On July 14th the European Data Protection Board (EDPB), an independent European body to ensure consistent application of the General Data Processing Regulation (GDPR), adopted a set of criteria to determine cross-border cases of strategic importance for privacy enforcement by the local data protection authorities (DPAs). The step fits within the EDPB’s larger strategy of improving cooperation between DPAs and enhancing enforcement of the GDPR. It merits a closer look as it constitutes a small but significant shift in the process for cross-border cases.
Cross-border cases in the (trustful) hands of the lead supervisory authority
Since GDPR’s entry into force four years ago, data processing in the EU is subject to a largely unified substantive framework with decentralised enforcement by data protection authorities (DPAs). This begs the question which DPA is competent to enforce the law in the frequent cross-border cases, where, for example data controller and data subject reside in different member states. GDPR foresees in principle that DPAs in both the data subjects’ and the controllers’ member states are competent.
Crucially however, the DPA at the controller’s main establishment is considered the Lead Supervisory Authority (LSA) that serves as a one-stop-shop for the controller and is responsible for issuing a decision – in consensus with the other concerned DPAs. This first decision usually has a determining influence on timing, scope and the direction of the case. Although other DPAs can give their views on the decision, any fundamental changes at such a late stage would considerably delay the entire proceedings.
While the concept of one-stop-shop has significant advantages in terms of efficiency and legal predictability, some DPAs have felt at odds with the wait and see position conferred to them and would like to act quicker on certain cases involving controllers or data subjects in their territory. The EDPB’s strategy intends to address those concerns for certain high profile “strategic cases”.
The EDPB’s enforcement strategy for strategic cases: towards a team effort
Where a strategic case is selected, heads of DPAs from each member state will then, at an EDPB level and under the direction of the LSA for the strategic case, develop an action plan on how to proceed with the case. The action plan may include fixed timelines, information sharing, cooperation across DPAs and even joint investigations. All DPAs can (voluntarily) submit proposals.
Strategic cases can be proposed by DPAs and will be chosen by the EDPB based on qualitative and quantitative criteria of the case:
Qualitative criteria
- intersection with other areas of law
- relevance to a fundamental issue within the EDPB policy
- high risk under the General Data Protection Regulation (e.g. processing special categories of data; processing of vulnerable individuals such as minors; situations where a data protection impact assessment is required)
Quantitative criteria
- structural or recurring problems in several member states, especially general interpretation, application or enforcement issues
- large number of data subjects in several member states
- large number of complaints in several member states
The EDPB also intends to further promote cooperation and consistency between DPAs by issuing more consistent opinions on the application of GDPR to specific scenarios and organising regular workshops and strategic information exchanges.
What’s next?
The EDPB’s announcement marks a substantial deviation from the procedure the GDPR lays out, where the LSA drives the case and submits its decision draft to other concerned DPAs for their opinion. DPAs were essentially required to wait on the LSA’s decision or adopt a – provisional – urgency decision for the time being. The EDPB stepped in only where a consensus between the LSA and DPAs could not be reached and – in rare cases – issued a binding decision to be observed by the LSA.
By involving all DPAs at an early stage, the EDPB intends to almost reverse that procedure in the hopes to (i) expedite the timeline on cross-border investigations and (ii) enhance consensus between DPAs on the correct application of the GDPR. The decision is political as in the past, some DPAs publicly expressed discontent with how other DPAs dealt with cross-border cases where they were in the lead.
The EDPB already agreed on three (undisclosed) cases to kick-start the project, so we can expect to see the strategy in action quite soon. While the substantive wording of the GDPR and the decisive role of the LSA remain (formally) untouched, the strategy may well lead to swifter enforcement, especially on prominent, cross-border cases. With more eyes on the case from an early stage, strategic cases might take on a broader scope with different authorities scrutinising different aspects of a business’s data processing. Businesses facing enforcement may also notice certain DPAs taking on a more active role in cases where they would otherwise deal with their LSA, for instance in the form of joint investigations. Given the deviation from the GDPR, some of these measures may be challengeable on procedural grounds.
