Introduction
Developments in data protection in the European Union (EU) have received extensive scholarly attention in recent years. For some, the degree of protection provided under EU law constitutes the basis on which modern data protection regulation is being designed. By contrast, considerably less attention has been devoted to developments on data protection stemming from the Council of Europe (CoE). This despite the fact that the so-called Convention 108 was deemed groundbreaking at the time of its adoption (in 1981).Footnote 1
While Convention 108 (and its modernised version, Convention 108+Footnote 2) are addressed to member states, a key change took place within the organisation on 1 January 2023, when new Data Protection Regulations entered into force further to a Resolution of the Committee of Ministers (CM).Footnote 3 The (outdated) 1989 Regulations of the Secretary General (SG)Footnote 4 were repealed and, after years of delay, a broad reform within the organisation was finally adopted. This development has, to date, escaped scholarly attention. The new CoE Data Protection Regulations amended the mandate of the CoE’s Data Protection Commissioner (hereafter Commissioner) and formally established a Data Protection Officer (DPO) within the organisation (even though a DPO had already been operational since 2019).
This contribution focuses on institutional reform within the CoE in the field of data protection and, in particular, on the reform of the two aforementioned offices (CoE Commissioner and DPO). First, it seeks to understand what inspired the creation or revision of the mandate of these offices. Drawing on the literature on institutional transplants, and the framework of institutional isomorphism more specifically, it shows (through a comparison of the respective mandates) that the design of the CoE offices was heavily inspired by that of their EU counterparts. This is significant because (i) on a broader level, there is a dialectical relationship in the development of data protection law between the EU and the CoE, but (ii) in terms of institutional design, it was the EU legal framework (specifically that which applies to the EU institutions and bodies) that was used as the reference point for the framework surrounding both CoE offices. Second, the comparison of the legal framework of the EU and CoE offices also reveals differences, especially in terms of institutional powers or prerogatives. In particular, notable differences are identified regarding the supervision and enforcement powers of the Commissioner (but fewer discrepancies in the institutional design of the DPOs). Indeed, there are key powers in the arsenal of the Commissioner’s counterpart at the EU level, the European Data Protection Supervisor (EDPS), that are not ‘mirrored’ by CoE Regulations: for example, in terms of enforcement, the Commissioner cannot impose administrative fines or refer a matter to a judicial authority (which, in the CoE case, would be the Administrative Tribunal of the Council of Europe). The article then explores the reasons behind this divergence: is it justified by the differences across both legal orders and the need for differentiation (where appropriate) or did the CoE drafters limit the powers of the Commissioner with a view to restricting avenues for accountability? The article argues that there are no good reasons to justify the Commissioner’s weaker institutional configuration. Existing shortcomings may undermine the Commissioner’s role to act as an accountability mechanism within the organisation in the field of data protection. It is therefore essential that the Commissioner’s mandate be strengthened in a revised Resolution of the CM.
This study, the first devoted to the new data protection rules within the CoE, is significant for several reasons. It shows that the impact of the EU data protection framework now extends beyond the national level and informs the design of international organisations. That is even more important since it was the CoE that originally acted as an inspiration and source of the first generation of EU data protection standards and, consequently, the development of a robust data protection framework. Thus, the CoE needs to intensify its efforts in that field (to take one example, the modernised Convention 108+ has not yet entered into force). Furthermore, rules on institutional design are no less significant than substantive (data protection) rules: if anything, it is the supervisory authorities (and the DPOs) that implement, interpret and enforce substantive rules, thereby contributing (alongside judicial and legislative institutions) to their development over time.
The article proceeds as follows. The next section provides the necessary background to situate the subsequent analysis of the institutions, namely the dialectical evolution of data protection law between the CoE and the EU. It shows that, more recently, the direction of influence has been reversed, and goes from the EU to the CoE. The following section revisits some key tenets of transplants of institutions and institutional isomorphism, in particular. Remarks about the institutional position of the supervisory authority and the DPO will then facilitate the comparison of mandates. The subsequent sections scrutinise the legal frameworks surrounding the EDPS and the Commissioner and the DPOs of the two organisations. This confirms that institutional isomorphism applies to these cases. Nevertheless, while assessing the divergences of the respective mandates, the penultimate section critiques the choice of the CoE organs to establish a weaker supervisory authority and argues that a revision of its mandate is appropriate. The last section offers some concluding remarks.
