Privacy Talk with Romain Robert, Member of the Litigation Chamber of the Belgian DPA: What does it require with judicial remedies for data protection?

Kohei Kurihara
Published in Privacy Talk
Aug 19, 2023

“This interview recorded on 7th August 2023 is talking about data protection enforcement and litigation issues.”

Kohei is having a great time discussing data protection enforcement and litigation issues.

This interview outline:

  • What is the role of civil rights organization in the data protection space?
  • Could you share the story of Schrems Ⅰ to Schrems Ⅱ?
  • What does it require with judicial remedies for data protection?

  • What is the role of civil rights organization in the data protection space?

Kohei: Thank you, I think the NGO in the data protection space is taking a key elementary role to protect fundamental rights. So in this case, what kind of the positions of the NGO to make a practice.

And this is an example you support enforcers to bring this voice to them, so what kind of responsibilities or roles, plays roles in the data protection space?

Romain: Depends on its civil society organization, I would say noyb’s role is a bit specific, it’s using a specific article of the GDPR to enforce the GDPR because the text just gives the civil society organization the rights to file a complaint on behalf of citizens.

And that’s what noyb did. noyb is assisting and supporting people, especially the members because noyb is based on members, and helps them to file a complaint. However, noyb is not always doing complaints for the members because it’s only eight lawyers working at noyb, so it’s not enough to help everyone.

And second, some requests from these people, especially the members, are quite interesting. And that’s usually giving birth to a case. In this case noyb helps to develop the complaint and strategy and to apply for funding and to hire a lawyer and to make publicity about the case.

noyb decides to take a case where it seems to be an interesting case in terms of clarity, legal certainty, or because it will have a massive impact. So that’s what happens to these cases, I would say.

Kohei: Thank you. It’s a very important role to protect the civil rights in this position. So I’d like to move to the next question with you, about the also important case of Schrems I and Schrems Ⅱ, which is very important and noticed, not only in Europe, but also in other countries as well.

So could you share about this story of Schrems I and Schrems Ⅱ, what happened in Europe?

  • Could you share the story of Schrems Ⅰ to Schrems Ⅱ?

Romain: Sure. Schrems is basically the name of Max Schrems, and it was someone behind the name of the decision of the Court of Justice and it’s basically since Max Schrems who was back then, still a student in law school in Vienna, and he filed a complaint against Facebook in Ireland back then.

When he discovered all the data that Facebook was processing about him because he just made a request to Facebook and Facebook shared an entire pile of documents about the data that was processed by Facebook and then complained and it happened that you consider that with the scandal of the NSA surveillance and the Snowden revelations.

(Movie: The NSA and surveillance … made simple — animation)

I guess you heard about them. There was a huge problem of access by the American government to the data of European citizens and decided to litigate the case about this very particular concern meaning the transfer of data from the EU to the US without particular, you know, protection.

Back then, the decision was the framework for the transfer of data between the EU and the US was the safe harbor agreement. And this case went to the Irish DPA and the Irish court and then to the Court of Justice of the EU, which decided to annul the safe harbor agreement.

In Schrems I, the CJEU sent the decision back to the Irish court in Ireland and I think all that happened in 2011. So you can see it’s a long story, a long journey to get there.

When the case was sent back in Ireland, the new Privacy Shield agreement was voted to accept it, which was the second framework for the actions of data between the EU and the US.

That case was then sent back to the Irish court and again to the Court of Justice, which gave, you know, the last decision, Schrems Ⅱ, where the Court of Justice again annulled the second adequacy decision: Privacy Shield, for the same reason as in Schrems I basically.

These reasons were the mass collection in interception of data by the US government of data coming from the EU and the lack of judicial remedy from the EU citizen, where the data were accessed by the US government in the US because the US citizen didn’t have the same right as the American citizen.

Then the court of justice, after this Court of Justice decision Schrems Ⅱ, the case was heard by the Irish court again, and by the DPC in Ireland and finally, and I guess you’ve seen it, in May of this year, the DPC issued a fine against Meta of 1.2 billion euros for illegal transfer of data from the EU to the US without appropriate legal basis.

(Movie: Privacy campaigner Max Schrems on Meta fined €1.2bn over EU-US data transfers)

I would just pass all the technicalities and the details of this case, which is a case that noyb also was supporting. But you can see it took like 13 years to enforce to issue a decision after a complaint.

So it’s really a long, long, long journey to enforce digital rights when it comes to these kinds of cases. And I think it’s really concerning.

And it’s not always really satisfying, I would say for all the actors, of course for controllers because if you are under investigation for six years, you would like to know what you have to do but also for civil society, because it just takes a lot of resources to enforce your rights especially when you are a GDPR professional and it just takes so long and just requires so many resources to enforce your right.

