As the EU General Data Protection Regulation celebrates its fourth anniversary since going into effect May 25, 2018, enforcement of the world's most comprehensive data protection regulation is still evolving.
No doubt, data protection authorities in the EU have been busy during the last four years. European Data Protection Board Chair Andrea Jelinek, who also serves as head of Austria's DPA, recently noted the EDPB has "invested a great deal of resources in the interpretation and consistent application of the GDPR," while issuing 58 guidelines, six recommendations, and DPAs have levied approximately $1.55 billion euros in fines by the end of last year.
And though more than billion euros in fines along with dozens of guidelines is nothing to balk at, criticism of GDPR enforcement has taken several forms in recent years, from concerns that some member states are slow to act on Big Tech companies headquartered in their nations to questions about whether the one-stop-shop mechanism is working effectively and efficiently. As with many other DPAs around the world, staff and financial resourcing often poses challenges to comprehensive and swift enforcement. Plus, in the EU, coordinating 27 different member states with a varying set of national laws and priorities may be the regulatory version of trying to herd cats.
To that end, EDPB members met in Vienna, Austria, last month to forge closer cooperation on strategic cases and increase the methods available to DPAs for enhancing enforcement. The initial result from the two-day meeting was a statement on enforcement cooperation, in which authorities "will collectively identify cross border cases of strategic importance in different Member States on a regular basis, for which cooperation will be prioritised and supported by EDPB."
In a lengthy discussion with The Privacy Advisor, EDPB Head of the Secretariat Isabelle Vereecken and Head of Activity for Enforcement Support and Coordination Gwendal Le Grand detailed the EDPB's moves to improve strategic enforcement of the GDPR in the EU. Vereecken said the Vienna meeting was intended to "dedicate fully our attention on improving cooperation on enforcement strategy."
The main takeaway for privacy pros? "It's an assurance," Le Grand said, "that regardless of where you are in the EU, you're going to be approached and addressed in the same way by all the authorities."
New phases of cooperation
The April 29 statement is part of a series of moves from the EDPB to improve its strategic enforcement cooperation. The EDPB first published a document on its Coordinated Enforcement Framework in October 2020, with an update last October. The EDPB also hired Le Grand, who previously worked on enforcement at the Commission nationale de l'informatique et des libertés — France's DPA — to lead enforcement support and coordination for the EDPB in October 2021.
In February 2022, the EDPB issued a call for experts — what it refers to as the "support pool of experts" — to assist DPAs in areas such as IT auditing, website security, mobile operating systems and apps, the Internet of Things, cloud computing, behavioral advertising, anonymization techniques, cryptography, artificial intelligence, user experience design, financial technology, data science and digital law.
The EDPB adopted Guidelines on Article 60 GDPR in March. According to an EDPB press release, "The guidelines provide a detailed description of the GDPR cooperation between (DPAs) and aim to further increase the consistent application of the legal provisions relating to the one-stop-shop mechanism."
And by May, the EDPB adoptedGuidelines on the calculation of administrative fines under the GDPR, which harmonizes the methodology data protection authorities use.
Vereecken explained that after a couple years of experience, DPAs realized that "what was provided strictly in the GDPR in matters of cooperation" — for example, issuing draft decisions or making comments — was perhaps "not comprehensive enough." Rather, the DPAs found that a comprehensive exchange of information from the beginning would be more successful and provide quicker results.
Le Grand said that indeed there has been a lot of media attention on certain companies and member states that are lead supervisory authorities, "but really the work that is being done here by the EDPB is to focus on cases of strategic importance. So it is not just when a big U.S. company is the controller," it can be cases for which a novel and important data protection issue emerges that will have implementation consequences across member states; a case that affects many citizens; a structural problem across member states; or a case related to the "intersection of data protection with other legal fields."
For such issues that have a lot impact, Le Grand said the EDPB aims to ensure the approach is consistent among DPAs, regardless of which authority is leading an investigation. He also said sharing the workload among DPAs will be important and that setting a concrete timeline to ensure progress is swift on those investigations. "It's also important," he said, "to give visibility to the authorities, to the companies, and to the citizens who file complaints on how this progress is going to be made."
"The idea," Le Grand said, "is really to ensure that you have efficient cooperation on those cases so that you tackle all the important issues up front and process the case in a swifter way and it's probably less likely that other authorities will raise objections once the draft decision has been tabled. Really, it's about making sure that these cases that are identified are prioritized and there is good cooperation that is being implemented."
Cooperative methods
To help with information sharing and consensus building, DPAs will "place a particular emphasis on early and sustained sharing of all relevant information" and groups of DPAs may join forces or create an EDPB Task Force.
Relatedly, the EDPB announced it will leverage all instruments provided for by the GDPR. This includes Article 62 joint investigations. However, to promote more efficiency, DPAs agreed in Vienna that joint investigations will be "carried out by a limited number of DPAs." Vereecken said that joint investigations had required an invitation to all the DPAs, which makes moving forward complex to manage. "We wanted to have an open and frank conversation that says 'okay, you can do this with few numbers of (DPAs) and go for it and no one will take it badly" in order to make it more efficient and agile.
The EDPB will also "streamline the use of Article 65 dispute resolution mechanism and Article 66 urgency procedures by DPAs," according to the April 29 statement.
Enforcement harmonization at the national and EU levels
The EDPB aims to better harmonize national enforcement priorities among member states at the EU level. Le Grand said that often national authorities know what their inspection and enforcement priorities will be for the year to come. "For the moment," Le Grand said, "this is not sufficiently harmonized," that "there is not enough exchange of information across the member states." He said this means that member state priorities are defined independently and the preparation of the inspection of those priorities is not shared.
