Last September, the European Data Protection Board announced it will focus coordinated enforcement on data protection officer appointments. Starting mid-March 2023, and for about a year after, European data protection authorities will prioritize joint actions focusing on the position of DPOs, with activities ranging from awareness raising and information gathering to enforcement sweeps and joint investigations.
The DPO function is an integral part of EU General Data Protection Regulation compliance for many organizations and is the primary, and sometimes only, personnel appointment they need to account for. The rationale behind that choice is therefore self-explanatory, but the EDPB also sees the DPO as a partner for DPAs, and a partner that needs to be protected. As attested by recent Court of Justice of the European Union rulings, the status of DPOs still raises questions and deserves clarification.
In October 2020, the EDPB adopted the Coordinated Enforcement Framework as a way to “provide a structure for coordinating recurring annual activities by EDPB Supervisory Authorities.” This stems directly from the GDPR, which requires DPAs to cooperate, including by sharing information, to ensure consistency in the application and enforcement of the GDPR itself. DPAs also have a duty of mutual assistance toward each other, including through measures that ensure effective cooperation. Against this background, the EDPB created the CEF as a way for DPAs to carry out coordinated enforcement action on an agreed-upon topic, using a common methodology over a one-year period.
The first annual coordinated action (ACA) ran through 2022 on the use of cloud-based services by the public sector and concluded in January 2023.
What is the CEF process?
The process, as described by the EDPB, is fairly straightforward on paper. The first steps are for the EDPB to decide on a topic and methodology. The topic can be anything within the material or territorial scope of the GDPR. An EDPB working group drafts a questionnaire for DPAs to use throughout the duration of the ACA. While DPAs can adapt the questions to their own needs, resources and priorities at the national level, the questionnaire ensures the action and its objectives remain consistent.
Timeline for the first ACA on cloud use:
- October 2021: Selection of the topic.
- November 2021 to January 2023: ACA conducted by 22 participating DPAs.
- January 2023: Report and annex adopted by the EDPB.
What do DPAs do during the ACA?
DPAs opt to participate in the ACA based on their interest in the topic. They can adjust their level of participation depending on their resources. Each DPA can also select which organizations to reach out to and how to do so. DPAs can initially engage in fact-finding, determine follow-up actions based on the results, and decide to open a new investigation or continue an ongoing one. DPAs are not obligated to publish which organizations are targeted by investigations.
The 128-page annex to the report on the first ACA, on cloud use in the public sector, gives useful indications of the actions of individual DPAs as well as the variations in how they chose to conduct enforcement. For instance, some DPAs contacted a single authority while others contacted up to a dozen. DPAs also provided varying degrees of detail on their respective findings.
What are the possible outcomes of an ACA?
During the ACA, DPAs can inform one another of updates, information and best practices. At the end of the process, the EDPB will produce a consolidated report with recommendations made by DPAs and points of attention.
The CEF does not replace the one-stop-shop but improves DPA cooperation, with the EDPB facilitating the information sharing and coordination of efforts. That said, actions conducted in the context of an ACA can trigger the one-stop-shop if they reveal relevant cross-border processing.
In the case of the first ACA, the final report contained a range of recommendations, from ensuring public-sector entities can meaningfully object to new subprocessors of their cloud service providers to promoting the involvement of the controller’s DPO in the negotiation of contracts offered by the CSP.
What happens after the ACA is completed?
It is important to point out that the final report on an ACA does not necessarily mark the end of DPAs’ activities on the topic. In the case of the cloud ACA, some DPAs continue to carry out investigations even though the report has been published.
The report on the cloud ACA lists follow-up actions, including awareness-raising campaigns via nonbinding opinions on some of the report’s recommendations, setting up technical working groups on the issues raised, finalizing ongoing inspections and even launching new investigations.
The CEF is continuous. When one action wraps up, another is lined up to take over. The DPO action was announced in September 2022, will be launched in mid-March and is expected to run for about a year.
The IAPP will provide further reporting and analysis as the ACA follows its course.
Regardless of how deep and wide this ACA turns out to be, now is a good time for organizations to revisit their DPO functions and conduct hygiene checks against what the GDPR and recent court cases require.
For more information:
DPO Handbook: Data Protection Officers Under the GDPR, Second Edition provides a comprehensive view of all aspects of the role of Data Protection Officers (DPOs) under the EU’s General Data Protection Regulation (GDPR), starting with a look at how organizations determine whether they need a DPO, defining the skills required for the role, and discussing how to source this skillset.