¹ European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281/23.

² Opinion of AG Jääskinen in Google Spain, C-131/12, EU:C:2013:424, para 13.

³ Leveson, Lord Justice, An Inquiry into the Culture, Practices and Ethics of the Press (London, 2012), p 999 Google Scholar.

⁴ European Union (EU), Treaty of Lisbon Amending the Treaty on European Union and the Treaty establishing the European Community [2007] OJ C306/01. Art 16, TFEU (EU, Consolidated Version of the Treaty on the Functioning of the European Union [2010] OJ C83/47).

⁵ Koops, BJ, ‘The Trouble with European Data Protection Law’ (2014) 4 International Data Privacy Law 250 CrossRefGoogle Scholar.

⁶ Volker und Markus Schecke and Hartmut Eifert, Joined Cases C-92/09 and C-93/09, EU:C:2010:662. Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others, Joined Cases C-293/12 and C-594/12, EU:C:2014:238.

⁷ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1.

⁸ European Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)’ COM(2012) 11 final.

⁹ A notable recent addition to this literature is: H Hijmans, The European Union as Guardian of Internet Privacy (Springer, 2016), pp 325–448. For instance, the UK Competition and Markets Authority (CMA) highlights in its report the perceived shift in power between individuals and data controllers (who determine the purposes and means of personal data processing) which respondents to its surveys was, in part, as a result of the ‘lack of effective enforcement of the current regime. CMA, ‘The commercial use of consumer data: Report on the CMA’s call for information’, CMA38, June 2015, p 169, para 5.51. The challenges to data protection enforcement are outlined by the European Data Protection Supervisor (EDPS). EDPS, Preliminary Opinion of the European Data Protection Supervisor, ‘Privacy and competitiveness in the age of big data: The interplay between data protection, competition law and consumer protection in the Digital Economy’, March 2014, paras 28 and 29.

¹⁰ Art 29 Data Protection Working Party, ‘Statement on the 2016 action plan for the implementation of the General Data Protection Regulation (GDPR)’, WP236, 2 February 2016, p 2.

¹¹ Olsen, JP, ‘The Many Faces of Europeanisation’ (2002) 40(5) Journal of Common Market Studies 921 CrossRefGoogle Scholar, p 921.

¹² Ibid, p 932.

¹³ CM Radaelli, ‘Europeanisation: Solution or Problem?’ (2004) 8 European Integration online Papers (EIoP) no 16, p 3.

¹⁴ T Risse et al, ‘Europeanisation and Domestic Change. Introduction’ in M Cowles et al (eds), Transforming Europe: Europeanisation and Domestic Change (Cornell University Press, 2001), p 3.

¹⁵ See note 1 above, Art 1(1).

¹⁶ Ibid, Art 28(1).

¹⁷ Bennett, C and Raab, C, The Governance of Privacy: Policy Instruments in Global Perspective (MIT Press, 2006)Google Scholar.

¹⁸ See note 1 above, Art 28(6).

¹⁹ Ibid, Art 28(6).

²⁰ Ibid, Art 28(1).

²¹ Ibid, rec 62; Art 28(1).

²² Hüttl, T, ‘The content of “complete independence” contained in the Data Protection Directive’ (2012) 2(3) International Data Privacy Law 137 CrossRefGoogle Scholar, p 138.

²³ Shapiro, M, ‘The problems of independent agencies in the United States and the European Union’ (1997) 4(2) Journal of European Public Policy 276 CrossRefGoogle Scholar, p 279.

²⁴ European Commission v Federal Republic of Germany, C-518/07, EU:C:2010:125.

²⁵ Ibid, para 15.

²⁶ Ibid, para 16.

²⁷ Opinion of AG Mazák in European Commission v Federal Republic of Germany, C-518/07, EU:C:2009:694, para 22.

²⁸ Ibid, para 24.

²⁹ Ibid, para 30.

³⁰ Ibid, paras 31–35.

³¹ See note 24 above, para 19.

³² Ibid.

³³ Ibid, para 36.

³⁴ European Commission v Republic of Austria, Case C-614/10, EU:C:2012:631.

³⁵ Ibid, para 43.

³⁶ Ibid, para 48.

