Uncertainty is a common theme in the privacy community, but it seems one thing that can always be counted on is a difference of opinion on how to apply the EU General Data Protection Regulation. This butting of heads recently revealed itself again as European data protection authorities triggered the dispute-resolution mechanism in Article 65 of the GDPR.
The mechanism was invoked by the Irish Data Protection Commission in relation to its ongoing case against Twitter, one of the first high-profile GDPR cases handled by the regulator. The Irish DPC announced the completion of its investigation into a four-year data security lapse by Twitter in October 2019 and indicated it would have a ruling on the matter by November 2019, but it only submitted its draft decision for the case in May. The DPC consulted fellow DPAs on its decision, at which point an unknown number of DPAs voiced their displeasure with the proposed punishment. Specific details of the reprimand have not been disclosed, but it could include a fine, operational orders and oversight, or both. The proposal and its objections are now in the hands of the European Data Protection Board, which will be handling its first-ever Article 65 dispute-resolution procedure.
"I can confirm that the Irish DPC has triggered an Article 65 procedure and that the EDPB will work on this issue like foreseen in Article 65 (dispute resolution by the board) within the given time frame," EDPB Chairman Andrea Jelinek told The Privacy Advisor. The procedure can take as little as a month or stretch to as long as two-and-a-half months, according to Article 65.
The common reaction from leaders within the privacy community is one of little shock.
"I am not surprised at all," Morrison & Foerster Senior Counsel Lokke Moerel said. "With new rules like the GDPR, and in complex cases, you would expect such ‘reasoned objections’ to be the rule rather than the exception. ... The whole purpose of the EDPB is to reach consensus on the many topics of interpretation of GDPR, and I assume the process to reach agreement here will be no different than before."
The only surprise for Promontory Senior Principal John Bowman, CIPP/E, CIPM, FIP, was that the dispute-resolution mechanism "laid dormant" in the two years since the GDPR took force. The mechanism itself was created as means for DPAs to leave their mark on cross-border cases that fell within the GDPR's one-stop-shop mechanism.
"On the one hand, businesses wanted the simplicity of dealing with a single lead supervisory authority while; on the other hand, some EU member states wanted the ability for their own regulators to intervene in cases of cross-border interest," Bowman said of the one-stop-shop. "In the end, a consistency mechanism was devised to enable concerned authorities to challenge decisions of the lead authorities."
Despite the unknowns surrounding the specific points of contention, TrustArc Director of EU Operations and Strategy Paul Breitbarth said the Irish DPC is presumably "pretty convinced" about its case since it did not try to resolve objections without invoking the mechanism and an EDPB vote. Breitbarth is also under the impression that the Irish regulator wouldn't have left this to the EDPB "without making some type of head count" and knowing it has the votes to support its case.
"It's clear there have always been differences in enforcement between the DPAs," Breitbarth said. "You always have the more stringent ones and the more lenient ones. I recall the days when I attended the (Article 29 Working Party) meetings, and we had these same debates on how far we should go and how strict we could be. Some of the more Northern European DPAs were certainly a little more strict with their interpretation compared to the Atlantic or southern offices. I think some of those stances are still the same."
The EDPB Secretariat's office told The Privacy Advisor that the office is unable to discuss the timeline for the completion of specific cases but did explain how the procedure under Article 65 will unfold.
"In accordance with Article 65 (2) of the GDPR, a decision shall be adopted within one month from the referral of the subject-matter by a two-thirds majority of the members of the board. That period may be extended by a further month on account of the complexity of the subject-matter. The decision shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them," the office wrote.
The Secretariat added that if the procedure extends to the two-and-a-half-month maximum, the EDPB will decide the issue by simple majority. Moerel said a split decision from the board will require a deciding vote from Jelinek. Also, the Irish DPC will be required to adopt the EDPB ruling within a month of it rendering a decision.
"The whole purpose of the EDPB — and its predecessor, the WP29 — is to reach consensus on the many topics of interpretation of the GDPR, and I assume the process to reach agreement here will be no different than before," Moerel said.
Neither Moerel nor Bowman ventured a guess as to what direction the EDPB might lean, but Breitbarth preidcted how everything might shake out.
"I think there's a fair chance the Irish DPC's decision will be upheld with maybe the less vocal DPAs simply choosing the side of the DPC to make sure the case is decided without too much friction," Breitbarth said.
Breitbarth added that regardless of the outcome of the procedure, the fact that the dispute-resolution mechanism was always a known option may open the door for it to be used with more regularity. Bowman sits on the fence as to whether this instance will draw more awareness to the mechanism or push DPAs to carefully avoid decisions that may draw irresolvable discrepancies.
"It may well be the case that the mechanism will be triggered by further big and controversial cases in the pipeline," Bowman said. "However, this situation may also cause supervisory authorities to anticipate the reception of other concerned authorities when preparing their own draft decisions. Either way, this is a significant development in the cross-border application of the GDPR."
On the concept of avoiding future procedures, Breitbarth believes more cross-border cooperation from the outset of investigations could prove effective.
"You could have more staff from the various DPAs already involved in the investigations taken up by the lead authority," Breitbarth said. "In this case, the Irish DPC could've had much more involvement in the investigation phase from representatives of other member states. It's not something that is happening an awful lot yet, but I do think it can help avoid a lot misunderstandings later in the process when you've been able to present your views and ideas on where a case should go."
Photo by Felix Mittermeier on Unsplash