The Co-existence of Administrative and Criminal Law Approaches to Data Protection Wrongs

Abstract

Europe’s two basic regulatory texts, the 1981 Council of Europe’s Convention 108 and the 1995 European Union (EU) Data Protection Directive, say little on enforcement in general and on the use of criminal law in particular. As the 1995 Directive left the choice of the enforcement regime, including the establishment of appropriate sanctions and remedies, to the discretion of the EU Member States, the use of criminal sanctions varies from one Member State to another: there are Member States with only criminal sanctions, but most Member States have a mixed system of criminal and administrative enforcement. In practice, the criminal law provisions in countries where they exist are seldom used due to both institutional resistance from prosecutors and courts, and some characteristics of criminal law. There is indeed a general preference for administrative procedures controlled by the data protection authorities. However, the use of administrative sanctions in the EU is only of a recent date. Most national data protection Acts give no guidance on the choice of administrative or criminal sanctions and on the discretion of the data protection authorities to impose administrative sanctions. Such discretion for data protection authorities might raise questions, especially in the light of a trend towards high administrative fines in the EU Member States. The reform of the 1995 Directive shows the investment of the EU in a harmonised system of administrative sanctions. The minimal attention of the EU to criminal sanctions, on the other hand, can arguably be explained by the scarce case law on the matter and by the sensitivity of the use of criminal law in Community (former first pillar) matters. Neither do the reform instruments contain any provisions on the use of criteria to be taken into account when choosing between administrative or criminal enforcement. The lack of harmonisation goes against the aim of a regulation to establish a uniform data protection framework, is oblivious to the explicit powers for the EU created with the 2009 Treaty of Lisbon to impose criminal law obligations via directives, creates legal uncertainty for companies and the data subject, and might invite forum shopping, i.e., the fact that companies can move their main establishment to a Member State with the most flexible sanction powers. This chapter addresses seven characteristics of criminal law, which explain why Member States prefer to use administrative law. However, regulators should keep the different ratios of administrative law and criminal law in mind when selecting the appropriate enforcement regime. Principles of criminalisation should guide the regulators in their criminalisation exercise: it must be seen as a last resort, for serious cases only. Administrative law may turn out to be more accommodating to the dynamic character of data protection, but is in need of a fundamental rights agenda.