Competences of Supervisory Authorities
This position paper can also be downloaded in .pdf format.
POSITION PAPER ON THE COMPETENCES OF SUPERVISORY AUTHORITIES
Enforcement powers for supervisory authorities are the teeth of data protection. Given that the processing of personal data in the law-enforcement sector often has grave consequences for individuals, enforcement rules need to be strong.
(1) OUR ANALYSIS
The rules on supervisory authorities are modelled on those in the proposed General Data Protection Regulation. This makes sense, as it is highly likely that the same authorities will be designated as supervisory authorities under both texts. In many cases, the rules are identical or highly similar, for example as regards the independence of supervisory authorities. Yet, there are some important differences, most notably as regards their powers.
While under the proposed Regulation, contains a long list of specific powers of supervisory authorities (see Article 53 of the proposed Regulation), the provisions of the proposed Directive are less clear: Article 46 mentions that supervisory authorities should have investigative powers and powers of intervention (each accompanied by a list of examples), as well as the power to engage in legal proceedings. While these rules can potentially be strong – national legislators could easily copy & paste the rules from the proposed Regulation with some editorial changes – they also offer Member States the possibility to give less powers to supervisory authorities. This is not acceptable, especially given the possibly serious consequences of data processing by law-enforcement authorities and keeping in mind the numerous scandals regarding the infringements of data protection rules by law-enforcement agencies. Also, the harmonising effect of these provisions is missing.
A further difference is Article 45(6) of the proposed Directive, which allows supervisory authorities to charge fees for “vexatious” requests, as compared to “manifestly excessive” ones under the proposed Regulation (Article 52(6) there). Another difference is the publication of activity reports (Article 47): while under the Regulation, such reports will be public (Article 54 there), their counterparts under the Directive do not necessarily have to be published, only “be made available” to the Commission and the European Data Protection Board.
Article 48, dealing with mutual assistance of supervisory authorities is significantly shorter than the corresponding provision in the proposed Regulation (Article 55). Given that law-enforcement authorities often cooperate across borders, supervisory authorities should also have clear rules on mutual assistance.
(2) OUR RECOMMENDATIONS
- The most pressing changes need to be made to Article 46, which should be redrafted to include a list of powers that is aligned with the list of powers granted to supervisory authorities under the proposed Regulation (Article 53 there). If this is not possible, then at the very least the indicative list of powers (“such as”) should be changed to a minimum list (“including”).
- From the perspective of ensuring full political independence of supervisory authorities, it would be advisable to introduce an explicit clause in Article 41 that would clarify that their members should be appointed by the national parliaments. This can further help to remove supervisory authorities from political pressure (compared to the current wording, which also allows them to be appointed by the government). We have already suggested a similar change to the proposed Regulation.
- In Article 45 (6), the word “vexatious” should be changed to “manifestly excessive”, in line with the provisions in the proposed Regulation.
- Article 47 should be amended to require publication of activity reports. This would increase transparency in an area where it is of paramount importance.
- Article 48 should be brought in line with its counterpart in the General Data Protection Regulation, taking specificities of the law-enforcement sector into account where necessary.