The role of codes of conduct in the eu data protection framework

Drobek, Piotr

doi:10.57599/gisoj.2022.2.2.129

Artykuł - szczegóły

Tytuł artykułu

The role of codes of conduct in the eu data protection framework

Autorzy

Drobek Piotr

Treść / Zawartość

Pełne teksty:

2_2_22_Drobek_129-146_accepted_16.12.2022.pdf

Pobierz

Identyfikatory

DOI

10.57599/gisoj.2022.2.2.129

Warianty tytułu

Języki publikacji

Abstrakty

The paper presents the legal nature and functions of codes of conduct in EU data protection law. The General Data Protection Regulation (GDPR) contains much more extensive provisions on codes of conduct than previous Directive 95/46/EC, giving them a potentially much more significant role in the EU data protection regime. The GDPR specifies codes of conduct as co-regulatory instruments whose compliance by controllers and processors has significant legal consequences. They are primarily intended to facilitate compliance with the GDPR by controllers and processors from a specific sector or to perform similar processing operations. It is, therefore, essential to identify the legal nature of the codes of conduct, the legal consequences of adhering to them, and their function in the EU data protection model. The theoretical analysis of EU data protection codes of conduct considers legal and regulatory theory perspectives.

Słowa kluczowe

accountability data protection GDPR code of conduct co-regulation

odpowiedzialność ochrona danych RODO kodeks postępowania współregulacja

Wydawca

SILGIS Association
Croatian-Polish Scientific Network

Czasopismo

GIS Odyssey Journal

Rocznik

2022

Tom

Vol. 2, no. 2

Strony

129--146

Opis fizyczny

Bibliogr. 47 poz.

Twórcy

autor

Drobek Piotr

p.drobek@uksw.edu.pl

Cardinal Stefan Wyszyński University in Warsaw, Faculty of Law and Administration, Department of Informatics Law