I. The dialectic relationship and evolution of data protection in the EU and the CoE
The cooperation between the EU and the CoE (including between the Luxembourg and Strasbourg courts) in the field of human rights is far broader than data protection, and sometimes has even taken the form of antagonism—but this line of research is well documented and will not be pursued further here.Footnote 5 Regarding the evolution of the right to data protection, one would need to start with the right to privacy,Footnote 6 but, in spite of an obvious connection between the two rights, their precise interrelationship remains subject to debate.Footnote 7 Unlike the European Convention on Human Rights (ECHR), there is a separate right to data protection under the Charter of Fundamental Rights of the European Union (EU CFR) (Article 8),Footnote 8 which further provides for the establishment of independent supervisory authorities in the field of data protection.Footnote 9 Data protection regimes (including the EU framework, discussed below) have also been subjected to criticism. For example, with reference to the EU legal order, it has been claimed that the very broad scope of application of data protection could render such law the ‘law of everything’.Footnote 10 Other commentators claim that a more nuanced approach is preferable, pointing to the multidimensional significance of the right to data protection.Footnote 11
Nevertheless, even if the EU is currently considered a pioneer in that field, the development of data protection law in Europe (and the right to data protection, more generally) originated in the CoE.Footnote 12 Indeed, Convention 108 (on the protection of individuals with regard to automatic processing of personal data) is generally regarded as the first legally binding convention in the field of data protection.Footnote 13 Its Explanatory Report remains a highly interesting (or even prophetic) text, even though it was adopted in 1981.Footnote 14 In addition, earlier case-law of the European Court of Human Rights (ECtHR) referred (directly or indirectly) to personal data as falling within the scope of Article 8 ECHR;Footnote 15 while also linking Article 8 ECHR with Convention 108 in its reasoning.Footnote 16
The EU followed suit with the adoption of a major piece of legislation: Directive 95/46/EC.Footnote 17 That Directive is widely regarded as having been inspired by Convention 108 (for example on the ‘elimination of public/private divide’ in terms of data processing).Footnote 18 Indeed, as stated in the Directive preamble itself, one of its aims was to ‘give substance to and amplify’ the protection and rights enshrined in Convention 108.Footnote 19 Accordingly, the explanatory text to Article 8 EU CFR referred, inter alia, to Convention 108 and the fact that it had been ratified by all EU member states.Footnote 20 Overall, until the adoption of the Directive and in the few years following its adoption, the CoE was exercising significant influence over the EU in the field of data protection.
This trend would be reversed in subsequent years. One of the drivers of this shift was the landmark line of judgments by the Luxembourg Court,Footnote 21 especially once the Charter became legally binding; another was the adoption of EU Directive 95/46. In 2001, an additional Protocol to Convention 108 was agreed regarding supervisory authorities and transborder data flows; this Protocol drew on Directive 95/46/EC, as Convention 108 had not addressed the question of supervision or cross-border flows. As to the Court, the far-reaching impact of its judgments in data protection law raised significantly the level of data protection in the EU and paved the way for major legislative interventions (such as the General Data Protection Regulation (GDPR)). They reaffirmed and expanded the scope of rights recognised under EU law (such as the ‘right to be forgotten’, to be codified later on in the GDPR), and prohibited the transfer of data to third countries that do not provide an equivalent level of protection, often invalidating agreements with considerable impact for multinational corporations. The Lisbon Treaty, itself viewed as having an ‘enormous impact on the development of data protection law’,Footnote 22 included a legal basis under Article 16 of the Treaty on the Functioning of the European Union (TFEU) for data protection legislation—it was on this basis that the GDPRFootnote 23 and EU Regulation 2018/1725Footnote 24 (applicable to the EU institutions and bodies) were subsequently adopted.
The adoption of the GDPRFootnote 25 became the catalyst for the revision (modernisation) of Convention 108,Footnote 26 but (as will be shown later) it also accelerated developments for the adoption of data protection rules within the CoE. After all, the Commission was an ‘active participant’ in the revision of Convention 108, with a view to ensuring consistency with EU rules.Footnote 27 Accordingly, more recent case-law of the ECtHR on data protection has referred extensively to the jurisprudence of the Luxembourg Court.Footnote 28 Joint efforts to embed a culture of respect for data protection, addressed (mainly) to national authorities, should be noted.Footnote 29
The earlier sections have provided useful background to the analysis of institutions that follows: they have illustrated the mutual influence of the two legal orders in the development of data protection rules, but also the reversal of the direction of influence (from the EU towards the CoE) in recent years. This article argues that this influence extends to the design of institutions in the field of data protection. Despite some discrepancies regarding the CoE supervisory authority, the institutional design of both the Commissioner and the DPO was heavily influenced by the EU legal order. The article will now turn to the institutional isomorphism framework to substantiate this claim.
II. Some remarks on institutional isomorphism
It is often claimed that, given ‘variations in the organisation of power between one country and another’, institutions are the most ‘resistant’ to legal transplantation.Footnote 30 Nevertheless, and without providing here an assessment of the acceptance or functionality of the new CoE framework,Footnote 31 which will need to be evaluated in due course, the mutual dialectical relationship between the two international organisations presents a more favourable environment for institutional transfer than would be the case in a transfer across two domestic jurisdictions. More generally, the phenomenon of legal transplantationFootnote 32 has admittedly been studied primarily with reference to transplants across national legal orders, or perhaps a supranational legal order and a national one; less so across two international (or supranational) orders. And yet, there have been accounts that rely on the framework of institutional isomorphism to provide an explanation of the transfer of institutions.
Indeed, work primarily rooted in sociological theory sought to explain the homogeneity across organisations and develop a typology of institutional ‘isomorphic change’.Footnote 33 To that end, ‘attraction’ is a key driver for institutional isomorphism:
Isomorphic institutional change occurs if institutional models exist that institutional entrepreneurs actively seek to imitate because they are interpreted as attractive institutional solutions to the problems being faced. In this case, isomorphic change is the result of voluntary imitation and is motivated by the expectation of achieving superior results after existing institutional models are adopted. Actors are not pushed but pulled toward a specific institutional solution.Footnote 34
Gains of this strand of institutional isomorphism include, most notably, the absence of ‘learning costs’ and (more generally) decision-making costs: actors need not reinvent institutional design but rather apply successfully tested institutional models.Footnote 35 In fact, public sector organisations (as opposed to business or non-profit organisations) have been found to be even more ‘vulnerable’ to the different types of institutional pressure analysed in the institutional isomorphism literature.Footnote 36
In this context, the EU has served as a fertile case study through which to examine institutional transfers—primarily from the member state to the EU level. Thus, scholarly work has explored, for example, the institutional design of the European Monetary Union (EMU) and its national reference points (Germany, in particular) as a means of increasing the EU’s legitimacy;Footnote 37 or the creation of the office of the European OmbudsmanFootnote 38 and the European Court of Auditors.Footnote 39
Given the previous discussion, the modelling of the new CoE data protection offices on their EU counterparts can be understood as the result of institutional isomorphism, particularly the kind of isomorphism that is based on attraction, rather than coercion (power).Footnote 40 The dialectical relationship in the field of data protection (see earlier section) serves as useful background in understanding the existence and nature of the aforementioned institutional pressures. The comparative examination of the mandates in subsequent sections will illustrate the extent of the similarities between the respective EU and CoE offices (especially in the case of DPOs), as well as some differences.
