Competent Authorities: A Definition
References to “competent authorities” occur eight times in the GDPR. So what and who are they, and why does the GDPR give them special access to personal data? Does “competent” imply that “incompetent” authorities can’t see your data? (Good luck proving that one!)
The GDPR does not define what a competent authority is. Instead it refers to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 where the phrase is defined. This Directive is
on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data
and it essentially defines the usage and sharing of personal data within and between authorities, in light of the GDPR.
A competent authority is defined as:
a) any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
… so think police and Interpol…
b) any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
… so non-public agencies, competent or not. I presume this means state intelligence agencies, they being more covert than public, but it could also include private companies or individuals engaged by the state to, in short, uphold the law.
Article 45 of Directive (EU) 2016/680 does define what “competence” means, in a sense:
- Each Member State shall provide for each supervisory authority to be competent for the performance of the tasks assigned to, and for the exercise of the powers conferred on, it in accordance with this Directive on the territory of its own Member State.
- Each Member State shall provide for each supervisory authority not to be competent [the emphasis is my own] for the supervision of processing operations of courts when acting in their judicial capacity. Member States may provide for their supervisory authority not to be competent to supervise processing operations of other independent judicial authorities when acting in their judicial capacity.
Each state, therefore, is responsible for determining the competence or otherwise of its own authorities with regard to the GDPR. One might expect this to lead to regional variations in the application of GDPR.
It is perhaps mischievous of me to suggest that “competence” in GDPR terms means “good at their job”, like a surgeon is competent to perform heart bypasses, or a bus driver to drive double-deckers. In organisational terms the authority will – one would hope – have a reasonable case for handling and sharing personal data provided they can do so with diligence and care.
I have tried to work out what the second part of the competence definition means, where it refers to authorities NOT being competent in relation to courts. My opinion is that this refers to the avoidance of prejudice in legal proceedings where the supervisory authority could use their special access to personal data to improperly influence a trial. However, I am always open to correction.