³⁷ In an editorial, Kuner et al suggest that it is necessary to consider ‘the complete legal and political structure of a country before determining whether its data protection regulator is independent’ as in some countries a supervisory authority will have more ‘clout’ if situated within rather than outside a government ministry. Kuner, C et al, ‘The Intricacies of Independence’ (2012) 2(1) International Data Privacy Law 1 CrossRefGoogle Scholar, p 1.

³⁸ Commission v Hungary, C-288/12, EU:C:2014:237.

³⁹ See note 24 above, para 35.

⁴⁰ P Schütz, ‘Comparing Formal Independence of Data Protection Authorities in Selected EU Member States’, Conference paper for the 4^th Biennial ECPR Standing Group for Regulatory Governance Conference 2012, p 13. See also, Szydło, M, ‘Principles Underlying Independence of National Data Protection Authorities: Commission v. Austria’ (2013) 50(6) Common Market Law Review 1809 Google Scholar, p 1819.

⁴¹ Maximillian Schrems v Data Protection Commissioner, C-362/14, EU:C:2015:650, para 41. See also note 24 above, para 25; note 34 above, para 48.

⁴² See note 40 above, p 1822.

⁴³ Curtin, D, ‘Holding (Quasi-)Autonomous EU Administrative Actors to Public Account’ (2007) 13(4) European Law Journal 523 CrossRefGoogle Scholar, p 525. See Schütz note 40 above, p 4.

⁴⁴ Balthasar, A, ‘“Complete Independence” of National Data Protection Supervisory Authorities – Second Try’ (2013) 9(3) Utrecht Law Review 26 CrossRefGoogle Scholar, p 34.

⁴⁵ Zemánek, J, ‘Case C-518/07, European Commission v. Federal Republic of Germany, Judgment of the Court of Justice (Grand Chamber) of 9 March 2010 ECR I-1885’ (2012) Common Market Law Review 1755 Google Scholar, p 1767.

⁴⁶ Hijmans, H, The EU as a Constitutional Guardian of Internet Privacy and Data Protection (2016) PhD thesis, University of Amsterdam, p 287 Google Scholar. http://hdl.handle.net/11245/2.169421

⁴⁷ See note 41 above, para 57.

⁴⁸ Foto-Frost v Hauptzollamt Lübeck-Ost, C-314/85, EU:C:1987:452.

⁴⁹ See note 37 above, p 1.

⁵⁰ See note 24 above, para 28.

⁵¹ See note 40 above, p 1818.

⁵² See note 24 above, para 32.

⁵³ See note 45 above.

⁵⁴ In Commission v Germany (see note 24 above, para 28) the Court held that the Regulation governing data processing by the EU Institutions and the Data Protection Directive must be interpreted homogenously as they are based on ‘the same general concept’. The Regulation governing data processing by the EU institutions provides the EDPS with a separate budget under the general budget of the EU. See note 34 above, para 58.

⁵⁵ See note 34 above, para 36; para 29.

⁵⁶ Schütz, suggests that if supervisory authority officials continue their careers later on in the civil service this may be ‘highly problematic in terms of the staffs’ de facto commitment, orientation and willingness to comply’. See note 40 above, p 14.

⁵⁷ A notable exception is the UK’s Information Commissioner’s Office (ICO) which is funded through annual notification fees received from data controllers. https://ico.org.uk/about-the-ico/our-information/income-and-expenditure/

⁵⁸ Edwards, E, ‘Independence of Data Protection Commissioner questioned’ (Irish Times, 28 January 2016)Google Scholar. http://www.irishtimes.com/business/technology/independence-of-data-protection-commissioner-questioned-1.2513682

⁵⁹ See note 37 above, p 1.

⁶⁰ Request for a preliminary ruling from the Raad van State (Netherlands), lodged on 24 April 2015 (Case C-192/15) [2015] OJ C236/26.

⁶¹ T. D. Rease and P. Wullems v College bescherming persoonsgegevens, C-192/15, EU:C:2015:861.

⁶² ICO, ‘How we deal with complaints and concerns: a guide for data controllers’, 1 April 2014. https://ico.org.uk/media/for-organisations/documents/1561/how-we-deal-with-complaints-and-concerns-a-guide-for-data-controllers.pdf

⁶³ Logue, F, ‘Data protection chief must not distance herself from complainants’ (Irish Times, 9 August 2016)Google Scholar. http://www.irishtimes.com/business/technology/data-protection-chief-must-not-distance-herself-from-complainants-1.2750669

⁶⁴ Ibid.

