In the last couple of days, commenting a Linkedin post about Article 29’s (the future European Data Protection Supervisor) opinions, I’ve been involved in an interesting thread that can be summarized as “Authority vs. Legal Interpretation”.
To put it short, my position is that “opinions”, “position papers” and ruling from administrative bodies run by a limited number of civil servants should be always taken with a grain of salt.
First, court-issued decision are the result of a process involving thousand and thousand of magistrates that – on the long term – produces an average, steady body of legal opinion. On the contrary, the decisions coming from an agency or an independent body such as a Data Protection Authority are actually the outcome of a limited number of people that will be in charge for decades. So it is fair to say that such kind of decisions are more likely to be “Monarch’s Edicts” instead of a “peer-reviewed” statements.
And, secondly, as I wrote in one of those comments:
whoever an interpretation of law comes from, it must be logical and technically sound. If A29 is more frequently right then wrong, that doesn’t make its next opinion to be automatically correct. I support David Hume’s approach : the fact that the sun rose yesterday doesn’t mean that it will tomorrow.
The core of the issue is was: what is the value of Article 29 opinions and should it be held as a binding (or preferred) interpretation of the GDPR?
Some of the commenters’ positions ranged from “A29 should be followed” to “It would be unwise to completely ignore A29” and are very interesting because are a chance to bridge the gap between theory and practice when enforcing a piece of legislation in the corporate world.
Of course, especially when advising companies, it would be irresponsible to simply disregard a legal interpretation coming from the entity that will investigate you. But it doesn’t neither implies that the public body’s legal findings are always correct nor that they must be taken at its face value.
Take, for instance, the Genetic Personal Data Processing Authorization issued by the Italian Data Protection Authority (IDPA) last November 2016.This authorization has no legal status as “source” of law [1. in Italy the source hierarchy goes from the Constitution to Parliament-passed laws, to Government-passed Decree-Law, down to Ministries’ Decrees and other minor acts. ] nevertheless the IDPA seized the moment to extend its reach from genetic personal data (well within its jurisdiction) up to biosamples that, per se, are not covered by the Data Protection Act.
By taking the IDPA authorization “as such”, a biotech company should “simply” extend its internal policy up to including Material Transfer Agreements, biobanks management and research protocols even though – as when using anonymous biosamples – non personal data are involved. All that comes with an increasing of costs (i.e. less money for the research) and bureaucratic burdens (i.e. less efficiency in the company’s management.)
Sure, by verbatim complying to what the IDPA stated reduces the risk of being fined, but where is the point in complying to a wrong (interpretation of a) law, it this leads you to paralysis, lack of funds or lesser efficiency? Answer: you should do it – as it has been advocated in thread about the A29 opinions’ legal value – because the DPAs statement are “authoritative.
But “authoritative” in the legal interpretation is a very vague word. Authority might comes from the blind exercise of power, so people comply with an “authoritative” suggestion just to avoid further troubles and not because of the intrinsic correctness of the suggestion. Or may comes from a rough consensus – that is not, per se, a guarantee of being right. Or, furthermore, can be the outcome of the personal beliefs of a single civil servant in the position of asserting his own personal views.
On the contrary, the enforcement of the legal logic and of the theory of legal interpretation is a scientific way to proceed. In a Continental Legal System such as the Italian one, the only authentic interpretation of Law comes from the Parliament. All other readings are done by applying the logic and the specific rules of legal interpretation set forth in the Civil Code.
This is to say that what matters is the strength of the logic holding an interpretation and not the “nobility” of the interpreter (that would turn out being an argumentum ad baculum that is incompatible with a modern legal system that aspires to be acknowledged as “scientific”.