The General Data Protection Regulation regulates cross-border processing of personal data. For many organizations, identifying their lead supervisory authority (LSA), the principal EU regulator responsible for enforcement of the GDPR in relation to cross-border processing, will be straightforward. For others, with data decision-makers in various parts of the EU, or with decision-making power regarding data located outside of the EU but processing data affecting individuals in multiple Member States, it will not be.
It is time to review and be deliberate in structuring data decision-making in Europe. For some organizations, there are choices to be made which will determine the regulators with responsibility for GDPR enforcement decisions. It is sensible to take these decisions now, consciously, and not when an enforcement issue arises. Despite statements that there is no opportunity to forum shop regarding a choice of LSA under the GDPR, sophisticated organizations are structuring their decision-making functions concerning data in a manner which reflects a preferred enforcement forum strategy.
The significance of the LSA
Where an alleged breach of the GDPR involves cross-border data processing, investigations will be led by an LSA. This is attractive to organizations facing data privacy issues, as they can liaise with just one regulator for one decision (and so deal with just one fine), despite the issue impacting data subjects in multiple Member States. Once an enforcement issue arises, the LSA must then cooperate with any concerned supervisory authorities in other Member States to attempt to achieve consensus (paying particular attention to the supervisory authority which received the original complaint, if it is not the LSA). In many cases the LSA’s decision will be accepted or a consensus reached. If a dispute arises between authorities, then the European Data Protection Board (EDPB), comprising the supervisory authorities from all EU Member States, will make the final, binding decision on the dispute based on a simple majority. This final EDPB decision is subject, of course, to a request for a validity ruling or an annulment ruling from the Court of Justice of the European Union.
On Oct. 3, 2017, the Article 29 Working Party adopted draft guidelines on issuing administrative fines. In the draft guidelines the degree of cooperation with supervisory authorities, the previous contacts with these authorities on previous infringements, and account taken of guidance are all considerations in the complex matrix of factors when determining fines.
While all supervisory authorities are equal under the GDPR, there will be organizational, technical, financing, structural and cultural differences between them. While it is difficult to assess and compare these differences today, as national laws creating and empowering GDPR regulators are still emerging, undoubtedly these differences will have an impact on the enforcement landscape.
More than one LSA?
For controllers and processors involved in processing data affecting individuals in multiple Member States, the LSA is the data regulator in the country in which the controller or processor has its “main establishment” for data processing purposes. However, caution is required, as fragmentation of decision-making power for different data processing activities will lead to a single organization having multiple LSAs for different data sets. A lack of clear lines, or split functions in relation to the same data set, may also result in disputes as to which supervisory authority should be the LSA with authority to deal with data issues. The EDPB is responsible for resolving such conflicts.
Under the GDPR the “main establishment” of a controller:
- is the place of its “central administration” in the EU unless
- the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the EU that has the power to have such decisions implemented, in which case that establishment is the location of the main establishment.
It is easiest to illustrate how this can play out with an example. If a Danish bank, with its central administration in Copenhagen and branches across Europe, manages and takes decisions about all its employee data from Paris, it will find itself with two LSAs. The French supervisory authority will be the LSA for the bank’s employee data, while the Danish supervisory authority will take the LSA role for all other data types.
Central Administration outside of the EU? And what about Brexit?
The GDPR is not a perfect instrument. It does not properly address how an entity with its central administration outside of the EU should determine its LSA. This is acknowledged to be an issue already by the Article 29 Working Party, which noted that there will be “borderline and complex situations where it is difficult to identify the main establishment or to determine where decisions about data processing are taken." In determining the location of a controller’s “main establishment” in cases where central administration is not in the EU the Article 29 Working Party suggests the following key questions should be used to work out the location of the LSA:
- Where are decisions relating to purposes and means of processing given final “sign-off”?
- Where are decisions about business activities that involve data processing made?
- Where does the power to have decisions implemented effectively lie?
- Where is the director (or directors) with overall management responsibility for the cross-border processing located?
- Where is the controller or processor registered as a company, if in a single territory?
This list is not an exhaustive list, and other factors may be relevant depending on the processing activity involved. As the Article 29 Working Party is made up of regulators which will form part of the EDPB, its views carry weight. Supervisory authorities can seek additional information if they think it necessary.
The Article 29 Working Party has said that the pragmatic way to deal with a non-EU central administration structure would be for the entity to designate the establishment in the EU that will act as its main establishment, ensuring that the designated entity:
- has the power to make and implement EU data processing decisions;
- assumes liability for EU data processing; and
- has sufficient assets to meet any sanctions imposed.
Clearly the test of asset adequacy to meet sanctions is a very significant one, given the fines that can be levied under the GDPR.
U.K. entities that start with the U.K. supervisory authority as their LSA when the GDPR comes into effect next year will most likely wish to continue to avail of the LSA structure under the GDPR post-Brexit in 2019. To do so, depending on the nature of the U.K.’s exit agreement with the EU (if any), U.K.-headquartered entities may need to designate an EU-based group entity to act as their “main establishment”, bearing in mind these tests. Entities headquartered outside of the EU have a degree of discretion as to where to locate their decision-making within the EU, and consequently over their choice of LSA.
Planning for GDPR enforcement, a logical step
While choices are available to an entity with its central administration outside of the EU, the designated establishment must have real decision-making powers and have the resources necessary to effectively oversee its data processing activities across the EU. EU attorneys are seeing data planning exercises, somewhat similar to tax planning structures, emerging.
The GDPR warrants this sort of planning, given that breaches of the GDPR could result in fines of up to 4% of a company’s global turnover, or €20 million, whichever is the greater. Organizations will generally want to deal with a regulator in a jurisdiction with a language, legal system and business environment with which they feel comfortable. For many English-speaking organizations with headquarters outside of the EU, Ireland will be an obvious location to consider when planning for enforcement, as it will be the only English-speaking, common law Member State post-Brexit.