Saluti da Roma!

Nine months after the EU General Data Protection Regulation came into force, the European Data Protection Board sees GDPR cooperation and the consistency mechanism as working quite well. Is that true?

During a recent European Parliament session, EDPB Chair Andrea Jelinek discussed the implementation of the GDPR, with a special focus on the role and the means of the data protection authorities. It may be useful to analyze the information specified by Jelinek in her report to be aware of the status of DPA activities in relation to GDPR implementation.

Every day, the DPAs make efforts to facilitate cooperation, with multiple verbal and written exchanges. These communications are facilitated through the standardized Internal Market Information system, which allows the EDPB members to communicate with each other. As a matter of fact, the GDPR provides a set of tools and procedures to help cooperation and make effective the consistency of decisions and positions of the DPAs.

In line with the GDPR, the DPAs can cooperate with mutual assistance, joint operation, and the "one-stop-shop" mechanism. The latter is the most striking innovation of the GDPR cooperation procedures. By 25 May 2018, 45 one-stop-shop procedures had already been launched by DPAs from 14 different EEA countries. These 45 procedures are now at different stages: 23 of them are at the informal consultation level, 16 the draft decision level, and 6 at the final decision stage. The last ones are related to the exercise of the rights of individuals, the appropriate and legal basis for data processing, and data breach notifications.

A limited number of one-stop-shop procedures are in progress, since the circulation of the draft decision is the result of the investigations managed by the lead DPA, respecting national administrative procedural laws, as said by Jelinek. However, the number of one-stop-shop procedures is steadily increasing. It is worth noting that before starting a procedure, it is necessary to identify the lead authority. Since 25 May, 642 procedures have been initiated to identify the lead DPA and concerned DPAs in cross-border cases. Of them, 306 are closed and the lead DPA has been identified; furthermore, up until now, no dispute has occurred during the whole selection processes.

Regarding cases with cross-border components, 30 DPAs have recorded 281 cases through the IMI system. A large number of these cases are derived from complaints by individuals (194 cases), and the rest of them have other origins. The three main topics correspond to the application of data subjects' rights, consumer rights, and data breaches. The number of cases reported by DPAs from 31 EEA countries is 206,326, of which 94,622 were in the form of complaints, and 64,684 are data breach notifications. DPAs from 11 EU countries have fined data controllers/processors for a total amount of 56 million euros since May 2018.

Furthermore, we are witnessing increasing synergy and cooperation between antitrust and competition authorities and DPAs, such as through the cases of competition fines. This trend demonstrates the need to improve the collaboration among regulatory authorities across the EEA, as data flow rules are clearly paramount to ensure the protection of fundamental rights, consumer and property rights, and to reduce new emerging and consolidated monopoles, as well as dominant positions in the various markets.

With the deployment of the GDPR now on track, it is clear there will be busy times ahead.