To provide a fuller understanding of the respective mandates of both the Data Protection Commissioner and the DPO, a broader discussion of the institutional position of both offices is apposite. That is the purpose of the next section. Before this, a disclaimer is warranted. Regarding the EU legal order, references will primarily be made to EU Regulation 2018/1725 (addressed to the EU institutions) and only complementarily to the GDPR (addressed to the member states). However, it is well-known (as is also stated in its preambleFootnote 41) that Regulation 2018/1725 sought to align data protection law applicable to the EU institutions with the provisions of the GDPR,Footnote 42 in as much as the former EU regulation applicable to EU institutions, Regulation 45/2001,Footnote 43 sought harmonisation with the standards of the (now repealed) Directive 95/46. A parallel might be drawn, perhaps, between Convention 108 addressed to member states (which is broader in scope) and the CoE Data Protection Regulations (applicable to CoE organs).
III. Broader remarks on the institutional position of the data protection supervisory authority and the role of the Data Protection Officer
A. Data protection independent supervisory authority
The EDPS, the CoE Data Protection Commissioner, as well as the respective authorities of the member states should be regarded as ‘independent supervisory authorities’ in the field of data protection.Footnote 44 The institutional position of the supervisory authority (first envisaged by EU Directive 95/46) has been the subject of scholarly analysis. Pursuant to a view shared by many commentators, data protection authorities have a ‘mixed character’, which encompasses ‘shaping’ versus ‘applying’ data protection rules.Footnote 45 This ‘balance between advocacy and enforcement’ is also reflected in the design of the EDPS,Footnote 46 and may also be found in the mandate of other EU bodies that encompass a complaint-handling dimension, such as the European Ombudsman, despite their differences.Footnote 47
Moreover, as a mechanism of ‘administrative accountability’,Footnote 48 data protection authorities are increasingly considered to be part of a separate (fourth) branch of governmentFootnote 49—for some called the ‘integrity branch’, which is separate from legislatures, judiciaries, and the executive.Footnote 50 From a constitutional perspective, this elevates the importance of the authority within the legal order, but also entails that, in order for the independent authority to be able to undertake its functions as part of the ‘fourth branch’, sufficiently broad powers should be granted to it, including in the field of enforcement. Crucially, Article 8 is the only EU CFR provision which requires oversight of a right by an independent authorityFootnote 51—thereby further underlining their role as guardians of data protection.
The independence of data protection supervisory authorities (with reference to Directive 95/46/EC) was also highlighted by the Court of Justice in Commission v Germany and other cases,Footnote 52 but arguably in Facebook Ireland as well (although that judgment also raises different issues which need not be discussed here in detail).Footnote 53 As the explanatory report to Convention 108+ underlined, supervisory authorities are ‘an essential component of the data protection supervisory system in a democratic society’.Footnote 54 Despite these guarantees (and their acknowledgement by the CJEU), challenges in enforcement persist: one such challenge might be reconciling tensions between data protection and freedom of expression.Footnote 55
B. Data protection officers
It is perhaps more challenging to understand or classify the institutional nature of DPOs. Contrary to the new CoE Data Protection Regulations, Convention 108+ does not provide for this office: its explanatory report states that one of the means via which the controller and/ or the processor (in the context of their ‘general accountability responsibility’ under Article 10(1)Footnote 56) can ensure that the right to data protection is effective and facilitate the ‘verification and demonstration’ of data protection compliance is via the appointment of such office.Footnote 57 This post was envisaged in some member states prior to the GDPRFootnote 58 and was mentioned in Directive 95/46/ECFootnote 59 as well.Footnote 60
The GDPR views the DPO (whose appointment is compulsory in cases mentioned in Article 37) as an office that primarily provides advice on the application of data protection rules, monitors compliance, and cooperates with the supervisory authority. Interestingly, beyond a ‘cornerstone of accountability’, the DPO is also viewed as an ‘intermediary’ between different stakeholders, such as ‘supervisory authorities, data subjects, and business units within an organisation’.Footnote 61 Thus, ‘strengthening accountability is an important step to promote trust with users, both offline and online’.Footnote 62 This ‘dual responsibility’Footnote 63 of the DPO—providing advice but also ensuring compliance—does not mean that they are personally responsible for non-compliance; that responsibility remains with the controller and/ or the processor. It is therefore possible to consider the DPO as a ‘sui generis’ office, providing ‘leadership based on authority and expertise rather than on formal powers over the governance of personal data within organisations’.Footnote 64
The CJEU has underlined that, in light of the objectives of the GDPR, DPOs should be able to undertake their duties in an independent manner: national legislation that provides for the termination of employment of a DPO only with just cause is compatible with Article 38(3) of the GDPR, so long as the overall objectives of the Regulation are preserved.Footnote 65 As such, compared with data protection authorities, (i) the DPOs arguably enjoy independence, but under less stringent standards; (ii) their multidimensional role as outlined earlier renders them a softer avenue of accountability.