I’m concerned about how regular citizens can enforce their rights without being a professional. Schrems Ⅱ story (or saga whatever you call it) is also giving a good view on how it’s maybe sometimes difficult to enforce your rights in the EU.

But at least this case is not over. Maybe not because as you know there is a new framework that has been voted on by the commission by the EU which is the data protection framework.

And of course this framework will also be challenged. Maybe it’s not gonna be Schrems Ⅲ, it’s maybe noyb. I don’t know. But we’ll see what’s going to be angled to challenge this decision because we have seen that going in Ireland was not really the most efficient way.

So this time, it may be that this will be challenged directly before the court. I hope I made it clear it was really difficult to explain this case.

Kohei: Thank you for sharing a very significant history that you were involved in, and other civic organizations that have committed very important actions in the data protection space. So the next topic is privacy related.

Last year, EDPS has organized the conference in Brussels. And you spoke as a panel on the sessions about data protection and the important requirements for the mechanism. So could you share your ideas? So what does it require for judicial remedies for data protection in your sense?

  • What does it require with judicial remedies for data protection?

Romain: Yeah, remember, this panel was really a nice initiative from the EDPS to discuss the effective enforcement of digital rights and especially the GDPR because as I said, it’s not really easy to make it work.

(Movie: 16 June — Breakout 6 — Power to the People! Judicial remedies & enforcement of data protection)

And going before a DPA and Data Protection Authority is one way for sure. But it’s also sometimes not really easy. I know it since I am still a member of the litigation chamber of the Belgian DPA so I know it is not really easy to enforce it even for DPAs.

Because so many cases and the resources are not unlimited, right? It’s quite difficult. An alternative is to go to court, of course, but as you know, courts, it’s usually expensive.

You usually need a lawyer to go to court. So that’s not really the way that you would just encourage when you want to advise citizens in order to enforce the right to go to court directly, but maybe it’s sometimes a way that can be contemplated for sure.

Knowing that the GDPR recognizes the right to have an effective remedy in front of a court as well. These effective remedies against the decision of the DPA or lack of decision and it’s another problem of course, I can go directly against a company or an organization processing your data if you think that your data protection rights have been violated.

So the first option is to go against the DPA is something that noyb for example, was doing a lot but even other citizens and I’ve seen when they are not happy about the decision of a DPA, they usually appealed the decision that happened, for example, very recently, the case in the court of justice when the Court of Justice decided that DPA just gave a wrong interpretation of the GDPR.

So you see that a lot. But it was also another way to challenge the DPA when DPAs do not adopt the decision, and that happens a lot as well. And working for noyb, I can tell you that complaints that were filed four years ago, still waiting to have an investigation open, for example.

So we understand this is really a long time and here as well, you have an effective remedy against its DPA, but this is really difficult to enforce, because national law is usually not providing any deadline for the DPA to issue a decision.

So we usually had to litigate in front of the court to try to set a precedent or like a case law, saying that, for example, two years was too long for a DPA to not issue a decision so you know that that’s an effective remedy does not mean anything if there is no definition in the GDPR.

So it’s really tiring as well to go to court in every national court to litigate about what does it mean, for example, to handle a case. So, some DPAs say that, you know, we open the case, we think that it was not really important and then we close it, and they consider that they handled the case, which is not of course satisfactory for the citizen.

So in these circumstances, you can decide to challenge the DPA because they did not act. I hope I make myself clear: either you challenge the decision if you’re not happy or you challenge the lack of decision, but it’s really difficult because of this lack of definition in the GDPR of what is handling your case.

You know, what is an effective remedy? It’s not really clear because this obligation of giving you an update every three months about your complaint is not really clear for everyone.

And the other avenue, of course, is going directly to court, not before the DPA against an organization or a company, but of course, that’s quite expensive.

Sometimes it’s better to go before a DPA because they have investigation power that you don’t have in front of the court, because it’s free because we know that this DPA is quite competent to investigate this case.

And sometimes we think that it’s better to go to a national court because we know the system because access to justice is quite cheap. And because we know that this Court is taking decisions quite quickly.

So we have to assess whether it’s better to go to court or better to go to a DPA. That’s the complexity of having access to a real judicial remedy before the court and we are not there yet. I think it’s really, really complicated.

Kohei: Thank you for your kind explanations. I am assuming that the lack of resources is one of the challenges to protect their fundamental rights, and you did great work to explore the best options for the European citizens to protect their own rights.

So that’s the very important action and this topic. And also in the recent Norway DPA made the decisions about the behavior advertisement against. So this news as I mentioned on the Schrems Ⅱ part, then it’s a very important decision against Meta, and other tech companies.

So what do you expect from this decision about the behavior advertisement industry for Norway DPA decision?

To be continued…

Thank you for reading and please contact me if you want to join an interview together.

Privacy Talk is a global community with diversified experts, and contact me on LinkedIn below if we can work together!
