Complete Independence of national Data Protection Supervisory Authorities: About persons, czars and data governance in Belgian debates
There is a beautiful debate about the independence of the national Data Protection Authority (DPA) in Belgium and there is a European dimension to it. While many independent administrative authorities have been created by EU law, the authorities in EU data protection law are special: (1) they are active in enforcing fundamental rights while the others are mostly active in market regulation and (2) their independence is guaranteed by EU primary law since the adoption of the Lisbon Treaty and the Charter.
The European Commission now pursues legal action against Belgium about lack of independence of the Data Protection Authority, but the Belgium government is reluctant to see the problem. While the infringement procedure is steaming up, one of the directors of the Belgian DPA steps up, dissatisfied with attempts to make the DPA more ‘complete independent’. What is happening? What follows is an attempt to clarify a complex multilevel interplay, topped with a sauce of Belgian surrealism. Essential documents, both on the EU side and on the Belgian side, are not public. Hence, the wealth of references to journals by the author. The story unfolds in a surprising way, without a definitive plot. Slow reading with a pleasure for the anecdotical, but a concern for the fundamental is recommended.
Belgian concerns about the independence of the national DPA
The Belgian DPA is managed by five directors and a rotating presidency. Why five? There is no explicit or legally mandated reason for, but the high number helps finding consensus amongst the Belgian policy makers, divided along left/right lines, religious lines (catholic or not) and linguistic lines (French talking versus Dutch talking). Before the 2018 reform of the Belgian DPA there was only one Director, supported by a vice Director, both taken from the respective linguistic communities).
The Belgian authority is composed of five bodies (General Affairs Secretariat, the Front Office, the Inspection Service and the Litigation Chamber and the Knowledge Centre). The DPA knowledge center is the more important organ in the current debate. This organ, headed by Alexandra Jaspar (one of the five directors), and consisting of six members, helps to screen legislative proposals for privacy issues and produces either on its own initiative or upon request Opinions concerning any matter relating to the processing of personal data.
The work of the director and her DPA knowledge center, in particular its critical screening of governmental proposals, was more than satisfactory. On the Internet one can find a recording and a summary of one of this Director’s excellent presentations. A very nice example of what the Knowledge Centre stood for, were the negative Opinions on governmental plans to roll out the Covid Safe Ticket with unclear intentions (‘purpose limitation’) and with no safeguards. Principle-driven, courageous and to the point.
Alexandra Jaspar is now leaving her post at the Knowledge Centre out of dissatisfaction with the structure of the DPA. Some of the six members of this Centre are high ranking government officials and should, in her view, not be part of the DPA. She also said her department is being thwarted by GBA’s the current president or chairman of the DPA whose close contacts with government members threatens, in her view, the integrity of the privacy watchdog that would become too lenient with government agencies.
In the past year, Jaspar and another director of the DPA, alarmed all possible Belgian actors about these issues, also adding a series of complaints about decisions and practices of the other directors. Firstly, they turned to the Belgian Parliament to whom the DPA must render account about activities. From this body, the case went to the Belgian Court of Auditors. This bulwark of political integrity considered that the DPA “generally meets the requirements of independence”, while recognizing that the presence of members who have their main activity outside of the agency is “at odds with the European vision of a completely independent authority”. The report and the discussions in Parliament are shielded. So little is known, about the details, but we will see at the end of this blog how these procedures have led to unexpected outcomes.
EU concerns about the independence of the Belgium DPA (first half of 2021)
Jaspar also found EU support. After having received anonymous complaints, EU Commissioner for Justice Didier Reynders (MR) intervened with a letter in March 2021. In his letter to the Belgian government, Commissioner Reynders expressed his concerns that the Data Protection Authority (DPA) would not be independent. “Some of its members cannot be considered free from outside influence, either because they refer to a management committee that depends on the Belgian government, or because they take part in government projects on the tracing of Covid contacts -19, or because they are members of the Information Security Committee (CSI).“
Then the European Commission stepped in with a ‘formal notice’ to the Belgian government. The Commission declared on June 9th, 2021 that contained amongst others the same finding:
“some members of the Belgian Data Protection Authority cannot currently be considered free of external influence, as they either report to a management committee dependent on the Belgian Government, have participated in government projects to trace COVID-19 contacts, or are members of the Information Security Committee”.
