New publication on personal data protection in RGSL Research Papers series by RGSL Alumni Laura Grava “Personal data protection in the EU – cooperation and competences of EU and national data protection institutions and bodies“.
This article focuses on the institutional aspect of European Union (EU) personal data protection. The aim of the article is to identify current problems in division of competences and in cooperation between national and EU data protection institutions. The author analyses these aspects on two levels. On the vertical level, the author analyses the competences and cooperation between national and EU institutions and on the horizontal level – the division of competences and cooperation between different national data protection authorities.
As of now, each Member State has different data protection rules and procedures. Moreover, as in the EU context data protection is a shared competence, MS are under the obligation to avoid clashes of interests and competences. But due to the particularities of the current legal setup in the area of data protection, national data protection authorities have different levels of competences, involvement and participation in enforcement and protection of personal data. Even though national data protection agencies are obliged by EU law to cooperate, there are no certain ways or tools to ensure that they do so. And, given the recent Court of Justice of the European Union (CJEU) judgments in Weltimmo, Google Spain, Schrems and other cases involving personal data, the competences and required level of cooperation between national and EU institutions have become more unclear than ever.
The author considers that the current legal setup in terms of inter-institutional cooperation is not effective and is prone to creating more problems. As no clear legal mechanism exists, cooperation can become burdensome, complicated, and lengthy, thus failing to ensure uniform application of EU law and assure the legitimate expectations of data subjects or controllers. Moreover, the latest CJEU judgments on the issue of competences of national and EU data protection institutions can cause uncertainties and possible misunderstandings in terms of clear division of powers. It can be expected that in a few years the current problems should be resolved with the implementation of a new EU data protection regulation.