Last month, the European Data Protection Board released its first overview of the implementation and enforcement of the General Data Protection Regulation and the roles and means of the national supervisory authorities. The report indicates that the GDPR cooperation and consistency mechanisms are working quite well in practice due to the EDPB and national supervisory authorities’ ongoing efforts to facilitate collaboration and communication.
Since May 25, 2018, the total number of cases reported by supervisory authorities from 31 European Economic Area countries was 206,326. Most of the cases (94,622) were related to complaints, while 64,684 were initiated by data breach notification. According to the report, 52 percent of these cases have already been closed, and the total amount of fines imposed under Article 58 (2)(i) is 55,955,871 euros.
The report outlines the importance of and positive feedback from national regulators regarding the use of the Internal Market Information system, a secure, multilingual online tool that facilitates the exchange of information between public EU authorities. Additionally, the report states that the EDPB-created workflows in the IMI system have enabled greater cooperation by allowing supervisory authorities to more easily define their roles at an early stage and avoid later procedural objections in cross-border cases. In the 642 cross-border procedures that have been initiated since May 25, 2018, no disputes have arisen on the selection of lead supervisory authorities.
Additionally, the report states that with greater cooperation among supervisory authorities, the number of one-stop-shop procedures has increased steadily. Since May 25, supervisory authorities from 14 different EEA countries have initiated 45 one-stop-shop procedures. Currently, the procedures are at various stages: 23 are at the informal consultation level, 16 are at the draft decision level, and six have become final decisions. These final one-stop-shop decisions have been focused on the exercise of the rights of individuals, the appropriate legal basis for data processing, and data breach notifications.
From May 25, 2018, to February 18, 2019, no dispute resolutions were initiated. The report notes, however, that the EDPB did not have to act as a dispute resolution body because the number of decisions resulting from the one-stop-shop cases, while growing, is still relatively small. The report points to those cases on which the supervisory authorities were able to reach consensus without EDPB intervention as a good indicator of cooperation.
Mutual assistance procedures
The report also outlines the effective cooperation benefits from the use of mutual assistance procedures that allow supervisory authorities to not only ask for information of other supervisory authorities, but also to request other measures, such as prior authorizations or investigations. The report also highlights that cooperation mechanisms, such as the IMI, have facilitated the use of both informal mutual assistance for cross-border cases without any legal deadline and also formal mutual assistance where the requested supervisory authority has a statutory deadline of one month to reply to the request. Since last May, 444 mutual assistance requests (formal and informal) have been started by supervisory authorities from 18 different EEA countries. In 353 of these cases, the answers were sent within 23 days.
Budget and human resources
Additionally, the EDPB report acknowledges that these increased cooperation duties have led to increased workloads. Although in most cases supervisory authorities experienced increases in budgets and staffing in 2018 and 2019, most of the replying supervisory authorities reported that they have not yet received the needed 30 to 50 percent increase in budget and personnel, and in two extreme examples, budgets and personnel were decreased.
The report notes there is still work to be done at the EDPB level to further streamline procedures and make the system even more efficient. Nine months after the GDPR’s enforcement date, however, the EDPB believes the GDPR works quite well in practice and, despite the increase in the number of cases, the supervisory authorities have reported that the workloads are manageable for the moment, in large part thanks to the thorough preparation during the past two years by supervisory authorities, the Article 29 Working Party, and the EDPB.
If you want to comment on this post, you need to login.