Stakeholders within the EU data protection landscape are juggling many important issues these days, including those pertaining to cross-border enforcement of the EU General Data Protection Regulation. There is confusion aplenty regarding one-stop shop's effectiveness due to jurisdictional questions brought forward by precedent-setting fines and an opinion from the EU's highest court, while a clear difference of opinion remains between EU data protection authorities on enforcement strategies in one-stop-shop cases.
With few consensuses or viable solutions presented at this point, key players in the one-stop-shop debate came together on a panel during the IAPP's Global Privacy Summit Online 2021 to trade views on potential next steps toward a resolution.
"No doubt there are aspects that simply aren't working, and (there is) lots of unhappiness," Irish Data Protection Commissioner Helen Dixon said in a conversation with European Data Protection Supervisor Wojciech Wiewiórowski and European Commission Deputy Head of Unit for Data Protection Karolina Mojzesowicz. "Not everyone did support (one-stop shop) from the outset, including the regulatory community. It's difficult to stand something so complex up when you've got the participants pulling against it."
Wiewiórowski admitted he was among those that initially doubted the GDPR and one-stop shop but has reached a point where he is prepared to defend the models and contribute to improving them. However, he indicated he has underestimated the problems associated with the system and isn't confident there will ever be support for one-size-fits-all decisions.
"I'm afraid that one-stop-shop binding decisions taken by the (European Data Protection Board) may become orphans in the end," Wiewiórowski said, noting a majority of authorities will not be happy to defend them if appealed in the national courts. "They will all say in the end that 'we would've done it better only if it was our own decision.'"
Dixon went further in pointing out how the operationalization of the one-stop-shop system has uncovered vulnerabilities, particularly with Article 60 procedures and the dispute-resolution mechanism under Article 65 of the GDPR. DPAs have been able to scrutinize the leniency or severity of a given decision through these procedures, which in many ways has opened the door for friction and the current divide hampering those DPAs in disagreement.
Dixon revealed the Irish DPC's long-awaited WhatsApp decision is under an Article 65 procedure and could take "potentially nine months" to finalize while also indicating fellow DPAs are preparing to submit big decisions to the Article 60 and 65 processes.
"If all of them go the path of the Twitter and WhatsApp decisions have gone so far, the EDPB is going to be under huge strain because the resource-intensiveness is considerable," Dixon said.
The lack of "a definitive way for companies to get sign-off" on which DPA is their lead supervisory authority has been another one-stop-shop issue, according to Dixon, who also mentioned confusion in understanding when "an LSA is not an LSA" under EDPB guidance. She suggested an easy path to clarity on LSAs without serious reform would be to create "objective criteria" for a company to follow in designating where it is headquartered, subsequently deciding its LSA.
Mojzesowicz, one of the commission's representatives in the interinstitutional negotiations with the Parliament and the European Council on GDPR, suggested reform lies within the current system. She said there are considerations "as valid today as they were when the (one-stop-shop) system was created," with the main focus of those considerations boiling down to unified enforcement based on DPA collaboration and understanding.
"Before we undo this delicate balance, let's ... think if we do really have a solution which would address the considerations in an equally embracing way," Mojzesowicz said. "We see a lack of use and deployment of the means provided for in the GDPR. ... I think some of the concerns mentioned here could be solved by better using and exploiting the tools. This requires some self-restraint and following the European spirit by everyone."
The concept of self-restraint might be one of the only solutions, if not the lone solution, aside from reform, according to Dixon, who admits all-out system reform "is not going to be the reality for some time."
"I think it's not necessarily constructive for DPAs to slogging out all points, and those without particular substance in a decision, and maintaining objections, pushing everything to Article 65," Dixon said. "Why are we making the cases that we say are very important through the one-stop shop so elongated with no clear endgame in mind and creating what I see as an unsustainability?"
Photo by Guillaume Périgois on Unsplash