Data Protection Report - Norton Rose Fulbright

This is Part 3 of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In Part 2 we examined the concept of main establishment and the position of entities without an EU establishment. In this Part we consider the scope of authority (i.e., “competency”) of supervisory authorities (SAs), the cooperation obligations in relation to SAs and the functions of the European Data Protection Board (EDPB).

Competency of supervisory authorities

Please note that the proposed EU Data Protection Regulation uses the term “competency” to refer to the scope of authority and jurisdiction of each SA, both to monitor and enforce the Regulation and to contribute to its consistent application throughout the EU. Under the Regulation each EU Member State will be required to set up and adequately resource its own ‘competent’ SA.

Article 51 in all three bodies’ proposals for the Regulation addresses competence of SAs, who are also given supervisory powers under Article 53 to uphold the Regulation in their own territories.

Of particular interest is the way in which the Regulation deals with the competency of SAs where the controller or processor is established in multiple jurisdictions:

  • under Article 51(2) of the European Commission’s proposal for the new Regulation (Commission 2012 Proposal), where processing takes place in the EU and the controller or processor is established in more than one EU Member State, the SA of its main establishment is competent to supervise its processing activities in all EU Member States;
  • the ‘Partial Agreement’ reached between members of the Council on 13 March 2015 (the Council March 2015 Position) proposes a more complex way of dealing with this question. This reflects the Council’s desire for a mechanism that gives more input to concerned SAs in jurisdictions away from the country of main establishment, and supports a view that it is not always appropriate for the SA of the main establishment to act as lead SA. The concept of the ‘concerned supervisory authority’ (a creation of the Council March 2015 Position) covers SAs concerned with the processing because:
      • the controller or processor is established in the SA’s EU Member State;
      • there are data subjects residing in the EU Member State who are substantially affected or likely to be substantially affected by the processing; or
      • the underlying complaint was made to it;
  • in both proposals, the SA of the main establishment is competent to act as the lead SA in transnational matters, provided that it cooperates with the other concerned SAs. According to Article 54a of the Council March 2015 Position, this includes exchanging relevant information with concerned SAs, requesting mutual assistance and conducting joint operations where necessary, and communicating relevant information and draft decisions to other concerned SAs.

A potential concern with these proposals is overlapping competency of SAs, which should be avoided:

  • in the Commission 2012 Proposal, the lead SA does not appear to have sole or exclusive competence. This creates regulatory uncertainty – data controllers may face action from another local SA whose jurisdiction they fall under but who, in principle, should allow the lead SA to act on its behalf;
  • the European Parliament’s adopted text of 12 March 2014 (the Parliament March 2014 Position) does not appear to resolve this conflict;
  • the Council March 2015 Position appears to give exclusive competence to the lead SA where the controller is established in more than one EU Member State. At the same time, each other concerned SA has exclusive competence to deal with a case where its subject matter concerns processing activities that only relate to an establishment in its EU Member State or only affect data subjects in its EU Member State. The process requires:
      • the concerned SA to obtain agreement from the lead SA where the concerned SA considers itself competent;
      • the lead SA to take into account whether there is an establishment of the controller or processor in that local EU Member State when making its decision;
      • that, where there are conflicting views on which of the concerned SAs is competent for the main establishment, the EDPB will make a binding decision.

We understand that this position has been adopted in order to ensure proximity to the data subject. However, from a controller’s or processor’s perspective, it is unpalatable that there should be a risk of a dispute between regulators as to competence which escalates to a reference to the EDPB for resolution. Such a process seems contrary to the objective of delivering regulatory efficiencies.

Cooperation with the lead SA

The principle that a lead SA is to have exclusive or semi-exclusive competency means that the lead SA and local SAs will have to cooperate so that:

  • facts can be investigated outside their own jurisdiction;
  • the non-lead SA has reassurance that the matter is being properly handled by the lead SA and corresponds with data subjects in its jurisdiction on the matter; and
  • the lead SA is able to apply the connected non-data protection laws of the non-lead SA’s jurisdiction that will necessarily intersect with the Regulation and which need to be taken into account in its decisions (we discuss this point in more depth later on).

Collaboration between SAs will be crucial to the effectiveness of the One Stop Shop mechanism. Article 55 creates obligations on SAs to share information and provide mutual assistance to SAs in other EU Member States. This should include information requests and supervisory measures (such as inspections) in situations where data subjects in multiple EU Member States are likely to be affected by the processing of personal data.

Where an SA receives a request from an SA in another EU Member State, it has one month to respond. If it does not, the SA that made the request is deemed to be competent to take a provisional measure in relation to the territory of its EU Member State. This may last up to three months, and the SA can submit the issue to the EDPB under the consistency mechanism.

The envisaged procedure could allow:

  • the lead SA to take a provisional measure while waiting for a local SA to give it information; or
  • a local SA to take a provisional measure necessitated by a delay of the lead SA. However, the primacy of the lead SA’s final measure should be provided for in the text in order to avoid any confusion in this regard.

Joint operations and investigations are also permitted and encouraged under Article 56. The Parliament March 2014 Position and Council March 2015 Position introduce a procedure under which the lead SA would submit draft decisions (on measures to be taken that address issues affecting the other EU Member States) to their SAs for consultation prior to adoption. The Council March 2015 Position includes a 4-week period in which comments can be made. After that time the lead SA decision would be deemed to have been agreed by all other SAs.

There are also provisions that allow a lead SA to implement a decision urgently under Article 61, but only with the agreement of a simple majority of the EDPB.

We have not commented on the other differences between the Commission 2012 Proposal and the Parliament and Council positions in this context because they are not materially different on the issues discussed.

EDPB

The EDPB will replace the Working Party on Individuals with Regard to the Processing of Personal Data (currently known as the Article 29 Working Party).

The EDPB will consist of the heads of each EU Member State’s SA and the European Data Protection Supervisor, and will both advise the Commission and promote cooperation between SAs throughout the EU.

The EDPB therefore has an important role in maintaining consistency throughout the EU. Under the Council March 2015 Position, the EDPB’s role in the complaints procedure is expanded to include responsibility for decisions where there is disagreement between the lead SA and other concerned SAs in respect of the decision reached.

Check back for Part 4 of the “One Stop Shop” series, which will discuss the mechanism for ensuring enforcement consistency across SAs.