⁶⁵ Art 29 Data Protection Working Party, ‘Statement on the Role of a Risk-based Approach in Data Protection Legal Frameworks’, adopted on 30 May 2014 (WP218), p 3. See Digital Rights Ireland, note 6 above, para 33.

⁶⁶ See note 1 above, rec 131.

⁶⁷ See Szydło, note 40 above, p 1825.

⁶⁸ See note 45 above, p 1762.

⁶⁹ Ibid above, p 1755.

⁷⁰ See note 44 above, p 28 fn 9.

⁷¹ Bauman, Z and Lyon, D, Liquid Surveillance: A Conversation (Wiley, 2012)Google Scholar.

⁷² See note 38 above, para 39.

⁷³ Ibid, para 40.

⁷⁴ See Szydło, note 40 above, p 1818.

⁷⁵ See note 44 above, p 29.

⁷⁶ Ibid, p 31.

⁷⁷ See note 41 above, para 40.

⁷⁸ See note 44 above, p 38.

⁷⁹ See note 1 above, Art 28(1).

⁸⁰ Art 41, Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data [2001] OJ L8/1.

⁸¹ See note 1 above, Art 29(1).

⁸² Giurgiu, A and Larsen, TA, ‘Roles and Powers of National Data Protection Authorities’ 2016 (3) European Data Protection Law Review 342 CrossRefGoogle Scholar, p 344.

⁸³ Art 29 Data Protection Working Party, Letter to Google Inc CEO Larry Page, 2 February 2012, Ref. Ares (2012)123126-02/02/2012. http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2012/20120202_letter_google_privacy_policy_en.pdf

⁸⁴ Letter from CNIL President Isabel Falque-Pierrotin to Google Inc CEO Larry Page, 27 February 2012. http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2012/20120227_letter_cnil_google_privacy_policy_en.pdf

⁸⁵ Art 29 Data Protection Working Party, Letter to Google Inc CEO Larry Page, 16 October 2012. http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2012/20121016_letter_to_google_en.pdf

⁸⁶ See note 1 above, Arts 10 and 11.

⁸⁷ Ibid Art 6(b). According to this principle, data must be collected for specific purposes and cannot be processed for other incompatible purposes.

⁸⁸ Art 29 Data Protection Working Party, Appendix: Google Privacy Policy: Main Findings and Recommendations. http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2012/20121016_google_privacy_policy_recommendations_cnil_en.pdf

⁸⁹ For instance, the ICO informed Google that the changes did not comply with the UK Data Protection Act 1998 and Google therefore implemented changes in two stages, while in dialogue with the ICO, to conform to the UK law. ICO, ‘Google to change privacy policy after ICO investigation’, 30 January 2015. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/01/google-to-change-privacy-policy-after-ico-investigation/

⁹⁰ Art 29 Data Protection Working Party, Letter to Google Inc CEO Larry Page, 23 September 2014, Ref. Ares(2014)3113072 - 23/09/2014. http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2014/20140923_letter_on_google_privacy_policy.pdf

⁹¹ For a timeline of the Google investigation see note 89 above.

⁹² ASNEF, C-468/10, EU:C:2011:777, para 29.

⁹³ See note 84 above.

⁹⁴ The criteria for direct effect (Van Gend en Loos v Administratie der Belastingen, C-26/62, EU:C:1963:1) – that a text is clear, precise and unconditional – are ostensibly difficult to satisfy for the open-textured principles set out in the Directive. However, the Court has recognised the direct effect of vaguely worded provisions of the Directive (Art 6(1)(c) and Art 7(c) and (e)) in Österreichischer Rundfunk and Others, C-465/00, EU:C:2003:294, para 101.

⁹⁵ See note 1 above, Art 4(1)(a); Art 28(1).

⁹⁶ Svantesson, D, ‘Article 4(1)(a) “establishment of the controller” in EU data privacy law – time to rein in this expanding concept’ (2016) 6(3) International Data Privacy Law CrossRefGoogle Scholar, doi: 10.1093/idpl/ipw013 [first published online 10 August 2016]. Svantesson notes in regard to Article 4 that ‘[n]o one seems to have been quite certain as to exactly what the role of that Article is and how it relates to other provisions; especially how it relates to Article 28 dealing with jurisdiction’.