The cooperation between the DPO and the supervisory authority is no less complicated. That is because (i) they seemingly perform a number of similar tasks; (ii) the supervisory authority is above the DPOs; but (iii) there is no formal structure of hierarchy.Footnote 66
On this last point it is worth drawing a distinction between institutional settings that have both a DPO and a supervisory authority (as in international organisations like the EU and the CoE) where there is more room for such cooperation (and informal hierarchy) to manifest itself, and public or private authorities in which only a DPO operates and where there is no formal relationship with the supervisor. This article is focused on the former institutional setting, where both a DPO and a supervisory authority operate.
Having discussed the institutional position of these offices in broader terms, the next two sections will compare the mandates of the respective CoE and EU offices.
IV. Comparing the mandates of the EDPS and the CoE Data Protection Commissioner
The process of appointment of the two office-holders differs, but is also a reflection of the different sizes and natures of the respective organisations. In the EU case, a variety of interests needs to be taken into account, as reflected by different institutions (most notably the European Parliament, the Commission, and the Council). The EDPS is therefore appointed by common accord by the European Parliament and the Council, ‘on the basis of a list drawn up by the Commission following a public call for candidates’ for a period of five years which can be renewed once.Footnote 67 The Data Protection Commissioner is ‘elected by representatives of the member States in the Convention Committee established under Article 22 of the Convention 108+’.Footnote 68 However—and here the similarities with the EU become more visible—‘[t]he Convention Committee shall elect the Data Protection Commissioner from a list of names drawn up by the Secretary General of the Council of Europe following a public call for candidates’. This is a four-year mandate that can be renewed once.Footnote 69 As Convention 108+ has not yet entered into force, transitional arrangements seem to have been put in place to facilitate the election of a Commissioner.Footnote 70
On a broader level, the EDPS understands their mandate as consisting of four pillars of work: ‘supervision and enforcement’; ‘policy and consultation’; ‘technology and privacy’; and ‘cooperation’.Footnote 71 On such broader level, the (new) mandate of the Commissioner includes all of the aforementioned dimensions, with the exception of ‘technology and privacy’. This is a new area of work for the EDPS as well, whereby the aim is to ‘better understand future developments in the technology sector from a data protection perspective’.Footnote 72
Before delving into the three aforementioned areas, it should be underlined that some of the provisions of the CoE Regulations on the Commissioner use almost identical (to the EU Regulation) wording. This undeniably confirms the influence of the latter on the former. Some examples will illustrate this point.
Compare the respective provisions on the independence of the office-holders, which includes refusing to take instructions from any other entity.Footnote 73 Or the almost identical formulation in the (related) field of conflict of interest.Footnote 74 Some of the wording on the powers of the two bodies is also very similar, despite differences that signify an overall weaker position for the CoE Commissioner (discussed in subsequent paragraphs). For example, the text is identical in terms of the authorities’ power to impose a temporary or definitive limitation on data processing,Footnote 75 but the EDPS can, moreover, impose a ban. In both instances, the judicial organs of the respective institutions (in the EU case the Luxembourg Court and in the CoE both the ECtHR and the Administrative Tribunal of the CoE) are excluded from the mandate of the supervisory authorities,Footnote 76 insofar as they perform judicial functions.Footnote 77 The identical wording in places brings to the fore the need to justify the differences. It will be shown below that these mainly concern the powers of these bodies, especially in the field of enforcement and corrective action. For ease of reference, the aforementioned classification used by the EDPS (supervision/enforcement; policy/consultation; cooperation) will be relied upon in the following paragraphs.
A. Supervision and enforcement
It is in this field that one can find the most significant discrepancies in the institutional design of the two offices. This raises important questions about the role of the CoE Commissioner as a robust accountability mechanism within the CoE, a matter examined more closely in the penultimate section of this article.
Thus, the EDPS has, in the first instance, a broad scope of investigatory powers. These range from requesting information from the controller and the processor to accessing personal data to obtaining access to all premises or to undertaking data protection audits.Footnote 78 Both offices have the power to receive complaints alleging an infringement of data rights and/ or initiate inquiries on their own, but when it comes to the specific investigatory powers of the Commissioner the CoE Regulations are less detailed: they refer to the power to request and access personal data; and to access premises, including any data processing and means.Footnote 79
The EDPS also benefits from broad ‘corrective’ or enforcement powers. They include: to issue warnings or reprimands; to refer matters to the European Parliament, the Council, and the Commission; to impose a temporary or permanent limitation or ban (see also earlier); to order the controller or processor to comply with the data subject’s requests, to bring processing in compliance with the EU Regulation, and to communicate a breach to the data subject; to ‘order the rectification or erasure of personal data or restriction of processing’; to impose an administrative fine in cases of non-compliance; to ‘order the suspension of data flows to a recipient in a Member State, a third country or to an international organisation’; and ‘the power to refer the matter to the Court of Justice under the conditions provided for in the Treaties and to intervene in actions brought before the Court of Justice’.Footnote 80
By contrast, the CoE Commissioner’s powers are much more limited. Like the EDPS, they have the power to order the organisation to notify data breaches, bring operations in compliance with the CoE Regulations, or respect the rights of data subjects under the Regulation; or to order the rectification, erasure, or destruction of all data.Footnote 81 As noted earlier, a temporary or definitive limitation of processing can be imposed—but not a ban. However, the CoE Commissioner cannot impose fines. Moreover, they cannot refer the matter to a judicial authority (which in this case would be the Administrative Tribunal). They also do not appear to have the power to refer matters to the CoE’s consultative organ, the Parliamentary Assembly, with a view to raising awareness. They have no power to stop the transfer of data to third countries or other international organisations, although they are consulted by the SG (who makes the decision) and provided with all relevant information, in this respect.Footnote 82
The wording of the CoE Regulations is also rather confusing regarding the office that has the power to make a decision on whether a data breach has taken place (under the EU Regulation, it is the EDPS). Thus, regarding the examination of complaints, upon the conclusion of the investigation the Commissioner within two months shall communicate their findings to the SG. These ‘may include ordering any remedial action’ within the parameters specified earlier.Footnote 83 Crucially, however—and this is probably the most unusual of provisions in the Regulations, at least insofar as the mandate of the Commissioner is concerned:
The Data Protection Commissioner’s findings shall be final and binding. The Secretary General shall take a decision in accordance with the findings of the Data Protection Commissioner and notify the decision, together with the findings of the Data Protection Commissioner, to the data subject who lodged the complaint. The Secretary General may decide to award compensation for damages in justified cases.Footnote 84
It is unclear how the ‘final’ and ‘binding’ decisions are compatible with the delegation of the decision to the SG, who furthermore has clear discretion in the award of damages.
