systems of the parties can communicate with each other and exchange information seamlessly (i.e. interoperability). This implies addressing a number of technical, organisational, legal and semantic barriers. More specifically, the main questions are related to the definition of terms, the purpose of the exchange of information, the designation of the accessing authorities and the conditions for access, the implementation of data protection and data security rules, the guarantee of data protection principles, the implementation of effective supervision, the costs of the infrastructure, the origin of the provider or the linguistic policies.127

122 Galetta, Kloza & De Hert, op. cit., April 2016, p. 8.
123 Ibid.
124 Papakonstantinou, Pauner, Cuella & Barnard-Wills, op. cit., September 2016, p. 82.
125 Barnard-Wills & Papakonstantinou, op. cit., February 2016, p. 21.
126 For example, as outlined in Deliverable 2.2: “an EU citizen might be able to make a complaint to a single online portal, which is routed to a particular DPA depending upon the details of the complaint, without the complainant having to make any determination about which DPA to complain to, and not having to determine the key establishment of a data processor. Whilst such a portal would require significantly more cooperation and agreement than a communication platform solely for use amongst EU DPAs (and is contingent upon fundamental agreement on compatible shared case handling methods and enforcement strategies), if such a venture is to be considered in future, it would be wise to determine the extent to which a DPA communications platform as discussed in this Section might support public-facing elements” (Barnard-Wills & Papakonstantinou, op. cit., February 2016, p. 24).

6.2.2 Examples of (electronic) platforms used in the EU

In order to identify the multiple principles that a platform should guarantee and comply with, a comprehensive analysis of both the main communication platforms and the main databases currently available to the EU has been carried out.

(a) Communication and cooperation platforms for EU DPAs

The main communication platforms analysed in the current project are: CIRCABC, the Global Privacy Enforcement Network (GPEN) alerting tool and other conventional tools such as email communication.

- Conventional communication platforms

Throughout the interviews conducted by PHAEDRA II with EU DPAs, the “platform” most commonly used by DPAs to coordinate their activities was communication by email and phone calls, supplemented by face-to-face interaction through networks and events.128

The useful functions of these communication platforms should not be underestimated. It is relevant to take into account not only the costs involved in setting up a new platform and learning how to use it, but also the level of acceptance a new platform would achieve, even if it provides meaningful advantages over existing methods, considering resistance to change, familiarity with existing mechanisms and substantive policy-related concerns (for example, security or independence).129

The main features of these communication platforms are:130

1. Accessibility. Both are easily accessible, sit within the workflow of DPA employees and require little formal training for most professionals to use.

2. Decentralisation. They are also decentralised, and the cost of setting up these networks is not carried by individual DPAs, so it does not have to be justified as part of a new budget line.

The main limitations of these conventional platforms are:

1. Individuality of the contacts. Although some organisations may implement role-based email addresses or telephone numbers, this does not appear to be the case with many DPAs.

2. Security concerns for the exchange of confidential information. Secure exchange can be achieved through an encryption protocol.

Due to all these features and limitations, it is advisable to integrate any e-mail or similar tool in an IT platform.

- The GPEN Alert tool

The Global Privacy Enforcement Network (GPEN) is an informal network of DPAs whose members include many EU agencies.131

It offers some elements for discussion relevant to the forthcoming IT platform since, similarly to the future EU DPA cooperation platform, the main purpose of the GPEN is to foster cross-border cooperation among DPAs in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. The GPEN connects DPAs from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy.132

Regarding the recommendations for an IT platform, it is relevant to outline that the GPEN Alert tool allows participating authorities to find out whether other GPEN members are investigating or taking enforcement action against the same company, person or practices.

However, the main limitations of the GPEN Alert identified through the research of this project are:

127 Papakonstantinou, Pauner, Cuella & Barnard-Wills, op. cit., September 2016, p. 83.
128 Barnard-Wills & Wright, op. cit., July 2015, pp. 15-16.
129 Barnard-Wills & Papakonstantinou, op. cit., February 2016, p. 15.
130 Ibid.
131 Cf. https://privacyenforcement.net.
132 Barnard-Wills & Papakonstantinou, op. cit., February 2016, p. 15.


1. The amount of information shared. “The information in the Alert system may be contributed and accessed only by GPEN member authorities that have signed a memorandum of understanding and whose relevant staff have appropriate security credentials. It does not currently allow sharing of detailed confidential, non-public enforcement matters, nor does it allow the sharing of consumer complaints relating to privacy”.133

2. Membership of EU countries. The membership of GPEN does not include all EU DPAs, with the consequence of making it unsuitable as a single point of coordination and communication for EU DPAs.134 Some commentators have been critical of the low take-up within GPEN (16 out of 43 member countries).135 Other commentators pointed to its lack of sufficient security as the main barrier.136

- CIRCABC

The Communication and Information Resource Centre for Administrations, Businesses and Citizens (CIRCABC) is an application used to create collaborative online workspaces where communities of users can work together over the web and distribute information and documents across multiple languages and with document control. It is open source software developed out of an EU-funded project and can be downloaded and used by anybody.137

CIRCABC is integrated with the European Commission’s Authentication Service (ECAS). The ECAS is the system for logging on to a whole range of websites and online services run by the European Commission, using a single username and password.138

A 2015 Resolution of the European Data Protection Authorities' Conference in Manchester called for the opening of a dedicated European Conference section on the CIRCABC platform and resolved to "make consistent and continuous use of the CIRCABC platform" to archive and centralise past and future European Conference documents, as well as relevant information of common interest to Conference Members such as best practices, common guidelines, or summaries of national decisions on particular subjects.139

In the PHAEDRA II interviews with DPAs, mixed perspectives were expressed on CIRCABC. It was mentioned by several DPAs as an option for an IT platform. It is relevant to outline that:

one DPA felt that the tool was a good tool, but that it was currently under-used by other DPAs,

others expressed doubts, particularly that the tool was not designed for this purpose, was not controlled or owned by EU DPAs, and was not integrated with the day-to-day workflow of any authorities.140

Regarding a future IT platform, CIRCABC is considered an optimal example of a communication platform from a technical perspective. Some features and functionalities of this platform should be highlighted:141

Support to geographically separated collaboration between groups;

Distribution and a management of documents in any format;

o Languages – including managing translations, search in multiple languages;
o Document version control;
o Parts of the library can be made publicly accessible;

High level of security;

o Advanced access control (either through ECAS or other);

Discussion forums and newsgroups;

Notification service (e-mail notifications sent when new content is posted to or updated in libraries or newsgroups, when translations are added to multi-lingual documents, when new forums are created in an interest group);

Manage users (with the ability to assign No-access, Access, Access and post, Moderate and Administer roles to different resources);

Event service – allows for scheduling of meetings and other events on a calendar, and inviting other users to participate;

Information services (a "front page" or introduction to an interest group to describe the scope, activities and services of the group in a static website);

Search functions (by text and meta-data fields, e.g. file type), including saved/regular searches;

Designed for accessibility for users with disabilities.

133 Barnard-Wills & Papakonstantinou, op. cit., February 2016, p. 16.
134 Ibid, p. 18.
135 McCarthy, Kieren, "Feds in America very excited about new global privacy alert system: Rest of the world: not so much", The Register, 26 October 2015. For a detailed comment on the EU DPAs’ views of the GPEN platform, see PHAEDRA repository, “The CBP – Dutch Data Protection Authority – signs agreement GPEN Alert system”, 2 December 2015. http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA-II-Repository_NL_CBP_GPEN-Alarm-System_TRI_October-20151.pdf.
136 Barnard-Wills & Wright, op. cit., July 2015.
137 European Commission, CIRCABC 3.6 User Guide, Version 2, 22 January 2014.
138 Cf. https://webgate.ec.europa.eu/cas.
139 Conference Working Group on European Cooperation, Resolution of the European Data Protection Authorities’ Conference, 18-20 May 2015, Manchester.
140 Barnard-Wills & Wright, op. cit., July 2015, pp. 16-17.
141 European Commission, op. cit., January 2015.

- Other secure messaging tools

Secure messaging programs and applications are available on the market and have been adopted by individuals and institutions as part of their digital communications strategy to better protect their privacy and secrecy. Applications ranging from Telegram, Signal, RedPhone and ChatSecure to CryptoCat are some examples of these apps based on security best practices such as encryption, verification, security design and authentication of codes.142 The main challenges and limitations detected for the use of these communication tools between DPAs are their security claims, the lack of integration within the workflow, and the individual (rather than institutional) nature of the accounts, which may hinder the operation of a professional coordination platform.

(b) Cooperation platforms used within the EU

Within the EU institutional framework, several databases and platforms have been created in order to foster cooperation between EU Member States in different areas and the interaction of the EU institutions, bodies, agencies and offices with a varied range of stakeholders and with citizens. According to the research carried out under PHAEDRA II, at the EU level alone some cooperation mechanisms, or elements thereof, have proven to be mature, efficient and successful enough.143 These include cooperation in the areas of (1) migration and border control, (2) private international law, (3) consumer protection, (4) competition law, (5) criminal justice and (6) fundamental rights. The barriers and obstacles to cross-border cooperation among supervisory authorities, which are invoked nowadays in data privacy law, were already matters of concern to policy makers and legal practitioners as early as the beginning of European integration, when the premises for cross-border cooperation in many areas of EU law were laid down.144

6.2.3 Main lessons and benefits of existing platforms

The following are the main challenges and benefits presented by the different platforms analysed in the PHAEDRA II project:145

Ownership and control remains a political decision. Platforms are likely to be limited to particular groups, with access granted only to members of those groups. This means that for EU DPAs needing to share information amongst themselves, but perhaps not with third parties outside the EU, the WP29, or its successor in the form of the EDPB, would likely need to have a significant role in the provision (or at least the administration) of a communication platform.

Platforms often lack value for the first few users. This is a disadvantage for commercial platforms, but given the characteristics of the (compulsory) mandate of the GDPR to establish an IT platform, the appeal of the network will be immediately appreciated. Nevertheless, network effects and the challenge of incentivising use would be a key challenge for any new platform for information sharing between EU DPAs.

142 Barnard-Wills & Papakonstantinou, op. cit., February 2016, p. 21.
143 Galetta, Kloza & De Hert, op. cit., April 2016, p. 8.
144 Ibid.
145 Ibid, pp. 24-25.


A shared platform for EU DPAs might also be citizen-focused by providing a single point of contact for EU citizens with the authorities. In this sense, the platform would improve communication between citizens and authorities and support the one-stop-shop principle.

Information security risk analysis and threat models need to be further developed for EU DPA communication and platforms.

The comparative analysis of cooperation mechanisms in other domains conducted in PHAEDRA II suggests that the majority of the cross-border cooperation mechanisms analysed rely on sharing information, and that such sharing occurs with the help of technology. Such infrastructure ensures reliable, permanent, real-time and up-to-date provision of information. The report also highlights the possibility of using electronic means for alternative dispute resolution (ADR) methods as potentially applicable to cross-border disputes between data subjects and controllers.146

6.3 Recommendations for the configuration of an IT platform for the EDPB

According to the analysis carried out in the PHAEDRA II project, the configuration of an IT platform for the EDPB should follow the recommendations below:

6.3.1 Protection of personal data

The platform must comply with all the regulations and basic principles of EU data protection law. Therefore, the design of the platform should be consistent with the GDPR as well as, among others, with the ePrivacy Directive,147 Regulation 45/2001148 and Convention 108,149 all three currently under review. This specific legal context imposes a first technical requirement: the IT platform has to be a good fit for future legislation, so flexibility and responsiveness to legislative changes after its deployment must be assured. Together with this requirement, security is vitally important for a communication, information exchange and cooperation platform of DPAs, not least because of the requirement for adequate security embedded in EU data protection law, but also because DPAs should be expected to model and recommend good security practices in other contexts, and may lose legitimacy if their own information systems are compromised or breached. The threat model and expected adversaries for a collective DPA platform are in need of further definition.150

In this sense, “privacy by design” (PbD) should be guaranteed, identifying the processing of personal data in the IT platform that will affect not only the users of the platform but also those third parties whose information is shared. For example, it is essential to follow the “privacy by design” principles in the following scenarios, among others:

When sharing decisions in individual cases between DPAs, these resolutions may be anonymised; but when processing within a one-stop-shop procedure, such as a complaint whose handling is to be conferred upon a lead authority, the data will not be anonymised.

When deciding which is the lead authority for processing an international transfer.

The PbD requirement of the platform itself also has to be applied at a second level: the privacy by design of the data the platform shares has to be guaranteed. The sharing of personal data in a collaborative action between DPAs has to be reduced to the minimum personal data necessary for each particular purpose, which brings us to the data minimisation principle. PbD of the data shared through an IT platform requires that disclosure be limited, excluding personal details which are irrelevant to the handling of the case. Limiting data disclosure through protocol elements is, then, recommended.

146 Galetta, Kloza & De Hert, op. cit., April 2016, pp. 93-94.
147 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). The e-Privacy Directive was amended in 2009 by the Citizen’s Rights Directive 2009/136/EC.
148 Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.
149 Council of Europe, Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data. Council of Europe.
150 Saitta, Eleanor, “Please Stop Writing Secure Messaging Tools”, Dymaxion.org, Amsterdam, 31 October 2015, in Barnard-Wills & Papakonstantinou, op. cit., April 2016, p. 22.


Therefore, in terms of data protection, the requirements already arise at the design level: even in their internal procedures, DPAs will have to take the existence of the IT platform into account whenever they register any kind of document.

6.3.2 Linguistic and translation recommendations

As with the issue of cooperation, the linguistic requirements are one of the most important elements in the configuration of an IT platform. Translation raises resource questions, and some uncertainty has been observed about the source of the required resources and who should carry the cost. Working in common or shared languages, and deciding which to focus upon, is a highly political issue. According to the research carried out in PHAEDRA II, some DPAs looked to the European Commission for support in this area. The Commission has experience in working across 24 official EU languages and has one of the largest translation services in the world.151

If an IT platform accessible by all DPAs is pursued, a decision must be made between an official translation service, such as the Commission’s or one linked to it, that translates all shared documents, and the incorporation of an automatic translation tool, with the different national DPAs bound to follow the version in the chosen official language in case of any linguistic conflict.

In order to assess either of the two proposed options, different criteria must be taken into account:

The operative capacity of the DPAs, in terms of human and financial resources, to assume the costs of translating the documents.

The reliability of the different existing automatic translation tools and their possible integration into the IT platform.

The general budget of an IT platform.

It is relevant to underline that not all DPAs have the means necessary to translate all documents and, consequently, some could only translate into English. Some have a very limited staff who are unable to translate with their own resources without going to an external sworn translator. Some DPAs might not need to translate at all, e.g. due to multiple official languages in their home jurisdiction, if a foreign case in such a language arises.

According to the analysis of these three criteria, the option of integrating an automated translator should be considered the most convenient, given the relatively good level of translation that these applications can reach when working on a very specific and limited vocabulary. DPA staff should keep in mind that such translations cannot be considered official. Yet they do the job on a day-to-day basis, and this pragmatic thinking justifies this recommendation.

English could be the working language in principle, unless the DPAs involved decide otherwise on specific grounds. However, it is desirable that an IT platform supports automatic translation into and from English and all the official languages of EU Member States whenever documents (or summaries of documents) have to be exchanged among DPAs in actions pursuant to cooperation procedures. In this sense, all DPAs should defer to the English version in case any linguistic conflict arises between different translated versions.

6.3.3 Accessibility recommendations

Accessibility per se is not a legal requirement, but universal access to an IT platform, avoiding any technological bias, constitutes an essential value of EU data protection law.

On the one hand, regarding the accessibility requirements, it is desirable that document format standards be determined in the design of the IT platform. It is relevant to notice that some DPAs develop their applications on free software standards, such as the SUN office package, sharing documents with databases or any text in the open document format (extension .ODT), while others upload proprietary Microsoft formats (extension .DOC or .DOCX) or even use cloud services such as Windows 365 or Google Docs. Consequently, it is necessary to set out the requirements regarding such document standards by selecting one of the following options:

To design an IT platform with the ability to manage documents with different standards, or

151 Barnard-Wills & Wright, op. cit., July 2015, p. 32.


To make all DPAs upload their files in the rich text (.RTF) format, which is the standard format for the sharing of documents.

On the other hand, an IT platform should be multi-layered, as this optimises its functionality. This feature will be positive in two respects: first, it will allow the user to clearly understand which ‘layer’ they are working on; and second, it will enable support for documents according to the articles requiring DPAs’ cooperation in Chapter VII of the GDPR.

Thirdly, it should be noted that persons with disabilities may work in DPAs and, consequently, it is essential that an IT platform be accessible in order to provide equal access and equal opportunity to people with diverse abilities. Indeed, the UN Convention on the Rights of Persons with Disabilities recognises that access to information and communications technologies constitutes a basic human right.152 Therefore, an IT platform must operate in accordance with the protocols on accessibility and disability (see the W3C Protocol).153 Similarly, if an IT platform is to allow submissions from data subjects, it must afford accessibility not only to people with disabilities, but also to children (to the extent minors can lodge their own complaints),154 the elderly155 or ethnic minorities,156 among others.

6.3.4 Security recommendations

The configuration of an IT platform must also meet a number of security requirements. If this platform hosts sensitive data or, in any case, strategic administrative information, a security policy should be adopted following the requirements below.

Firstly, the security requirements regarding the provider of the platform should be delimited. One of the main elements in the configuration of an IT platform is the decision whether it is a self-produced or corporate platform, or a commercial or third-party application. The service provider must be headquartered within EU territory in order to be fully subject to EU data protection law (or, at least, its servers have to be kept on the territory of EU Member States). In any case, it is advisable to comply with clear security certification standards such as the ISO/IEC 27000 series (most notably, but not only, ISO/IEC 27001 for information security management and ISO/IEC 27017 for cloud security). However, it should be underlined that there are also other private organisations worth considering that are dedicated to defining and raising awareness of best practices to help ensure a secure cloud-computing environment, such as the Cloud Security Alliance (CSA) or EuroCloud.157

Secondly, other specific security requirements relate to where the server of an IT platform is hosted. The most desirable option would be to decentralise data storage across servers, since relying on a single server in one location is risky, inconvenient, sometimes prohibitively expensive, and can cause latency issues. In this sense, “a decentralised system offers some advantages to DPAs as a collective community in that it shares the responsibility for the system and increases its reliability”.158

Finally, the security requirements defining the validation policies should also be set out, including users’ permissions, authentication methods and access controls or limitations. To that end, it is necessary to determine whether an IT platform will only be used by the authorities (in the strict sense of General Directors and Heads of Unit) or also by officials. In the second scenario, it is necessary to decide whether all officials should have access to all documents or only to those of their speciality group, and therefore to define access profiles for the IT platform.

In this sense, it is preferable to establish a multi-user platform, depending upon which types of staff in each DPA would have access to and be expected to use it (whether, for example, all staff are granted access, or use is restricted to staff with an international/coordination role). The ability to form ad hoc teams on particular issues or cases would be desirable.159

152 Cf. https://www.un.org/development/desa/disabilities/convention-on-the-rights-of-persons-with-disabilities.html.
153 Cf. http://www.w3.org/standards/webdesign/accessibility.
154 Cf. e.g. UN, Convention on the Rights of the Child, 1989. Art. 16: “1. No child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, or correspondence, nor to unlawful attacks on his or her honour and reputation. 2. The child has the right to the protection of the law against such interference or attacks.” http://www.ohchr.org/en/professionalinterest/pages/crc.aspx.
155 Cf. e.g. UN, United Nations Principles for Older Persons, 1991. http://www.ohchr.org/EN/ProfessionalInterest/Pages/OlderPersons.aspx.
156 Cf. e.g. UN, General Assembly, Declaration on the Rights of Persons Belonging to National or Ethnic, Religious and Linguistic Minorities, 1992. http://www.un.org/documents/ga/res/47/a47r135.htm.
157 These are mentioned here solely for information purposes and no evaluation is being made.
158 Barnard-Wills & Papakonstantinou, op. cit., April 2016, p. 22.
159 Ibid, p. 22.


Finally, the PHAEDRA II research has identified the following further security requirements advisable for the IT platform:163

Client-side end-to-end encrypted. Confidentiality, integrity and authenticity of the information have to be assured and only authorized parties should have access to the shared information. The concrete conditions, rules and form this should take are not predetermined but should be agreed based upon a risk-based approach.

Role-aware. The most effective software is that which supports the concept of roles. Different permissions and access to resources are granted depending on the role that each user plays. Users only see, consult and work on the information they are entitled to. EU DPAs differ in size and as a result have differing levels of specialisation and differentiation amongst their staff. For example, some DPAs may have a dedicated international relations person, or even team, whilst in others these roles may be distributed amongst different officers. Role-based users work more effectively and securely.
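The role-aware and multi-user requirements above (roles carrying different permissions, access profiles per speciality group, ad hoc case teams, and DPAs of differing size and structure) can be captured in a small access-control model. The following is an added illustration, not code from the PHAEDRA II project or from any DPA platform; the role names (head, intl, officer), the organisation identifiers and the sample documents are hypothetical.

```python
# Added illustration of a role-aware, multi-organisation access model for a DPA
# cooperation platform. Role names, organisations and documents are hypothetical;
# this is not code from the PHAEDRA II project or from any DPA platform.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

READ, WRITE, ADMIN = "read", "write", "admin"

# Role -> permissions the role can carry at all. "head" (head of unit / director)
# also administers its own organisation's space; "intl" is an international /
# coordination officer; "officer" is a case handler.
ROLE_PERMISSIONS = {
    "head": {READ, WRITE, ADMIN},
    "intl": {READ, WRITE},
    "officer": {READ, WRITE},
}


@dataclass(frozen=True)
class User:
    name: str
    org: str                                  # the DPA the user belongs to
    role: str                                 # key of ROLE_PERMISSIONS
    teams: FrozenSet[str] = frozenset()       # ad hoc case teams the user was added to


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_org: str                            # DPA that uploaded the document
    case_team: Optional[str] = None           # ad hoc team the document belongs to
    shared_cross_border: bool = False         # released to other DPAs' coordination staff


def can(user: User, action: str, doc: Document) -> bool:
    """Decide whether `user` may perform `action` on `doc`.

    Order of checks: the role must carry the permission at all; administration
    never crosses organisations; case material is confined to its ad hoc team
    (plus the owning DPA's head, for supervision); general material is visible
    inside its own DPA and, when explicitly shared, to other DPAs' heads and
    international officers.
    """
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        return False
    if action == ADMIN and doc.owner_org != user.org:
        return False
    if doc.case_team is not None:
        return doc.case_team in user.teams or (
            user.role == "head" and doc.owner_org == user.org
        )
    if doc.owner_org == user.org:
        return True
    return doc.shared_cross_border and user.role in ("intl", "head")


def visible_documents(user: User, docs: Iterable[Document]) -> List[str]:
    """Identifiers of the documents `user` is allowed to read, in input order."""
    return [d.doc_id for d in docs if can(user, READ, d)]


# Constructed sample data: two DPAs and one ad hoc team for a cross-border case.
SAMPLE_DOCS = [
    Document("A-internal-1", "DPA-A"),
    Document("A-shared-1", "DPA-A", shared_cross_border=True),
    Document("case-42-complaint", "DPA-B", case_team="case-42"),
    Document("B-internal-1", "DPA-B"),
]
HEAD_A = User("head_a", "DPA-A", "head")
OFFICER_A = User("officer_a", "DPA-A", "officer", frozenset({"case-42"}))
INTL_B = User("intl_b", "DPA-B", "intl")
OFFICER_B = User("officer_b", "DPA-B", "officer")
HEAD_B = User("head_b", "DPA-B", "head")

if __name__ == "__main__":
    for u in (HEAD_A, OFFICER_A, INTL_B, OFFICER_B, HEAD_B):
        print(u.name, "sees", visible_documents(u, SAMPLE_DOCS))
```

The point of the model is that a case file uploaded by one DPA becomes visible to an officer of another DPA only through explicit team membership, while material released for cross-border use reaches only the staff with a coordination role; a head of a different DPA may read shared material but can never administer it.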

6.3.5 Admissibility of digital evidence

An IT platform has to be designed and implemented to respond to the potential use of stored and shared documents in proceedings.164 As digital evidence becomes more prevalent in court proceedings, it is necessary to guarantee that an IT platform will produce evidence, should the need arise, that will be admissible in the receiving jurisdiction in accordance with its civil, criminal and/or administrative procedures. Compliance with this requirement is critical for the usefulness and success of the platform.

Although different rules governing the admissibility of digital evidence are in force in the EU Member States, the use and acceptance of digital evidence rests essentially on the same conditions as traditional evidence, that is, the demonstration of the integrity of the evidence in the sense that it has neither been manipulated nor contaminated.165 When digital evidence, defined as information transmitted or stored in a digital format that a party to a case may use at a proceeding,166 is handled within an IT platform, the platform must preserve the probative value of the evidence and operate under a protocol designed to ensure its authenticity, accuracy, confidentiality and proper preservation. The system also has to be able to compile metadata for each piece of evidence, including the chain of custody, the identity of the source, the original author and recipient information, and the author’s and recipient’s respective organisations.
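The integrity and chain-of-custody requirements just described can be demonstrated by storing a content hash beside the item and linking each custody event to the previous one by hash, so that an alteration of the content, of any event, or of the order of events is detectable on verification. The following is an added illustration, not code from the PHAEDRA II project; the field names, the custody actions and the sample complaint text are constructed.

```python
# Added illustration of integrity protection and chain-of-custody metadata for a
# document held on a DPA cooperation platform. Field names, custody actions and
# the sample content are constructed; this is not code from the PHAEDRA II project.
import hashlib
import json
from dataclasses import dataclass, field
from typing import List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    """One handling step. `prev_hash` links it to the previous step, so the
    events form a hash chain rooted in the content hash."""
    seq: int
    actor: str            # person who handled the evidence
    organisation: str     # that person's DPA
    action: str           # e.g. "uploaded", "downloaded", "forwarded"
    timestamp: str        # ISO 8601, taken from the platform clock
    prev_hash: str        # event_hash of the previous event, or content_hash for seq 0
    event_hash: str = ""  # filled in by append_custody

    def compute_hash(self) -> str:
        payload = json.dumps([self.seq, self.actor, self.organisation,
                              self.action, self.timestamp, self.prev_hash])
        return sha256_hex(payload.encode("utf-8"))


@dataclass
class EvidenceRecord:
    content: bytes
    content_hash: str
    source: str           # identity of the source the item came from
    author: str
    author_org: str
    recipient: str
    recipient_org: str
    custody: List[CustodyEvent] = field(default_factory=list)


def append_custody(rec: EvidenceRecord, actor: str, organisation: str,
                   action: str, timestamp: str) -> CustodyEvent:
    """Append a custody event linked to the current chain head."""
    prev = rec.custody[-1].event_hash if rec.custody else rec.content_hash
    ev = CustodyEvent(len(rec.custody), actor, organisation, action, timestamp, prev)
    ev.event_hash = ev.compute_hash()
    rec.custody.append(ev)
    return ev


def create_record(content: bytes, source: str, author: str, author_org: str,
                  recipient: str, recipient_org: str, timestamp: str) -> EvidenceRecord:
    """Register a new item: hash the content and open the custody chain with an
    'uploaded' event attributed to the author."""
    rec = EvidenceRecord(content, sha256_hex(content), source,
                         author, author_org, recipient, recipient_org)
    append_custody(rec, author, author_org, "uploaded", timestamp)
    return rec


def verify(rec: EvidenceRecord) -> bool:
    """Recompute the content hash and walk the custody chain. Altered content,
    an altered event, or a removed/reordered event breaks a link."""
    if sha256_hex(rec.content) != rec.content_hash:
        return False
    expected_prev = rec.content_hash
    for i, ev in enumerate(rec.custody):
        if ev.seq != i or ev.prev_hash != expected_prev:
            return False
        if ev.compute_hash() != ev.event_hash:
            return False
        expected_prev = ev.event_hash
    return True


if __name__ == "__main__":
    # Constructed sample: a complaint uploaded by DPA-A and fetched by DPA-B.
    rec = create_record(b"Complaint text (constructed sample)", "complaint-form",
                        "A. Example", "DPA-A", "B. Example", "DPA-B",
                        "2017-01-14T10:00:00Z")
    append_custody(rec, "B. Example", "DPA-B", "downloaded", "2017-01-15T09:30:00Z")
    print("intact:", verify(rec))
    rec.content = b"Complaint text (altered)"
    print("after tampering:", verify(rec))
```

A hash chain of this kind shows that neither the content nor the custody log has changed since the chain was built, but a party controlling the whole store could rebuild the chain from scratch; in a real deployment the chain head would additionally be signed by the platform or anchored with a trusted timestamp so that the log can be checked against something outside the store (that safeguard is general practice, not a PHAEDRA II recommendation).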

6.3.6 Usability requirements

Finally, a few factors contribute to the ease of use of an IT platform:

Multi-device. The coordination platform should allow access from different hardware platforms running various operating systems. In practical terms, a coordination platform would ideally be accessible to DPAs in different scenarios (in an online modality, such as meetings or events, or in presence-based activities, such as on-site investigations).

Offline-friendly. Where needed, working on the platform without access to the Internet has to be assured. Among other functions, it would be advisable to configure offline availability for a shared folder.

Multi-organisation. A multi-organisation structure ensures that different organisational entities can share or secure data. In the context of the EU DPAs, this requirement is critical. The technology of the platform must support multi-organisation working and administration, but the relationships and agreements between the participants require substantial attention to the formulation of policies and the management of the platform in order to succeed.

163 Barnard-Wills & Papakonstantinou, op. cit., April 2016, p. 23.
164 Kloza, Dariusz, Stine Bergersen, Rocco Bellanova and Ida Rødningen, Deliverable 2.2: Monitoring report on emerging ethical challenges and current societal debates, Project LASIE – Large Scale Information Exploitation of Forensic Data, August 2016, pp. 36-39. http://www.lasie-project.eu/wp-content/uploads/2015/05/LASIE_D2.2_monitoring_report_v4.2_final_clean.pdf.
165 More specifically, the basic criteria to be taken into account for admissibility of digital evidence in court procedures are: authenticity, completeness, reliability, believability and proportionality (Kloza et al, op. cit. 2016, p. 37).
166 Eoghan Casey, Digital Evidence and Computer Crime, Academic Press-Elsevier, 2011, 3rd ed., cited in Aida Ashouri and Warden, Cherry, “An overview of the use of digital evidence in international criminal courts”, Salzburg Workshop on Cyberinvestigations, October 2013, p. 1. https://www.law.berkeley.edu/files/HRC/Scholarly_articles_Salzburg_2013.pdf.


6.3.7 Alerting and project management recommendations

An IT platform should be provided with an alert system that will strengthen and expedite the exchange of information and cooperation among the different DPAs in a more immediate way. In general terms, the alert system should operate in the following scenarios:

1. for users to know that an investigation has been opened on a subject in another country or that certain assistance is requested.

2. for keeping track of deadlines and the fact that common initiatives have been launched.

The alert system should also be capable of being triggered by the lead DPA responsible for investigating whether several complaints about the same entity have been received in different Member States.

On the other hand, there is a need for a dedicated space for bilateral cooperation, or “project space”. In this sense, it is advisable that an IT platform provides a project management tool that enables cooperation between two or more DPAs or, at least, allows them to initiate contact.

6.3.8 Repository recommendations

An IT platform should offer a central ‘repository’ resource where users will find appropriate tools to cooperate, not only for the purpose of exchanging information but also to make the maximum number of documents available. This is the place where documents are stored, managed and shared.

The repository should be provided with the following elements:

It has to allow different spaces, folders or logs in order to classify documents. In this sense, it appears essential to host case law, since it is very difficult to identify and find other Member States’ courts’ judgments.167 Being aware of this shortfall, and from an active perspective, a Repository of leading decisions in individual cases with cross-border implications168 has been built during the PHAEDRA II project. The repository also includes a collection of the most significant documents in the field, such as resolutions, guidelines, opinions or best practices. The partners have critically commented on these documents.169

These folders/logs must be able to be opened and edited by several users at the same time. Changes should be recorded.

The repository should provide templates and guidelines on the cooperation procedures in order to create formal consistency during the proceedings.

When a cooperation procedure is initiated, it should be recorded in a specific place in the repository of the IT platform in order to generate an overall picture of the cooperation actions (undertaken and on-going) concerning a data controller or processor.

This functionality is especially advantageous to prevent the DPAs involved from delaying the fulfilment of their tasks – and possible sanctions – in cooperation procedures that rely on strict timeframes.

Global search from any location and retrieval functionality for any content must be assured. This functionality has to be designed with the type of documents and information that will be accessible to the DPAs in mind.

Figure 2 summarises the recommended functionalities of an IT platform for the EDPB.

167 Most recently, the Irish Data Protection Commissioner’s webpage provides access to written judgments, which were delivered in cases where the Data Protection Commissioner was a party to the proceedings, including a notice party. Judgments for 2015 and 2016 are now available.
168 Cf. http://www.phaedra-project.eu/leading-cases-documents/.
169 Cf. Pauner and Viguri, op. cit., January 2017.


Category of recommendations / Functionalities

1. Protection of personal data
   1. Compliance with the relevant data protection legal framework
   2. Flexibility and responsiveness to legislative changes after its deployment
   3. Privacy by design (PbD), incl. data minimisation

2. Languages and translation
   4. Automated translation tools

3. Accessibility
   5. Standardisation of document format or compatibility thereof with different standards
   6. Universal accessibility (respect for different abilities) (e.g. disabled, children, elderly, ethnic minorities, etc.)

4. Security
   7. Compliance with widely accepted security standards
   8. Decentralisation
   9. Client-side end-to-end encrypted. Confidentiality, integrity and authenticity of information have to be assured
   10. Role-awareness. Use of the platform and access to resources is based on different permissions depending on the role that each user can play
   11. Multi-user platform with validation policies (i.e. users’ permissions, authentication methods and control/access limitations)

5. Digital evidence
   12. Conditions for admissibility: authenticity, completeness, reliability, believability and proportionality

6. Usability
   13. Multi-device. The coordination platform should allow access from different hardware platforms and run on various operating systems
   14. Offline friendliness
   15. Multi-organisation working and administration

7. Alerting and project management
   16. Alerting functionality
   17. A project space for bilateral cooperation managed by DPAs concerned

8. Repository
   18. Different spaces, folders or logs in order to classify documents
   19. Simultaneous and shared use
   20. Templates and guidelines on the cooperation procedures
   21. Tracking and recording of the cooperation procedures
   22. Global search and retrieval functionality of contents

Figure 2: Functionalities for an IT platform for the EDPB.


7 Bibliography

7.1 PHAEDRA II publications

7.1.1 Deliverables170

Barnard-Wills, David and David Wright, Authorities’ views on the impact of the data protection framework reform on their co-operation in the EU, PHAEDRA II Deliverable D1: London-Brussels-Warsaw-Castellón, July 2015. http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA2_D1_20150720.pdf

Galetta, Antonella, Dariusz Kloza and Paul De Hert, Cooperation among data privacy supervisory authorities by analogy: lessons from parallel European mechanisms, PHAEDRA II Deliverable D2.1: Brussels-London-Warsaw-Castellón, April 2016. http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA2_D21_final_20160416.pdf

Barnard-Wills, David and Vagelis Papakonstantinou, Best Practices for cooperation between EU DPAs, PHAEDRA II Deliverable D2.2: London-Brussels-Warsaw-Castellón, February 2016. http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA-II_D2.2-report_2016.02.15.pdf

Papakonstantinou, Vagelis, Cristina Pauner Chulvi, Andres Cuella and David Barnard-Wills, European and national legal challenges when applying the new General Data Protection Regulation provisions on co-operation, PHAEDRA II Deliverable D3.1: London-Brussels-Warsaw-Castellón, September 2016. http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA2_D31_final_15092016.pdf

Pauner, Cristina and Jorge Viguri, A report on a repository of European DPAs’ leading decisions with cross-border implications, PHAEDRA II Deliverable D4.2: London-Brussels-Warsaw-Castellón, January 2017. http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA2_D42_final_20170112.pdf

Pauner, Cristina and Jorge Viguri, A report on the PHAEDRA II blog, PHAEDRA II Deliverable D4.3: London-Brussels-Warsaw-Castellón, January 2017. http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA2_D43_final_20170113.pdf

7.1.2 Academic publications

Barnard-Wills, David, “The technology foresight activities of European Union data protection authorities”, Technological Forecasting and Social Change, October 2016. http://dx.doi.org/10.1016/j.techfore.2016.08.032

Barnard-Wills, David, Cristina Pauner Chulvi and Paul De Hert, “Data protection authority perspectives on the impact of data protection reform on cooperation in the EU”, Computer Law and Security Review, Vol. 32, No. 4, August 2016, pp. 587–598.

De Hert, Paul, Dariusz Kloza and Paweł Makowski (eds.), Enforcing privacy: lessons from current implementations and perspectives for the future, Wydawnictwo Sejmowe, Warszawa, 2015. http://www.phaedra-project.eu/wp-content/uploads/phaedra1_enforcing_privacy_final.pdf

Galetta, Antonella and Dariusz Kloza, “Cooperation Among Data Privacy Supervisory Authorities: Lessons from Parallel European Mechanisms”, in: Erich Schweighofer, Franz Kummer, Walter Hötzendorfer, Georg Borges (Hrsg./Eds.), Netzwerke/Networks. Tagungsband des 19. Internationalen Rechtsinformatik Symposions IRIS 2016, Österreichische Computer Gesellschaft, Wien 2016, pp. 495-498. http://www.phaedra-project.eu/wp-content/uploads/phaedra2_Galetta_Kloza_IRIS2016.pdf

Kloza, Dariusz and Antonella Galetta, “Towards efficient cooperation between supervisory authorities in the area of data privacy law”, Brussels Privacy Hub Working Papers, Vol. 1, No. 3, October 2015, pp. 1-25. http://www.brusselsprivacyhub.org/Resources/BPH-Working-Paper-VOL1-N3.pdf

170 In the order of issuance.


7.1.3 Commissioned research

Kloza, Dariusz, Opinion for the Council of Europe for the 37th Bureau meeting of the Consultative Committee of the Convention for the Protection of individuals with regard to automatic processing of personal data (T-PD-BUR) on the compatibility of the Global Cross Border Enforcement Cooperation Arrangement (Mauritius Arrangement) with the said Convention, Council of Europe, Directorate General of Human Rights and Rule of Law, T-PD-BUR(2016)04, Strasbourg, 28 June 2016. http://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-PD-BUR(2016)04%20Report%20Dariusz%20Kloza_En.pdf

7.2 General bibliography

35th International Conference of Data Protection and Privacy Commissioners, Enforcement coordination resolution, September 2013.

36th International Conference of Data Protection and Privacy Commissioners, Resolution on Enforcement Cooperation, Mauritius, 2015. https://icdppc.org/wp-content/uploads/2015/02/ResolutionInternational-cooperation.pdf

38th International Conference of Data Protection and Privacy Commissioners, Resolution on International Enforcement Cooperation (2016), Marrakesh, 18 October 2016. https://icdppc.org/wp-content/uploads/2015/02/7._resolution_on_international_enforcement_cooperation.pdf

Ad hoc Committee on Data Protection, Draft Protocol amending the Convention for the Protection of individuals with regard to Automatic Processing of Personal Data (ETS No.108), Council of Europe, 5 March 2015.

Article 29 Data Protection Working Party, Opinion 01/2012 on the data protection reform proposals, WP 2012, 23 March 2012.

Article 29 Data Protection Working Party, Statement on the 2016 action plan for the implementation of the General Data Protection Regulation (GDPR), WP 236, 2 February 2016. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp236_en.pdf

Article 29 Data Protection Working Party, Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision, WP 238, 13 April 2016. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp238_en.pdf

Article 29 Data Protection Working Party, Statement on the decision of the European Commission on the EU-U.S. Privacy Shield, Press release, 26 July 2016. http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160726_wp29_wp_statement_eu_us_privacy_shield_en.pdf

Article 29 Data Protection Working Party, Guidelines on the right to data portability, WP 242, 13 December 2016. http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp242_en_40852.pdf

Article 29 Data Protection Working Party, Guidelines on Data Protection Officers ('DPOs'), WP 243, 13 December 2016. http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf

Article 29 Data Protection Working Party, Guidelines for identifying a controller or processor's lead supervisory authority, WP 244, 13 December 2016. http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp244_en_40857.pdf

Article 29 Data Protection Working Party, Fablab "GDPR/from concepts to operational toolbox, DIY - results of the discussion", 2016. http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2016/20160930_fablab_results_of_discussions_en.pdf

Article 29 Data Protection Working Party, December 2016 Plenary Meeting. Press release, Brussels, 16 December 2016. http://ec.europa.eu/newsroom/document.cfm?doc_id=40853

Article 29 Data Protection Working Party, Opinion 04/2014 on surveillance of electronic communications for intelligence and national security purposes, WP125, Brussels, 10 April


Azarya, Sharon, "Privacy network expands global participation and cooperation opportunities", Global Privacy Enforcement Network, 21 March 2016. https://www.privacyenforcement.net/node/660

Barnard-Wills, David, "PHAEDRA II Second round-table event at the Spring Conference of European DPAs", PHAEDRA II Blog, 8 July 2016. http://www.phaedra-project.eu/phaedra-ii-second-round-table-event-at-the-spring-conference-of-european-dpas/

Barnard-Wills, David and David Wright (eds.), Co-ordination and co-operation between Data Protection Authorities, PHAEDRA Workstream 1 report, 1 April 2014, revised 30 June 2014. http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA-D1-30-Dec-2014.pdf

Conference Working Group on European Cooperation, Resolution of the European Data Protection Authorities’ Conference, 18-20 May 2015, Manchester.

Data Protection Commissioner, Statement by the Office of the Data Protection Commissioner in respect of the application for Declaratory Relief in the Irish High Court and the Referral to the CJEU, 25 May 2016. https://www.dataprotection.ie/docs/25-05-2016-Statement-by-this-Office-in-respect-of-application-for-Declaratory-Relief-in-the-Irish-High-Court-and-Referral-to-the-CJEU/1570.htm

Council of Europe, Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data. Council of Europe.

Council of Europe, Convention for the protection of individuals with regard to the automatic processing of personal data, draft explanatory report. https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=09000016806af966

Court of Justice of the European Union, judgment of 6 October 2015 in C-362/14 Schrems v Data Protection Commissioner.

Data Protection Commissioner, "Update on litigation involving Facebook, Maximilian Schrems: Explanatory Memo", 28 September 2016. https://www.dataprotection.ie/docs/28-9-2016-Explanatory-memo-on-litigation-involving-Facebook-and-Maximilian-Schrems/1598.htm

De Hert, Paul, Dariusz Kloza and David Wright (eds.), Recommendations for a privacy impact assessment framework for the European Union, PIAF Project, Deliverable D3, Brussels & London, November 2012. http://www.vub.ac.be/LSTS/pub/Dehert/506.pdf

Eoghan Casey, Digital Evidence and Computer Crime, Academic Press-Elsevier, 2011, 3rd ed., cited in Aida Ashouri and Warden, Cherry, “An overview of the use of digital evidence in international criminal courts”, Salzburg Workshop on Cyberinvestigations, October 2013, p. 1. https://www.law.berkeley.edu/files/HRC/Scholarly_articles_Salzburg_2013.pdf

European Parliament and the Council, Regulation (EC) No 45/2001 of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.

European Parliament and the Council, Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

European Parliament and the Council, Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

European Parliament and the Council, Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). OJ L 119, 4.5.2016.

Page 55: Recommendations for improving practical ... - PHAEDRA Project · 1/14/2017  · phaedra-project.eu Recommendations for improving practical cooperation between European Data Protection

Bibliography

55

European Parliament and the Council, Directive (EU) 2016/1148 of 6 July 2016 concerning measures for a high

common level of security of networks and information systems across the Union, OJ L 194, 19.7.2016,

p.1-30.

European Commission, CIRCABC 3.6 User Guide, Version 2, 22 January 2014.

European Commission, "European Commission launches EU-U.S. Privacy Sheild: Stronger protection for

transatlantic data flows", Press release, Brussels, 12 July 2016. http://europa.eu/rapid/press-release_IP-

16-2461_en.htm

Hijmans, Hielke The DPAs and Their Cooperation: How Far Are We in Making Enforcement of Data Protection

Law More European? ,European Data Privacy Law, 3/2016

Hijmans, Hielke, "Further food for thought on the role of DPAs in our European Structures", PHAEDRA blog,

11 April 2016, http://www.phaedra-project.eu/further-food-for-thought-on-the-role-of-dpas-in-our-

european-structures-some-personal-observations/

Information Commissioner's Office, "Common Thread Network website launched" Press release, 19 October

2016, https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/common-thread-

network-website-launched/

Kloza, Dariusz, Stine Bergersen, Roco Bellanova and Ida Rodningen, Deliverable 2.2: Monitoring report on

emerging ethical challenges and current societal debates, Project LASIE – Large Scale Information

Exploitation of Forensic Data, August 2016, pp. 36-39. http://www.lasie-project.eu/wp-

content/uploads/2015/05/LASIE_D2.2_monitoring_report_v4.2_final_clean.pdf

Kloza, Dariusz and Antonella Galetta “Towards efficient cooperation between supervisory authorities in the area

of data privacy law”, in: De Hert Paul, Dariusz Kloza and Paweł Makowski (eds.) Enforcing privacy:

lessons from current implementations and perspectives for the future, Wydawnictwo Sejmowe,

Warszawa, 2015, pp. 77-108. http://www.phaedra-project.eu/wp-

content/uploads/phaedra1_enforcing_privacy_final.pdf

Kloza, Dariusz & Anna Mościbroda, "Making the case for enhanced enforcement cooperation between data

protection authorities: insights from competition law". International Data Privacy Law, Vol.4, No.2, 2014

McCarthy, Kieren, "Feds in America very excited about new global privacy alert system: Rest of the world: not

so much", The Register, 26 October 2015

Misztal, Barbara, Trust in Modern Societies: The Search for the Bases of Social Order, Polity Press, Cambridge,

1996.

National Authority for Data Protection and Freedom of Information, Annual Report of the National authority for

Data Protection and Freedom of Information of 2014, Budapest, March 2015,

http://www.naih.hu/files/Annual-report_NAIH_2014_EN_FINAL_v4.pdf,

Rodrigues, Rowena, David Barnard-Wills & Vagelis Papakonstantinou, "The future of privacy certification in

Europe: an exploration of options under article 42 of the GDPR", International Review of Law,

Computers & Technology, Vol.30, No. 3, 2016, pp.246-270.

Saitta, Eleanor, "Please Stop Writing Secure Messaging Tools", Dymaxion.org, Amsterdam, 31 October 2015.

Schneier, Bruce, Liars and Outliers: Enabling the trust that society needs to thrive, John Wiley & Sons,

Indianapolis, 2012.

Svantsson, Dan, Extraterritoriality in Data Privacy Law. Copenhagen, Ex Tuto Publishing, 2013.

Wright, David, David Barnard-Wills and Inga Kroener, Findings and recommendations, Deliverable D4,

London 2015, 53 pp. http://www.phaedra-project.eu/wp-content/uploads/Findings-and-recommendations-

18-Jan-2015.pdf

Annex I: Mapping of PHAEDRA I and PHAEDRA II Recommendations

Relation between PHAEDRA I and PHAEDRA II final recommendations

Column key:

(A) PHAEDRA I final recommendations, January 2015.172
(B) Recommendations from "Towards efficient cooperation between supervisory authorities in the area of data privacy law", PHAEDRA I, January 2015.173
(C) Recommendations from "Cooperation among data privacy supervisory authorities by analogy: Lessons from parallel European mechanisms", PHAEDRA II D2.1, April 2016.174
(D) Recommendations from "Best Practices for cooperation between EU DPAs", PHAEDRA II D2.2, April 2016.175
(E) Recommendations from "European and national legal challenges when applying the new General Data Protection Regulations on Co-operation", PHAEDRA II D3.1, September 2016.176
(F) Recommendations for improving practical cooperation between European Data Protection Authorities, PHAEDRA II D4.1, January 2017.

172 Wright, Barnard-Wills & Kroener, op. cit., 2015, pp. 29-34.
173 Kloza & Galetta, op. cit., 2015, pp. 87-103.
174 Galetta, Kloza & De Hert, op. cit., April 2016, pp. 92-94.
175 Barnard-Wills & Papakonstantinou, op. cit., April 2016, pp. 72-74.
176 Papakonstantinou, Pauner, Cuella & Barnard-Wills, op. cit., September 2016, pp. 94-96.

Each row below is headed by the D4.1 recommendation (column F), followed by the corresponding cells of the other columns.

(F) 3.1. Recognise the fundamental equality of supervisory authorities
  (B) 10. Supervisory authorities and their networks should get to know each other better and should know more both about themselves and about their work. Supervisory authorities should treat their counterparts as peers.
  (C) 1. Cooperation should be based on the presumption of the equal value, competence and standing of each supervisory authority and of the legal systems in its jurisdiction and thus on the principles of mutual trust.
  (D) 5. Recognise each other's strengths and weaknesses. 6. Leadership and senior-level support. 7. Relationship management. 9. Clarity and transparency about criteria and reasons for cooperation decisions.

(F) 3.2. Informal mechanisms for cooperation should supplement formal ones
  (B) 22. Means of regulation other than law could also be taken into consideration while developing a framework for the cooperation of supervisory authorities in the area of data privacy. 9. Cooperation among supervisory authorities should rely on comprehensive and harmonised legal "tools" and procedures to be used in cross-border cases. Extra-legal tools should supplement legal ones. To that end, some minimal "table of contents" for any arrangement(s) and/or framework(s) should be agreed in the first place. 14. Supervisory authorities must be genuinely convinced that engaging in cross-border cooperation is beneficial for the mission they realise. 16. Supervisory authorities should continue to enhance their efforts in mutual exchange of know-how by means of study visits, seminars and/or staff exchange.
  (C) 2. Cooperation should be firmly based in law, at least when the supervisory authorities enforce data privacy laws. 13. Informal mechanisms for cooperation shall supplement the formal ones.
  (D) The level of structured coordination and cooperation varies, with coordination ranging from the ad-hoc and informal to areas that do have formal working groups or memoranda of understanding between DPAs. 3. Strong initial planning. 4. Lots of communication. 15. Arrange internal processes for mutual assistance and joint operations.
  (E) Any cooperation system must be based in the mutual trust of its participants.

(F) 3.3. Cooperation should reflect national differences but allow for extra-territorial jurisdiction
  (A) 6. DPAs should address and clarify the issues of jurisdiction and applicable law at the global level. 14. Addendum: Transnationalisation: global risks require global responses.
  (B) 3. Since there are fundamental rights to privacy and data protection at stake, breaches of these rights, especially with cross-border implications, must be adequately addressed. Therefore the framework(s) and arrangement(s) for cooperation of supervisory authorities in the area of data privacy law must render the exercise of these rights practical and effective. 6. Supervisory authorities in the field of data privacy law should be able to exercise, to a reasonable extent, extraterritorial jurisdiction.
  (C) 3. Cooperation should respect national and regional differences of the jurisdictions involved. 4. Supervisory authorities should be able to exercise, to a reasonable extent, extraterritorial jurisdiction.
  (D) It is easier to create a collaborative scheme at the EU level in areas where no current practices exist. 7. Relationship management. 8. Training for less senior staff on mutual assistance and joint operations. 14. Transparency of process.
  (E) Additional, practical guidance to be issued, most likely, by the Board.

(F) 3.4. Cooperation should have as broad a geographical scope as possible
  (A) 3. The European Union should develop co-operation mechanisms with other regional and international stakeholders, in particular the Council of Europe as well as networks and associations of DPAs, PCs and PEAs.
  (B) 4. The closer to the individual the case is solved, the better. The arrangement(s) and/or framework(s) should be user friendly. 5. In order to ensure "practical and effective" protection, supervisory authorities in the field of data privacy law should cooperate also with their counterparts in other areas of law and with judicial authorities, also in different jurisdictions, as long as their counterparts touch upon data privacy issues. They should also involve civil society organisations for this purpose. They should not refuse cooperation with international or regional bodies (such as the Council of Europe) and networks of supervisory bodies. The legal system should explicitly permit such cooperation.
  (C) 5. Cooperation should have as broad a geographical scope as possible.

(F) 3.5. Cooperation should be developed gradually and its functioning should be reviewed periodically
  (B) 21. Stakeholders should bear in mind that the development of such a framework is a time-consuming process. 23. The data protection reform in the EU will not stop in 2015 and there is a tight agenda to do so.
  (C) 6. Cooperation should be developed gradually and its functioning should be reviewed periodically.
  (D) The development of the European Data Protection Board under the GDPR, and its increased role, increases the possibility for strategic management and planning. Several activities (coordinating privacy risk assessment, technology watch and some types of coordinated public communication, particularly in relation to international investigations and cross-border issues) sit in the area of low difficulty-high benefit with a high potential return on effort. 2. When embarking on a joint initiative, first get comfortable. 12. Consider strategic-level agreements and memoranda of understanding amongst regular co-operators. 13. Conduct regular review of cooperation procedures.
  (E) Additional, practical guidance to be issued, most likely, by the Board. Many of the issues analysed in this report constitute measures of the success of the GDPR.

(F) 3.6. Decide how to share the costs of cooperation
  (B) 18. Supervisory authorities should reach an agreement on the way of covering the costs of cooperation. The establishment of a system for the mutualisation of costs should not be excluded.
  (C) 8. Stakeholders should share the costs of cooperation.
  (D) 10. Determine if assistance is necessary or nice to have. Recognise the potential resources drain. 11. Be generous with invitations to participate.

(F) 3.7. Keep translation to a minimum while dealing with individual cases. Maximise translation in public communication
  (B) 17. Supervisory authorities need to understand themselves, their work and their "clients", i.e. data subjects and data controllers or processors. Despite English being the lingua franca, they need to establish procedures for interpretation and translation of meetings and information shared.
  (C) 7. The need for translation and interpretation should be reduced to an absolute minimum. The type of information exchanged should determine the very need for translation and interpretation. The supervisory authorities should have the right to waive such a need. Supranational legal provisions should govern the linguistic regime.
  (D) Coordination of public communication is an area where co-ordinated activity is certainly possible, and could be increased from the low current level at relatively little cost.

(F) 3.8. Cooperate on the development of policies and practices to prevent data privacy violations
  (B) 12. Supervisory authorities should take the lead in preventing data privacy violations from occurring, including cross-border ones. Therefore cooperation should include all powers and duties and not just enforcement.
  (C) 10. Cooperation should pay equal attention to the development of policies and practices preventing data privacy violations from occurring.
  (D) Clear potential for the development of a shared approach and shared guidance on privacy and data protection impact assessment. Strategic agreement would have to be reached on the desired approach. Collaborative privacy risk assessment sits in the area of low difficulty-high benefit with a high potential return on effort.

(F) 3.9. Set up a collaborative technology foresight task force. Offer research funds to that end
  (A) 13. DPAs should develop a common view of the forensic tools used by them in order to have a common technical approach.
  (D) Because the products of technology watch can be shared between DPAs, there are substantial benefits to integrating technology watch activity.

(F) 3.10. Explore alternative dispute resolution methods
  (C) 11. Supervisory authorities should support alternative dispute resolution (ADR) methods for data subjects and controllers/processors; this includes ADR by electronic means.

(F) Recommendations on complaint handling: 4.1. Introduce detailed guidelines with regard to GDPR complaint handling requirements. 4.2. Linguistic barriers need to be addressed. 4.3. Apply common enforcement practices where possible. 4.4. Introduce a common complaint classification system for internal DPA management purposes. 4.5. Enhance public participation and transparency in handling complaints and, therefore, trust, through the use of automated electronic management platforms. 4.6. Introduce complaint-handling procedures that take into account knowledge-management processes.
  (C) 12. Supervisory authorities should be empowered and obliged to act speedily on cross-border data privacy violations.
  (D) The networks and institutions through which to develop a common strategy are in place; however, different philosophical and methodological approaches to enforcement remain the key area of challenge. 8. Training for less senior staff on mutual assistance and joint operations. 11. Be generous with invitations to participate. 12. Consider strategic-level agreements and memoranda of understanding amongst regular co-operators. 14. Arrange internal processes.

(F) Recommendations on the consistency mechanism: 5.1. Manage public expectations about the appropriate placement of the consistency mechanism with other law enforcement mechanisms in Member States. 5.2. Delineate the scope of the consistency mechanism against other forms of cooperation. 5.3. Adopt detailed by-laws and operations provisions. 5.4. The EDPB should be both an adjudicator and a consultation mechanism. 5.5. Explicitly address the right of appeal.
  (B) 1. The legal arrangement(s) and/or framework for the cooperation of supervisory authorities in the area of data privacy law should be as clear, simple and easy to apply as possible. Unreasonable multiplication of the said arrangements and/or frameworks runs a risk of counter-productivity. 7. The arrangement(s) and/or framework(s) for cooperation of supervisory authorities in data privacy law should not permit data controllers and processors to escape liability for data privacy violations, in particular by establishing business in a particular place so as to be beyond the effective reach of the law of certain jurisdictions.
  (D) The development of the European Data Protection Board under the GDPR, and its increased role, increases the possibility for strategic management and planning. The internal management of the EDPB and how it will undertake its consistency activities still need to be resolved. 3. Strong initial planning. 11. Be generous with invitations to participate. 13. Conduct regular review of cooperation processes. 14. Transparency of process.
  (E) Additional, practical guidance to be issued, most likely, by the Board. Knowledge exchange amongst DPAs, know-how exchange amongst DPAs, establishing ways of communicating amongst DPAs, training, DPA access to academic and related material, dissemination activities aimed at data subjects; publication and openness, continuous re-assessment and re-evaluation.

(F) Recommendations on information sharing (aggregated): 1. Protection of personal data. 2. Linguistics and translation. 3. Accessibility. 4. Security. 5. Admissibility of digital evidence. 6. Usability. 7. Alerting and project management. 8. Repository.
  (A) 9. DPAs should develop a single, central, comprehensive list of contacts at other DPAs, preferably a contact list available to all DPAs.
  (B) 13. Supervisory authorities need appropriate financial, human and technical resources to carry out their duties and exercise their powers in the context of cooperation.
  (C) 9. Cooperation should maximise the use of information and communication technologies.
  (D) EU DPAs need to agree on what information they need to share, and how that information will be shared; then an appropriate platform can be adopted or developed.

(F) Earlier recommendations that are out of scope of the EU focus of PHAEDRA II, or that explicitly addressed legal frameworks that are now settled issues due to the passing of the GDPR. These recommendations remain pertinent for extra-EU cooperation, including extra-EU cooperation when an EU DPA is involved.
  (A) 1. Both Member States and EU lawmakers should create an adequate legal framework in internal law allowing DPAs to engage in EU, European and international co-operation. 4. The European Commission should play an active role in the development of a co-operation framework for DPAs. 10. In the context of the ICDPPC, DPAs should develop an online platform for sharing information and providing different types of documents (resolutions, criteria, guidelines, regulations). 12. DPAs should collectively finance a cooperative infrastructure (including a small secretariat) at the ICDPPC level.
  (B) 1. The legal arrangement(s) and/or framework for the cooperation of supervisory authorities in the area of data privacy law should be as clear, simple and easy to apply as possible. Unreasonable multiplication of the said arrangements and/or frameworks runs a risk of counter-productivity. 2. There might be no need to create a specific branch of law or specific legal constructions for the cooperation of supervisory authorities in data privacy law if existing legal tools, even if combined, can sufficiently protect data privacy. 11. Legal frameworks should permit supervisory authorities to act speedily upon any cross-border data privacy law breach, including the indication of interim measures, also ex officio. 13. Supervisory authorities need appropriate financial, human and technical resources to carry out their duties and exercise their powers in the context of cooperation. The legal framework should allow them reasonable time to investigate cross-border violations.

(F) Earlier recommendations that are (at least to some extent) included within the GDPR regime.
  (A) 2. DPAs should have the power to directly award damages and impose fines, and a broader mandate to share information. 8. DPAs should increase the number of DPAs involved in the co-ordinated expression of shared concern.
  (B) 7. The arrangement(s) and/or framework(s) for cooperation of supervisory authorities in data privacy law should not permit data controllers and processors to escape liability for data privacy violations, in particular by establishing business in a particular place so as to be beyond the effective reach of the law of certain jurisdictions. 8. Whenever supervisory authorities start dealing with a cross-jurisdictional case, they should be obligated to notify ex officio their counterparts concerned without undue delay. Subsequently they should be able to exchange information relevant for the case under appropriate safeguards. 9. Cooperation among supervisory authorities should rely on comprehensive and harmonised legal "tools" and procedures to be used in cross-border cases. Extra-legal tools should supplement legal ones. To that end, some minimal "table of contents" for any arrangement(s) and/or framework(s) should be agreed in the first place. 19. An agenda for the development of the framework for the cooperation of supervisory authorities should be developed, prioritising the most urgent, concrete and pertinent issues to be addressed. 15. The worldwide cooperation of supervisory authorities in the area of data privacy needs encouragement from the authorities themselves as well as from policy makers, in particular from international and supranational ones. These bodies should set standards for efficient cooperation.

(F) Recommendations that were practically attempted within PHAEDRA II (in particular in Deliverables D2.1 and D2.2).
  (A) 5. Privacy and data protection legislation and cooperation instruments for DPAs should distinguish and promote forms of cooperation and best elements for co-operation between DPAs. 11. DPAs should provide a repository of best practice, which would allow them to learn from their international peers.
  (B) 20. In designing this framework, lessons should be learnt from cooperation in other areas of law.

Annex II: The DPA Cooperation Scorecard (work in progress)

The DPA Cooperation Scorecard is an attempt to offer a framework for evaluating the development of the cooperation mechanisms under the GDPR (i.e. the EDPB) as well as other DPA cooperation mechanisms worldwide. The scorecard, building on the experience of both PHAEDRA projects, was launched during the 38th International Conference of Data Protection and Privacy Commissioners (ICDPPC), held in Marrakesh, Morocco, in October 2016. It was subsequently discussed among EU DPAs during the plenary session of the Article 29 Working Party, held in Brussels in December 2016. The scorecard is a work in progress whose conclusion is not anticipated within the lifetime of the PHAEDRA II project; rather, it remains an open invitation for future research.

A scorecard is a visualisation accessory that may be used as a metric for the effectiveness of policies. While the introduction of policies, practices and legal norms may demonstrate the willingness of the parties concerned to achieve specific purposes, implementation may be hindered by practical or other barriers that make law-making efforts ineffective. It may also be that the results of these policies are not proportionate to the resources spent. A scorecard may help identify shortcomings or deficiencies in an easily viewable and comprehensible manner, and so help to overcome them. In addition, scorecards often prove particularly useful when comparing policies or legal norms.

However, the above also constitute a scorecard's inherent limitations. Broad categorisations and classifications are required in order to visualise policies and the effectiveness of legal norms; such categorisations may ignore or underestimate important details, or they may overestimate the effect of certain factors over others. Ultimately, concerns may be raised as to whether a scorecard is a suitable tool to measure social phenomena. This is why transparency about criteria and metrics is necessary in order to mitigate the risk of arbitrary assessments.

The ultimate goal of the DPA Cooperation Scorecard is to grade or measure, as well as to compare, the multiple aspects of DPA cooperation under a given mechanism. In its first iteration, the Scorecard is based on the criteria identified during the PHAEDRA II project as the most important. These criteria could be graded either in a binary way (yes/no) or by some qualitative measurement, e.g. on a scale from 1 to 10. The criteria are then projected onto the respective DPA networks that are already in operation or will soon become operational; bilateral cooperation is not assessed.

It is therefore hoped that through this visualisation tool it will be easy to establish points and fields where improvement might be needed, e.g. by following the example of other cooperation mechanisms or by making full use of available regulatory tools. Ideally, such an assessment should be performed at regular intervals.


[Figure 3: "Cooperation Scorecard", 38th ICDPPC, Marrakesh, 18 October 2016. Columns (networks): EDPB, GPEN, AFAPDP, RIPD, ICDPPC, Spring Conf., Berlin Group. Rows (criteria): FORMATIVE: Jurisdiction; Choice of law; Recognition & enforcement. PRACTICAL: Sharing information (incl. confidential? incl. personal data? how? e.g. a platform); Communication (public): awareness-raising, training; Technology watch; Resources: time, money, people; Languages; Costs; Self-development: staff exchanges, sharing best practice. QUALITATIVE: Trust; Solidarity; Transparency; Respect.]

Figure 3: The DPA Cooperation Scorecard as introduced at the 38th ICDPPC (2016) by Paul De Hert, Vagelis Papakonstantinou and Dariusz Kloza.

The DPA Cooperation Scorecard is divided into networks and criteria. Existing cooperation networks among DPAs are listed on the horizontal axis. For the time being, the ones mentioned are the EDPB, GPEN, Association francophone des autorités de protection des données personnelles (AFAPDP), Red Iberoamericana de Protección de Datos (RIPD) as well as the DPA international conferences and the Berlin Group in Telecommunications. On the vertical axis, a number of cooperation criteria may be found. Their list, at this stage, is obviously non-exhaustive. These are distinguished into three categories, namely “formative”, “practical” and “qualitative”.

(i) Formative criteria177

Jurisdiction: The criterion of jurisdiction refers, in the first place, to the legality of the establishment of a DPA and to its ability to cooperate. In the second place, it is about the way jurisdictional issues are addressed. In particular, attention is given to the handling of cross-border cases, the designation of a competent DPA, the participation of other DPAs belonging to the same network, the structure and speed of relevant processes, etc.

Choice of law: The applicable law for cross-border cases within the network under examination. Under normal circumstances, this will follow the designated jurisdiction as per the above criterion.

Recognition & enforcement: This criterion is aimed at addressing questions such as the mutual recognition of intra-network DPA decisions, common enforcement operations and measures, any appeal processes, etc.

177 A curious reader will see that these criteria build upon a classical triangle of private international law (conflict of laws). In a cross-border case, a plaintiff needs first to know which court is competent to hear her case, which law this court would apply, and how to recognise and, should the need be, to enforce a judgment (decision, etc.) if assets are kept in a different jurisdiction.

Page 66: Recommendations for improving practical ... - PHAEDRA Project · 1/14/2017  · phaedra-project.eu Recommendations for improving practical cooperation between European Data Protection

Annex II: The DPA Cooperation Scorecard (work in progress)


(ii) Practical criteria

Sharing information: Is information sharing enabled within the network under examination? Which data are made available? Are personal data also exchanged, or only factual, case-specific information? Are exchanges performed through secure means? Are they automated, for example over an electronic platform, or carried out by simple means such as email exchanges?

Communication to the public: Are there any public communication practices or expertise available within the network under examination, e.g. awareness raising or training?

Technology watch: The infrastructure in place, if any, for keeping DPAs participating in the network under examination up to date on technological developments within the personal data processing field is assessed under this criterion.

Resources: Under this criterion, the resources of the network under examination are assessed, particularly in terms of time and personnel requirements for participating DPAs, as well as any funding requirements or opportunities.

Languages: The operational (official) languages of the network under examination, as well as the methods implemented in order to address the multilingualism problem among participating DPAs, are assessed under this criterion. First of all, have the linguistic problems been solved?

Costs: How are cooperation costs covered (shared)?

Self-development: Under this criterion, the network's policies for self-development, e.g. with regard to DPA personnel exchanges or best-practice sharing, are assessed.

(iii) Qualitative criteria

These criteria differ from the ones listed above in the sense that they refer to abstract, and perhaps non-measurable, qualities ("soft" criteria). However, an attempt to at least catalogue them is undertaken under the DPA Cooperation Scorecard, both to highlight their importance and to list any relevant occurrence that may serve as a best practice and point of future reference.

Trust

Solidarity

Transparency

Respect
