On January 27, the European Agency for Fundamental Rights (FRA), an official agency of the European Union (EU), released its report on Access to Data Protection Remedies in EU Member States. As detailed below, the FRA concluded that redress mechanisms for data protection violations in the EU need improvement. More Specifically, the FRA found that data protection authorities (DPAs) do not have sufficient powers or resources, there are not enough judges and lawyers with adequate knowledge of data protection issues, civil society organizations (e.g., consumer interest and privacy advocacy groups) have difficulty bringing suits on behalf of victims of data protection breaches, the costs and burdens of proof associated with data protection suits are too high, and Europeans lack awareness of remedies for data protection violations.
The report followed the FRA’s survey of over 700 individuals from 16 European Union Member States. Respondents included those who had complained of data protection violations, alleged victims of data protection violations who had not registered complaints, judges, lawyers, DPA staff, and staff members of civil society organizations. The FRA sought to assess the availability of redress mechanisms for data protection violations, identify potential barriers to redress, and propose areas for improvement.
Much of the report focused on DPAs, which, the report finds, receive the majority of data protection complaints. Few complaints are registered via judicial proceedings. The FRA’s survey suggested that individuals turn to DPAs because judicial remedies involve complicated procedures, high costs, and the need to obtain legal representation. However, the FRA found that DPAs were not always perceived as effectively carrying out their duties. For example, some respondents expressed concerns that the political appointment of DPAs may compromise their enforcement of data protection laws against public agencies.
For their part, DPA staff expressed concerns that the lack of financial support and qualified data protection professionals prevented them from conducting thorough investigations of data protection violations. The FRA’s report also noted that as a result of the national implementation of the EU Data Protection Directive, the enforcement authorities of DPAs differ across the 28 EU Member States. The FRA found that approximately half of DPAs are authorized to issue warnings. Although all DPAs are authorized to issue fines, the maximum fine permitted ranges from 12,000 Euros in Romania to 600,000 Euros in Spain.
Many respondents to the FRA’s survey considered judicial proceedings to be more effective than filing complaints with national DPAs or with local administrative bodies, which is permitted in some Member States. The courts are often empowered with more authority than other bodies. Courts can issue warnings, award damages, grant injunctive relief, and impose criminal penalties. As is the case with DPA authorities, the redress that courts can grant varies greatly across Member States.
Despite their perceived relative effectiveness, the report stated that individuals are dissuaded from pursuing judicial relief for several reasons. Judicial proceedings are often lengthy, involve complex procedures, and require complainants to obtain legal representation. Furthermore, judicial proceedings involve a high burden of proof. Many respondents noted that there is a lack of lawyers and judges competent to handle data protection issues.
The issues affecting DPAs and judicial proceedings were not the only obstacles the FRA found for the redress of data protection violations. According to the FRA, civil society organizations provide valuable information and assistance to individuals who have suffered data protection violations. However, the FRA found that there are few organizations that are able to offer such services. The FRA also noted that rules pertaining to legal standing often prevent civil society organizations from pursuing redress for data protection violations. One of the reasons that the FRA would like civil society organizations to have the right to pursue actions on behalf of others is that many Europeans lack awareness of their data protection rights and avenues of redress. The report also confirmed the findings of a 2011 Eurobarometer survey reporting that only 33% of individuals are aware of the existence of national DPAs.
The FRA offered five recommendations designed to address the shortcomings that the agency perceived with the EU data protection framework’s redress mechanisms:
- Increase public awareness of the right to data protection, the nature of data protection violations, and avenues for redress;
- Enhance the role and increase support for DPAs;
- Provide sufficient funding for civil society organizations and allow them to pursue action on behalf of individuals;
- Reduce the burdens of proof and costs associated with the pursuing data protection violations through the judicial process; and
- Increase the number of judges and lawyers competent to handle data protection issues by supporting training and emphasizing data protection in legal curriculums.
For the FRA’s report, click here.
Following the release of the survey on access to data protection remedies in EU Member States, the FRA and the Council of Europe released a practitioner’s guide to European Union Data Protection Law. To read the handbook, click here.