The letters are not public and are said not to contain precise names of individual members. All commentators agree that these considerations are aimed in particular at Frank Robben, one of the members of the ADP knowledge center, while also managing the Belgian Social ePlatform (Banque Carrefour de la Sécurité sociale), the Belgian eHealth platform, and who is also member and main drafter of the decisions of the Information Security Committee (CSI), a controversial organ that nobody in Belgium understands well but serves as the IT arm of the Belgian government while also serving as a sort of Data Protection Officer for that same government. In addition, Robben is CEO of the most important non-profit ICT-service provider of the Belgian administration (Smals) and is involved in many other data projects of the different governments in Belgium. Franklin Dehousse (Faculty of Law of the University of Liege) counted no less than 18 mandates in the hands of Robben and underlines the considerable resources in Robben’s hands, as managing director of the ‘non for profit’ Smals with an annual turnover between 300 or 350 million euros: “A black box created to manage the computerization of the federal government in complete autonomy. Its status as non-profit organisation allows it to escape the control of the Court of Auditors and Parliament, VAT and public procurement regulations for many operations”. For Dehousse “Frank Robben is the prototype of the politician camouflaged under a civil servant suit”.
It is not necessarily an insult to be called a politician. In a good way, it can mean that one has a vision. Robben has strong visions and declares himself as ‘a strong proponent and advocate of the free reuse of ICT services and components, and the development of an API-economy’.
All governments, in the past and today, work and depend on this Czar of the Belgian public data infrastructure. His pitch is his ability to deliver in time to policy makers whatever he promises with as a guarantee his presence in the full lifecycle of decision making on data processing. To quote Elise Degrave (Faculty of Law of the University of Namur): “He is both the one who sets up the processing operations (on the administration side) and the one who will say that it is legal to set up this processing activities. Judge and party, controller and inspected “. His other pitch is to set up processing systems that are centralized and top down. Easy to understand but very close to the Chinese, authoritarian way of handling citizen’s data. Equally Chinese is his presence behind initiatives to intimidate critical voices, to organize self-assessments to prolong his mandates, and to play out sensitive political cards by opposing Flemish and Francophone Belgians in all sorts of privacy debates. This last strategy works wonderfully well. The current Belgian privacy-scandal is hardly reported at all in the Flemish press, the one closest to the political parties that defend and rely on Robben.
EU concerns about the independence of the Belgium DPA (second half of 2021)
Some things changed after the Belgian procedural steps taken by Jaspar in the beginning of 2021 and the EU’s intervention of June 2021. Two members of the DPA knowledge center, also heads of public administration, resigned last February, but Robben stayed. So Jaspar’s problem remained.
What has also not changed is Robben’s political support amongst certain Flemish center parties (catholics and social democrats). Current Minister of Health and key player in the Covid story of Belgium, Frank Vandenbroucke (social democrat), seemingly unaware of the EU procedures against Belgian, is an ardent admirer. Only some weeks ago he proposed to add extra mandates to the basket of mandates in Robben’s hands and has taken up his defense in public debate: “A guy like Robben should be given a statue. His work and his genius made it possible to organize vaccination in this order, despite the difficulties. Instead of attacking him and seeing the great dangers, let’s highlight the successes!” (Le Soir, June 25, 2021). Followed by a colleage from the catholic party in the Flemish government, he contrasts Robben (pragmatic, hard-working, visionary, reliable, etc.) with privacy professionals (like Jaspar) that are canceled and denounced as privacy fundamentalist.
Robben too, well protected by his political patrons, is not impressed by the EU procedures. “It is a pity that some people wrongly lend me other intentions” (than to do his work independently), was his reaction in the press. His line of defense is based on a double argument: he brings in the necessary expertise and feel to enrich the deliberations of the DPA (argument 1) and he does not take part of in these deliberations when one of his projects is on the table (argument 2).
The first argument has a longstanding legacy in Belgian public administration history, that has trouble understanding independent control other than this by the judiciary. The solution has been, -at least in the case of Belgian DPA- to appoint members that represent all sectors of society (banking, health, law enforcement, etc.) and all political and language fractions. The choice to have not one but five DPA-directors appointed in 2018 is a result of this tradition. We will see that the EU is not enthusiast, to say the least, about this ‘the controller should be expert’-model of supervision.
