The European Union Agency for Fundamental Rights released its report “Access to data protection remedies in EU Member States.” The report identified remedies available to those who have suffered data protection violations as well as the obstacles faced by the individuals and organizations who try to help the victims. The report also identified the incentives that would motivate someone to try to access these remedies.
The report laid out the legal and social research, conducted by the FRA, to determine the legal structure that exists in members states, as well as to assess the needs and experiences of those who have suffered data protection violations. Field research was conducted in 16 members states, Austria, Bulgaria, the Czech Republic, Finland, France, Germany, Greece, Hungary, Italy, Latvia, the Netherlands, Poland, Portugal, Romania, Spain and the UK. Seven hundred individuals were consulted, either in interviews or focus groups conducted between April and September of 2012. Those interviewed included lawyers, judges, data protection authorities and victims of data protection violations.
According to the report, many of the violations that the interview subjects faced involved “the processing of personal data, such as collection, storage, disclosure and dissemination.” The violations, committed by both public and private institutions, included the illegal transfer of personal data to third parties, publication of personal data without the knowledge or consent of the victim and the revealing of data to unauthorized persons by controllers, among other violations.
The report listed four main avenues for seeking remedy after a data protection violation has occurred:
- Non-judicial bodies: non-judicial bodies, such as an ombudsman, can be consulted, but the powers of these institutions vary between member states. Some can levy fines or annul the decisions of other institutions, but others can only ask data protection authorities to rectify the violation.
- Data protection authorities: DPAs can issue a variety of administrative sanctions and some can revoke licenses, but this again depends on the member state.
- Judicial procedures: civil and administrative procedures can be filed in some cases which may lead to fines. In other cases criminal proceedings can be filed, which may lead to anything from a fine to a prison sentence.
- Intermediaries: intermediaries may also be consulted, but they mainly serve to bridge the gap between the victim and the courts or government.
Most people who decided to seek remedy did so by filing a complaint with the national DPA. Courts were less frequently consulted, and when they were it was usually for civil proceedings, not administrative or criminal. Most victims interviewed said they chose to seek remedy through their national DPA because the costs were lower and the proceedings were shorter than they would have been if they had gone through the court system.
The majority of those who chose to seek remedy said they did so to prevent future data protection violations or to put an end to ongoing violations. Financial compensation was not a predominant reason.
There were also victims who chose not to seek remedy. Those who chose not to said they did so because the costs associated were too high or there was a lack of accessible legal representation. Many were also unaware of the options available to them.
This lack of information was highlighted in the report as one of the largest problems that faced those who wished to seek remedy for data protection violations. This lack of information not only applied to victims, but to judges and lawyers as well. Many of the judges and lawyers interviewed for the report by the FRA said they needed more training and specialization in matters of data protection violation. DPAs and non-judicial bodies who dealt with these infractions lacked specialization, too, as well as funding.
The report gave suggestions for improving the EU institutions, member states and the mechanisms designed to help victims seek remedy after data protection violations:
- Strengthen DPAs: the report recommended DPAs have more independence as well as increased power to issue sanctions. It also recommended DPAs be more transparent and engage in better communication with the public.
- Supplement the role of the court system: judges and lawyers were not always aware of legal procedures. The report recommended increased specialization in data protection violation, including EU and member state funding of training activities and a greater emphasis in legal curriculums.
- Fortify the role of civil groups: the report recommended increased funding to civil society organizations as well as the ability to lodge complaints on behalf of a victim, if the victim is unlikely to do so on their own.
- Reduce the cost of remedy procedures and ease the burden of proof: litigation has been extremely expensive and it has been very difficult to prove data protection violations. These roadblocks often dissuaded victims form seeking remedy.
- Raise awareness: victims, as well as lawyers and judges, were often not aware of violations and the remedies open to them after a violation has occurred. The report recommended awareness programs at the member state level.
You can read the full report on the FRA website.