This is Part 5 — the final part — of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In Part 2 we examined the concept of main establishment and the position of entities without an EU establishment. In Part 3 we considered the competency of supervisory authorities (SAs), the cooperation obligations in relation to SAs and the functions of the European Data Protection Board (EDPB). In Part 4 we discussed the consistency mechanism applicable to supervisory authorities. In this Part we look at the application of sanctions by the lead SA across the EU, disagreements between SAs, complaints and litigation for affected data subjects, the application of foreign laws by the lead SA, and matters of language and culture.
Application of sanctions by lead SA across the EU
A Council debate note of 26 May 2014 flagged that at least one EU Member State had raised constitutional problems regarding the legal effect of applying measures decided by the lead SA in other EU Member States.
The Italian Presidency of the Council has addressed these concerns by clarifying that the lead SA would be competent in applying its supervisory powers, deciding on the case and directing the decision, on its own territory, to the main establishment of the controller or processor. It would then be for the data controller or data processor to implement the decision as regards all its establishments in the EU.
The ‘Partial Agreement’ reached between members of the Council on 13 March 2015 (the Council March 2015 Position) attempts to address concerns over proximity and sovereignty by altering the procedure so that the lead SA is no longer able to take decisions unilaterally. Instead, the lead SA and all concerned SAs are to jointly agree decisions, which will then be directed towards the main establishment of the controller or processor and will be binding on them.
Disagreements between SAs
In altering the balance of decision-making powers to give greater input to other concerned SAs, the consistency mechanism would change significantly to provide a forum for disagreements to be resolved.
Attitudes towards data protection vary substantially between EU Member States, and it is inevitable that disagreements will arise over lead SAs’ proposed decisions. The Council March 2015 Position sets out a process for resolution of such disputes:
- where a concerned SA expresses a ‘relevant and reasoned objection’ to a draft decision of the lead SA, or the lead SA has rejected an objection as not being relevant and/or reasoned, then under the consistency mechanism the EDPB will adopt a binding decision concerning all the matters subject to that objection (in particular whether there is an infringement of the Regulation); and
- the EDPB will also adopt a binding decision where there are conflicting views as to which of the SAs should be the lead SA, and/or where an SA does not: (1) follow an opinion issued by the EDPB; or (2) seek an opinion of the EDPB when it should.
This process gives rise to several important implications:
- effectively, these changes place the EDPB at the top of a regulatory hierarchy, whose decisions may only be overturned by the European Court of Justice (ECJ), and this extra step has the potential to incentivise concerned SAs to push for the decision they believe to be correct at the expense of finding a consensus view with its peers;
- it has been argued by commentators that the process may also lead to ‘capricious referrals’; and
- potentially the process places a lot of strain on the EDPB, and commentators have expressed concerns that the regime would result in a process that is more bureaucratic than the existing implementation of the Data Protection Directive (Directive 95/46EC).
The European Commission’s proposal for the new Regulation (the Commission 2012 Proposal) notes the need to provide adequate resources to the European Data Protection Supervisor, who would take on the role of secretariat for the EDPB for the purposes of the consistency mechanism, and Article 47 requires EU Member States to ensure their SAs are adequately resourced. However, there is nothing in the Regulation that provides for funding for the EDPB.
If it is to work as a major forum for decisions, then the EDPB will need to have adequate manpower and infrastructure to be able to review potentially high volumes of cases.
Attitudes towards data protection issues will continue to differ across the EU’s 28 Member States, making it a realistic possibility that the EDPB could become flooded with objections from concerned SAs. While there undoubtedly are advantages to the proposal set out in the Council March 2015 Position, it will only work with properly financed institutions.
Complaints route for affected data subjects
The need for a complaints route for affected data subjects gives rise to a number of potential issues:
- a pan-European standard of service needs to be established;
- lead SAs will need to be resourced to meet it; and
- lead SAs must treat complaints from foreign data subjects as zealously as complaints from local data subjects.
Every data subject has a right to complain to their local SA. However, that local SA will be obliged to pass the complaint to the lead SA (as described previously) for a decision and a remedy.
Under the Council March 2015 Position, where the complaint does not affect data subjects in other EU Member States, the lead SA may permit the local SA to handle the complaint itself, taking into consideration a number of factors (even where the lead SA decides to take on the case, it must seriously consider the suggested remedy provided by the local SA).
It is clear that all substantial regulatory remedies will be imposed by the lead SA, even where the local SA is heavily involved in the investigation. If the data subject is dissatisfied with the remedy imposed by the lead SA, it is open to him/her to bring judicial review proceedings against the lead SA in the lead SA’s jurisdiction.
We doubt whether this right will be much used by data subjects situated outside the lead SA’s jurisdiction (the Commission 2012 Proposal and the European Parliament’s adopted text of 12 March 2014 (the Parliament March 2014 Position) contemplated that the data subject’s local SA would bring proceedings against the lead SA on its behalf. The last Council position on this point has dropped this).
In order to avoid criticism from data subjects and consumer rights groups, it will be essential that lead SAs are seen to be responsive to matters relating to data subjects outside their jurisdiction. Resourcing shortages and cultural differences in managing cases may cause problems once the system is implemented. Despite the challenges in doing so, common service levels will need to be established across SAs early on.
Litigation route for affected data subjects
The ability of a data subject to bring proceedings against controllers or processors in local courts gives rise to the risk that there might be divergent interpretations by local courts across the EU.
All of the EU institutions’ current positions include the right for data subjects to bring judicial proceedings against the controller or processor in the EU Member State in which the data subject has its habitual residence (it will also be possible for it to bring proceedings in any other EU Member State in which the controller has an establishment).
The Commission 2012 Proposal and the Parliament March 2014 Position allow for such proceedings to be stayed if the matter was already the subject of the consistency mechanism. The last Council position appears to have removed the possibility of such a stay (although it remains where proceedings are being brought in another EU court).
As a result, it is possible that national courts may develop jurisprudence that diverges. Their jurisprudence may also diverge from the approach taken by other SAs.
The problem of divergent jurisprudence could result in different interpretations of the Regulation, legal uncertainty, ECJ references and further questions about the status of EDPB guidance and Commission positions on issues.
Application of foreign law by lead SAs
When finalised, the Regulation will harmonise the main data protection law across the EU. However, the Regulation will not be interpreted in a vacuum – data protection laws interact with other local laws in a wide variety of ways.
For example, where processing is justified because it is required by law, or where there is an exception to subject access rights where the information is covered by professional secrecy laws, the lead SA may well need to decide what the law of another jurisdiction requires or permits.
Presumably this information will be provided by the local SAs. There is potential for significant challenges to the lead SA’s position in interpreting the Regulation in the context of jurisprudence in respect of which may have no expertise.
The local SA has an option to make an objection, which would force the decision to be scrutinised by the EDPB. However, this is not an ideal solution as it is likely to delay the satisfactory resolution of the issue.
A multitude of national languages exists throughout the EU, some of which are spoken very little outside their national borders. Even where translations are used, there are occasions where an exact translation is impossible. This could lead to uncertainties over the exact meaning of decisions or the precise effect of measures taken by lead SAs.
There are clear cultural variances throughout the EU, and this is particularly noticeable in relation to data privacy and regulatory enforcement.
Whether a breach of the Regulation would be considered to be serious may be interpreted according to different standards. For example, French and German SAs (whose jurisdictions have traditionally prioritised issues of data privacy) could set a lower threshold for establishing a breach than the UK SA.
Culture and attitudes towards data privacy are also likely to influence how potential breaches are investigated, the resources that are assigned to any investigation, and the sanctions imposed where there is a finding that there has been a breach.