PHAEDRA II - IMPROVING PRACTICAL AND HELPFUL CO-OPERATION BETWEEN DATA PROTECTION AUTHORITIES II http://www.phaedra-project.eu/
Project co-funded by the European Union under the Fundamental Rights and Citizenship Programme (JUST/2013/FRAC/AG/6068).
European and national legal challenges when
applying the new General Data Protection
Regulation provisions on co-operation
Deliverable 3.1
London – Brussels – Warsaw – Castellon,
September 2016
A report prepared for the European Commission’s Directorate-General for Justice (DG JUST).
The contents of this deliverable are the sole responsibility of the authors and can in no way be taken to
reflect the views of the European Commission.
Authors
Name Partner
Vagelis Papakonstantinou VUB-LSTS
Cristina Pauner Chulvi UJI
Andrés Cuella UJI
David Barnard-Wills Trilateral Research
Internal Reviewer
Name Partner
Paul de Hert VUB-LSTS
Institutional Members of the PHAEDRA II Consortium
Member Role
Vrije Universiteit Brussel (VUB), Research Group on Law Science Technology & Society (LSTS) Project Co-ordinator
Trilateral Research Ltd (TRI) Partner
Bureau of the Inspector General for Personal Data (GIODO) Partner
Jaume I University (UJI) Partner
Contents
Executive summary ... 5
List of abbreviations ... 6
1 Introduction ... 7
2 Achieving consistency under the EU data protection legal framework ... 9
2.1 The consistency mechanism ... 10
2.1.1 Article 63 of the GDPR: Consistency mechanism ... 10
2.1.2 Article 64 of the GDPR: Opinion of the Board ... 12
2.1.3 Article 65 of the GDPR: Dispute resolution by the Board ... 16
2.1.4 Article 66 of the GDPR: Urgency procedure ... 18
2.1.5 Other consistency mechanisms ... 21
2.1.6 Conclusions ... 21
2.2 The “one-stop-shop” mechanism in the GDPR: Article 60, on the Cooperation between the lead supervisory authority and the other supervisory authorities concerned ... 22
2.2.1 Rationale ... 24
2.2.2 Basic components: the notions of a “lead DPA”, the actors in the one-stop-shop mechanism, and the “main establishment” of the controller ... 25
2.2.3 How is the one-stop-shop mechanism expected to operate? ... 30
2.2.4 Challenges and concerns ... 32
2.3 Consultation mechanisms and distribution of powers ... 33
2.3.1 Decision-making by the European Data Protection Board in the text of the GDPR ... 34
2.3.2 Mechanisms for DPA consultation with the European Data Protection Board ... 38
2.3.3 The institutional setting for consistency: Roles and distribution of powers between the European Data Protection Board and the Commission ... 39
2.4 Procedural differences and other issues ... 40
2.4.1 EU DPAs complaint handling processes ... 40
2.4.2 The data subjects’ perspective: is there a “right to consistency”? ... 45
2.5 Conclusion: Enhancing consistency ... 45
3 Learning from “mutual recognition” experience: the case of the BCR ... 47
3.1 The BCR legal basis and procedure ... 47
3.2 The BCR advantages ... 51
3.3 The difficulties arising from BCRs’ lack of generalisation ... 52
4 Proposed mutual assistance, co-ordination and co-operation regarding enforcement measures ... 54
4.1 Mapping DPAs’ enforcement powers ... 54
4.2 Sharing information (including confidential information) ... 58
4.2.1 Regulations governing the exchange of information under the GDPR ... 60
4.2.2 The notion of “relevant information” ... 63
4.2.3 A variety of procedures for sharing information ... 65
4.2.4 The question of confidential information. Legal setting among Member States concerning the exchange of information and the obligation of confidentiality ... 70
4.2.5 Learning from practical examples of tools used to exchange information ... 78
4.2.6 The principle of confidentiality in the GDPR ... 80
4.2.7 An assessment of the GDPR provisions regarding the exchange of information ... 82
4.3 Mutual assistance, co-ordination and co-operation regarding enforcement measures ... 86
5 General conclusions ... 97
Executive summary
The recent reform of the basic EU data protection legal framework introduced a major change in how
data protection law is applied and enforced in EU Member States. It also introduced major changes in
the character and scope of cooperation between EU DPAs. Cooperation is now not merely a
possibility, but an obligation under EU law. Nevertheless, uncertainties do remain as to how this new
framework will be applied in practice and how it will impact the everyday operation of EU DPAs.
