28 January 2014

EU Data Protection Remedies

The European Union Agency for Fundamental Rights (FRA) has released a report [PDF] noting that "to uphold fundamental rights, individuals must have access to remedies that are both effective in law and in practice".

The preface to the report comments that it
presents the findings of a sociolegal research project on the main challenges and barriers that individuals encounter when seeking remedy after a data protection violation. It supplements FRA’s previous research on the role of national data protection authorities (DPAs) in the fundamental rights landscape as well as FRA’s Opinion on the proposed EU data protection reform package. 
To understand how data protection violations are remedied in practice, FRA interviewed key players involved in the remedial process: victims of the data protection violations, representatives of the DPAs, non‐governmental organisations (NGOs) and legal professionals. 
This FRA report identifies factors hampering the effectiveness of existing remedy mechanisms. It highlights a persistent lack of knowledge about the protection of personal data. Individuals therefore do not understand what constitutes a data protection violation. When they are informed, they address their complaint to national DPAs, which are key players in the fundamental rights landscape in the European Union. These, however, often suffer from a lack of adequate resources and powers. FRA findings also show that judges and lawyers are not aware of data protection rules. Too few are specialised in this area of law, rendering judicial enforcement of this fundamental right difficult. In the absence of specialised NGOs, the burden falls on DPAs to effectively guarantee data protection.
The report states that
This FRA report encompasses legal and social fieldwork research on European Union (EU) Member States’ remedies in the area of data protection. By offering an EU‐wide legal comparative analysis of data protection remedies, it gives an insight into the availability of remedies in each EU Member State. It also shows the challenges people encounter when seeking remedies following a data protection violation in a selected number of Member States. 
This research aims to provide evidence on the use and application of data protection remedies in the EU Member States studied; to identify the main challenges faced by different actors; and to identify possible improvement in access to data protection remedies.  
Policy context 
The report focuses on two fundamental rights guaranteed by the Charter of Fundamental Rights of the European Union: the right to the protection of personal data (Article 8) and the right to an effective remedy before a tribunal (Article 47). These two fundamental rights should be analysed together because the right to an effective remedy cannot be dissociated from the need to effectively enforce all fundamental rights, including the protection of personal data. 
A number of remedy mechanisms are available to victims of data protection violations. The spectrum ranges from assistance from various non‐judicial bodies and national data protection authorities (DPAs) to the courts, including administrative as well as civil and criminal proceedings. 
FRA’s research focuses on DPAs and the judiciary. It touches on the role of other non‐judicial bodies such as national ombudsmen or other administrative authorities that can promote data protection rights and pro‐ vide remedies for violations. However, the number of non‐judicial bodies reported to be operating in the area of data protection is small and many non‐judicial bodies have only limited powers to offer remedies. 
In addition to the Charter of Fundamental Rights of the European Union guaranteeing the right to an effective remedy and the right to the protection of personal data, the Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data) is the keystone of EU legislation guaranteeing the right to personal data protection in EU Member States. It requires each Member State to set up an independent supervisory authority and provide for the right of every person to a judicial remedy for any violation of the rights guaranteed by the national law applicable to the processing in question. The directive also requires Member States to provide for a remedy against decisions by a supervisory authority which give rise to complaints. Thereby, it acts as a tool to provide access to justice for this area of law. The Data Protection Directive allows Member States to implement these requirements into their own data protection systems. This results in a variety of possible outcomes depending on the Member State in which remedy is sought. 
The European Commission has proposed a comprehensive data protection reform package, bearing in mind the need for more effective enforcement of the fundamen‐ tal right to personal data protection. This report does not assess that reform, but its findings provide evidence to inform and contribute to the reform. 
Key findings 
The legal analysis found that DPAs across EU Member States can issue orders to rectify violations and impose sanctions ranging from warnings and fines to the revocation of licences. Sanctions that DPAs are empowered to impose differ between Member States. In most of them, judicial authorities can award damages for violations, although guidelines on award amounts vary. FRA data shows that in almost all Member States criminal sanctions can be imposed, in the form of a fine or imprisonment. The duration of a sentence and the amount of a fine also vary across Member States. 
Most data protection violations in the 16 EU Member States were thought to arise from internet‐based activities, direct marketing and video surveillance with closed‐circuit television (CCTV) cameras. Institutions responsible include governmental bodies, law enforcement agencies and financial and health institutions. The complainants and non‐complainants interviewed defined the damage from data protection violations as psychological and social. They described emotional distress, offence, insecurity or damage to reputation as well as impact on their relations with other people. Fieldwork participants also reported financial damages but less frequently.  