⁹⁷ See http://europe-v-facebook.org/EN/en.html and http://europe-v-facebook.org/EN/Complaints/complaints.html

⁹⁸ Data Protection Commissioner, ‘Report of Audit – Facebook Ireland Ltd’, 21 December 2011. https://www.dataprotection.ie/documents/facebook%20report/final%20report/report.pdf. No documentation on the latter point is available on the website of the Irish Data Protection Commissioner.

⁹⁹ Essers, L, ‘EU data protection authorities get serious about Facebook’s privacy policy’ (PCWorld, 4 February 2015)Google Scholar. http://www.pcworld.com/article/2879872/eu-data-protection-authorities-get-serious-about-facebooks-privacy-policy.html

¹⁰⁰ SPION and Emsoc, ‘From social media service to advertising network: A critical analysis of Facebook’s revised policies and terms’, 25 August 2015.

¹⁰¹ Commission de la Protection de la Vie Privée, Recommandation n° 04/2015 du 13 mai 2015.

¹⁰² Ibid, paras 25–31.

¹⁰³ Ibid, paras 32–35.

¹⁰⁴ Google Spain SL and Google Inc v Agencia Española de Protección de Datos and Mario Costeja González, C-131/12, EU:C:2014: 317, para 60.

¹⁰⁵ Fioretti, J, ‘Facebook wins privacy case against Belgian data protection authority’ (Reuters, 29 June 2016)Google Scholar. http://uk.reuters.com/article/us-facebook-belgium-idUKKCN0ZF1VV

¹⁰⁶ For instance, in its 2014 investigation of the legality of Facebook’s psychological study of users without consent, the ICO stated that it planned to liaise with the Irish Data Protection Commissioner on the matter. K Fiveash, ‘British and European data cops probe Facebook user-manipulation scandal’ (The Register, 1 July 2014). The ICO has also previously stated that it recognises ‘the role of the Irish data protection authority in ensuring Facebook comply with European data protection rules’.

¹⁰⁷ Graham, N and Bentham, J, ‘The slow death of EU forum shopping’ (Lexology, 7 August 2015)Google Scholar. http://www.lexology.com/library/detail.aspx?g=97b1f899-9acf-417a-ba93-2652b6d10cfa

¹⁰⁸ Wirtschaftsakademie Schleswig-Holstein, C-210/16, [2016] OJ C260/18 (pending).

¹⁰⁹ Weltimmo, C-230/14, EU:C:2015:639.

¹¹⁰ Ibid, para 24.

¹¹¹ Ibid, para 28.

¹¹² Ibid, paras 31 and 32.

¹¹³ Ibid, para 57.

¹¹⁴ Verein für Konsumenteninformation v Amazon EU Sàrl, C-191/15, EU:C:2016:612.

¹¹⁵ Ibid, paras 75–78.

¹¹⁶ Ibid, para 81.

¹¹⁷ Opinion of AG Saugmandsgaard Øe in Verein für Konsumenteninformation v Amazon EU Sàrl, C-191/15, EU:C:2016:388.

¹¹⁸ Ibid, para 110.

¹¹⁹ Ibid, para 109.

¹²⁰ Ibid, para 112.

¹²¹ Ibid, para 124.

¹²² Ibid, para 125.

¹²³ See note 96, p 10.

¹²⁴ Szydło, note 40 above, p 1820.

¹²⁵ Regulation (EU) 2016/679, note 7 above, Art 52.

¹²⁶ Ibid, Art 55(2).

¹²⁷ Ibid, Art 56(3); Art 56(2).

¹²⁸ Ibid, Art 51(2).

¹²⁹ Ibid, Art 56(1).

¹³⁰ Ibid, Art 56(6).

¹³¹ Ibid, Art 60(2).

¹³² Ibid, Art 60(3).

¹³³ Ibid, Art 56(4).

¹³⁴ Ibid, Art 60(4).

¹³⁵ Ibid, Art 63.

¹³⁶ Ibid, Art 68; Art 68(3).

¹³⁷ Ibid, Art 65(1)(a).

¹³⁸ Ibid, Art 65(1)(b); Art 65(1)(c).

¹³⁹ Ibid, Art 65(2).

¹⁴⁰ Ibid, Art 65(2).

¹⁴¹ Ibid, Art 65(6).

¹⁴² Ibid, Art 65(6). It must also specify that the EDPB’s decision will be published on the EDPB website (Art 65(6)).

