This is the second in a two-part series. The first part, "Legal bases and transparency," can be found here.
Published: February 2023
If privacy years are measured by the passing of International Data Privacy Days, then the last year (January 28, 2022 – January 27, 2023) was yet another record-breaking one for EU General Data Protection Regulation fines. European data protection authorities issued more than 1.6B euros ($1.7B USD) in fines, an increase of more than 50% from the previous year.
Perhaps more consequential than the fines are enforcement orders mandating corrective action on what personal data organizations process, for what purposes, and how they do it, as well as on how they communicate that to data subjects.
January’s trilogy of enforcement against Meta nearly doubled the European Data Protection Boards’s tally of binding decisions arising out of the one-stop-shop dispute resolution mechanism. The EDPB has now adopted seven decisions in all, with an additional binding decision adopted under the separate urgency procedure.
Previously, I commented on the key practical takeaways of January’s enforcement as concerns legal bases and transparency. Here, I break down and comment on the key practical takeaways on the GDPR “one-stop-shop” dispute resolution mechanism, including on how to work with the lead supervisory authority and what to expect from the EDPB and other supervisory authorities.
As before, helpful links and extra reading are at the end of this article. On the facts of — and reaction to — the case, there’s no better place to look than IAPP Staff Writer Jenn Bryant’s reporting on the initial fines and industry reaction.
This note will be of relevance to organizations established in the EU engaged in cross-border EU data processing.
Top tips for privacy pros:
- If your organization is the subject of a cross-border EU investigation or complaint, marshal resources for a long process with quick turn arounds for responses.
- EDPB binding decisions may affect your organization, even if you are not a party, and even if your lead supervisory authority is not the addressee of the decision.
The one-stop shop was proposed in early 2012 by the European Commission in order to “enhance consistency in application, legal certainty and reduce the administrative burden for controllers and processors” (Recital 97). Four years later, just before the adoption of the GDPR, the European Commission added that the one-stop shop would bring “significant added value” for individuals, i.e. by facilitating central enforcement by a single decision of one lead supervisory authority. In fact, the details underpinning the workings of the one-stop-shop mechanism were the last hurdle for the GDPR’s adoption.
The efficacy of the one-stop-shop mechanism has been much debated ever since, including by some of the regulators in the EDPB.
The one-stop shop – accessible for organizations established in the EU engaged in cross-border EU data processing and are able or chose to determine a main establishment in the EU/European Economic Area – allows an organization to deal with a single lead supervisory authority for most of its processing activities. The supervisory authority of the EU member state where that organization’s main EU establishment is located will be the LSA.
Article 60 of the GDPR requires LSAs to cooperate with other concerned supervisory authorities in an endeavor to reach consensus on an investigation and related enforcement. Part of that cooperation includes the exchange of all relevant information and the communication of the LSA’s draft decision to the other CSAs for their opinion. The LSA is required to “take due account” of the views of CSAs.
Where any of the CSAs express a “reasoned and relevant objection” on the draft decision and the LSA does not intend to follow that objection, the LSA is required to submit the matter to the GDPR’s consistency mechanism. Under this mechanism, and as part of its main role to ensure the consistent application of the GDPR throughout the EU, the EDPB can issue a binding decision on “all the matters” which are the subject of the objection(s), in particular whether there is an infringement of the GDPR (Article 65(1)(a)).
The Meta Timeline
Facebook, Instagram, WhatsApp
- May 25: noyb (representing Austrian, Belgian and German data subjects) lodge complaints with the Austrian, Belgian and German supervisory authorities.
- May 30-31: Austrian and Belgian SA's transfer the complaints to the Irish Data Protection Commission which, in turn, is satisfied that it is the LSA for Meta Ireland.
- May 31: Hamburg SA transfers the complaint to the Irish DPC which, in turn, is satisfied that it is the LSA for WhatsApp Ireland.
Facebook, Instagram, WhatsApp
- August 20: DPC commences the inquiry and starts to request information from the parties.
DPC works on its inquiry report, allowing Meta Ireland and noyb to make submissions.
- April 6-7: DPC issues a letter to the parties to confirm the commencement of the decision-making stage.
- April 17: DPC issues a letter to the parties to confirm the commencement of the decision-making stage.
- May 14: DPC issues a preliminary draft decision to the parties.
- Both parties provide submissions on the preliminary draft decision.
- October 6: DPC shares its draft decision with concerned supervisory authorities in accordance with Article 60(3) GDPR.
- Several concerned supervisory authorities raise objections in accordance with Article 60(4) GDPR.
- December 23: DPC issues a preliminary draft decision to the parties.
- January 28: DPC issues a “composite response” setting out its replies to such objections and shares it with the CSAs. Several CSAs confirm that they maintain objections.
- February 4: Both parties provide submissions on the preliminary draft decision.
- February 17: WhatsApp provides submissions on the draft decision. No further submissions received from noyb.
- April 1: DPC shares its draft decision with concerned supervisory authorities in accordance with Article 60(3) GDPR.
- April 28-29: Several CSAs raise objections in accordance with Article 60(4) GDPR.
