Consistency and cross-border cooperation under the General Data Protection Regulation have been highlighted as the biggest improvement to data protection law in the EU. But the so-called “one-stop-shop” is not as straightforward as it first appears.
Article 77 deals with the options for a data subject to file a complaint before a data protection authority or supervisory authority, and, in most cases, a data subject will file a case in their home jurisdiction. However, given the international nature of companies, in practice, this means that most complaints will be cross-border.
But that can be problematic for the complainant when it comes to understanding how a case has been decided.
Take for example the NOYB (None of Your Business, a digital rights organization co-founded by Max Schrems) complaint filed against Instagram in Belgium in May 2018. Facebook, which owns Instagram, claims Ireland as its main establishment in the EU, which makes the Irish DPA the lead supervisory authority.
The Belgian and Irish DPAs will now have to cooperate under Articles 60 to 67 of the GDPR. If the complaint is fully upheld, the legally binding decision is issued by the Irish data protection authority under Irish law; the DPA of the complainant would only send an “information” notice to the complainant. The appeal would then lie within the Irish administrative system under Article 78 of the GDPR.
However, if the complaint is turned down, the legally binding decision is issued by the Belgian data protection authority under Belgian law. The lead authority in Ireland would at that point only send information to the controller, not to the complainant. The appeal would then lie within the Belgian administrative system under Article 78 of the GDPR.
In essence, the formal decision and the appeal always lie within the country of the losing party. Only if the data protection authorities do not agree on a decision will the issue go to the European Data Protection Board.
However, as Isabelle Vereecken, head of the Secretariat of the European Data Protection Board, explained at the recent CPDP conference in Brussels, the EDPB does much more behind the scenes in ensuring cooperation.
“I have often heard that cooperation maybe does not work well in practice, but in my opinion, this is not true. The key role of the EDPB is to ensure consistent application of the GDPR. The GDPR is one law applicable to all, but it's really important that the business and the individual understand it in the same manner, and also that the supervisory authorities are applying it in the same manner in the different member states,” Vereecken said.
“There are two ways the European Data Protection Board can provide consistency, two main avenues: First the guidelines, and secondly the consistency activities,” she added.
The guidelines developed by the European Data Protection Board — and before that by its predecessor, the Article 29 Working Party — on transparency, consent of data subjects, data portability and so on, are well known.
Vereecken notes that “those guidelines are not only applied by the businesses, by the actors, the stakeholders, but also by the supervisory authorities in their own decisions. And since May 2018, the European Data Protection Board has also adopted four additional guidelines on certification, accreditation and territorial scope, all to help everybody to understand the GDPR in the same manner.”
She added that it is down to DPAs to enforce the European law, whether it is a national case or a cross-border case.
“There are different ways for them to cooperate in doing this job,” she said. “For instance, there are mutual assistance requests. These are bilateral communications between supervisory authorities, where there is a request for country information on legislation or there is some fact to find. There is also a possibility to make a joint operation. So supervisory authorities will make an on-the-spot investigation together in one member state. And there is also the one-stop shop.”
For the cross-border procedure, which applies when a controller or processor has establishments in different member states, or when data subjects in more than one member state are affected, there will be a lead supervisory authority.
“It's important to underline that the lead does not have the unique, exclusive competence. In fact, it's a cooperation, it's a communication between the different DPAs. They have to endeavor to seek consensus in this procedure and so the lead supervisory authority produces a draft decision, which is shared with the others, who have the possibility to comment and react to it,” Vereecken explained.
She added that while a lot of the private sector was complaining about the amount of work needed to be ready for the GDPR, the EDPB also had a huge amount of preparation to do.
“We knew that there would be a huge amount of communication between the supervisory authorities and that there was a need for secured and standardized communication,” she said. “So this is where the EDPB secretariat really intervened. We in fact invested in creating this communication system.”
The IT system used by the EDPB is based on the European Commission’s internal market information system. “It has also been used in many other areas of law and has been extended for the GDPR. We created the system in less than six months, and there are more than 10,000 fields, so it was a huge amount of work. But it is really, really used. There have been more than 1,000 communications between the DPAs,” Vereecken said.
Currently, there are more than 270 cooperation cases in the register on the basis of which a DPA can create a mutual assistance request, make a request for a joint investigation, or launch a one-stop-shop procedure.
It is crucially important to establish who is the lead authority early on, Vereecken explained. “It's really important that you don't start drafting an opinion and then realize that you were not the lead authority. This is why there is a need for legal certainty through this communication system on the mutual assistance and supervisory authority. I also want to break a little bit the idea that cooperation will be led only by big supervisory authorities, or that it's only about the big cases. I know that the GAFA is raising a lot of attention, but in practice there is a lot of business and there are a lot of activities in data protection by many, many actors, so it is not only a few DPAs that are acting.”
The figures back her up. Since May 2018, there have been more than 400 mutual assistance procedures involving 17 member states, and 95 percent of those requests have been answered within the legal framework and the legally prescribed time limits. With just three months to go before taking stock of the first year of GDPR cooperation under the EDPB, hitting those targets is more important than ever.