The recent GDPR makes cooperation among DPAs mandatory but does not provide comprehensive
rules on the modalities and procedures involved. The analysis that follows demonstrates that there is a
need for supplementary operational and legal guidance. The objective of this report is to examine the
practical implications of the relevant provisions of the GDPR, to identify aspects that remain
unregulated but which would benefit from a common approach by all DPAs, as well as to highlight
specific areas where there is a need for more operational and legal guidelines or where the
implementations of standardised procedures and rules would be advisable.
The analysis that follows applies this same approach to all the different GDPR instances that
are placed under its scrutiny: the consistency mechanism, the “one-stop-shop” mechanism, the
European Data Protection Board, BCRs, DPA enforcement powers, data sharing practices among
DPAs and mutual assistance. An article-by-article approach was considered necessary, in view of the
fact that the GDPR is a relatively recent legal text, only a few months old, whose provisions
would therefore benefit the most from a detailed legal analysis. While doing this, emphasis was
placed on the “practical” aspects of our research: our constant aim was to provide practical assistance
to DPAs by identifying those points within the new GDPR that will probably need to be
complemented by additional, practical guidance to be issued, most likely, by the Board. In the same
context, we also strove to provide the Board members who will undertake this task with certain
guiding principles and considerations that will hopefully assist them in their work.
This report forms deliverable 3.1 of the PHAEDRA II project. The project is dedicated to identifying,
developing and recommending measures for improving practical co-operation between European Data
Protection Authorities (DPAs).
Further information about the project, including its previous reports and publications can be found at
http://www.phaedra-project.eu/
List of abbreviations
BCRs Binding Corporate Rules
CIRCABC Communication and Information Resource Centre for Administrations, Business and Citizens
CJEU Court of Justice of the European Union
DPA Data protection authority
DPIA Data protection impact assessment
EDPB European Data Protection Board
EDPS European Data Protection Supervisor
EU European Union
FTC Federal Trade Commission
GDPR General Data Protection Regulation
GPEN Global Privacy Enforcement Network
ISO International Standards Organization
MS Member States
PC privacy commissioner
PIA privacy impact assessment
1 Introduction
The recent reform of the basic EU data protection legal framework introduced a major change in how
data protection law is applied and enforced in EU Member States. It also introduced major changes in
the character and scope of cooperation between EU DPAs. Cooperation is now not merely a
possibility, but an obligation under EU law. Nevertheless, uncertainties do remain as to how this new
framework will be applied in practice and how it will impact the everyday operation of EU DPAs.
The recent Regulation 679/2016 (the “General Data Protection Regulation” or the “GDPR”) makes
cooperation among DPAs mandatory but does not provide comprehensive rules on the modalities and
procedures involved. The analysis that follows demonstrates there is a need for supplementary
operational and legal guidance. The objective of this report is to examine the practical implications of
the relevant provisions of the GDPR, to identify aspects that remain unregulated but which would
benefit from a common approach by all DPAs, as well as to highlight specific areas where there is a
need for more operational and legal guidelines or where the implementation of standardised
procedures and rules would be advisable.
In this context, in Part 2 of this analysis, on “achieving consistency under the EU data protection
legal framework”, consistency is identified as a necessary attribute of the EU data protection legal
framework both from a formal and from a functional perspective. With regard to the former,
consistency is an obvious goal within an EU field of law, where common rules are aimed at regulating
in a common manner a particular subject-matter within all EU Member States, as also required by
Article 16 TFEU. With regard to the functional perspective, consistency is a basic assumption of
effective data protection. Because data protection essentially regulates personal data flows which, in
turn, can blatantly disregard national borders, a fundamental pursuit of all relevant international legal
instruments is to achieve as consistent a level of protection as possible in all their signatory states.