Robben’s second argument is not very strong, at least in practice. A member is a member, even when he withdraws when the voting is done. The mere presence of a member or (one step further) the possibility to give an expert view as a member while discussing a project equals a strict understanding of the term ‘influence’.
The small changes in the Belgian data protection landscape did not impress the European institutions. On the 12th of November, 2021, came a follow up, with the European Commission sending the Belgian Government a reasoned opinion as concerns the issue of the independence of the Belgian DPA. The reasoned opinion is a consequence of the fact that the Belgian government’s response to the Commission’s formal notice of 9th June 2021 “did not address the issues raised in the letter of formal notice and the members concerned have remained in their posts.” For the Commission this situation violates Article 52 of the General Data Protection Regulation (GDPR), which states that the data protection supervisory authority shall perform its tasks and exercise its powers in ‘complete indepence’. The independence of data protection authorities requires that their members are free from any external influence or incompatible occupation. If Belgium does not rectify the situation within two months, the Commission may refer the case to the CJEU.
This time the heat is there, and Belgian government and parliament are negotiating about the follow up to give to avoid a continuation of the infringement procedure. At least for the Secretary of State, Mr Michel, Robben, ‘must take a step aside’ and this needs to be done by Parliament, empowered by Belgian law to nominate the members of the DPA (see more on this below).
What is a complete independent national authority?
The European Commission is clearly adding important interpretations with regard to this crucial notion of ‘independent data protection authority’, after the ground-breaking work of the Court of Justice on this matter in European Commission v. Germany (9 March 2010, C-518/07)) European Commission v. Austria (16 October 2012, C-614/10) and European Commission v. Hungary (8 April 2014, CJEU, C-288/12), with Schrems (6 October 2015, C‑362/14) and Wirtschafsakademie (5 Junie 2018, C-210/16) as a latest milestones.
The bar for data protection is very high, at least in Article 52 GDPR that speaks about ‘complete’ independence, whereas Article 16(2) of the Treaty on the Functioning of the European Union and Article 8(3) of the EU Charter of Fundamental Rights only requires ‘independence’ for data protection authorities (‘Compliance with these rules shall be subject to control by an independent authority’). The GDPR does not impose a unique model of organization but identifies must haves in terms of independence, powers, and resources. The German and Austrian case, -pre-GDPR cases-, are classics that have triggered the more than explicit paragraphs on supervision, resources, budget, staffing and oversight of DPA in Article 52(4-6) GDPR. Schrems and Wirtschaftsakademie clarify the autonomy of a single DPA in the broader institutional context where transnational data flows oblige DPA’s to work together. The Hungarian case is more closely related to our topic since it prohibits national practices affecting the independence of the staff and leadership of DPA’s workforce were prohibited, for instance by prematurely ending the term served by its members.
All these cases enlighten us about the umbrella concept of ‘complete independence’ anchored in Article 52(1) GDPR. The Hungarian case could be an obstacle, at least in the eye of some Belgian commentators, to a forced dismissal of Robben (see below).
The steps taken in the infringement procedure against Belgium, mentioned above, teaches us more about some major requirement contained in the remaining paragraphs in Article 52 GDPR: the duty of members to ‘remain free from external influence, whether direct or indirect’ (Article 52(2)) and the duty not to ‘engage in any incompatible occupation, whether gainful or not’ (Article 52(3)). Of course, the infringement letters of the Commission and essential Belgain documents on this matter are not public, and we need to fall back on the press releases about the procedure. But here are the take homes:
Article 52(1) in conjunction with 52(3) is violated when members are not free from external influence and engage in any incompatible occupation. At least for Commissioner Reynders, this is not solely an empirical, but also a formal issue: “If there is a body responsible for monitoring data protection, it must be completely independent from any other body dependent on the government, directly or indirectly.“
Bringing in expertise from the public sector in the DPA as a member is no longer possible, unless the ‘expert’ breaks all formal ties with the public body when entering the DPA. Persons with double hats cannot satisfy this requirement with not taking part in deliberations or votes when certain projects are tabled. A full-time membership is one of the options. Belgium, unfamiliar with this notion of independence, relies heavily on academics and magistrates (see also below), but there are other ways of doing and finding the right persons. An illuminating example is given by the practice of the Supreme Court in the Netherlands, that opens its deliberation table not only to former magistrates, but all kinds of experts and strives for as diverse a composition as possible. The lawyers it seeks for the job of becoming a member have a diverse professional background, ie a vision mix of those who have earned their spurs within the judiciary, the legal profession, academia, the tax world, a combination of these. The Supreme Court itself actively looks for the right profile in all these worlds and by bringing out vacancies that allow interested people to identify themselves. The Court does the first mentoring and organizes the selection procedure, using a transparent set of criteria. Its proposed ranking needs to be approved by the Parliament. A procedure that Belgians, flawed by distrust in their state structures and divided along political, linguistic, and religious lines, can only dream off. Hence, its reliance on magistrates and academics, excluding many brilliant others.
