EU data body commits to GDPR enforcement mechanism with reforms looming

Data protection law experts Malcolm Dowden and Nicola Barden of Pinsent Masons said businesses will be concerned that the changes as proposed may not ultimately deliver decisions faster or provide greater legal certainty.

Before the GDPR was introduced, businesses operating across the EU could be required to engage with data protection authorities (DPAs) in each EU country over a single issue having cross-border impact. It meant potentially having to respond to multiple investigations progressing at different speeds and with varied requests for information or documents, with often stark differences between the conclusions reached and decisions taken on enforcement action.

With the GDPR, law makers sought to reduce the administrative burdens on businesses in respect of enforcement and ensure greater consistency in how data protection rules were applied, by providing for a ‘one stop shop’ mechanism under which businesses only have to deal directly with one national data protection authority (DPA) in cross border cases.

While the lead supervisory authority – commonly, where the business in question has its main establishment in the EU – has powers to drive investigations and make provisional findings in cross border cases, the Regulation makes provision for the cooperation of DPAs in other jurisdictions where an alleged infringement occurs. In such cases, the lead supervisory authority must enter into dialogue with the other DPAs, which in turn have scope to input to the enquiries and to raise “relevant and reasoned” objections against proposed decisions of the lead authority.

Where the DPAs cannot then reach a consensus on the final decision to issue, the case is referred to the EDPB – an umbrella body that brings together representatives of all the national DPAs in the EU as well as the European data protection supervisor – for a binding decision.

Since the GDPR came into effect, a number of cases have been resolved in this way, but there has been criticism that decisions subject to this process take too long to reach, and that it adds to legal uncertainty for businesses and administrative burdens for DPAs.

Last summer, to address those concerns, the European Commission published proposed new procedural rules designed to streamline the process by which DPAs cooperate on cross border cases under the GDPR.

Under those proposals, new criteria are planned around the admissibility of complaints, while DPAs that are not the lead authority in cases would be given an opportunity to input to the lead authority’s investigations at an earlier stage than they can currently.

The Commission’s proposals are subject to scrutiny by the European Parliament and Council of Ministers – both law making bodies must agree on the text and formally adopt it for it to become EU law.

Earlier this month, a report published by a researcher with the European Parliamentary Research Service (EPRS) warned that, as currently formulated, the implementation of the Commission’s proposals “may just as well slow down cross-border enforcement and deepen discord among [supervisory authorities]”.

“The envisaged rules may contribute to the efficient cooperation of supervisory authorities (SAs) by streamlining the handling of complaints; fostering early consensus building among SAs; deterring SAs that disapprove of how the procedure is evolving from undertaking lengthy and belated interventions; and standardising other interactions among SAs,” the report said. “Nevertheless, overall, the proposal may well fail to reach its efficiency objective, because it primarily builds on the GDPR's cooperation and consistency mechanism and risks inheriting or even exacerbating crucial flaws instead of remedying them.”

“It would likely strengthen the role of the lead supervisory authorities (LSAs), some of which are being heavily criticised for stifling strong enforcement and shielding controversial industry data practices. Conversely, it would limit the powers the current guidelines ascribe to the supervisory authorities concerned (CSAs) and the European Data Protection Board (EDPB), to undertake corrective action against the possibly flawed approaches of LSAs,” it said, warning that the proposals might allow some LSAs to “increase procedural efficiency” simply by “systematically (and whenever permissible) disregarding interventions by fellow SAs”.

“Empowering the LSAs to disregard the CSAs' concerns without entering into EDPB dispute resolution would implicitly give the views of a single LSA priority and disqualify the SA majority from resolving disputes as members of the EDPB,” the report said. “This may reduce critical dialogue among SAs, threaten the substantive accuracy of outcomes, diminish coherence of GDPR enforcement decisions and relegate CSAs to launching uncertain and cumbersome procedures to challenge or override binding draft decisions of which they disapprove. Considering that fellow SAs are equally competent, concerned and (functionally) capable, it seems questionable whether opinions of single LSAs should take priority.”

Despite the concerns, a “key action” that the EDPB has committed to as part of its strategy for 2024 to 2027 concerns the operation of the ‘one stop shop’ mechanism.

It said: “We will reiterate our commitment to the smooth functioning of the one stop shop and other cooperation and consistency provisions set out under the GDPR. As part of this, the EDPB will continue to ensure that any requests for opinions or binding decisions under the GDPR consistency mechanisms are fulfilled efficiently by providing clear and robust responses.”

“The EDPB will support efforts for the adoption of the EU Regulation laying down additional procedural rules relating to the enforcement of the GDPR, including by continuing to provide feedback on and suggestions for that proposal during the legislative process, as appropriate. Further, we will prepare for its practical implementation. These preparations will include, among other things, a proactive examination of our working methods and procedures to ensure the full application of the opportunities provided by this Regulation,” it said.

Dowden and Barden said businesses may be concerned that the proposed reforms to the procedural rules are not aimed at addressing the right target. They said the proposals assume that a front-loaded procedure, restricting CSAs to early stage and more narrowly defined “relevant reasoned objections”, will address the problem of later intervention and subsequent delays, but that it is arguable that the bigger problem is disagreement among supervisory authorities based on conflicting interpretations of the GDPR and their views about the appropriate type or level of penalty to levy. They said any efficiencies that could be obtained earlier in the process could be sapped if CSAs trigger the EDPB’s involvement in dispute resolution.

Barden said: “The proposal reignites concerns about the balance of power and competence among supervisory authorities and reflects ongoing tension between those who would prefer a more centralised and streamlined approach to enforcement and supervisory authorities in several member states that argue for greater involvement on the part of CSAs and adherence to a ‘majority rule’ approach.”

“Arguably, the debate over detailed procedural rules for enforcement highlights tensions over the bigger question of speed v coherence in enforcement. When the GDPR consistency mechanism has been called into action, it has often reflected sharp divisions between supervisory authorities on how the GDPR provisions should be interpreted. Arguably, procedures that confer greater power on an LSA would improve the speed of enforcement but would risk ineffective enforcement if particular LSAs are seen as being too lenient,” she said.

Dowden said there are advantages to multinational businesses to falling within the scope of the ‘one stop shop’ system of regulation under the GDPR, but that an opinion issued by the EDPB earlier this year on the concept of ‘main establishment’ under the Regulation raises an issue that some companies – particularly those based in the US – will need to consider carefully.

Dowden said: “In its ‘main establishment’ opinion, the EDPB concluded that there could be a ‘main establishment’ within the EU only if decisions on the purpose and means of processing personal data were taken at a controller’s location within the EU, and if that location had the power to implement those decisions. If decisions were, in fact, taken in another jurisdiction, then there would be no ‘main establishment’,” Dowden said.

“One effect of that opinion is that for many large US organisations, where decisions are taken at parent organisation level, it is quite likely that the ‘one stop shop’ would not be available in the event of enforcement or of breach reporting. That can have a major effect on the speed, complexity, and costs of meeting enforcement action and on breach reporting. The practical response from US-based or other third country data controllers might be to put in place – and document – arrangements under which relevant decisions are taken in and implemented from within the EU. It is possible, though, that some member state supervisory authorities would challenge those arrangements if they thought them to have been artificially put in place to gain access to the ‘one-stop shop’,” he added.