https://orcid.org/0000-0002-0178-851X

Bibliografia

1. Act (1997). Act of 29 August 1997 on the Protection of Personal Data, unified text: Journal of Laws of 2014, item 1182 with amendments.
2. Bennet C., Raab C. (2006). The Governance of Privacy. Policy Instruments in Global Perspective. The MIT Press, Cambridge, London, pp. 155-158.
3. Black J. (2012). Paradoxes and Failures: New Governance, Technics and the Financial Crisis. Modern Law Review, vol. 76, no. 4., pp. 1037-1063.
4. Black's Law Dictionary (1999). West Group, St. Paul, p. 250.
5. Csink L., Mayer A. (2014). How to Regulate: The Role of Self-Regulation and Co- Regulation. Hungarian Yearbook of International Law and European Law, vol. 3, pp. 403-420.
6. Opinion of the European Economic and Social Committee on Self-regulation and co- regulation in the Community legislative framework (2015/C 291/05).
7. Directive 95/46/EC, 1995. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal L 281/31.
8. Directive 2005/29/EC, 2005. Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (‘Unfair Commercial Practices Directive’), Official Journal L 149/22.
9. Drobek P. (2019). Opracowywanie i zatwierdzanie kodeksów postępowania oraz warunki i tryb akredytacji podmiotu monitorującego jego przestrzeganie (Drawing up and approving codes of conduct, as well as the conditions and procedure for accreditation of monitoring bodies). In: D. Lubasz (ed.), Ustawa o ochronie danych Osobowych. Komentarz (Personal Data Protection Act. A Commentary). Wolters Kluwer, Warszawa, pp. 179-204.
10. EUR-Lex. https://eur-lex.europa.eu/homepage.html [access: 24.11.2022].
11. European Commission (2003). Report from the Commission. First report on the implementation of the Data Protection Directive (95/46/EC) COM(2003) 265 final. https://eur-lex.europa.eu/legal- content/EN/TXT/PDF/?uri=CELEX:52003DC0265&qid=1669466237911&from=PL [access: 24.11.2022].
12. European Commission (2010). Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions. A comprehensive approach on personal data protection in the European Union (COM/2010/0609 final) https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52010DC0609&qid=1669720186919 [access: 24.11.2022].
13. European Commission (2020). Communication from the Commission to the European Parliament and the Council. Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation (COM/2020/264 final). https://eur-lex.europa.eu/legal- content/EN/TXT/?qid=1669720562137&uri=CELEX%3A52020DC0264 [access: 24.11.2022].
14. EDPB (2019). Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 Version 2.0 https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf [access: 24.11.2022].
15. EDPB (2021a). European Data Protection Board Opinion 16/2021 on the draft decision of the Belgian Supervisory Authority regarding the “EU Data Protection Code of Conduct for Cloud Service Providers” submitted by Scope Europe. https://edpb.europa.eu/system/files/202105/edpb_opinion_202116_eucloudcode_en.pdf [access: 24.11.2022].
16. EDPB (2021b). European Data Protection Board Opinion 17/2021 on the draft decision of the French Supervisory Authority regarding the European code of conduct submitted by the Cloud Infrastructure Service Providers (CISPE). https://edpb.europa.eu/system/files/202105/edpb_opinion_202117_cispecode_en_0.pdf [access: 24.11.2022].
17. EDPB (2022). European Data Protection Board Guidelines 04/2021 on Codes of Conduct as tools for transfers Version 2.0. https://edpb.europa.eu/system/files/2022-03/edpb_guidelines_codes_conduct_transfers_after_public_consultation_en_1.pdf [access: 24.11.2022].
18. European Economic and Social Committee (2015). Opinion on Self-regulation and co- regulation in the Community legislative framework, Official Journal C 291/05.
19. Fajgielski P. (2018). Art. 40 Kodeksy postępowania (Article 40 Codes of conduct). In: P. Fajgielski. Ogólne rozporządzenie o ochronie danych. Ustawa o ochronie danych osobowych. Komentarz (General Data Protection Regulation. Personal Data Protection Act. A Commentary). Wolters Kluwer, Warszawa, p. 250.
20. Fischer B. (2018). Art. 40 Kodeksy postępowania (Article 40 Codes of conduct). In: M. Sakowska-Baryła (ed.), Ogólne rozporządzenie o ochronie danych osobowych. Komentarz (General Data Protection Regulation. A Commentary). C.H. Beck, Warszawa.
21. Gaeta M. (2019). Hard Law and Soft Law on Data Protection: What a DPO Should Know to Better Perform His Or Her Tasks. European Journal of Privacy Law & Technologies, vol. 2019, no. 2, pp. 61-78.
22. GDPR, 2016. Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation. Official Journal L 119/1.
23. Gellert R. (2020). The risk-based approach to data protection. Oxford University Press, Oxford.
24. Gilad S. (2010). It runs in the family: Meta-regulation and its siblings. Regulation & Governance, vol. 4., no.4, pp. 485-506.
25. Góral U., Makowski P. (2018). Art. 40. In: E. Bielak-Jomaa, D. Lubasz (ed.), RODO. Ogólne Rozporządzenie o ochronie danych. Komentarz (GDPR. General Data Protection Regulation. A Commentary). Wolters Kluwer, Warszawa, pp. 819-820.
26. Hodges C. (2015). Law and Corporate Behaviour. Integrating Theories of Regulation, Enforcement, Compliance and Ethics. Hart Publishing, Oxford and Portland, pp. 1-2 and 466.
