Roles and Powers of National Data Protection Authorities: Moving from Directive 95/46/EC to the GDPR: Stronger and More 'European' DPAs as Guardians of Consistency? Special Issue: The General Data Protection Regulation 2 European Data Protection Law Review (EDPL) 2016

2 Eur. Data Prot. L. Rev. 342 (2016)
Roles and Powers of National Data Protection Authorities: Moving from Directive 95/46/EC to the GDPR: Stronger and More 'European' DPAs as Guardians of Consistency?

handle is hein.journals/edpl2 and id is 368 raw text is:

342 1 Roles and Powers of National Data Protection Authorities

Roles and Powers of National Data Protection

Authorities

Moving from Directive 95/46/EC to the GDPR: Stronger and More
'European' DPAs as Guardians of Consistency?

Andra Giurgiu and Tine A Larsen*

Safeguarding the rights of the citizens to the protection of their personal data in an era of
nearly ubiquitous computing has become increasingly challenging. National data protec-
tion authorities (DPAs), central actors in the data protection landscape, face a difficult task
when fulfilling their missions and acting as guardians of these rights under the provisions
of the outdated Directive 95/46/EC. Critical decisions of the Court of Justice of the European
Union illustrate the challenge of 'stretching' the provisions regarding the powers and com-
petences of DPAs under the Directive to make them applicable to current data processing
realities. The article points out the existing problems under the current framework with re-
gard to powers and competence of DPAs and examines if and to what extent they are mend-
ed by the General Data Protection Regulation (GDPR). It analyses substantive and procedur-
al aspects of the new cooperation model under the one-stop-shop and consistency mecha-
nisms and discusses whether and how these new tools successfully contribute to solve exist-
ing problems.

I. Introduction: Data Protection
Authorities as a Fundamental Pillar of
EU Data Protection Law

The European right to the protection of personal da
ta builds on three main pillars: the obligations of da
ta controllers, the rights of data subjects and the role
of data protection authorities (DPAs).1 The existence
and well functioning of independent DPAs in the
Member States constitutes 'an essential component'
of European Union (EU) personal data protection.2
There has been important case law from the Court

Andra Giurgiu is Post-Doctoral Researcher at the Interdisciplinary
Centre for Security, Reliability and Trust (SnT) of the University of
Luxembourg; for correspondence: <andra.giurgiu@uni.lu>. Tine
A Larsen is the President of the National Commission for Data
Protection of Luxembourg; for correspondence: <info@cnpd.lu>.
Directive 95/46/EC of the European Parliament and of the Council of
24 October 1995 on the protection of individuals with regard to the
processing of personal data and on the free movement of such
data, O.J. L 281, 23 November 1995, recital 62; see also Gloria
Gonzalez Fuster, 'Beyond the GDPR, above the GDPR' (Internet
Policy Review, 30 November 2015) <http://policyreview.info/articles/
news/beyond-gdpr-above-gdpr/385> accessed 18 August 2016.

of Justice of the European Union (CJEU) on the need
to ensure the independence of national DPAs3 exact
ly because of their fundamental role as regards mon
itoring the application and ensuring compliance with
data protection law, as well as generally acting as
guardians of the rights of citizens as far as the pro
tection of their personal data is concerned.
According to Directive 95/46/EC4, each Member
State has the obligation to set up a national DPA, the
mission of which is to monitor the application of the
national data protection laws implementing the EU
Directive. DPAs derive this mandate from legal in

2 Directive 95/46/EC, recital 62.

3 For the CJEU case-law on the independence of national data
protection authorities see also Case C-51 8/07 European Commis-
sion v Federal Republic of Germany [2010] ECLI:EU:C:2010:125;
Case C- 614/10 European Commission v Republic of Austria
[2012] ECLI:EU:C:2012:631; Case C-288/12 Commission v Hun-
gary [2014] ECLI:EU:C:2014:237; but also Case C-362/14 Max-
imillian Schrems v Data Protection Commissioner [2015]
ECLI:EU:C:2015:650.

4 Directive 95/46/EC, art 28 para 1.

EDPL 312016

What Is HeinOnline?

HeinOnline is a subscription-based resource containing thousands of academic and legal journals from inception; complete coverage of government documents such as U.S. Statutes at Large, U.S. Code, Federal Register, Code of Federal Regulations, U.S. Reports, and much more. Documents are image-based, fully searchable PDFs with the authority of print combined with the accessibility of a user-friendly and powerful database. For more information, request a quote or trial for your organization below.

Short-term subscription options include 24 hours, 48 hours, or 1 week to HeinOnline.

What Is HeinOnline?

Purchase Access

Contact Us

Log In

NEED HELP?

CONTACT US

Get started

Subscribe to our Newsletter