¹⁴³ Ibid, Art 77(2). The supervisory authority with which a complaint has been lodged shall inform the complainant of the progress and outcome of a complaint.

¹⁴⁴ Ibid, Arts 60(8) and (9).

¹⁴⁵ Ibid, Art 57(1)(a); Art 58(2)(i).

¹⁴⁶ Ibid, Art 83.

¹⁴⁷ Ibid, Art 78(1).

¹⁴⁸ Ibid, Art 78(4).

¹⁴⁹ Art 258 TFEU.

¹⁵⁰ Art 267 TFEU.

¹⁵¹ Art 29 Data Protection Working Party, ‘Opinion 01/2012 on the data protection reform proposals’, WP 191, 23 March 2012, p 20.

¹⁵² See note 9 above, CMA38, p 386.

¹⁵³ See Szydło, note 40 above, p 1815.

¹⁵⁴ Ibid, p 1816.

¹⁵⁵ See Commission v Germany, note 24 above, para 25.

¹⁵⁶ See note 45 above, p 1766.

¹⁵⁷ See note 104 above, paras 30, 34, 38, 53, 58 and 84.

¹⁵⁸ See note 24 above, paras 53 and 54.

¹⁵⁹ Ibid, para 55.

¹⁶⁰ See note 44 above, p 33.

¹⁶¹ Chiti, E, ‘An Important Part of the EU’s Institutional Machinery: Features, Problems and Perspectives of European Agencies’ (2009) 46 Common Market Law Review 1395 Google Scholar, p 1410.

¹⁶² Protocol (No 2) on the Application of the Principles of Subsidiarity and Proportionality [2004] OJ C310/07.

¹⁶³ European Commission, ‘Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)’ COM(2012) 11 final, Art 60(1); Art 62(1)(a).

¹⁶⁴ Namely, the German Upper House, the Belgian House of Representatives, the French Senate, and the Italian Chamber of Deputies.

¹⁶⁵ Busuioc suggests that European agencies which are largely composed of Member State representatives are ‘problematic in terms of possible risks of paralysis and conflict’ and ‘creates the potential for tremendous conflicts of interests’. Busuioc, M, ‘Rule-Making by the European Financial Supervisory Authorities: Walking a Tight Rope’ (2013) 19(1) European Law Journal 111 CrossRefGoogle Scholar, p 120; fn 44.

¹⁶⁶ Ibid, p 121.

¹⁶⁷ Moloney, N, ‘Institutional Governance and Capital Markets Union: Incrementalism or “Big Bang”’ (2016) 13(2) European Company and Financial Law Review 376 CrossRefGoogle Scholar, p 384.

¹⁶⁸ See note 23 above, p 283.

¹⁶⁹ See note 45 above, p 1767.

¹⁷⁰ For instance, the purpose of the ‘European Union Agency for Fundamental Rights’ is to ‘provide the relevant institutions, bodies, offices and agencies of the Community and its Member States when implementing Community law with assistance and expertise relating to fundamental rights in order to support them when they take measures or formulate courses of action within their respective spheres of competence to fully respect fundamental rights’. Council Regulation (EC) No 168/2007 of 15 February 2007 establishing a European Union Agency for Fundamental Rights’ [2007] OJ L53/1. The Agency thus ‘follows the model of a European information and coordination agency’. Hinarejos, A, ‘A Missed Opportunity: the Fundamental Rights Agency and the Euro Area Crisis’ (2016) 22(1) European Law Journal 61 CrossRefGoogle Scholar, p 63.

¹⁷¹ Busuioc, M, European Agencies: Law and Practices of Accountability (Oxford University Press, 2013), p 21 CrossRefGoogle Scholar (emphasis removed).

¹⁷² Ibid, p 14.

¹⁷³ See further: https://europa.eu/european-union/about-eu/agencies_en

¹⁷⁴ See Schütz, note 40 above, p 2.

¹⁷⁵ See note 171 above, p 38.

¹⁷⁶ For instance, Maloney, notes that the use of Art 114 TFEU as a legal basis for the ESAs is a ‘somewhat shaky competence for a radical institutional reform’; Maloney, N, ‘The European Securities and Markets Authority and Institutional Design for the EU Financial Market – A Tale of Two Competences: Part (1) Rule-Making’ (2011) 12(1) European Business Organisation Law Review 41 CrossRefGoogle Scholar, p 49.

