The European Commission has pledged to introduce a new system for monitoring GDPR enforcement by national data protection authorities (DPAs). This new monitoring system is being introduced by the Commission after complaints from a civil society organisation that the Commission does not gather sufficient information to monitor the application of the GDPR in Ireland and, more broadly, that the European Commission is not doing enough to ensure that the GDPR is adequately enforced.
In the proposed system, the Commission intends to examine every large-scale cross-border investigation by every national DPA in the EU. The purpose of this system is that the European Commission can better assess whether the enforcement of the GDPR by national DPAs is adequate. As part of the oversight, the Commission will request all national DPAs to share an overview of their large-scale cross-border investigations under the GDPR on a bi-monthly (and strictly confidential) basis. Among other things, the DPAs need to provide information on the main procedural steps and what investigative or other measures they have taken in the relevant investigations. The Commission's intention implies that, to some extent, accountability also applies to national DPAs.
What does this new monitoring system mean for the independent status of national DPAs?
The Commission has the competency to monitor the application of EU law by the Member States (Article 17 Treaty of the European Union). In this regard, the Commission has the power to e.g. initiate an infringement procedure against a Member State that fails to implement EU law (Article 258 Treaty of the Functioning of the European Union). On top of that, the GDPR stipulates that DPAs shall contribute to the consistent application of the GDPR. For that purpose, the DPAs must cooperate with each other and the Commission (Article 51(2) GDPR). In the light of the above, it makes sense that the Commission needs information from DPAs on the status of (large) cross-border investigations.
However, the European Commission's initiative to request and assess information from national DPAs is somewhat at odds with the independent status of national DPAs. The DPAs derive this independent status from Article 52 GDPR (and Article 8(3) of the EU Charter of Fundamental Rights).
In a different context, the independent status of national supervisors is also under discussion. Recently, the EDPB instructed the Irish Data Protection Commissioner (DPC) to conduct a new investigation that would cover all data processing activities of a data controller based in Ireland. The DPC ignored the follow-on instruction of the EDPB and announced it will challenge certain far-reaching instructions from the EDPB. According to the DPC these directions involve an ‘jurisdictional overreach’ on the part of the EDPB: “the EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation.”
Concluding remarks
The Commission hints that it will come up with a proposal later this year to ‘further harmonise relevant procedures for DPAs […] to further enhance cooperation in cross-border cases’. It is not yet exactly clear when the Commission will start with requesting information from the DPAs. No DPAs have yet publicly responded to the Commission's intention. It will be interesting to see whether the DPAs will see the Commission's intended role as affecting their independence (in this regard also see the difference of opinion between the Commission and the Dutch DPA on the scope of the "legitimate interest").
