That’s a good question, and I will address it in relation to EU privacy and data protection law. I had the opportunity to look into the European Data Protection Supervisor’s Report for 2010 (which was published this past June) and I was particularly curious about what is to be found in the complaints filed with the EDPS.
I should mention beforehand that my PhD thesis will look exactly into data protection law as contributing to the enhancement of civil law and civil liabilities (somehow trying to define a new kind of tort). I will therefore look into distancing myself from an administrative point of view on data protection law. Nevertheless, the administrative complaints filed with the EDPS can be a very fruitful lead towards the framework of newfound civil liabilities regarding data protection, as they give me an idea of what people can possibly complain about regarding the protection of their personal data.
I will reveal in this post some interesting information from the EDPS 2010 report. And in my next post I will detail some of the complaints for a further understanding of this issue.
How many complaints?
According to the abovementioned report, the number of complaints received in 2010 decreased, while the complexity of the complaints increased: “In 2010, EDPS received 94 complaints (a decrease of 15 percent compared to 2009). Of these 69 complaints were inadmissible, the majority relating to processing at national level as opposed to processing by an EU institution or body. The remaining 25 complaints required more in-depth inquiries (a decrease of 41 percent compared to 2009). In addition, 18 admissible complaints, submitted in previous years (16 in 2009 and two in 2008), were still in the inquiry or review phase during 2010”.
Nature of complaints
Of the 94 complaints received, 17 complaints (18%) were submitted by members of staff of EU institutions or bodies, including former staff members and candidates for employment. For the remaining 77 complaints, the complainant did not appear to have an employment relationship with the EU administration.
Types of violation alleged
The violations of data protection rules alleged by the complainants in 2010 mainly relate to:
A breach of data subjects’ rights, such as access to and rectification of data (36%) or objection and deletion (12%);
Unlawful use (16%), excessive collection of personal data (12%), violation of confidentiality (8%).
Other violations less frequently alleged relate to data security (4%), ID thefts (4%), leaks (4%), data quality and information to data subjects (4%).
Institutions concerned by complaints
Of the admissible complaints submitted in 2010, the majority (80%) were directed against the European Commission, including OLAF and EPSO. This is to be expected since the Commission conducts more processing of personal data than other EU institutions and bodies. The relatively high number of complaints related to OLAF and EPSO may be explained by the nature of the activities undertaken by those bodies.
Tomorrow, in my next post, I will detail some of the complaints, as they are quite interesting.