GDPR guidance: Multinationals can influence which data watchdog leads oversight of cross-border processing

Out-Law Analysis | 05 Jan 2017 | 5:02 pm | 4 min. read

FOCUS: Guidance drafted by EU data protection authorities (DPAs) allows multinational businesses to influence which national regulator will oversee their processing of personal data across EU borders under the General Data Protection Regulation (GDPR).

The GDPR, which takes effect on 25 May 2018, will introduce for the first time a formal process for cooperation of national DPAs across the EU in respect of certain cross-border data processing activities.

Although the new system provides a qualified right for every national DPA to get involved in enforcement action concerning a business' cross-border processing in the EU, it only requires the business concerned to engage with one of those authorities in such cases. This is the 'one-stop-shop' principle. The emphasis is instead on the lead authority to share information with the other DPAs and to take account of their views in reaching a decision.

Should disputes arise between different DPAs over the decisions taken in cross-border processing cases by the lead authority, the new European Data Protection Board (EDPB) will step in and make an assessment. The EDPB is a committee made up of representatives from every national DPA and the European data protection supervisor.

The Article 29 Working Party, which will be replaced by the EDPB under the GDPR, recently published guidance (11-page / 491KB PDF) which explains to businesses how it will be determined which DPA will be considered the 'lead supervisory authority' in cases of cross-border processing.

According to the GDPR and the new guidance, the lead supervisory authority will generally be considered to be the one based in the EU country in which the business has its 'main establishment'.

In the case of data controllers with establishments in multiple EU countries, the 'main establishment' will be considered to be "the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment".

However, according to the Article 29 Working Party's guidance, data controllers might be considered to have more than one 'main establishment' in the EU. In those cases data controllers can influence which DPA would be considered to be 'lead supervisory authority' responsible for overseeing the compliance of their cross-border processing.

"In cases where decisions relating to different cross-border processing activities are taken within the EU central administration, there will be a single lead supervisory authority for the various data processing activities carried out by the multinational company," the Working Party said. "However, there may be cases where an establishment other than the place of central administration makes autonomous decisions concerning the purposes and means of a specific processing activity."

"This means that there can be situations where more than one lead authority can be identified, i.e. in cases where a multinational company decides to have separate decision making centres, in different countries, for different processing activities. In these situations it will be essential for companies to identify precisely where the decisions on purpose and means of processing are taken. Correct identification of the main establishment is in the interests of controllers and processors because it provides clarity in terms of which supervisory authority they have to deal with in respect of their various compliance duties under the GDPR," it said.

Similarly, there may be cases where, as the Working Party points out, "there is no central administration in the EU and none of the EU establishments that may exist are taking decisions about the processing (i.e. decisions are taken exclusively outside of the EU)". The Working Party said that in such cases, where "the GDPR does not provide a solution", the "pragmatic way to deal with this would be for the company to designate the establishment that will act as its main establishment."

It is therefore open to businesses to organise themselves in a way which allows them to effectively select which DPA they will have primary dealings with over cross-border data processing activities, and indeed the Working Party in effect encourages companies to devote attention to this.

However, the Working Party said that 'forum shopping' is prohibited under the GDPR. Simply stating that your 'main establishment' is in one country in order to select a more favourable lead authority won't cut it, it suggested. Businesses will have to be able to provide evidence to support such a decision upon request.

This is confirmed in its guidance, which addresses 'borderline' cases where it is difficult to identify the main establishment or to determine where decisions about data processing are taken.

The guidance said: "The GDPR does not permit ‘forum shopping’. If a company claims to have its main establishment in one member state, but no effective and real exercise of management activity or decision making over the processing of personal data takes place there, the relevant supervisory authorities (or ultimately EDPB) will decide which supervisory authority is the ‘lead’, using objective criteria and looking at the evidence. The process of determining where the main establishment is may require active inquiry and co-operation by the supervisory authorities."

"Conclusions cannot be based solely on statements by the organisation under review. The burden of proof ultimately falls on controllers and processors. They should be able to demonstrate to supervisory authorities where decisions about data processing are actually taken and implemented. Effective records of data processing activity would help both organisations and supervisory authorities to determine the lead authority," it said.

In short, in the cases described, analysis followed by preparation of suitable evidence will be important for companies that wish to take control of the issue. In broad terms, these activities are analogous to those that are already familiar to companies with cross-border issues in relation to corporate tax planning and structuring, though the relevant tests will not be the same. These activities would need to include ongoing monitoring by companies to ensure that subsequent corporate acts remain consistent with the evidence in support of the initial representations as to main establishment.  

While the Working Party is optimistic that "in most cases, we expect that the relevant supervisory authorities will be able to agree a mutually satisfactory course of action [so requiring no escalation to the EDPB]", Brexit is of course likely to add an additional dimension for companies with British and other EU operations. 

Data controllers that have only a representative presence in the EU and no 'main establishment' in the trading bloc cannot benefit from the one-stop-shop principle and must engage with each national DPA in the countries they are active in, the Working Party said.

Where data processing activities concern EU citizens based in one country only, the local DPA in that country will be responsible for oversight of that activity.

Marc Dautlich is an expert in data protection law at Pinsent Masons, the law firm behind Out-Law.com.