27. Hustinx P. (1991). The Role of Self-Regulation in the Scheme of Data Protection. Paper presented to the 13th Conference of Data Protection Commissioners, Strasbourg, cited by Bennet C. Raab C. (2006). The Governance of Privacy. Policy Instruments in Global Perspective. The MIT Press, Cambridge, London, p. 152.
28. Kamara I. (2020). Article 40 Codes of conduct. In: C. Kuner, L.A. Bygrave, C. Docksey (ed.), The EU General Data Protection Regulation (GDPR). A Commentary. Oxford University Press, Oxford, pp. 718-723.
29. Korff D.(2003). EC Study on Implementation of Data Protection Directive 95/46/EC (2002). Available at SSRN: https://ssrn.com/abstract=1287667 or http://dx.doi.org/10.2139/ssrn.1287667 [access: 24.11.2022], pp. 185-188.
30. Kuner C. (2007). European Data Protection Law. Corporate Compliance and Regulation. Oxford University Press, Oxford, pp. 46-48.
31. LRDP KANTOR Ltd (2010). Comparative study on different approaches to new privacy challenges, in particular in the light of technological developments. Final Report. https://op.europa.eu/en/publication-detail/-/publication/9c7a02b9-ecba-405e-8d93-a1a8989f128b [access: 24.11.2022], p. 52.
32. Medzini R. (2021). Governing the shadow of hierarchy: enhanced self-regulation in European data protection codes and certifications. Internet Policy Review, vol. 10, no. 3. https://doi.org/10.14763/2021.3.1577.
33. Multistakeholder Expert Group (2019). Contribution from the Multistakeholder Expert Group to the stock-taking exercise of june 2019 on one year of GDPR application. https://ec.europa.eu/info/sites/default/files/report_from_multistakeholder_expert_group_on_gdpr_application.pdf, p. 4.
34. Robinson N., Graux H., Botterman M.,Valeri L. (2009). Review of the European Data Protection Directive. Sponsored by the Information Commissioner’s Office. RAND Corporation, Santa Monica, p. 37. https://www.rand.org/pubs/technical_reports/TR710.html [access: 24.11.2022].
35. Stefan O. (2012). European Union Soft Law: New Developments concerning the Divide between Legally Binding Force and Legal Effects. Modern Law Review, vol. 75, no. 5, pp. 879-893.
36. Stefan O. (2020). The Future of EU Soft Law: Research and Policy Agenda for the Aftermath of Covid-19. Journal of International and Comparative Law, vol. 7, no. 2, pp. 329-350.
37. Vander Malen C. (2020). Codes of (Mis)Conduct? An Appraisal of Articles 40-41 GDPR in View of the 1995 Data Protection Directive and Its Shortcomings. European Data Protection Law Review, vol. 6, no. 2, pp. 231-242.
38. Vander Malen C. (2021). First or Many? First GDPR Transnational Code of Conduct Officially Approved After EDPB Opinions 16/2021 and 17/2021. European Data Protection Law Review, vol. 7, no. 2, pp. 228-231.
39. WP 29 (1998), Article 29 Working Party Working Document: Judging industry self- regulation: when does it make a meaningful contribution to the level of data protection in a third country? https://ec.europa.eu/justice/article29/documentation/opinion-recommendation/files/1998/wp7_en.pdf [access: 24.11.2022].
40. WP 29 (2001). Article 29 Working Party Working Document on IATA Recommended Practice 1774 Protection for privacy and transborder data flows of personal data used in international air transport of passengers and of cargo. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2001/wp49_en.pdf [access: 24.11.2022].
41. WP 29 (2003), Article 29 Working Party Opinion 3/2003 on the European code of conduct of FEDMA for the use of personal data in direct marketing https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2003/wp77_en.pdf [access: 24.11.2022].
42. WP 29 (2008), Article 29 Working Party Opinion 3/2008 on the World Anti-Doping Code Draft International Standard for the Protection of Privacy. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2008/wp156_en.pdf [access: 24.11.2022].
43. WP 29 (2009), Article 29 Working Party Second opinion 4/2009 on the World Anti- Doping Agency (WADA) International Standard for the Protection of Privacy and Personal Information, on related provisions of the WADA Code and on other privacy issues in the context of the fight against doping in sport by WADA and (national) anti-doping organizations. https://ec.europa.eu/justice/article- 29/documentation/opinion-recommendation/files/2009/wp162_en.pdf [access: 24.11.2022].
44. WP 29 (2010), Article 29 Working Party Opinion 4/2010 on the European code of conduct of FEDMA for the use of personal data in direct marketing. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp174_en.pdf [access: 24.11.2022].
45. WP 29 (2015), Article 29 Working Party Opinion 02/2015 on C-SIG Code of Conduct on Cloud Computing. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2015/wp232_en.pdf [access: 24.11.2022].
46. WP 29 (2018), Article 29 Working Party letter to CISPE. file:///C:/Users/68366/Downloads/wp29_letter_to_cispe_final_ifp_9DD8DA13-948C-4F0E-50D80A5D97A2BB3E_49993.pdf [access: 24.11.2022].
47. Yeung K., Bygrave L. (2022). Demystifying the modernized European data protection regime: Cross-disciplinary insights from legal and regulatory governance scholarship. Regulation & Governance, vol. 16, no. 1, pp. 137-155. https://doi.org/10.1111/rego.12401.

Uwagi

Opracowanie rekordu ze środków MEiN, umowa nr SONP/SP/546092/2022 w ramach programu "Społeczna odpowiedzialność nauki" - moduł: Popularyzacja nauki i promocja sportu (2022-2023).

Typ dokumentu

Bibliografia

Identyfikator YADDA

bwmeta1.element.baztech-f40179b7-c8f2-4525-b179-0f1c44af375a