The European Union Data Protection Supervisor has published its 2006 report. When set up under a 2001 EU regulation, this body was intended to play a key role in harmonising Europe’s data privacy laws and stiffening enforcement. Is it doing its job? Stephen Groom reports.
Topic: Privacy
Who: The European Data Protection Supervisor
Where: Brussels
When: May 2007
Law stated as at: 30 May 2007
What happened:
The European Data Protection Supervisor ("EDPS") published its 2006 Report. The EDPS was set up in 2004 by EU Regulation 45/2001/EC as an independent supervisory authority.
Each spring the EDPS reports its activities over the previous calendar year and its objectives for the current year to the European Parliament, the Council of Ministers and the European Commission.
One of its jobs is to ensure European Union institutions toe the data protection line in terms of personal data they process.
"Third pillar" aspirations
Another task is in the area of the so called "Third pillar." This is to work with national data protection supervisory authorities and bodies with a view to improving consistency across the Union in the protection of personal data. As one of marketinglaw's hobby horses has for long been the glaring discrepancies between member state application and enforcement of EU data privacy laws, this certainly seemed an encouraging step when the EDPS was first set up. So what did it achieve in this area in 2006?
Help to the Article 29 Working Party
The Report tells us that the body contributed to three opinions published by the so called Article 29 Working Party. This is another forum for cooperation between the data protection authorities of the EU.
Apart from this, the Report tells us that "Most of the attention during 2006 was placed on the interrelated framework decision proposals on data protection in the third pillar and on the exchange of information under the principle of availability." Hmmm.
Mention is also made of a "London Initiative" spearheaded by the French and UK data protection authorities and the EDPS. One of the objectives here is to spread awareness of European data protection laws and rights amongst individuals and businesses throughout Europe.
A conference looking at this topic was held in er… London and one of the main points agreed as part of the London Initiative was that data protection authorities across the EU should assess their efficiency and effectiveness and where necessary adapt their practices and that the excessive "legal" image of data protection must be corrected." Amen to that.
And give or take a few other international conferences that seems to be more or less it.
2007 objectives?
So far so uninspiring, but maybe the EDPS be going up a gear on the "third pillar" in 2007, thus justifying its increased budget allocation of €4 million and increased staff numbers of 24?
Objective # Seven for 2007 in the executive summary and the full report tells us under the intriguing heading "Data protection in third pillar" that "Special attention will be given to the development and adoption of a general framework for data protection in the third pillar. The EDPS will also closely follow proposals for exchange of personal data across borders or that provide access to private or public sector data for law enforcement purposes."
Objective #8 entitled "Communicating data protection" says that EDPS will give strong support to follow up activities of the London Initiative aiming at "communicating data protection and making it more effective." This will involve activities from "raising awareness" to "better implementation" and "effective enforcement" of data protection principles."
And that seems to be it.
Why this matters:
Clearly the EDPS has a fair amount on the rest of its plate in monitoring and supervising data protection law compliance by the sprawling EU institutions. But in the so called "third pillar" areas, where so much work is desperately needed if Europe's data protection laws are to be uniformly respected, enforced and complied with, little progress appears to have been made beyond platitudes and some background help to the Article 29 Working party.
Looking at the objectives for 2007, this picture looks unlikely to undergo violent change anytime soon and one cannot help asking whether the EDPS as currently constituted and funded is the right body to be discharging such a weighty and important responsibility. Perhaps it might be better shorn of its so called "Third pillar" harmonisation role and the job given to an upgraded Article 29 Working Party?
Stephen Groom
Head of Marketing and Privacy Law
Osborne Clarke, London
stephen.groom@osborneclarke.com