¹⁷⁷ Meroni, C559/14, EU:C:2016:349. Busuioc argues that the financial supervisory authorities’ rule-making powers ‘stretch the boundaries of the legal doctrine to the maximum’. See note 165 above, p 114.

¹⁷⁸ See note 161 above, p 1421 and the references cited in fn 74.

¹⁷⁹ See note 171 above, p 19.

¹⁸⁰ As Curtin suggests, the ‘necessity to bring expertise into the public policy process, or to ensure its credibility, features prominently in the motivations attributed to those who promoted this new trend [of decentralised agencies] in Europe’. See note 43 above, p 527.

¹⁸¹ Romano, C-98/80, EU:C:1981:104, para 20.

¹⁸² United Kingdom v Parliament and Council (‘Short Selling’), C-270/12, EU:C:2014:18.

¹⁸³ Ibid, paras 64 and 65.

¹⁸⁴ See note 43 above, p 527.

¹⁸⁵ See note 171 above, pp 14–15.

¹⁸⁶ See note 165 above, p 112.

¹⁸⁷ See note 161 above, p 1398.

¹⁸⁸ Ibid, pp 1399–1400.

¹⁸⁹ See Regulation (EU) 2016/679, note 7 above, Art 65(1)(b); Art 65(1)(a).

¹⁹⁰ Ibid, Art 64(2).

¹⁹¹ Ibid, Art 64(3).

¹⁹² Ibid, Art 64(8); Art 65(1)(c).

¹⁹³ Ibid, Art 70(1)(e). It can also issue guidelines, recommendations and best practice in a number of other situations (see Art 70(1)(d),(f),(g),(h),(i),(j) and (m)).

¹⁹⁴ Chiti, for instance, states that even the instrumental powers conferred on EU agencies may be less notable than those granted to other EU administrations but not necessarily less relevant. See note 161 above, p 1405.

¹⁹⁵ See note 23 above, p 284.

¹⁹⁶ Florio, M, Network Industries and Social Welfare: The Experiment that Reshuffled European Utilities (Oxford University Press, 2013), p 351 CrossRefGoogle Scholar. Similarly, Shapiro notes that ‘activities which in the abstract and/or most of the time are perceived as non-discretionary, managerial and technical will be reconstituted in the public perception as discretionary and political when they produce results that are significant to public policy choices or to the clash of political interests’; see note 23 above, p 284.

¹⁹⁷ Ibid (Florio), p 351.

¹⁹⁸ See note 40 above, p 1824.

¹⁹⁹ See note 40 above, p 1826.

²⁰⁰ See note 24 above, para 23; note 23 above, para 37.

²⁰¹ Principles relating to the Status of National Institutions (the Paris Principles), adopted by General Assembly resolution 48/134 of 20 December 1993. U.N.Doc. A/RES/48/134. http://www.ohchr.org/EN/ProfessionalInterest/Pages/StatusOfNationalInstitutions.aspx

²⁰² See note 170 above, pp 63–64.

²⁰³ See note 171 above, p 2.

²⁰⁴ See note 43 above, pp 528–529. Curtin identifies three problems in employing the principal-agent model of delegation to EU level agencies, including that ‘the tasks being “delegated” may be those of the Member States, not of the formal principals’.

²⁰⁵ Dehousse, R, ‘Misfits: EU Law and Transformation of European Governance’ in C Joerges and R Dehousse (eds), Good Governance in Europe’s Integrated Market (Oxford University Press, 2002) 207 CrossRefGoogle Scholar, p 221.

²⁰⁶ See Regulation (EU) 2016/679, note 7 above, Art 69(1); Art 69(2).

²⁰⁷ See note 24 above, para 40.

²⁰⁸ Ibid, para 42.

²⁰⁹ See note 37 above, p 1.

²¹⁰ See Regulation (EU) 2016/679, note 7 above, Art 71(1).

²¹¹ Ibid, Art 71(2).

²¹² Ibid, Art 68(5).

²¹³ Zemánek queried, prior to the enactment of the GDPR, whether the independence of supervisory authorities provided an illustration of this tendency; see note 45 above, p 1762. Curtin suggests that ‘integrated administration’ encompasses ‘both European and national levels with now no rigid separation between these levels’; see note 43 above, p 523.