While complaints may be submitted by ‘data subjects’, a distinction (not present in the EU framework) is drawn in terms of judicial enforcement depending on whether or not the data subject is a CoE staff member. If so, and if the data subject disagrees with the decision of the SG, they may bring an appeal before the Administrative Tribunal of the CoE.Footnote 85 If they are not a CoE staff member, then a ‘final and binding arbitration’ should be established in accordance with the Permanent Court of Arbitration Optional Rules for Arbitration between International Organisations and Private Parties.Footnote 86
B. Policy and consultation
Both offices have an advisory or even educational function under their remit. However, in this field as well the remit of the Commissioner is narrower. To begin with, there is an institutionalised process at EU level (‘prior consultation’) whereby the EDPS is consulted in high-risk cases of data processing, after the conclusion of an impact assessment (which also involves the DPO).Footnote 87 Such process is effectively entrusted to the DPO in the CoE framework, who, after being contacted by the controller, may decide to consult with the Commissioner if the risk ‘to the rights and fundamental freedoms of the data subjects due notably to the nature and volume of the data or the nature, scope and purpose of the processing’ is ‘particularly high’.Footnote 88 This matter is returned to below, in the discussion of the mandate of the DPO.
Beyond this more formal process, the advisory function of both offices is established in the respective instruments, but the EDPS has, once again, a broader remit. They can advise data subjects on their rights and—crucially—‘issue, on [their] own initiative or on request, opinions to Union institutions and bodies and to the public on any issue related to the protection of personal data’.Footnote 89 This very broad advisory function covers matters pertaining also to member state enforcement—hence, for example, the important EDPS Opinion (2012) on the proposed GDPR and on the broader revision of the EU data protection ‘package’,Footnote 90 among many other examples. The Commissioner also has the power to advise but seemingly only upon a relevant request: the Regulations state that the Commissioner can ‘formulate opinions at the request of the Data Protection Officer or a controller on any matter relating to the implementation of these Regulations’.Footnote 91 To be sure, this advisory function has been used on multiple occasions, including in the first years of implementation of the new data protection framework (as some, but not all, staff members within the organisation were keen to adjust or modernise practices with a view to complying with the new framework).Footnote 92 However, when compared to the broad advisory remit of the EDPS, the narrower advisory function of the Commissioner—who appears to have to anticipate an ‘invitation’ to express an opinion, but also does not extend to any data protection matter but only matters relating to the implementation of the CoE Regulation—could also be seen to undermine its operational independence. This matter is returned to in Section VI
Given the aforementioned distinction on judicial enforcement, questions could also be raised about the extent to which the Commissioner could advise and assist data subjects who are not staff members of the organisation. That being said, the Commissioner meets with staff in the context of working visits and provides advice, accordingly.Footnote 93
C. Cooperation
The EDPS has established a high-profile international institutional presence in the field of data protection, arguably going beyond the confines of the EU. The point to be made here is that such work follows significant guarantees in the applicable legal frameworks. Once again, the Commissioner’s relevant provisions are less ambitious (and therefore weaker) in scope.
Thus, the EDPS not only participates in the activities of the ‘European Data Protection Board’ (EDPB)Footnote 94 but also provides its Secretariat. The GDPR states that EDPS staff working for the Board Secretariat are subject to different lines of responsibility for that work and are accountable to the Board’s Chair.Footnote 95 In accordance with the GDPR, the EDPS and the EDBP have signed a Memorandum of Understanding with a view to facilitating good working practices in a collegiate and mutually supportive professional environment.Footnote 96 The EU Regulation also grants the EDPS and national authorities a broad cooperation and awareness-raising field of work, within their respective competences.Footnote 97
Although there is no equivalent to the Board at the CoE level (and direct comparisons may not therefore be apposite in this field), it may nonetheless be noted that a high-profile role in the field of cooperation with national authorities—which would be those referred to under Convention 108 or 108+ when it enters into force—is not envisaged for the CoE Commissioner. The Commissioner ‘upon request, participate[s] in the work of the Convention Committee established under Article 22 of the Convention 108+ as well as in the work of other convention committees or intergovernmental committees’.Footnote 98 Although the Commissioner’s reports indicate that such participation is regular,Footnote 99 the absence of de facto participation/membership is indicative of a more limited cooperation role, even if (as noted earlier) the Committee is not comparable to the institutional setting and work of the Board on the consistency and enforcement of data protection law.
