Chapter 13 - Supervision & Enforcement Flashcards
What is the fundamental purpose of regulatory law?
-Fundamental purpose of regulatory law is to shape or influence the behavior of individuals and organizations.
-To be effective, a regulatory system must have the ability to hold these individuals and organizations accountable.
-Any regulation is only as good as the means by which it is supervised and enforced. Powers of supervision and enforcement should not lie only in the hands of regulators; models of optimum regulatory efficiency also vest power in the courts, markets, self-regulatory schemes, and citizens.
What tools does the GDPR incorporate for supervision and enforcement?
-GDPR incorporates tools such as powers vested in regulators, courts, markets, self-regulatory schemes, and citizens.
-The UK version of the GDPR, which has applied since Brexit, also incorporates these tools.
What is self-regulation and why is it considered effective?
-Self-regulation is considered one of the most effective tools of supervision and enforcement because controllers and processors directly control the application of appropriate processes, procedures, and measures to protect data.
-Regulatory laws should require the regulated entity to supervise itself and self-enforce the need for appropriate measures to achieve the required policy objectives.
How does the GDPR advance the idea of self-regulation?
-GDPR advances the idea of self-regulation through the introduction of the concept of accountability (Article 5(2)), which places a positive obligation on the controller to demonstrate compliance with data protection principles.
-It also introduces requirements for data protection officers (DPOs) (Articles 37-39) and focuses on codes of conduct and certification schemes for data protection seals and marks (Articles 40-43).
-Controllers have regulatory functions over their processors, and processors must regulate their subprocessors (Article 28).
What is the role of Data Protection Officers (DPOs) according to the GDPR?
-GDPR mandates the appointment of DPOs for the first time.
-DPOs are focused only on compliance and are immune from dismissal, making them quasi-regulators rather than ordinary employees.
-They have a duty of cooperation with the DPA and effectively act as an extension of the regulator.
-If their organizations come under pressure from DPAs, individuals, or privacy activists for compliance issues, DPOs will take a challenging role within the organization.
What are codes of conduct, certificates, seals, and marks in the context of GDPR?
-Articles 40-43 create a framework for self-regulation by way of codes of conduct and data protection certification mechanisms, such as seals and marks.
-Article 40 encourages representative bodies for controllers and processors to create codes of conduct on any aspect of data protection compliance.
-The adoption of codes is subject to the consistency mechanism in Article 63.
-Certification bodies are accredited either by the DPAs or national accreditation bodies in member states (Article 43).
What remedies are available to individuals for breach of obligations under the GDPR?
-If individuals have complaints about noncompliance, they can take them to the DPAs or courts, regardless of whether they have used the data subject rights or made prior complaints to the controller.
-Articles 77 and 79 provide the operative elements of the GDPR for these remedies. Individuals can pursue litigation, complain to their regulator, or pursue both remedies at the same time.
How does the GDPR empower citizens in the supervision and enforcement process?
-Citizens provide the second line of defense against bad data protection.
-The GDPR creates many rights for individuals:
-such as the right of transparency (Articles 13 and 14)
-right of access to data (Article 15)
-right to rectification (Article 16)
-right to erasure (Article 17)
-right to restriction of processing (Article 18)
-right to data portability (Article 20)
-right to object (Articles 21 and 22).
-Individuals also have a right to be informed of serious personal data breaches (Article 34).
-If individuals are dissatisfied with their ability to exercise these rights, they can pursue both administrative and judicial remedies.
What are representative actions under the GDPR?
-Representative actions, sometimes called group litigation or class actions, allow groups of individuals to be represented as a collective before the courts.
-Article 80 introduces new representative action rights, allowing individuals to be represented by not-for-profit organizations (CSOs).
-Member states can give these organizations representative powers that stand independent of any mandates from individuals.
What is the significance of Article 82 regarding liability and compensation claims?
-Article 82 creates the right for citizens to pursue compensation claims against controllers and processors if they suffer damage as a result of an act of noncompliance.
-Controllers and processors have the possible defense of not being responsible for the event that gives rise to damage.
-The GDPR resolved ambiguities regarding the meaning of ‘damage,’ making it clear that damage includes distress.
What are the tasks of the Data Protection Authorities (DPAs) under the GDPR?
-The tasks of the DPAs are contained in Article 57 and include monitoring and enforcing the GDPR, promoting awareness and understanding of data protection, handling complaints, supporting the consistent application of the GDPR internationally, and monitoring the development of information and communications technologies and commercial practices.
What powers do the DPAs have under the GDPR?
-The powers of the DPAs are contained in Article 58 and include investigatory powers, corrective powers, and authorisation and advisory powers. Investigatory powers allow DPAs to access all necessary evidence, materials, and facilities.
-Corrective powers enable DPAs to warn controllers and processors about dubious data processing activities and to put a stop to business activities.
-Authorisation and advisory powers relate to codes of conduct, certifications, marks, seals, and international transfers of personal data.
What is the one-stop shop principle in the context of GDPR?
-The one-stop shop principle of supervision and enforcement applies to cross-border processing.
-The lead supervisory authority has competence based on the location of the ‘main establishment’ of the controller or processor (Article 56).
-The lead authority is the sole interlocutor for cross-border processing, but non-lead authorities can take action in cross-border situations where the complaint relates only to their territory or substantially affects individuals only in their territory.
What are the administrative fines under the GDPR?
-Article 83 outlines the administrative fines regime, allowing DPAs to impose fines up to a set financial cap (up to €10 million or €20 million) or up to a percentage of worldwide annual turnover (two or four percent).
-Fines must be effective, proportionate, and dissuasive.
-Factors to be considered before imposing fines include:
1. the nature
2. gravity
3. duration of the infringement
4. the intentional or negligent character of the infringement
5. any action taken by the controller or processor to mitigate the damage suffered by data subjects.
What is the Law Enforcement Directive (LED) and how does it relate to the GDPR?
-The GDPR is accompanied by the Law Enforcement Directive (LED), which covers the activities of the law enforcement community in the public sector.
-It contains a mirror supervision and enforcement regime, except for the absence of the lead authority concept and financial penalties.