Consistency within the future EU data protection model is to be achieved through the “consistency
mechanism”, incorporated into Section 2 (Articles 63, 64, 65 and 66) of Chapter VII of the GDPR. In
this context, our analysis takes the format of an article-by-article analysis of the GDPR provisions on
the consistency mechanism. In this way all aspects of this crucial new system for DPA cooperation
will be covered more effectively. Each article analysis is followed by some issues that may already be
identified as difficulties in relation to the GDPR article concerned.
Within the same Part 2 the so-called “one-stop-shop” mechanism (its name is not formally adopted in
the regulatory text but is only to be found in the Preamble), as set in Article 60 of the GDPR, is also
analysed, as yet another formal cooperation mechanism among EU DPAs. While doing this, its raison
d’être is analysed, as well as its basic concepts of the “Lead DPA” and the “main establishment”,
upon which it is based. Its expected operation under the GDPR is further elaborated upon, with the
aim of identifying relevant challenges and concerns (laid out in section 2.2.4).
The focus is then turned upon the European Data Protection Board. Under the GDPR the Board is not
merely intended to be the replacement of the Article 29 Data Protection Working Party. Although this
substitution is also necessitated by the new EU data protection structure, the GDPR grants to the
Board a much wider role than that held by the Article 29 Working Party. As evidenced within the
analysis of the consistency and one-stop-shop mechanisms, the Board is to become an administrative
dispute resolution (in other words decision-making) mechanism – a substantial point of departure
from its past. The analysis therefore continues with its article-by-article format, specifically aimed at
highlighting only its decision-making function that is relevant to the purposes of this analysis.
Attention subsequently turns to complaint-handling procedures by EU DPAs under the current
and future legal framework, identifying those issues that may stand in the way of developing a
standardised data subjects’ complaint handling procedure across the EU. Within the same analysis we
also address the question whether the case for a “right to consistency” could be supported (with a negative
outcome).
Part 3 of this analysis, on “learning from mutual recognition experience”, makes use of the BCR
mutual recognition experience under the legal framework in effect today, in order to extrapolate,
wherever possible, to the forthcoming GDPR environment. In this context it is established that,
despite this procedure’s obvious advantages and the consistent effort by both the Commission and the
Article 29 Working Party to streamline its operation, a lack of generalisation (on the part of
DPAs but also on the part of the controllers and processors to which it would normally be addressed) reveals
the limitations of any similar attempt to introduce standards and achieve functional DPA cooperation
in the field.
Finally, Part 4 of this analysis, on “proposed mutual assistance, co-ordination and cooperation
regarding enforcement measures”, focuses on the diversity of existing DPA enforcement powers and
the differences between DPAs in the powers at their disposition as well as on current national
limitations on sharing information, because it is considered that all of the above are intrinsically
connected to practical challenges with regard to the proposed mutual assistance, co-ordination and co-
operation enforcement measures under the GDPR. To this end, attention is first given to DPAs’
enforcement powers, so as to highlight obstacles to a common enforcement practice that perhaps the
GDPR will need to overcome. Accordingly, sharing information practices among DPAs are
subsequently analysed, first from a regulatory perspective (their actual legal basis) and then with
regard to their basic components, meaning the concepts of “relevant information” and the mechanisms
through which to achieve such exchanges respectively. An account of the legal setting among Member States
on the exchange of information and the obligation of confidentiality is also attempted. The analysis finds
that the effective exchange of information may conflict with DPAs’ confidentiality obligations, which may
thus prevent DPAs from releasing restricted information to one another. Finally,
taking into account that the legal framework of the GDPR enhances and in certain circumstances
obliges EU DPAs to provide each other with mutual assistance and to co-ordinate or jointly undertake
certain enforcement measures, the last section of this report is aimed at providing an account of
mutual assistance and joint operations as set out in the GDPR, exploring the potential of a common
approach to mutual assistance, co-ordination and joint operations and also, in accordance with this
report’s general approach, to provide some initial best practice guidelines in this regard.
