Who protects data protectors?
25/11/16
We recently attended the FBE conference in Luxembourg, dedicated to discussing rights of defence before the EU courts. While Denis Waelbroeck lashed out at rules capping the extension of briefs and Stefan discussed EU Criminal Law, there was not much of an outlook, e.g. at the hottest topic right now: Data Protection.
Parliament and Council adopted the General Data Protection Regulation (‘GDPR’) last spring. Everyone seems to focus on new material requirements and on the heavy fines for failing to comply. Yet Member States are still plotting the rules of procedure… and in Spain we remember Count Romanones’ infamous line after the 1932 election: ‘let them draft the laws, for I shall draft the implementing regulations.’ The Spanish Parliament’s procedural rules, as it were, seem to this very day designed to stop MPs from speaking.
Article 68 et seq. GDPR create a new authority, the European Data Protection Board, composed of the head of one supervisory authority of each Member State and the European Data Protection Supervisor. The Board will address binding decisions to national authorities when these disagree on how to apply the GDPR to a given cross-border case. Such national authorities will then adopt according decisions, after sending the Board a draft.
The issue from a rights of defence perspective is whether or not the Board must hear the parties to the procedure pending before a national authority involved or, in other words, whether it is enough for such parties to plead before the national authority. The Member States’ preparatory work seems to indicate that they’d rather answer the latter question in the affirmative.
We think that curtailing the ability of interested parties (i.e. individuals and companies subject to the GDPR) to plead before the Board would be questionable. Indeed, the most obvious example of the reverse seems to be the request for a preliminary ruling by the ECJ. If this instrument has become the prime driver of EU law it is not least because the ECJ, while not deciding the case before the national court, did and does hear the parties before the latter, getting the full picture of the real issues at stake.
Likewise, the Board is designed to be a key driver of the administrative practice in application of the GDPR. Therefore, there would seem to be every reason to give the Board the fullest possible information on the issues behind a given cross-border dispute.
Hopefully, Member States will share this view eventually.
