INTRODUCTION

The Data Protection Directive requires strong enforcement measures in order to ensure its harmonized application across the EEA. Thus, in addition to the administrative remedies that may be applied by the national supervisory authorities, the Directive requires Member States to ‘provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question’. The Directive also requires Member States to provide legal mechanisms so that the data subject can recover compensation from the data controller for any damage suffered as a consequence of the data controller’s breach of the national laws adopted under the Directive. Finally, the Directive requires Member States to ‘adopt suitable measures to ensure the full implementation of [its] provisions’, which means that ‘sanctions’ should be imposed for infringements of national laws.

Of course, data protection laws are enforced in other ways. In addition to enforcement by the national supervisory authority, national courts and by data subjects the Directive creates enforcement roles for the European Commission and for data controllers, both in respect of transborder data flows. The seventh data protection principle in the DPA contains another specialized enforcement role for the data controller, who is required to take appropriate measures to ensure adequate security by data processors.