Civil society organisations as natural allies of the data protection authorities

Wojciech Wiewiórowski

Earlier this year , we met with the European civil liberties organizations to discuss the state of data protection and privacy in the EU. This ‘EDPS-Civil Society (CSO) Summit’ is becoming a fond tradition I believe on both sides.  I will meet a number of these good people again for the RightsCon event, this year to be held in Toronto 16-18 May, where I will be part of a panel on the ‘global state of data protection’

Data protection authorities and non-governmental organizations are natural allies when it comes to putting data protection principles to practice, empowering individuals to assert their rights and holding data controllers accountable for their actions. In the recent years, civil society has brought landmark data protection an privacy challenges (for example, Digital Rights Ireland (CJEU), Zakharov v. Russia (ECtHR), 10 human right organizations v. the United Kingdom (ECtHR)), to the regulatory and judicial authorities, thereby developing both the law and rights awareness among a broader public.

A right to an effective remedy under the GDPR

This brings me to the first issue discussed at this year’s EDPS-CSO Summit - individual and collective redress under the General Data Protection Regulation (GDPR). In the 2014 report, the EU Fundamental Rights Agency acknowledged the important role of the CSOs in helping victims of data protection violations to overcome various challenges in exercising their right to effective remedy.

These include difficulties accessing personal data due to the information asymmetry between the data controllers and data subjects, assessing the comprehensiveness of the information received in response to data subject’s access requests, and identifying the right entity to address such requests to. As discussed during the Summit, there are also cases when individuals are not coming forward and reporting data breaches due to the sensitive nature of the information at stake, e.g. in the context of dating platforms, whistle-blowers or children.

In light of the obstacles to the effective exercise of the data protection rights, GDPR relaxes the legal standing rules for the CSOs allowing them to better fulfil their role. Article 80 of the GDPR provides for the data subject’s right to be represented by a non-profit body in the legal proceedings. Besides, the Member States may allow organizations to undertake a case independently of individual’s mandate, at their own initiative.

I have been working with the EU legislator to include these rights in the GDPR, and consider the new redress mechanisms as an important achievement. Now it is up to the Member States to make the necessary legal arrangements and ensure that individuals have the recourse to these rights under the national law. I encourage the national legislatures to create a system that will ultimately serve and benefit the individuals the most - the one where they can both entrust the civil society organizations to act on their behalf, and where their explicit mandate is not required for action. During the Summit, the Netherlands was mentioned as a jurisdiction with such favourable collective redress rules, and I advise the ones in charge of GDPR implementation to look for and learn from the best examples.

Together with the civil society organizations, we agreed to monitor national implementation of Article 80 of the GDPR. In parallel, I will work with the EU legislator to ensure that the analogous redress mechanism is made available under the future ePrivacy regulation.

Monitoring online content

The second big issue is ongoing legislative and political developments with respect to the monitoring of illegal and harmful content online. As the concerns over disinformation, ‘fake news’ and hate speech online are growing, policy makers are struggling to come up with the effective solutions to counteracting them. Most recently, the Commission has set up a High Level Group on Fake news charged with providing a better understanding of a phenomenon, defining roles and responsibilities of the relevant stakeholders and advising the Commission on the way forward. Back in November, I have met with the Commissioner Gabriel on whose initiative this High Level Group was set up and expressed my support in this endeavour, which is far from the easy ones.

There was a common agreement any remedies to these legitimate concerns need to respect the fundamental right to data protection. The EDPS has previously expressed its position on the regulation of online content on at least two occasions. In 2012, we responded to the consultation held by the DG MARKT, and in 2015, we participated in the Commission’s consultation on the regulatory environment of online intermediaries. On both occasions, we called for an increase in legal certainty of the proposed rules, their harmonization across the EU, and alignment with the existing legislation, such as the eCommerce Directive. We pointed out that when notice-and-action procedures imply processing of personal sensitive data, they requires having additional safeguards in place. These concerns have been echoed by the representatives of the CSOs.

The quest of solutions for addressing disinformation, harmful or illegal content online cannot focus on curbing the freedom of speech. We should rather shift our attention to the enablers, the ecosystem behind the widespread illegal content and to strengthen the enforcement of the existing rules under the data protection, consumer protection, and competition law. As pointed out in the recent study by the Harvard University, “we need to broaden the lens and assess all of the tools available to online commercial advertisers. Disinformation operators in the future will replicate all of these techniques, using the full suite of platforms and technologies”.  I will soon release an opinion to advance the debate on the emerging non-commercial uses of personal data.

The voice of the digital rights groups is particularly important in the growing debate around ethical implications of technologies, such as how artificial intelligence and big data challenge notions of individual agency, accountability and freedom in the public space. This is why we are delighted that two representatives of CSOs have kindly agreed to take an active role in the 40th annual International Conference of Data Protection and Privacy Commissioners (ICDPPC) by joining the conference’s Advisory Committee.

I am very much looking forward to continuing our discussion with the civil society representatives at RightsCon, during the upcoming ICDPPC, and on many other occasions to come.