D. Financial and budgetary matters
Lastly, there is a stark difference in the wording of the respective provisions related to financial and budgetary matters: the level of resources available to the EDPS cannot even be compared to that of the Commissioner. Given that the volume of work is incomparable, identical resource provision cannot be advocated for. Nevertheless, the overall resource provision for the Commissioner is highly problematic. This matter (crucial from the point of view of financial independence) is returned to in Section VI. Here, it is appropriate to focus on the applicable legal frameworks.
On the one hand, the EDPS is considered equivalent to a judge of the CJEU when it comes to ‘remuneration, allowances, retirement pension and any other benefit in lieu of remuneration’; ‘[t]he budgetary authority shall ensure that the European Data Protection Supervisor is provided with the human and financial resources necessary for the performance of his or her tasks’; ‘[t]he budget of the [EDPS] shall be shown in a separate budgetary heading in the section related to administrative expenditure of the general budget of the Union’ and, lastly, the EDPS is assisted by a Secretariat and staff members, who are appointed by the EDPS and are ‘subject exclusively to his or her direction’.Footnote 100
On the other hand, the CoE Regulations state that the Commissioner’s ‘operational costs’ shall be covered by the organisation, and that they should be ‘provided with adequate secretariat support necessary for the effective performance of her or his functions and exercise of her or his powers’.Footnote 101 There is no reference to a separate budget and/ or staff members reporting to or being under the direction of the Commissioner.Footnote 102
V. Comparing the EU and CoE DPOs
As seen in Section III, the office of DPO can be valuable for any entity, especially if that person(s) has/have expertise in data protection. They can offer valuable advice to administrators: it should not be forgotten that the GDPR was adopted fewer than 10 years ago, which is insufficient time for administrations to familiarise themselves with data protection requirements, a rather technical field. That is even more so in a fast-developing field marked by the expansion of the digital economy and artificial intelligence (AI). Unlike the EU instruments (the GDPR and the EU Regulation), Convention 108+ does not impose an obligation to establish a DPO. The establishment of a DPO within the CoE, therefore, can be seen as further evidence of the influence of the former legal order on the latter.Footnote 103
Even though subsequent paragraphs will refer to the CoE DPO with reference to the 2023 Regulations, a DPO has operated within the CoE since December 2019, apparently further to a Decision of the SG under an unclear legal basis. The time of the appointment of a DPO cannot easily be dissociated from the impact of the GDPR. Further to information available in one of the Commissioner’s reports, their mandate was not too dissimilar from the one formally established under the CoE Regulations.Footnote 104
The size of the EU entails that normally a DPO will be designated for each institution and body.Footnote 105 There is a strong emphasis on expertise (in the field of data protection), independence, as well as a broad mandate that can perhaps best be described as a ‘360 involvement’ in matters pertaining to data protection within each institution.Footnote 106 One dimension (possibly the most important one) is offering advice: to the controller, the processor, or the data subject about their rights. Appropriate resources and access rights should be provided.Footnote 107 Various provisions point to consultation and cooperation with the EDPS—who, as noted earlier, arguably benefits from a hierarchically superior role in the monitoring scheme of the EU, even if not formally expressed in the EU Regulation in such terms.Footnote 108
Under the CoE Regulations, one or more DPOs (presently one staff member) are appointed by the SG. The wording about qualifications is identical to the EU Regulations,Footnote 109 confirming the aforementioned influence between the two legal orders. There is an emphasis on independence, access, and a (perhaps slightly unclear) provision that the SG should ensure that the DPO ‘enjoy[s] widespread visibility within the Secretariat’.Footnote 110
An almost identical provision grants the CoE DPO, too, a ‘360 mandate’ in the field of data protection, emphasising their advisory function.Footnote 111 Reference is made to cooperation with the Commissioner;Footnote 112 however, there are no specific provisions to request advice or consult with the Commissioner, which could mean that the informal hierarchical structure present in the EU is absent from (or at least less visible in) the CoE. By contrast, it is the DPO who is granted an ‘awareness-raising’ missionFootnote 113—in the EU case both the DPOs and (especially) the EDPS are entrusted with raising awareness.
Overall, therefore, and unlike the findings in Section IV on the supervisory authorities, there are no significant discrepancies in the mandates of the DPOs—if anything, in the CoE context the DPO is probably granted a slightly higher institutional profile.