Most complaints were lodged with the national DPAs and very few went through judicial procedures. Most individuals will not pursue cases before a court because of the lengthy, time‐consuming and complicated procedures and costs involved. This view is widely shared by judges and practising lawyers. Reasons why people more often lodge complaints with national DPAs include the following factors: DPAs do not necessitate high costs; their complaint procedure is shorter and less complex; and the procedure does not demand legal representation. Financial compensation was not a motivating factor to seek redress for the fieldwork participants. Instead, most complainants and non‐complainants say they sought redress to ensure that similar data protection violations do not recur. 
Most interviewees worry about the lack of legal assistance available. Judges and lawyers interviewed noted that there are too few data protection professionals; they also recommended training and more specialisation in data protection law. This lack of data protection experts was also a problem in looking for and trying to access interviewees during the fieldwork. People also raised concerns over the lack of financial and human resources available to DPAs and intermediary organisations specialised in the area of data protection. Many individuals reported difficulty in obtaining information about procedures and insufficient knowledge of remedies. Most interviewees who had suffered a data protection violation said they lacked information; only a minority, defined as ‘well‐informed’, said they had information thanks to their professional background (mainly legal) or previous experience. 
The general public needs to know more about data protection violations, existing remedies and support, as FRA findings show. There is also a need to ensure that professionals dealing with data protection issues are aware of developments in the field and legislation. Fieldwork also indicates that DPAs and intermediaries lack adequate resources. 
Methodology 
Based on FRA legal research analysing laws and rules of procedure in each of the 28 EU Member States, this report provides a comparative analysis of the national legal frameworks in the area of data protection remedies. The social fieldwork is based on qualitative research in the following 16 EU Member States: Austria, Bulgaria, the Czech Republic, Finland, France, Germany, Greece, Hungary, Italy, Latvia, the Netherlands, Poland, Portugal, Romania, Spain and the United Kingdom. 
Over 700 individuals from six target groups were interviewed or took part in the focus groups. These six target groups were complainants; non‐complainants such as alleged victims of data protection violation who decided against seeking a remedy; judges; staff of DPAs; intermediaries, including staff members of civil society organisations; and practising lawyers. 
The report presents an overview of the legal framework and the procedures in place. An assessment of the implementation of the data protection remedies as perceived by the main actors is made by looking at a number of related issues, namely fieldwork findings assessing the accessibility and availability of support structures. These structures help affected individuals to access procedures for remedies (both judicial and alternative) in the field of data protection. The report also presents how interviewees perceived costs, deadlines to be observed and the burden of proof. In addition, it seeks to identify barriers met in using and applying the remedies in the field of data protection, including the perspectives of individual complainants and other relevant actors. It also seeks to identify areas for improvement in accessing data protection remedies.  
Opinions 
This report identifies potential for concrete improvement in a number of areas. The EU institutions, EU Member States and mechanisms involved in implementing data protection remedies could all take action to improve the present situation. The European Union Agency for Fundamental Rights (FRA) has formulated the following opinions based on the findings in this report and previous research as ways forward to improve the availability and quality of remedies available to victims of data protection violations in the EU. 
Strengthening the role of data protection authorities 
Data protection authorities (DPAs), the main actors protecting data protection rights, play a crucial role in processing the overwhelming majority of data protection complaints. Further action is needed to ensure that access to DPAs is effective in practice. 
The independence of DPAs must be strengthened through a reform of EU legislation. They should have enhanced powers and competences, supported by adequate financial and human resources, including diverse and qualified professionals, such as trained information technology specialists and qualified lawyers. 
The European Parliament and the Council of the European Union are proposing regulation to protect individuals with regard to the processing of personal data and the free movement of such data. This General Data Protection Regulation seeks to further harmonise data protection legislation, and to further strengthen the ability of DPAs to remedy violations. 
Data protection strengthening could include safeguards for effective enforcement of their deci‐ sions and reasonable length of procedures (see also, in the specific context of non‐discrimination, the 2012 FRA report on Access to justice in cases of discrimination in the EU: steps to further equality). This would enable DPAs to remain the preferred point of access for remedying data protection violations, while streamlining the existing remedy avenues and decreasing overall costs, delays and formalities (see the 2012 FRA Opinion on the proposed data protection reform package). 
To strengthen their authority and credibility, DPAs should play an important role in the enforcement of the data protection system, by having the power to either issue sanctions, including fines, or procedures that can lead to sanctions (see also the 2010 FRA report on Data protection in the European Union: the role of national data protection authorities). 
