Greetings from Brussels!
It’s been a busy week. The European Commission published its annual GDPR evaluation report. Two years in, the GDPR is still a relatively young piece of legislation, and Didier Reynders, Commissioner for (EU) Justice, said that it had largely met its objectives while becoming a global standard for data protection beyond the EU. He went on to state that we can do better, particularly in the uniform application of the rules across the Union for citizens and businesses alike, and especially for SMEs. Reynders said that the European Commission will continue to monitor the reality of regulatory provisions in close cooperation with the European Data Protection Board.
The EDPB has not been sitting idle during these recent and difficult times, far from it. I had an opportunity yesterday to talk with Isabelle Vereecken, head of the EDPB Secretariat. The board has been prolific in its work of late: a typical year for the EDPB is about 100 meetings; in the last three months they’ve held 140 meetings, including 15 plenaries, over 70 sub-group meetings and a few dozen drafting team meetings. Clearly, COVID-19-related work has amplified the EDPB's output, including in its advisory capacity to the Commission, and this is in addition to its ongoing work. It goes to show that even in times of crisis, the work around data protection and the GDPR does not let up and remains at the forefront.
One of the more significant developments through the Board was its publication of the "one-stop-shop" decision register on Thursday. One must remember that, through the GDPR, this innovative governance approach and system was designed to ensure, and demonstrate, an effective and consistent application of the GDPR for companies processing data across borders within the Union. It is a system whereby companies interact with one lead supervisory authority as interlocutor on behalf of other concerned national regulators.
As privacy pros look for practical guidance on the implementation of the law, the register goes a long way to answer this need. Companies look for real case examples to guide their respective privacy implementation projects. The register will help build up knowledge and awareness and thus help organizations mitigate their compliance risk. In many respects, the register represents a repository of case law from the EU’s administrative and regulatory bodies, establishing a certain level of legal precedent. Importantly, these decisions are not taken in isolation by any given lead regulatory authority; they are the outcomes of extensive consultation processes on draft decisions. Regulatory enforcement has become an exercise in cooperation and, by extension, more consistent and more transparent in its application.
The register will be continuously populated with decisions once they are processed and approved for publication. In the words of Isabelle Vereecken, it is akin to a "treasure chest" for DPOs and privacy pros at large. These decisions reflect practical case scenarios that privacy pros are confronted with daily. The road has not been easy due to the differentiation of legislation and administrative law at the member state level, and the value of this central register is incalculable. It serves as a practical compendium not only for companies but also for regulators.
We can already identify some early findings on the nature and outcome of one-stop-shop cases. The register shows that most cases are related to data subject rights and, secondly, to the lawfulness of processing undertaken. Importantly, the register also reinforces that lead authorities won’t hesitate to impose substantial fines when multiple GDPR core provisions are infringed. However, overall, lead authorities issued more compliance orders and/or reprimands than fines, taking account of a company’s willingness to cooperate and solution.
The fact that the register is public facing also emphasizes the accessibility of the work of the EU regulatory community, which is going the extra mile to highlight transparency. It will no doubt be welcomed by many.