In 'European Data Protection Regulation and the New Media Internet: Mind the Implementation Gaps' (University of Cambridge Faculty of Law Research Paper No. 30/2015) David Erdos
comments
An extensive survey of European Economic Area (EEA) Data Protection Authorities (DPAs) explored the interface between the EU Data Protection Directive and the publication activities of seven types of ‘new media’ internet actor. It is demonstrated that these important regulators have generally adopted an expansive interpretative approach, holding data protection norms to be strongly engaged across this landscape. In contrast, implementation has been weak. Except for street mapping services, each type of new media actor had only faced relevant enforcement action from a minority of DPAs. DPA financial resourcing was also very limited. In addition, the reported enforcement efforts of the DPAs were far from harmonized. Extensive enforcement correlated with a particularly stringent interpretative approach but surprisingly not with better financial resourcing. The proposed General Data Protection Regulation is only likely to make a modest contribution to resolving these serious problems.
He goes on to state
the survey demonstrated that DPAs have generally adopted an
expansive interpretation of data protection’s role vis-à-vis new media expression. In contrast, as regards both
the track-record of most DPAs and the financial resources they have at their disposal, the regime established to
implement these standards has been weak. In sum, notwithstanding a general understanding by DPAs that data
protection standards are clearly engaged by the publication activities of all seven new media actors inquired
about, the survey indicated that only street mapping services had faced enforcement action from more than a
minority of these agencies since the transposition of Directive 95/46. Moreover, the survey suggested that on
average responding DPAs had a budget for all their data protection activities of approximately €3.4M, which
translates into a median per capita budget of just €0.33. Additionally, the survey uncovered evidence of a
serious lack of harmonization as regards different DPAs’ enforcement efforts, with a small minority (10%)
reporting that they had taken relevant enforcement against all seven new media actors, and a rather larger group
(24%) reporting no enforcement action against any of them. Somewhat surprisingly, these differences were not
correlated with divergence in the DPA financial resourcing but, rather, appeared affected by continuing disparity
in the stringency of each regulator’s interpretative stance. In sum, the general gap between interpretation and
implementation, coupled with the additional divergence between DPAs themselves as regards their enforcement
efforts, belies the claim that Directive 95/46 provides, at a practical level, either the high5 or equivalent6 level of
personal information which it mandates must be ensured. Although some of these problems have been
recognised during the current process of European data protection reform, it seems that the proposed General
Data Protection Regulation will likely only make a modest contribution to their resolution.
The rest of this paper is structured into the following seven sections. Section one briefly introduces
the essential legal context including the default structure and substance of Directive 95/46, the original debate
on its interface with public freedom of expression and the evolution of thinking on this issue consequent to the
seminal case of Lindqvist. Section two then outlines the methodology adopted in the research presented,
including elucidating the specific questions put to DPAs in the 2013 survey. Section three presents the general
results of the survey, whilst section four analyses these results. Section five then turns to explore the significant
intra-DPA divergences as regards enforcement, focusing on whether these might explained by divergences in
the level of financial resourcing of these agencies and/or by variation in the stringency of their interpretative stance. Section six explores the likely future shape of European data protection. Finally, section seven offers
some brief conclusions.
