European Data Protection Supervisor (EDPS) Peter Hustinx has released a policy paper, “Monitoring and Ensuring Compliance with Regulation (EC) 45/2001” (EU pdf; archive pdf), that “signals a fundamental change of gear in the field of enforcement,” his office says. “The EDPS has to date adopted an approach which prefers to make recommendations and encourage compliance rather than warn or admonish or make legally binding orders. Following five years of such activity, the EDPS believes that the time has come to take a more robust approach to enforcement, particularly in cases of serious, deliberate or repeated non-compliance with data protection principles. This policy therefore introduces a set of criteria which will ensure a proactive, as well as consistent and transparent, application of his enforcement powers.”
From the paper’s introduction:
This policy paper elaborates how the EDPS monitors, measures and ensures compliance with Regulation (EC) 45/2001 (“the Regulation”), and explains the nature of the various enforcement powers, as well as when and how the EDPS will use them. The paper reflects many of the current activities and actions of the EDPS in relation to monitoring and ensuring compliance, and sets out a comprehensive framework for all future work in this area. It is guided by the principles of proportionality, accountability and consistency, and aims to give transparency to what the EDPS does with the information gained from our activities (complaints handling, prior checking, monitoring, etc.) as well as reflect general principles on how we will assimilate and act on this information and, where applicable, the weight or severity we would accord to such information.
The policy seeks to encourage voluntary compliance and best practice, create sufficient incentives for compliance and facilitate targeted action where appropriate, by:
- emphasising where the responsibility for compliance lies
- explaining how the EDPS will support this compliance
- explaining what the EDPS will do in the case of non-compliance
In order to optimise the effectiveness of the existing framework, the policy aims to reflect the layered approach, provided by the Regulation, to guaranteeing data protection in the institutions and bodies of the EU: the institutions/bodies, controllers, data protection officers (DPOs) and EDPS all contribute to the application of and compliance with the Regulation. The policy therefore seeks to exploit these roles and responsibilities, and the underlying synergies in order to ensure effective compliance with data protection principles.