Le Grand used cloud computing in the public sector as an example, as it's been identified as a priority for the EDPB under the first Coordinated Enforcement Framework. He said DPAs interested in the topic gathered together, shared material and experience on the topic, and the types of questions asked in an investigation. "The good thing with this," he said, "is you are sharing experience among (DPAs) on what the important questions are and how you need to ask the questions. This means the approach is consistent among member states, that the same questions are being asked and the same things are being identified and investigated across the member states. It creates a level playing field for the quality of investigations."
Instruments for inspection and the pool of experts
In addition to a more open, transparent and communicative approach to enforcement, the EDPB aims to promote the sharing of DPA-developed tools and technology to assist other DPAs in their investigations. When DPAs prioritize a topic, for example, the idea is to have a complete tool box or a sort of "resource center" with common standards available for DPAs. Technological tools can be part of it so that DPAs do not have to reinvent the wheel when initiating an investigation. Included among this would be standardized templates for data subject complaints, for example, but these would be used on a voluntary basis for DPAs.
Vereecken and Le Grand said national authorities may have already developed tools, templates, manuals, questionnaires or other helpful items used in specific fields in past investigations. The goal is to ensure that those potentially helpful items are shared across the EDPB so DPAs do not have to start their investigations from scratch. DPAs can then enhance a preexisting tool and share those as well. For its part, the EDPB will facilitate the sharing and, if needed, the translation of the resources.
Similarly, Vereecken said the EDPB will help DPAs pool and share experts working at one authority when there is the possibility that expert can assist another DPA. If a DPA needs an external expert, the EDPB will help locate and potentially finance one.
"With these initiatives," Le Grand said, "the idea is to build common content, resources and tools for investigations to assist DPAs when needed." This can include exchanging personnel among member states from the EDPB's pool of experts to help assist with specific tasks (in fields like cryptography, targeted advertising, and so on).
Le Grand said when the EDPB initiated its call for experts, a huge number applied from several backgrounds. He said these experts act in their personal capacity and that the EDPB is not going to consulting firms for said experts. However, he pointed out that the priority for external experts is to help develop tools in specific fields of expertise that would assist in the investigation, but not to help conduct the actual investigation. This expert would then work under the lead SA in the case.
Budgeting, resources amid increased activity
High-profile hires like Le Grand to help the EDPB with its enforcement coordination efforts is part of the agency's attempts to confront the rapidly increased activity it's experiencing. Vereecken, who helps steer the agency's budget, is working on the 2023 budget, a complicated process of predicting future needs and conflicts in a world with emerging technology, a global pandemic and geopolitical issues like Russia's invasion of Ukraine.
Le Grand said, "there is more and more work that has to be done at the EDPB level. It's also a consequence of the ramping up of enforcement at the national level." He said fines adopted at the national level in 2021 totaled more than 5.5 times the fines collected in the whole previous history of the GDPR. Add to that the high-profile cases that are sensitive are the ones that likely need the EDPB to trigger the dispute resolution mechanism and may be challenged in the courts. There is more access-to-document requests each time a decision is made, Le Grand said. These take lots of resources to answer in time. "All the indicators at the Secretariat level are increasing very fast and we need to adapt our methods on the one hand, and we need more resources because there are limits to what you can do to adapt your own methods."
To further illustrate the increased activity at the EDPB, Le Grand said there was nearly 400 meetings in 2021 at both the plenary and sub-group level, "and I'm not talking about working on a complaint at a bilateral basis." This is an increase of 45% over what was seen by the EDPB in 2020. This shows "there is indeed a need to be even more efficient," he said.
Though much media focus has been on U.S. companies, Vereecken said a high portion of the EU economy is based on small- to medium-sized companies. SMEs are all processing data and receiving a lot of complaints, as well. She said there are 947 one stop shop procedures, out of which 354 have been decided. Vereecken said that the EDPB decided to make as much of this information on the EDPB's website as possible because the decisions have a lot of "interesting elements" that serve as a sort of case law. "There is very concrete elements there that can be interesting for a data protection officer," she said.
Legislative changes needed?
Le Grand specifically pointed out that the procedural aspects need to be harmonized in EU law to increase the impact of GDPR cooperation. "I think what the heads of authorities said in Vienna is that perhaps there is room for further harmonization of some procedural aspects within the legislation and with respect to that there will be some thought given to this approach. What we've seen with four years experience enforcing the GDPR is that sometimes the rules for all the procedural aspects could be further streamlined or specified in some cases. That is part of the technical response to better enforcement of GDPR."
Vereecken said there could be some legislative changes needed in order to facilitate this harmonization. She said they are collecting in a more structural way the elements that could be adapted to further harmonize at the EU level so the EDPB can make a formal request to the European Commission. The idea, she said, is not to change the GDPR but to have parallel legislation.
GDPR enforcement and the Digital Market Strategy
To further complicate the regulatory ecosystem in the region, the EU is quickly approving new regulations as part of its ambitious Digital Market Strategy. Regulations like the Digital Governance Act, Digital Markets Act, Digital Services Act are all rapidly advancing together with their own enforcement frameworks.
So how will this fit in with GDPR enforcement?
Vereecken said they want to "ensure the level of protection for citizens is not affected by other digital market strategy laws." Cooperation among new enforcement authorities will be key, she added. For Le Grand, "it's about making sure the governance of all these systems are consistent and that when the DPAs are not competent in there and there may be processing of personal data, making sure the discussion with the DPA is well framed and organized."
Photo by Christian Lue on Unsplash