Data protection compliance in the EU administration
The European Data Protection Supervisor (EDPS) adopted a policy paper that sets out the framework within which he monitors, measures and ensures data protection compliance in the EU administration. The policy signals a fundamental change of gear in the field of enforcement.
The policy seeks to encourage voluntary compliance and best practice and create sufficient incentives for compliance by:
- Emphasising where the responsibility for compliance lies
- Explaining how the EDPS will support this compliance
- Explaining what the EDPS will do in the case of non-compliance.
The paper places a strong emphasis on the principle of “accountability” to encourage compliance and the adoption of best practice in the EU administration. Accountability requires the European institutions and bodies to put in place appropriate and effective measures to ensure compliance with data protection obligations and to demonstrate this to the EDPS.
Peter Hustinx, EDPS, says: “Holding the EU institutions accountable for ensuring compliance with data protection obligations, and for demonstrating such compliance, is a crucial first step in fostering data protection in practice. However, this must be backed up by a framework for dealing with those institutions and bodies that continue to fail to meet the required standards and demonstrate poor compliance records”.
The EDPS has to date adopted an approach which prefers to make recommendations and encourage compliance rather than warn or admonish or make legally binding orders.
Following five years of such activity, the EDPS believes that the time has come to take a more robust approach to enforcement, particularly in cases of serious, deliberate or repeated non compliance with data protection principles. This policy therefore introduces a set of criteria which will ensure a proactive, as well as consistent and transparent, application of his enforcement powers.
The EDPS also emphasizes that transparency and publicity are an important tool both for stakeholders and in terms of good governance. In relation to his enforcement activities, the EDPS will normally publish information regarding any official referrals he makes. He will also consider, on a case-by-case basis, whether it is appropriate to make public any of the other enforcement actions pursued.