This opinion is in line with the findings in the context of other non‐judicial bodies, such as equality bodies, as highlighted in the 2013 FRA Opinion on the EU equality directives (p. 3): “The degree to which complaints procedures fulfil their role of repairing damage done and acting as a deterrent for perpetrators depends on whether dispute settlement bodies are able to issue effective, proportionate and dissuasive sanctions” and “allowing civil society organisations, including equality bodies, to bring claims to court or conduct investigations [...] could help facilitate enforcement.” Data protection authorities are encouraged to be more transparent, as well as to communicate effectively with the general public, providing necessary information and easing access to remedies in practice. In addition, as highlighted by the 2010 FRA report on the role of national data protection authorities in the EU, DPAs “should promote closer cooperation and synergy with other guardians of fundamental rights [...] in the emerging fundamental architecture of the EU” (p. 8). Such steps would improve the image of DPAs, their perceived effectiveness and independence and the trust of the general public. 
Enhancing the role of lawyers and judges 
Legal professionals rarely deal with data protection cases, so they are not aware of the applicable legal procedures and safeguards. There is a lack of judges specialised in this area. 
The EU could financially support training activities for lawyers and judges on data protection legislation and its implementation at Member State level. EU Member States should seek to strengthen the professional competence of judges and lawyers in the area of data protection, providing training programmes and placing added emphasis on data protection issues in the legal curriculum. This would increase the availability of sufficiently qualified legal representation. 
Strengthening professional competence would also help reduce the length of proceedings. The gap in such competence is one of the barriers to seeking redress before courts, as confirmed by the 2011 FRA report on Access to justice in Europe: an overview of challenges and opportunities, and by the findings of this fieldwork. 
Strengthening the role of civil society organisations 
The report highlights the importance of intermediary organisations as a source of information, advice, legal assistance and representation. However, only a very limited number of civil society organisations are able to offer comprehensive services for victims of data protection violations. The EU and its Member States should increase funding for civil society organisations and independent bodies in a position to assist such victims seeking redress. 
Victims are often reluctant to bring claims. Allowing civil society organisations to bring claims to court or con‐ duct investigations could constitute an important step to help enforcement. As already emphasised in other FRA reports and opinions, and confirmed by the findings of this report, strict rules relating to legal standing prevent civil society organisations from taking a more direct role in litigation in cases of fundamental rights violations (see the 2011 FRA report Access to justice in Europe: an overview of challenges and opportunities and the 2012 FRA report Access to justice in cases of discrimination in the EU: steps to further equality). 
The 2012 FRA Opinion on the proposed data protection reform package in particular says that the EU should consider further relaxing legal standing rules to enable organisations acting in the public interest to lodge a data protection complaint in cases where victims are unlikely to bring actions against a data controller, given the costs, stigma and other burdens they could be exposed to. As underlined in FRA reports on access to justice, this would also ensure that cases of strategic importance are processed, thus enhancing the culture of compliance with data protection legislation. Such broadening of the legal standing rules should be accompanied by additional safeguards preserving the right balance between the effective access to remedies and abusive litigation. The Commission has proposed a form of representative collective redress in the General Data Protection Regulation. 
Reducing costs and easing the burden of proof 
Victims of data protection violations are dissuaded from pursuing cases for several reasons, including costs and difficulties associated with proving data protection violations. 
EU Member States should consider promoting support through legal advice centres or pro bono work. These support mechanisms should be complementary to, and not a substitute for, an adequately resourced legal aid system. 
Rules on the burden of proof should be streamlined, especially in cases concerning internet‐based activities. 
Raising awareness 
Victims lack awareness of data protection violations and of available remedies. These findings of the FRA fieldwork confirm existing FRA research conclusions. 
As recognised by the 2010 FRA report on Data protection in the European Union, awareness‐raising on data protection legislation is an important task for relevant institutions, such as national DPAs. A similar lack of awareness was highlighted in the 2012 FRA report on Access to justice in cases of discrimination and the 2013 FRA Opinion on the EU equality directives, in relation to EU non‐discrimination legislation. From the general public to judges, awareness‐raising measures are needed. Knowledge about support organisations that complainants can turn to when lodging data protection complaints needs to be significantly increased throughout the EU. The EU could promote and possibly financially support awareness‐raising campaigns at EU Member State level. To raise national practitioners’ awareness of the data protection rules, the FRA, together with the Council of Europe and the European Court of Human Rights, prepared a Handbook on European data protection law. 
EU Member States could consider taking the necessary steps to increase the public’s awareness of the existence and functioning of available complaint mechanisms, particularly DPAs. In addition, DPAs should pay particular attention to cultivating their public profile as independent guardians of the fundamental right to data protection, and should enhance their awareness‐raising activities on data protection.