26 June 2015

Assessing DPA effectiveness

In 'European Data Protection Regulation and the New Media Internet: Mind the Implementation Gaps' (University of Cambridge Faculty of Law Research Paper No. 30/2015) David Erdos comments 
An extensive survey of European Economic Area (EEA) Data Protection Authorities (DPAs) explored the interface between the EU Data Protection Directive and the publication activities of seven types of ‘new media’ internet actor. It is demonstrated that these important regulators have generally adopted an expansive interpretative approach, holding data protection norms to be strongly engaged across this landscape. In contrast, implementation has been weak. Except for street mapping services, each type of new media actor had only faced relevant enforcement action from a minority of DPAs. DPA financial resourcing was also very limited. In addition, the reported enforcement efforts of the DPAs were far from harmonized. Extensive enforcement correlated with a particularly stringent interpretative approach but surprisingly not with better financial resourcing. The proposed General Data Protection Regulation is only likely to make a modest contribution to resolving these serious problems.
He goes on to state
the survey demonstrated that DPAs have generally adopted an expansive interpretation of data protection’s role vis-à-vis new media expression. In contrast, as regards both the track-record of most DPAs and the financial resources they have at their disposal, the regime established to implement these standards has been weak. In sum, notwithstanding a general understanding by DPAs that data protection standards are clearly engaged by the publication activities of all seven new media actors inquired about, the survey indicated that only street mapping services had faced enforcement action from more than a minority of these agencies since the transposition of Directive 95/46. Moreover, the survey suggested that on average responding DPAs had a budget for all their data protection activities of approximately €3.4M, which translates into a median per capita budget of just €0.33. Additionally, the survey uncovered evidence of a serious lack of harmonization as regards different DPAs’ enforcement efforts, with a small minority (10%) reporting that they had taken relevant enforcement against all seven new media actors, and a rather larger group (24%) reporting no enforcement action against any of them. Somewhat surprisingly, these differences were not correlated with divergence in the DPA financial resourcing but, rather, appeared affected by continuing disparity in the stringency of each regulator’s interpretative stance. In sum, the general gap between interpretation and implementation, coupled with the additional divergence between DPAs themselves as regards their enforcement efforts, belies the claim that Directive 95/46 provides, at a practical level, either the high or equivalent level of personal information which it mandates must be ensured.
Although some of these problems have been recognised during the current process of European data protection reform, it seems that the proposed General Data Protection Regulation will likely only make a modest contribution to their resolution.
The rest of this paper is structured into the following seven sections. Section one briefly introduces the essential legal context including the default structure and substance of Directive 95/46, the original debate on its interface with public freedom of expression and the evolution of thinking on this issue consequent to the seminal case of Lindqvist. Section two then outlines the methodology adopted in the research presented, including elucidating the specific questions put to DPAs in the 2013 survey. Section three presents the general results of the survey, whilst section four analyses these results. Section five then turns to explore the significant intra-DPA divergences as regards enforcement, focusing on whether these might be explained by divergences in the level of financial resourcing of these agencies and/or by variation in the stringency of their interpretative stance. Section six explores the likely future shape of European data protection. Finally, section seven offers some brief conclusions.