From Better Regulation to Better Aligning Regulation and Enforcement: The Example of Data Protection

Next year, a new European Commission will take office. It will no doubt develop new policies in the field of better regulation as its predecessors have done as well. In 2015, the current Juncker Commission presented the better regulation for better results policy – the EU’s ‘Better Regulation’ agenda. Since then, the Commission published several policies as part of this agenda, inter alia, a policy on effective enforcement in December 2016. More recently, in October 2018, the Commission presented a policy on subsidiarity and proportionality in EU policymaking. With these policies the Commission has made important steps in improving legislative quality in the EU. One element is missing however: the link between legislation and legislative differentiation on the one hand and the effects thereof on enforcement on the other. This would be an important issue for the next Commission to take up as we will demonstrate here.

Aligning regulation and enforcement

The Commission’s policies on subsidiarity and proportionality and on effective enforcement are at the heart of the EU’s ‘Better Regulation’ agenda. They represent the distinction between legislation on the one hand and enforcement on the other. This distinction is also reflected in the division of authority between the EU and the Member States. The archetype division of authority involves legislation being adopted by the EU and the Member States being in charge of enforcement. However, it has been demonstrated that enforcement of EU law is progressively being Europeanized. And there is more. Also the picture of EU legislation, which entails a full, comprehensive and exclusive responsibility for the EU institutions, needs to be nuanced. Much EU legislation leaves considerable scope for national discretion, and thus for variation in legislative regimes among the Member States – legislative differentiation is thus a common feature of EU legislation. And so a more refined picture emerges of both legislation and enforcement in the EU. This makes the connection between the two even more relevant.

The new policy of the Commission on subsidiarity and proportionality seeks to strengthen these principles in the EU. Strengthening subsidiarity involves leaving certain aspects of regulatory regimes to the Member States and thus allowing for differentiation in legislation where possible. From a subsidiarity perspective, such differentiation strengthens legitimacy – by legislating closer to citizens – and ensures better efficiency in respecting national differences between and within Member States. At the same time, such differentiation comes with downsides and may cause coherency problems and may even result in outright regulatory failures. As a consequence, such legislation is often revised and replaced by more concrete and specific legislation that leaves less room for national and individual choices.

What is remarkable is that this tension between the effectiveness and coherence of EU legislation on the one hand and the need to accommodate national and local diversity on the other is hardly reflected in enforcement approaches. This is exemplified already by the two separate policies of the European Commission. This creates mismatches between regulation and enforcement. The Commission in its 2016 policy on effective enforcement simply states that: “The uniform application of EU law throughout all Member States is essential for the success of the EU” without mentioning how to deal with legislative differentiation itself. This reflects no understanding whatsoever of the abovementioned tension in EU legislation.

Aligning EU data protection laws

This runs the risk that the outcome of regulatory processes will be the exact opposite of what the Commission seeks to achieve with its Better Regulation agenda. The example of EU data protection is illustrative in this regard. It shows that the lack of alignment between different legislative measures creates problems for the effective enforcement of data protection in the EU.

First, there is the General Data Protection Regulation (GDPR), which provides for a rather strict and elaborate general legislative regime for data protection. The GDPR strengthened the pre-existing network of national enforcement authorities by creating a cooperation and consistency mechanism and regulates national enforcement by prescribing procedural and substantive enforcement standards. This cooperation and consistency mechanism first requires the national data protection authorities to cooperate. Second, the consistent application of the law is ensured by the European Data Protection Board (EDPB). All national data protection authorities are represented in the EDPB, which serves to align their policies in view of a consistent application of the law throughout the EU. The revised Payment Services Directive (PSD2) applies to specific data protection situations. PSD2’s primary focus is on regulating payment services throughout the EU. However, it also regulates the processing of personal data by payment service providers. In particular, the processing of payment account data to third parties is a sensitive issue in this Directive. To ensure that payment service providers comply with the rules, PSD2 requires Member States to appoint supervisory authorities, but it leaves the Member States free to decide how.

In practice, this leads to a lack of coherence. Most Member States have appointed two supervisory authorities: one authority responsible for the prudential supervision and one for data protection supervision. The latter normally is the same supervisory authority as under the GDPR and which would thus be part of the consistency mechanism. The Netherlands, however, initially appointed data protection supervision responsibility to the authority which was responsible for prudential supervision. This choice had two negative effects. The designated authority on data protection supervision under PSD2 could not take part in the GDPR data protection consistency mechanism. Another effect was that the Dutch supervisory authority might apply the rules differently from other Member States. This would not only impede the coherence of data protection legislation in the EU but would also affect the protection of individuals.

Conclusion

In the end, the problem in this case solved itself. After having been criticized, the Dutch legislator now intends to appoint the Dutch data protection authority as the supervisory authority for data protection under PSD2. However, similar problems may easily arise here and in other fields. The EU can prevent problems like these by better alignment of its policies. The first step would be to make the alignment of regulation and enforcement a key aspect of its better regulation policies.

Michael Hubner and Ton van den Brink

Michael Hübner is a PhD Candidate at Utrecht University. His research focuses on legislative differentiation and the relationship with enforcement. He is a member of the Utrecht Centre for Regulation and Enforcement in Europe (RENFORCE).

Ton van den Brink is Associate Professor of EU Law at Utrecht University and is a member of RENFORCE as well.

Latest posts by Michael Hubner and Ton van den Brink (see all)

Author: Michael Hubner and Ton van den Brink

Michael Hübner is a PhD Candidate at Utrecht University. His research focuses on legislative differentiation and the relationship with enforcement. He is a member of the Utrecht Centre for Regulation and Enforcement in Europe (RENFORCE). Ton van den Brink is Associate Professor of EU Law at Utrecht University and is a member of RENFORCE as well.

Leave a Reply

Your e-mail address will not be published. Required fields are marked *