A last lesson from the ‘Belgian’ infringement case has to do with the members of DPAs. There is a growing tendency ‘on the ground’ to seek for guidance and even clearance by the DPA of certain envisaged processing activities. One of the DPA directors in Belgium had accepted an invitation to join the Data as Corona taskforce of the Belgian government. Although we (again) lack clarity on this point, there is a view that such involvements are equally incompatible with the Article 52(3) GDPR prescription not to ‘engage in any incompatible occupation, whether gainful or not’. If this line of reasoning hardens, then all consensus-driven authorities in the EU are warned. Perhaps a status as observer in certain governmental data projects can be considered as a possibility, but all those around these project-tables will have to resist tendencies to expect real commitments of the staff members of a DPA.
So why is Alexandra Jaspar leaving her post?
So why is Alexandra Jaspar leaving her post as Director, when she has the support of the European Commission? Jaspar took her decisions after gaining knowledge of the corrective measures that the Belgian Parliament has on the drawing table in response to the EU procedures and also to the reported fautes graves of some of the Directors. A first measure is serious and consist of ending the term of two directors of the current DPA for reason of serious misfunctioning (‘faute grave’), one of them being the (Flemish) Director involved in governmental projects such as the Data Against Corona task force. The other one, is Director Charlotte Dereppe with whom Jaspar has allied from the start of the saga. Belgian members of Parliament, tired of the turmoil in the Belgian data protection landscape, wanted to see some heads roll and needed not only a Flemish, but also a Francophone head to respect linguistic power balances. By stepping down Jaspar made sure it was not her head that had to roll on the Francophone side. Dereppe could have benefitted from the EU Whistleblowing Directive, if only that Directive had entered into force a little earlier (the official date is December 17th, 2021)!
A second measure is to do nothing about Robben, but to reform the law in a gentle way hoping that Robben would step up. A first step is a proposal (proposition de loi) by some members of Parliament to reform the DPA and to limit its membership to magistrates and academics only, but with a possibility to rely on ‘experts’. Robben is many things, but neither of both. The golden question is whether this scenario would be compatible with the CJEU Hungarian case that prohibits ‘prematurely bringing to an end the term served by its members’. So Robben is still not outplayed! Perhaps there are other scenario’s on the table, but these are not public yet.
We will see whether the Commission is satisfied by the kid gloves-approach of the legislator and accept the provisional prolongation of Robben’s membership. Similarly, we have to await the EU’s satisfaction about the more fundamental review of the DPA. In Jaspar’s view the first drafts of proposed remedial measures to re-structure the DPA taken by Belgium are not convincing. The high-ranking officials that threaten the independence of the DPA, would not any longer be formal members of the DPA knowledge centre, but they keep their decisive influence through a backdoor solution that allows them to be invited by the DPA as ‘expert’.
When anecdotes and details about persons hide important things
There is a deeper dimension to Jaspar’s decision. Her concern about the amount of data in the hands of governments that can produce by connecting data bases all sorts of outcomes. You want to find out what medical doctors are treating non-vaccinated citizens to pressure these doctors to end their treatment because you believe that not treatment, but vaccination is the only way forward? Just connect the database on non-vaccinated people (or use the database of vaccinated people) with the database on health records mentioning people’s medical doctor and the hunt can start.
Jaspar refers to covid-measures by the Belgian government to illustrate their haste and the need for a firm national authority that safeguards fundamental rights at these moments.
I regret the departure of this Director and was looking forward to the further functioning of the DPA after the departure of non-independent members. Sending away full-time directors as is now on the table can set a dangerous precedent and fautes graves should not be too easy. Sometimes a warning can do the job.