VI. Assessing the institutional divergence between the Data Protection Commissioner and the EDPS
This section argues that the differences between the supervisory authorities across the two legal systems should be attributed to a decision by the CoE organsFootnote 114 to establish a weaker mechanism at the CoE level. This is a shortcoming that potentially undermines the role of the Commissioner as an independent accountability mechanism in the field of data protection. Before explaining this position, some possible objections or counter-arguments need to be considered. Indeed, if the purpose of the law is to address problems, then—insofar as the comparative examination is concerned—rules may differ in terms of how they are formulated and yet provide equivalent protection to that same problem.Footnote 115
To begin with, it may be asked whether the CoE had to establish an office with similar or equivalent powers to the EDPS. Despite the obvious inspiration and mutual influence, mandates and functions do diverge across legal orders. Even when international organisations cooperate closely in a specific field (like that of data protection), there is obviously no automatic institutional necessity to adopt identical rules. In this case, the EU is a significantly bigger organisation with broader competences than the CoE (sometimes described as a sui generis organisation, to be placed somewhere in between a member state and a traditional IO).Footnote 116 Also, and crucially, unlike the GDPR, Convention 108+ has not yet entered into force. This is significant because often the requirements at the member state level impact on frameworks, cooperation, and resources at the supranational level. For example, the EU Regulation applicable to EU institutions was updated and harmonised with the GDPR after the latter’s entry into force. Moreover, the GDPR is an EU Regulation with direct effectFootnote 117 (and very broad scope of application at that) while Convention 108+ (once it enters into force) is an international treaty. Thus, there are significant differences which should challenge any automatic and unsubstantiated claim for similar rules (or even a framework establishing an equivalent level of protection). Nevertheless, for several reasons presented in what follows, the discrepancy specifically in the field of supervision and enforcement cannot be justified: the CoE chose to establish a manifestly weaker institution.
On a broader level, the dialectical relationship between the EU and CoE data protection rules and the isomorphic pressures from the EU towards the CoE (see Sections I–II) demonstrate that this discrepancy is rather unusual. More importantly, the assessment of divergences in the supervisory authorities should be viewed in the backdrop of the aims of the CoE reform, as clearly stated in various CoE documents: to modernise the CoE data protection framework and bring it in line not only with EU standards but also with those stemming from Convention 108+ (for which the CoE is undertaking extensive work to ensure that it enters into force as soon as possible). Simply put, this means that the organisation has a responsibility to practise (internally) what it ‘preaches’ (externally).
Thus, in the preamble to the CoE Data Protection Regulations, the CM was ‘[d]etermined to respect the principles of data protection contained in the Convention 108+ within the Council of Europe itself’. Accordingly, the Commissioner’s Report of 2018–2020 noted, regarding the revision of internal rules (still at draft stage, at the time), that the applicable internal rules were ‘outdated and inconsistent with the standards promoted by the Organisation’, and that ‘the urgency and importance of the situation’ had only been recognised with ‘the adoption of the updated version of Convention 108 and the applicability of the [GDPR] of the European Union (in 2018)’.Footnote 118
And yet, in the field of supervision, the CoE Regulations are the only instrument applicable at either supranational or member state level (Convention 108+, the GDPR, and the EU Data Protection Regulation) in which the supervisory authority does not benefit from powers to impose administrative fines or sanctions, or the power to bring legal proceedings.Footnote 119 Accordingly, among these instruments, in instances of complaints it is only the CoE Commissioner who does not adopt the final decision (even if their findings are binding) but rather has to anticipate the decision of the SG.
This is not an insignificant limitation of the mandate. The ability to impose fines (or adopt other sanctioning measures) is a crucial power that can contribute towards ensuring compliance with data protection rules.Footnote 120 How significant this power is for the EDPS can also be seen in the Decision to amend the Rules of Procedure in 2024, with a view to ensuring that the right to be heard is duly respected prior to the imposition of administrative fines or other sanctions.Footnote 121 The importance of granting powers to the supervisory authority for the effectiveness of the data protection framework is also recognised in the Explanatory Report to Convention 108+.Footnote 122
Could it be argued that in the CoE framework the weaker supervisory authority may be compensated, somewhat, with the stronger institutional presence of the DPO? The answer must be in the negative. The functions of the supervisory authority and the DPO may overlap at times, but they are clearly not identical. It is ultimately the supervisory authority, not the DPO, which should act as an accountability mechanism (or at least the main accountability mechanism, if it is considered that the DPO has such a role, too) within the organisation and be granted significant powers. Even so, the DPOs are not substantially different across the two legal orders—which raises questions as to why the supervisory authorities have such divergent mandates/powers. Moreover, it cannot be claimed that the CoE has invested significantly in the role of the DPO. The Commissioner’s report covering 2022–2024 is revealing in this respect. He stated that the appointment of only one DPO is insufficient as the ‘tasks are already considerable for one person, and internal collaboration [with other CoE departments] is not always easy’; and later on that ‘the issue of data mapping is becoming urgent for the Organisation’ and the ‘task is insurmountable for one person’.Footnote 123
The critique advanced in this article is also supported with reference to both the Opinion of the Bureau of the Committee of Convention 108 (T-PD) on the draft CoE Regulations (annexed to the Commissioner’s Report for 2020–2022), as well as the Commissioner’s own comments in the report, even though both documents downplay, perhaps, the discrepancies and state, at various places, that the new CoE framework largely complies with the requirements of Convention 108+.
Proposals by the Bureau that were not followed include that the data subject should have a right to be assisted by the Commissioner; that the Commissioner should benefit from the necessary human and financial resources, a separate budget, and choose their own staff; that the Commissioner should have a broader external profile with increased visibility, which should facilitate awareness-raising; and that there should be no distinction between staff and non-staff members in terms of the authority that should examine appeals stemming from decisions of the Commissioner/SG (currently the Administrative Tribunal for staff members, and arbitration for non-staff members).Footnote 124
The Commissioner opined that while the Regulations were (in his view) largely compliant with Convention 108+, he ‘regret[ted] that not enough account has been taken of the opinion of the Bureau … as that would have made it possible to have provisions that were fully in line with Convention 108+, especially as regards the role and powers of the supervisory authority’.Footnote 125 No further detail was provided.