2 Achieving consistency under the EU data protection legal framework
Consistency is a necessary attribute of the EU data protection legal framework both from a formal and
from a functional perspective. With regard to the former, consistency is an obvious goal within an EU
field of law, where common rules are aimed at regulating in a common manner a particular subject-
matter within all EU Member States. In particular, Article 8 of the Charter and Article 16 TFEU
require that the fundamental right to the protection of personal data be ensured in a consistent manner
throughout the EU. With regard to the functional perspective, consistency is a basic assumption of
effective data protection: Because data protection essentially regulates personal data flows which, in
turn, can blatantly disregard national borders, a fundamental pursuit of all relevant international legal
instruments is to achieve as consistent a level of protection as possible in all their signatory states. It is after
all within this context that an EU Directive, Directive 95/46 [1], was introduced as early as 1995 in
order to warrant harmonised data protection rules and regulations across the EU.
Consistency formed a basic priority for the amended EU data protection legal framework that recently
(in April 2016) came into effect. Ever since the first Commission communication in this regard,
consistency and harmonisation were highlighted as much sought-after aims for the new legislative
framework [2]. While the reasons why Directive 95/46 might have failed in this regard do not fall within
the purposes of this analysis, here it is enough to be noted that consistency is aimed at within the new
EU data protection legal framework also both from a formal and from a functional point of view: the
choice of legal instrument itself, a Regulation to replace a Directive, illustrates this aim-setting from a
formal point of view. In addition, a number of specialised provisions included in the Regulation
purport to achieve consistency among EU Member States through their application: in particular the
consistency mechanism and the one-stop-shop, that will be analysed below, are expressly introduced
to serve this purpose. Other mechanisms aimed at consistency, such as the European Data Protection
Board (the “Board”), will also be referred to in the analysis that follows.
At this point however it is perhaps useful to reflect on what exactly the notion of consistency means in
the field of EU data protection. In this regard the GDPR sets that consistency entails an “equivalent”
level of protection in all EU Member States [3]. It further explains that “consistent and homogenous
application of the rules for the protection of the fundamental rights and freedoms of natural persons
with regard to the processing of personal data should be ensured throughout the Union” [4]. What is
therefore aimed at is “equivalence” in the level of protection, to be warranted by consistent
application of the rules in effect. Within a Regulation environment, this practically means consistent
application of the rules of the Regulation itself by all EU Member States, but other than that Member
States are free to introduce national provisions wherever necessary that, even if not identical with
these of other Member States, will still need to provide to data subjects an equivalent level of
protection. Consistency therefore is to be assessed in practice through the use of two, broad, criteria:
First, consistent application of the EU legal framework throughout the EU, and, second, introduction
of consistent Member State-specific data protection provisions that complement it locally.
Another point to be taken into consideration at this stage refers to the consistency actors. While the
beneficiaries of such consistency are data subjects and data controllers alike, who all share the
expectation of an equivalent level of protection across the EU, consistency actors are first and
foremost Data Protection Authorities (“DPA(s)”) [5]. DPAs hold a central role in EU data protection,
being “responsible for monitoring the application” [6] of data protection provisions within their
respective jurisdictions. From this point of view, the task of warranting consistent application of these
same provisions falls largely within their hands. This assumption has indeed been validated in the text
of the GDPR: all mechanisms introduced to this end are addressed at EU DPAs and are based on their
cooperation and coordination.
[1] See also Simitis S/Dammann U, EG-Datenschutzrichtlinie, Kommentar, Nomos, Baden-Baden 1997.
[2] European Commission, A comprehensive approach on personal data protection in the European Union, COM(2010) 609 final.
[3] Preamble, 10.
[4] Ibid.
A final point to be noted refers to the legal framework that this report will take into consideration. EU
data protection is currently in a transitory phase, in-between changing legal environments.
Directive 95/46 currently in effect, as implemented by each Member State through national
legislation, will be replaced by the General Data Protection Regulation in May 2018. In fact, the EU
data protection framework will be composed of two pieces of legislation, the GDPR replacing
Directive 95/46 and Directive 680/2016 (the “Police and Criminal Justice Data Protection Directive”)
replacing the Framework Decision 977/2008 [7]. Despite the complex current legal environment, this
report will focus only on the GDPR text. This is due not only to the fact that the GDPR actually
constitutes the scope of this workstream, but also due to the fact that the consistency mechanisms
within the new EU data protection environment are described in the most comprehensive manner in
its text: Directive 680/2016 only includes provisions on mutual assistance as well as, evidently, on the
Board [8], while Directive 95/46, that remains in effect until May 2018, will most likely have to adjust to
the new (GDPR) reality, taking advantage of this in-between period.
