FRA Report: “Access to data protection remedies in EU Member States”

The European Union Agency for Fundamental Rights (FRA) has published a report on ‘Access to data protection remedies in the EU Member States’. The report, which is based on social fieldwork research, shows the most important problems concerning the access to redress mechanisms in cases of data protection violations.

The social fieldwork research was conducted from April to September 2012 in 16 EU countries (including Poland, Germany, Portugal, Spain and Great Britain). Within the frames of the fieldwork, over 350 individual interviews were conducted with people who sought or did not seek a remedy after the protection of their personal data was violated. The Helsinki Foundation for Human Rights, as a FRA’s contractor in the FRANET network, prepared the country report.

“The conclusions of our research are quite depressing” – says Adam Bodnar, the Deputy President of the HFHR. “Judging from the conclusions of our interviews, the level of data protection awareness is quite low, and the available remedies in this sphere are not effective enough” – adds Adam Bodnar.

The most frequent data protection violations that were mentioned during the fieldwork refer to internet-based activities. The respondents often indicated problems with personal data protection while using social media or online shopping. Other prevalent data protection concerns were indicated in the employer-employee relationships. These include: collection of employee’s personal data, access to personal data stored on employers’ computers or disclosure of employees’ data by employers.

“Within the frames of the research, we focused not only on the spheres where personal data protection is violated, but also on the aspect of who is responsible for violations. The FRA’s research shows that government bodies, law enforcement agencies, and financial institutions are most often responsible for these violations” – says Dorota Głowacka, a HFHR’s lawyer.

In Poland, similarly to the majority of the EU countries, there are three possible procedures to seek a remedy in the case of personal data protection violation. These are: the administrative procedure (in Poland – before the GIODO, and then possibly before administrative courts), criminal procedure against the person responsible for data protection violation and the civil procedure (the suit for damages to personal goods, including the violation of the right to privacy).

The overwhelming majority of respondents included into the research chose the administrative procedure. The respondents indicated that there were several factors motivating such a decision. Among the factors, there were e.g. less complicated procedure which does not involve any high costs and does not require a professional representative.

In Polish part of the research, the respondents stated that the current legal framework does not meet the challenges of our times. In the information society, the length and formalism of the procedure make data protection redress mechanisms substantially less efficient. What is more, there are no specialised organisations in Poland which would provide legal aid in cases of personal data protection violations. Altogether, these factors discourage people whose personal data protection was breached from seeking a remedy.

The FRA report may be accessed here, and the Handbook on European data protection law may be accessed here.