Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

European Commission Explains: “Where There is EU-wide Impact,” National DPAs May Be Superseded

The European Commission’s DG Justice recently issued an explanation of how the proposed “consistency mechanism”  in the General Data Protection Regulation will work, explaining that “the main innovations of the proposed [] Regulation relate to the institutional system it creates rather than to the substance of data protection law.”   In summary, the Commission explained that ” [t]he consistency mechanism establishes a graduated procedure that preserves the role of national DPAs, ensures cooperation between DPAs within the Board and gives the Commission a role as a backstop.” 

 DG Justice explains that where there is an EU-wide impact, the matter is referred to the Board.  The Board meets, discusses, agrees and  issues an opinion (non-binding) which must be taken into account by the national DPA .  After the Board has issued its opinion,  the Commission may adopt a (non-binding) opinion.  Thereafter, the Commission may issue an order superseding the local DPA.

In parsing the Commission’s explanation, a number of questions arise, notably when a matter is deemed to have a “pan-European” impact — an EU-wide impact –, thus taking matters solely out of a national DPA’s authority.  The Commission goes to lengths to explain that  “[t]he role of the Commission does not interfere with the independence of DPAs who remain competent to tackle individual cases. ”  According to the Commission, in cases where there is no EU-wide impact, individual decisions are taken by national DPAs without further review or interference.  Notably, the Commission does not explain in any detail what would constitute a case with “EU-wide impact” other than to state

The flaws of the present system were illustrated in the Google Street View case. The actions of a single company affected individuals in several Member States in the same way. Yet they prompted uncoordinated and divergent responses from DPAs.

The individual DPA  has to take the Commission’s initial non-binding opinion into account before taking action and deciding the contested matter.  Then, if the Commission or the Board have “serious doubts as to whether the [national DPA’s action]would ensure the correct application of the Regulation” the Commission may require the DPA to suspend its action by a maximum of 12 months “in order to reconcile diverging positions between a DPA and the Board; or to adopt an implementing measure in particular where the proper functioning of the internal market is at issue.”

The main justification offered for this dilution of individual DPA authority is that  “[t]he threat of action by the Commission ensures that DPAs do not shy away from difficult cases.”  The Commission goes on to explain that a “consistency mechanism without the Commission would be bad for business. The Commission is the guardian of the internal market and is responsible for the proper implementation of EU law. The Regulation will not be properly applied based on knowledge of data protection laws alone.  The internal market must be brought about and the consistency mechanism, with the Commission as backstop, is the only way to do this.”

Still, the recent explanation from DG Justice does not explain how a business should operate as the consistency mechanism procedures play out.  Would a business offering a new service or using a new technology be subject to greater penalties if it proceeds during the administrative process in which a DPA’s decision is challenged by the Board and/or Commission, and the ultimate decision is adverse to the business?   

The Commission notes that allowing the Board to take binding decisions would be illegal because under only the Commission can take decisions that are binding on the Member States.

The role of the Commission does not interfere with the independence of DPAs who remain competent to tackle individual cases. The proposed Regulation strengthens DPAs by making sure they act in concert. The Commission’s role is to ensure coherence and build the single market. During this mandate, the Commission has fought hard with several Member States over the independence of national data protection authorities.

Chart from DG Justice Web Site