- June 2022: DPC invites Meta Ireland to exercise its right to be heard in respect of the objections (and comments) that the DPC proposed to refer to the EDPB, along with the DPC’s composite response and the communications received from the CSAs in reply to the composite response.
- July 1: DPC issues a “composite response” setting out its replies to such objections and shares it with the CSAs. Several CSAs confirm that they maintain objections.
- July 8: DPC invites Meta Ireland and WhatsApp Ireland to exercise the right to be heard in respect of the objections (and comments) that the DPC proposed to refer to the EDPB, along with the DPC’s composite response and the communications received from the CSAs in reply to the composite response.
- July 15: Meta Ireland makes its requested submissions.
- July 25: DPC submits the matter to the EDPB.
- July 27: EDPB Secretariat contacts the DPC, asking for documents.
- August 9: Meta Ireland makes its requested submissions.
- August 11: DPC submits the matter to the EDPB.
- August 17: WhatsApp Ireland makes its requested submissions.
- August 19: DPC submits the matter to the EDPB.
- EDPB Secretariat contacts the DPC, asking for documents.
Facebook, Instagram, WhatsApp
- October 5-7: EDPB Secretariat circulates its decision on the completeness of the file to all the members of the EDPB. Chair of the EDPB decides to extend the default timeline for adoption of a decision within one month by a further month due to the complexity of the case.
Facebook, Instagram, WhatsApp
- December 5: EDPB adopts binding decision.
- December 31: EDPB adopts binding decision.
- January 12: DPC adopts binding decision.
How does the EDPB reach a binding decision?
If the LSA and CSAs fail to reach an agreement on a cross-border case, the dispute resolution mechanism is triggered. This means a case is escalated to the level of the EDPB, which will adopt a binding decision. Once a matter has been submitted to the EDPB for dispute resolution, the EDPB Secretariat takes the lead for the preparation and drafting of a binding decision. The EDPB Secretariat is staffed by officials and contract agents that offer analytical, administrative and logistical support to the EDPB.
The process to arrive at a binding decision happens at pace. In cases not deemed complex, this all happens within a month of the matter being referred to the EDPB.
In other cases, it cannot take longer than two months and two weeks from referral (the two weeks are added when a decision cannot be adopted within the preceding one month and then two month deadlines).
In that time, the EDPB Secretariat is charged with drafting a decision that it believes to be both the correct application of the GDPR and capable of garnering the required votes from EDPB members, based on the investigation and file provided by the LSA and the reasoned and relevant objections raised by CSAs. The matters on which it is writing are necessarily disputed, very often complex, and most likely the subject of many pages of documentation.
- First, the Secretariat checks for the “completeness’ of the file on behalf of the chair and may seek further documentation or information from the LSA.
- Once the file is deemed complete, it is circulated to all members of the EDPB. This is the moment that serves as the starting point for the legal deadlines mentioned in Article 65(2)-(3), GDPR.
- Usually, the EDPB Secretariat forms a drafting team, pooled of individuals from – and only from – the EDPB Secretariat. Occasionally, a small number of representatives from supervisory authorities (usually individuals representing their SA on the EDPB’s subgroup on enforcement) contribute to this work. Notably, the LSA and the CSAs that raised objections are not represented on this drafting team.
- In practice, the EDPB Secretariat holds the pen on the draft and shares progress with an expert subgroup (usually, the enforcement expert subgroup) during a series of technical meetings. As this process nears the deadline for a vote by EDPB members, one or more of the members of the subgroup will facilitate deliberations among the EDPB members. These deliberations inform the drafting of the decision.
- The decision must be adopted within a month by a two-thirds majority of the members of the EDPB.
- A month’s extension is permitted where the matter is complex (as was the case in the Meta cases).
- Where a two-thirds majority cannot be reached, a decision can be adopted by a simple majority within two weeks of the end of the second month. Where the vote is split, the decision is adopted by the vote of the EDPB Chair. To date, neither the simple majority nor the tie-breaker vote have been used (i.e., during the above time periods, CSAs are prohibited from adopting their own decisions on “the subject matter” referred to the EDPB.)
- After the adoption of the binding decision, the LSA shall adopt its final decision, addressed to the controller/processor, at the latest one month after the EDPB has notified its decisions.
- The EDPB publishes its decisions on its website after the LSA has notified the controller/processor of its decision.
- In order to respect legal duties to not disclose information covered by professional secrecy, in particular information about undertakings, their business relations or their cost components, some portions of the EDPB’s and/or the LSA’s decisions may be redacted.
Key takeaways include:
- Take advantage of opportunities to make submissions to the LSA. There is no prescribed process whereby the parties to the investigation or complaint will be invited to make submissions in response to or as part of consultations with CSAs or as part of the EDPB’s work to arrive at a binding decision. Putting submissions into the LSA’s inquiry stage may be the sole opportunity for an organization to have its submissions form part of the record that is considered by CSAs and the EDPB (i.e., following an invitation by the DPC, Meta made submissions in response to the objections of the CSAs but neither Meta nor noyb were part of the EDPB’s dispute resolution mechanism.)
