The GDPR’s 'one stop shop' mechanism of regulation and enforcement was designed to enable businesses operating across the EU to deal with just one data protection authority instead of 27 different authorities across each member state. However, the Regulation makes provision for the cooperation of data protection authorities in cases where alleged infringement occurs in more than one jurisdiction. In such cases, the ‘lead supervisory authority’ must enter into dialogue with the authorities in the other countries where data subjects are impacted by the data processing at issue.
While the responsibility for investigating alleged infringement sits with the lead authority, which in many cases is the Irish Data Protection Commission (DPC), the GDPR gives other national data protection authorities scope to input to the enquiries and to raise 'relevant and reasoned' objections against proposed decisions of the lead authority. In cases where consensus on a final decision cannot be reached, the EDPB operates as final arbiter.
However, a ruling by the EU’s highest court last year confirmed that the existence of the ‘one stop shop’ mechanism does not preclude possible parallel unilateral GDPR investigations being undertaken where national DPAs have concerns about the cross-border personal data processing undertaken by multinational businesses.
The EDPB said there are qualitative and quantitative criteria that the authorities will refer to for collectively identifying when a cross-border case is to be subject to the enhanced cooperation measures. Examples of where the enhanced cooperation might apply were cited in its statement and include “cases affecting a large number of data subjects in the EEA, cases dealing with a structural or recurring problem in several member states, cases related to the intersection of data protection with other legal fields”.
“There’s potential for this to be quite a change to how DPAs handle large investigations with a cross-border angle,” said data protection law expert Rosie Nance of Pinsent Masons. “The measures may create processes to tackle the issue of uneven workloads between DPAs, although in practice it could be challenging to make this work in a way that speeds up investigations.”
Amsterdam-based Wouter Seinen of Pinsent Masons said: “Lack of consistency and the risk of being put on the spot by different national regulators at the same time is one of the bigger fears for data protection officers at online business and international companies. Often, they simply do not have the scale to deal with a plenitude of parallel discussions and it gets even more complicated if regulators are sending them in different directions. Against this background the call for closer cooperation and making greater use of consistency opinions is a positive development and something companies can remind national regulators of.”
In its statement, the EDPB also committed to explore the potential “administrative procedural law” reforms to “maximise the positive impact of GDPR cooperation” and “bridge differences” in the way national DPAs conduct proceedings in cross-border cases. It also pledged to “streamline” the procedures for resolving disputes arising under the ‘one stop shop’ mechanism and for fast-tracking cases.
A more coordinated approach to enforcement of the GDPR across the EU could also materialise in future, the EDPB suggested.
It said: “The DPAs commit to further exchanging information on national enforcement strategies with a view to agreeing on annual enforcement priorities at EDPB level, which can be reflected in national enforcement programmes. DPAs that wish to do so can prepare a common enforcement framework, including common instruments for inspections.”
The EDPB also said that it will develop a new template that DPAs will be able to use for handling complaints about data subject access requests.