European Data Protection Supervisor A new body in the European Institutional Landscape : the EDPS Presentation at the Court of Justice Hielke HIJMANS 12 March 2007 1 European Data Protection Supervisor Introduction Happy to be back Presentation in 2 parts 1. EDPS as an EC-institution (or body) 2. The EDPS and the Court. What are the relations ? For more info: my article in CMLR 43, 1313-1342, 2006. (Can also be found on www.edps.europa.eu). 2 European Data Protection Supervisor PART 1: Data Protection: a fundamental right Closely linked to privacy but not the same (Art 7 and 8 of Charter) Distinction recognised in C-465/00, Österreichischer Rundfunk. Privacy is more than private life (also work-related issues), but qualified interest. Data protection covers all processing of personal data. In practice Article 8 ECHR (and Strasbourg jurisprudence) plays important role Article 286 EC as recognition. 3 European Data Protection Supervisor Part I: Independent supervision Essential element of data protection, in most western countries (not US). Why? Element of secrecy of data processing: the right is not respected by itself. Proactive enquiries might be needed. Technical skills required. Judicial control not enough. 4 European Data Protection Supervisor Part I: The EDPS A new concept: supervising the institutions Based on Article 286 EC and Regulation 45/2001 Needed to harmonise level of protection within institutions with level in Member States (public and private sector). Wide responsibility ensuring respect of fundamental rights by EU-institutions. Not only supervision but also “consultation” and “cooperation”. 5 European Data Protection Supervisor Part I: The EDPS is not an institution He is not listed in Article 7 EC He has to respect the institutional balance But: he has privileged position (like f.i. ECB or Ombudsman) For specific purposes (budget, Staff) he is equal to institution Court did not find formal status important when granting leave to intervene. 6 European Data Protection Supervisor Part I: The EDPS is not an agency Because of his legal basis in the Treaty itself. His task does not originate in institutions, but is designed to supervise the institutions. Agencies can supervise the market, but not an institution. 7 European Data Protection Supervisor Part I: The EDPS is not a regulator A phenomenon coming from the US; independent authority with powers to give binding decisions and regulatory powers In EU mainly known in connection with liberalisation in specific sectors of market EDPS has many similarities, but also has completely different tasks 8 European Data Protection Supervisor Part I: The EDPS is not an Ombudsman Not an ombudsman for data protection. Complaints with EDPS are remedies, not political rights to participate. EDPS is not alternative to legal protection, but part of it. But, part of “good governance”. Close relation with European Ombudsman, laid down in MoU. 9 European Data Protection Supervisor Part I: Not a judicial authority But he fulfils criteria Court under Article 234 EC (Dorsch Consult). He is established by law, permanent, procedure is ‘inter partes’, he applies rule of law and he is independent. However: he is not meant to be a judge and has many tasks nothing to do with judicial tasks. 10 European Data Protection Supervisor Part I: Sui generis He does not fit in category, but has essential characteristics: 1. Visibility, giving data protection a face 2. Independence, offering additional legal protection 3. Expertise, improving the quality of EU-administration 4. Powers, building additional checks and balances in the system 11 European Data Protection Supervisor PART II: EDPS and Court The EDPS supervising the Court of Justice The EDPS as intervener The EDPS as applicant The EDPS as defendant 12 European Data Protection Supervisor Part II: Supervision and the Court The EDPS supervises all institutions with exception of the court acting in its judicial capacity. Cascade of supervision: Institutions themselves, internal DPO, EDPS, Court of Justice. DPO: internal monitoring in independent manner. Guarantees for independence in Art 24 of Reg 45/2001. 13 European Data Protection Supervisor Part II: The EDPS as intervener Art. 47 of Reg. 45/2001 allows EDPS to intervene. Orders of Court 17-3-2005 (PNR-cases C-317/04, C-318/04). “within limits deriving from the tasks entrusted to him”. Experiences until now. Three opportunities (6 affaires juridiques). 14 European Data Protection Supervisor Part II: The EDPS as intervener 2 Secondary legislation can be legal basis, where primary legislation (Treaty, Statute) is silent. Right to intervene not only relating to supervision of processing of data (as argued by Com) Interest of intervention can extend to cases on legal basis (C-301/06) 15 European Data Protection Supervisor Part II: The EDPS as applicant No experience yet. On one hand: Article 230 EC, limits the number of applicants (this does not include EDPS) On other hand: Article 47 of Reg 45/2001 allowing EDPS to refer matters to the Court Logical consequence if EDPS is part of system of legal protection Will Court follow same line as in PNR? 16 European Data Protection Supervisor Part II: The EDPS is defendant Again Article 230 does not mention EDPS. Position comparable to agencies like OHIM, whose decisions can be contested before the Court. What kind of cases? Appeals by complainants 2. Appeals by institutions?? 1. 17 European Data Protection Supervisor FINAL REMARKS Interesting part was to establish a real role within institutional landscape We did lot, but some roles are still open Still waiting for cases involving EDPS as a party. Those cases could arise before all 3 courts. EDPS is mentioned in Staff Regulations. THANK YOU!!! 18