The real elephant in the room, one that needed the complementary talents of all five current directors, including the powerful mind of Jaspar, is the future of development of a balanced policy with regard to the governance of data in the hands of the government: pragmatic and expert-controlled v. principles and democratically controlled? In times of crisis and with regard to topics that are closely linked to state interests, the Belgium executive has shown no great desire to consult the DPA in privacy matters although the GDPR is explicit on this. Problematic is that the GDPR has not much to say on the governance of data by the states, in particular their own data. The GDPR is loaded with state-friendly exceptions. (A good example is the green light for automated decision making only when done by governments as organized in Article 22 GDPR). The silence of the GDPR on the boundaries of the data driven state explain why all Member States struggle with the human rights and power dimensions of this matter. The childcare subsidies scandal of January 2021 in the Netherlands, that caused the government to resign has nothing to do with children, but everything with the organization of big data and data analytics mechanism within Member States.
Anecdotes are short accounts of a particular incident of an interesting or amusing nature. In this seemingly anecdotical blog I had to chronicle far too many details about people (although I tried to leave out as many names as possible). “Strong minds discuss ideas, average minds discuss events, weak minds discuss people”. The quote is on Frank Robben’s website. Of course, that quote in this context is more than controversial. A Czar is not a Person, but the Embodiment of a Dubious Concept of Data Governance. I would therefore like to re-appropriate the idea behind the quote in a more respectful way. Let us tackle the real problems and get rid of some bypassed features of Belgium data protection, like the idea that control is not possible without expertise from the controlled. A watchdog should control, not include, the government. The wrong people are leaving.
1 comment
The EU Law Blog of Professor Paul De Hert touches upon a potential weakness in guaranteeing the complete independence of data protection authorities: the appointment (and dismissal) of members of these authorities. This complete independence is specified by the EU Treaties, the General Data Protection Regulation (GDPR) and the case law of the Court of Justice. On the one hand, the requirements for independence are high, on the other hand, EU law leaves a wide margin of discretion for the member states in the appointment of the members of these authorities.
In Belgium, the national legislator has opted for a system with checks and balances, whereby the Belgian DPA consists not only of five full time members of a board of directors, but, in addition, of part-time experts with specific tasks. By nature, these part-time experts have other occupations, which may lead to conflicts of interest. One of the questions, following Professor De Hert’s contribution, is whether this system of part-time members of DPAs can be reconciled with European law. After all, the protection of the position of these members (amongst others against dismissal) is strong, equal to that of the members of the board. That is why it is so difficult to take measures, for example in the case of (potential) conflicts of members of the Knowledge Centre of the DPA appointed by the Belgian Parliament. The position of two of these members is the subject of an infringement procedure by the European Commission, as explained by Professor De Hert.
However, in my view the problem is not the structure of the Belgian DPA, as such. To be clear, the Knowledge Centre is an advisory body that does not take binding decisions, and if a member of this advisory body is too closely involved in a subject by virtue of a professional activity, he or she does not participate in the decision-making process in this regard. The Litigation Chamber, which I have the honour to chair, does take binding decisions on often very complex subject matters. It also consists of part-time members with other functions. Together with the members, I make sure that they do not sit on cases where there is a possibility or appearance of a conflict of interest. In this way, we try to make an imperfect system work, in the interest of the protection of the citizens in Belgium and in the European Union.
The debate triggered by the infringement procedure and commented on by Professor De Hert on individual members of DPAs is not the debate we should have. The debate should not be about polarization between members of national DPAs or between DPAs in different member states.
The problem is a different one: how to ensure effective and proper enforcement of EU data protection law should be the priority. This should be discussed in the EU Law Blog.
Data Protection Authorities have complex tasks in ensuring fundamental rights protection in a rapidly evolving digital environment, with far too limited resources.
Moreover, the GDPR requires close and loyal cooperation between authorities, for instance in the one stop shop mechanism of articles 56 and 60 GDPR. This mechanism is fully new, without precedent in EU law. It aims at reconciling national autonomy in fundamental rights protection with the need for unified application of the GDPR, but it is a complex and quite often cumbersome mechanism.
Therefore, it is of the utmost importance that the authorities themselves give priority in delivering what is often called “privacy on the ground”: effective protection.
A DPA can only convince on the basis of a good reputation, which does not only mean independence, but most and for all effective enforcement. How to improve the enforcement, that should be the discussion we should have.
Hielke Hijmans, President of the Litigation of the Belgian DPA and professor at the Vrije Universiteit Brussel (VUB)