The current arrangements at the CoE could also undermine the financial and budgetary independence of the supervisory authority. The Commissioner’s role appears to be a part-time, ‘voluntary’ post (largely confined to ‘working visits’ and other invitations to participate), without its own staff (relying, therefore, on ‘limited support from the Data Protection Unit, which already does not have sufficient human and financial resources for the tasks assigned to it’).Footnote 126 This clearly undermines the Commissioner’s role.Footnote 127 As such, the Regulation ‘risks remaining a dead letter, undermining the credibility of the Organisation’.Footnote 128 These comments can be contrasted with the aforementioned financial arrangements and support that the EDPS receives. But, crucially, sufficient financial resources (which may also include an independent budget) are a necessary prerequisite for financial independence: indeed, such requirements apply not only to judicialFootnote 129 but also to extrajudicial institutions with a supervisory function, like data protection authorities.Footnote 130
This discussion indicates that the CoE drafters (and primarily the CM, the CoE organ responsible for adopting the Regulations) made a decision to establish a weaker supervisory authority within the organisation. If anything, the CoE’s stated aims to align the CoE Regulations with Convention 108+ were not met. One can therefore conclude that it was an effort to limit scrutiny and accountability, given the significance of monitoring and enforcement powers for data protection authorities. Such criticism cannot be levelled at the institutional design of the CoE DPO—but the question of limited resources appears to be pertinent for that role, too.
Lastly, it might be asked whether the drafters of the CoE Regulations, granting as they have done a period of two years (since 1 January 2023, when they entered into force) for the administration to fully implement its requirements,Footnote 131 ultimately considered that a weaker version (for example than that of the EDPS) of a supervisory authority might be required in the first years of operation of the new framework. This hypothesis does not find evidence in preparatory work. In any event, this two-year period has now elapsed. Even if all departments within the CoE might still not be fully aware of the requirements and further training is essential,Footnote 132 one can only argue that after the expiration of two years the case can (and should) be made now to align the powers of the Commissioner with those of a fully operational and effective supervisory authority. In other words, this brings to the fore the need to ‘upgrade’ the CoE supervisory authority and bring it in line with its EU counterpart and Convention 108+. This matter is returned to in the concluding section of this article.
VII. Concluding remarks
This article began by exploring the dialectical relationship between the development of data protection in the EU and the CoE. It focused on the transfer of institutions, relying on the framework of institutional isomorphism: in the field of data protection, the EU is exercising significant influence over the CoE—or, conversely, the CoE is attracted by the EU’s institutional arrangements. This is significant because it entails that, beyond substantive norms, the impact of EU law on the CoE now extends to the institutional level. However, the comparison of the EU and CoE supervisory authorities showed discrepancies that cannot be justified. It is argued that such discrepancies may undermine the role of the Commissioner as an independent supervisory authority within the CoE. If the two-year time frame granted by the Regulations may be viewed as a ‘trial period’, such time has now elapsed, and it is therefore appropriate to amend the mandate of the Commissioner in a revised CM Resolution.
Changes that are essential to strengthen accountability within the CoE can now be outlined. The purpose of these recommendations is to establish a supervisory office with a robust mandate in the various functions that such an office should undertake—ranging from enforcement to advice and cooperation with peers. This is the model envisaged by all key relevant instruments (Convention 108+, the EU Data Protection Regulation, and the GDPR). The aim is not to create identical provisions but simply to establish an equivalent level of protection to that of the EU supervisory authority. It is therefore not necessary to prescribe specific formulations and/or wording for the respective provisions.
Thus, the Commissioner should be empowered to: issue administrative fines in cases of non-compliance with data protection rules; refer a matter to the Administrative Tribunal of the CoE; and to adopt a decision on a complaint themselves, without that decision being deferred to the SG. The Commissioner’s advisory function could also be strengthened: the latter should, in particular, be entitled to issue Opinions on their own initiative on all matters pertaining to data protection within the CoE, including on matters pertaining to Convention 108+. The Commissioner should also be a formal member of the Committee established under that Convention. Lastly, the relevant financial/budgetary provisions should be redrafted with a view to establishing the Commissioner as a non-voluntary post (which could entail a permanent post if the volume of work so requires), with a separate secretariat. Obviously, the office would consist of a limited number of staff members but, even so, that would still be a considerable improvement on the current situation.
If these changes are adopted, the CoE will meet the stated aims of the internal reform of its data rules, in establishing a supervisory authority that will largely align with the requirements of the EU framework and Convention 108+. These changes will also inevitably lead to a broader institutional presence for the Commissioner, as the Bureau of Convention 108 had recommended.
The EU influence over institutional design in the field of data protection is truly pervasive since the new CoE Data Protection Regulations, under EU influence on matters of institutional design, apply in the processing of personal data by CoE institutions. As far as institutional design is concerned, then, the reach of the EU data protection framework extends beyond states and informs the design of international organisations too.
Lastly, the EU and the CoE are working closely in many more areas beyond data protection. More recently, for example, significant work is being undertaken in the field of AIFootnote 133—which is also part of the digital economy. It is hoped that this study could pave the way for further research on institutional transfers between the two legal orders or, indeed, institutional transfers from the EU or the CoE to other international organisations.
Acknowledgements
The author is grateful to Yseult Marique, Giulia Gentile, Georgios Zouridakis, the anonymous reviewers and editors of the journal for comments and suggestions on earlier versions of this article. The usual disclaimer applies.
Parts of this article were drafted when the author held a Senior Humboldt Fellowship at the Academy for European Human Rights Protection in Cologne. The author wishes to thank the Alexander von Humboldt Foundation for its sponsorship.