European data protection authorities are on a roll. This year started with the unprecedented coordination of enforcement actions across the EU over Google’s alleged failure to provide sufficiently clear and detailed information about its practices. Then the Article 29 Working Party (WP29) underwent what is possibly its most prolific period ever – with many opinions on topics ranging from breach notification and surveillance to international data transfers and legitimate interests. In fact, WP29 has already adopted seven opinions so far this year – the same number as in the whole of 2013. Further ground-breaking enforcement actions for things like not obtaining consent for cookies have also taken place in the past months. More recently, the European Court of Justice (ECJ) sided with the Spanish authority in the landmark ‘right to be forgotten’ case.
So European DPAs could be forgiven for thinking that they have become a focal point of reference for the functioning of the current and forthcoming EU data protection regime. This has been reinforced even more by the importance given to the one-stop-shop (OSS) debate within the Council of the EU. OSS was originally presented as one of the fundamental pillars of the future Data Protection Regulation. If EU data protection harmonisation was the top priority of the EU Commission’s policy, OSS was regarded as an essential tool to achieve that objective. The notion of one single DPA taking exclusive responsibility for supervising compliance with the law for all data activities undertaken by a controller throughout the EU was not only an ambitious one, but a bold statement about the ideal regulation of privacy in a harmonised Europe.
But the Council always adds a dose of sobriety to the Commission’s idealistic thinking and this matter is no exception. The debate within the Council and indeed amongst the EU legislative institutions is far from over, but the latest stance of the Council on this issue after two and a half years of debate is quite telling. The documentation prepared by the Greek Presidency of the Council at the end of May 2014 summarises the position rather neatly. Long gone is the Commission’s concept of exclusive competence, which has been replaced by the Council – as it was by the EU Parliament in March – with the ‘lead authority’ model. Under the Council’s latest position, the lead authority must always avoid going solo and will need to involve other concerned authorities in its decision-making process.
There are several building blocks to the Council’s view of OSS. The overall principle is that a lead authority must seek the cooperation of other DPAs when individuals in various Member States are affected by the use of their personal data by the same controller. In fact, OSS does not even apply where a controller or processor is established in more than one Member State, which could make OSS rather useless given the broad interpretation of a local establishment adopted by the ECJ. In any event, where individuals in more than one Member State are affected by data-related operations, the DPAs of all of those Member States must have a say in any enforcement decision.
In addition, any authority in a Member State where an individual has lodged a complaint about the use of their data can in turn prepare a draft enforcement decision and run it past the lead authority, reversing the OSS process altogether. The bottom line is that the DPAs of the countries where the individuals whose data is being processed by the same controller reside must be consulted by the lead authority. If, following that consultation, a DPA raises any objections to whatever proposal is being made by the lead authority, the matter must then be dealt with by the whole European Data Protection Board (EDPB) under the so-called consistency mechanism. It is of course impossible to know how frequently the consistency mechanism will be invoked, but what is clear is that the EDPB, as the successor to the WP29, is likely to end up acting as an EU-wide super-regulator. Ironically, this may have been what the Commission intended in the first place, but the effectiveness of such a system would rely on the DPAs’ ability to act as a well-coordinated, closely aligned and highly efficient team.
This article was first published in Data Protection Law & Policy in June 2014.