- Expect diverging views among the supervisory authorities. The ubiquity of Meta’s services across Europe resulted in more than 47 CSAs being consulted, comprising all EU member state national authorities and some sub-national authorities (e.g., in Germany, there are 18 supervisory authorities). The more complex the matter, the less likely it is there will be unanimity among such a diverse constituency of authorities. There were objections from CSAs in 10 countries in the recent Meta cases, objections from CSAs in eight countries in Decision 01/2020 against Twitter, from seven countries in Decision 01/2021 against WhatsApp (transparency), from six in Decision 02/2022 on Instagram (children), and from one in Decision 1/2022 against Accor.
- The LSA’s draft decision may change, regardless of how many CSAs raise objections. In the Meta cases, the objections from a minority of 10 countries ultimately grew into a two-thirds majority of EDPB members, sufficient for the adoption of a binding decision on legal basis that was different to that proposed by the DPC. Additionally, January’s cases show no signs of the LSA’s investigative proximity or decisional autonomy resulting in the EDPB or its members giving the LSA’s draft decision greater deference. While the LSA is very much the lead when it comes to the procedural and substantive investigation, once its draft decision is submitted to the CSAs, the objections of the CSAs are considered by the EDPB with seemingly equal weight to the LSA’s views.
- The EDPB is not limited to resolving a dispute on the matters contained within the LSA’s draft decision. In its Guidelines on the application of Article 65, the EDPB states a CSA can argue in its objection that, in its view, the findings amount to an infringement of the GDPR other than or additional to those already analyzed by the LSA in its draft decision. The EDPB’s ability to consider “all the matters” which are the subject of objection(s) mean that it may direct the LSA on matters that were not in the scope of the LSA’s draft decisions, but which were raised via the objections of a CSA. As was the case with the Meta enforcement, the EDPB could agree with CSA objections that further investigation is required on new matters of alleged infringements of the GDPR.
- Consider the EDPB’s binding decisions to be as good as binding for all related cases. While the EDPB’s binding decisions are addressed to and bind the LSA and the CSAs with respect to the specific case before it, such decisions are likely to be influential – if not authoritative – for other cases. The EDPB’s binding decisions are likely to be interpreted by DPAs as having significant precedential weight as concerns the regulatory enforcement of similar cases, creating its own de facto jurisprudence. When conducting their own investigations, LSAs may consider it prudent to arrive at draft decisions it believes will command consensus among CSAs by divining inspiration from past EDPB binding decisions. The EDPB itself, charged with promoting the consistent application of the GDPR across the EU, is also likely to cleave closely to its past precedent, where appropriate.
With more cases going all the way to the EDPB, and with such diversity and division among the bench of EU supervisory authorities, the investigative and decisional work of having sole supervisory authority in the “lead” may not tell privacy professionals much about how substantive cross-border enforcement issues will ultimately get resolved. This is perhaps especially true given the diversity of regulatory views on some of the most important and challenging data privacy issues of the day. Whether, and the extent to which, these views will cohere or become superseded by the authority of the EDPB and, above the EDPB, the Court of Justice of the EU, remain to be seen.
On the process, the national inquiry and investigative process took more than three years in the Meta cases. Objections from CSAs were raised within a month and a binding decision was adopted from the EDPB in exactly two months.
Some may criticize parts of this process for taking too long, others may be critical of the expediency. Some, including the EDPB, may point to the variety of national laws and procedures governing the powers and ways in which SAs can investigate complaints and may argue that such variety makes it even harder to identify and shape common and predictable enforcement approaches across Europe (e.g., the thresholds for eligible complaints and admissibility of evidence, issues called out ).
That diversity and division, coupled with the procedural governance of the one-stop shop, is likely to make resourcing work and forecasting outcomes of investigations and complaints challenging for privacy professionals. Making the GDPR cross-border enforcement mechanisms more coordinated, predictable, and ultimately more effective are challenges that the European Commission is gearing up to assess and address via the launch of a new review plan and by triggering the process for a new regulation.
Look out for:
- Ireland DPC seeking to annul the EDPB’s binding direction that it conduct a “fresh” investigation as to whether special category/sensitive personal data was processed by the Meta services, on account of its allegation that the EDPB is “overreaching.”
- The referral to the dispute resolution mechanism of another matter (also originating from Ireland). The DPC was unable to resolve objections from CSAs to its draft decision on Meta Ireland’s transfers of personal data to the U.S. through its use of standard contractual clauses. An EDPB spokesperson told Politco that the EDPB will issue a binding decision by April 14.
- The launch of the European Commission’s new enforcement review plan. This new plan will require EU SAs to file “an overview of large-scale cross-border investigations under the GDPR” every two months. Reports will include a summary of the investigation’s scope along with documentation on procedural steps and investigatory actions.
- The launch of the European Commission’s new initiative, likely in the form of a new regulation, to “streamline cooperation” with respect to the one-stops shop, by harmonizing some of the administrative and procedural requirements.
Irish DPC decisions