2.1 The consistency mechanism
By definition, consistency within the future EU data protection model is to be achieved through the
“consistency mechanism”, incorporated into Section 2 (Articles 63, 64, 65 and 66) of Chapter VII of
the GDPR. In the text that follows an article-by-article analysis of the GDPR provisions on the
consistency mechanism is undertaken. In this way we believe that all aspects of this crucial new
system for DPA cooperation will be covered more effectively. Each article analysis is followed by
some issues that may already be identified as difficulties in relation to the GDPR article concerned. [9]
[5] For the purposes of this analysis it is assumed that DPAs will undertake the role of “competent supervisory
authorities” referred to in the GDPR.
[6] Art. 28.1 Directive 95/46.
[7] Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data
processed in the framework of police and judicial cooperation in criminal matters.
[8] Articles 50 and 51 respectively.
[9] The analysis that follows only focuses on the final GDPR provisions, and does not take into consideration the
recommendations of the Council or the Parliament during the EU law-making process. Despite this being
included in the project’s Description of Work, it should be noted that at the time the relevant proposal was
drafted there was no concrete knowledge of the outcome of the GDPR law-making process. Since April 2016
we have a final GDPR text, and it is our belief that it would be more beneficial to the purposes of this project if
all effort was turned to its final provisions, the solutions they provide, and the issues they raise.
2.1.1 Article 63 of the GDPR: Consistency mechanism
According to Article 63 of the GDPR,
In order to contribute to the consistent application of this Regulation throughout the Union, the
supervisory authorities shall cooperate with each other and, where relevant, with the Commission,
through the consistency mechanism as set out in this Section.
Accordingly, Recital 135 sets that
In order to ensure the consistent application of this Regulation throughout the Union, a consistency
mechanism for cooperation between the supervisory authorities should be established. That
mechanism should in particular apply where a supervisory authority intends to adopt a measure
intended to produce legal effects as regards processing operations which substantially affect a
significant number of data subjects in several Member States. It should also apply where any
supervisory authority concerned or the Commission requests that such matter should be handled in the
consistency mechanism. That mechanism should be without prejudice to any measures that the
Commission may take in the exercise of its powers under the Treaties.
In this way a specific, new, dedicated mechanism for consistent application of the Regulation is
introduced in the text of the GDPR. The consistency mechanism is actually nothing more than a
method for cooperation among DPAs. However, in view of the expected increased level of
cooperation under the new EU data protection regime, the GDPR takes special care to
“institutionalise” such a mechanism, evidently aiming at streamlining requests for cooperation that are
bound to proliferate. While the consistency mechanism is first and foremost addressed at DPAs, the
Commission is also awarded a role in it, making it therefore the standard, dominant DPA cooperation
mechanism under the GDPR.
The repeatedly stated aim of the consistency mechanism is to warrant the “consistent application” of the GDPR.
The GDPR therefore takes due note of the possibility that different rules may exist at Member State
level on data protection, in spite of its existence, and aims at addressing this issue at the last stage of
the law-making process: application. This, according to the Preamble, will particularly be the case
when a DPA intends to deal with a cross-border issue or when a DPA by its own initiative refers a
specific matter to it or when the Commission makes a similar request. However the above listing is
indicative: In fact, the broad wording of Article 63 is to be understood as empowering the consistency
mechanism on all data protection application matters within the EU.
Therein however may lie the first concern regarding the consistency mechanism. The fact that it is
addressed at DPAs means that it essentially constitutes an administrative mechanism. Nevertheless,
DPAs are not the only rule-making body on data protection in the EU. National parliaments may
legislate on data protection matters as well. Other administrative bodies, for instance electronic
communications or financial state agencies, may equally produce personal data processing rules in the
course of exercising their lawful powers. Case law may also be an important source of regulations.
None of these cases falls under the categories of a DPA either adopting a cross-border measure or
referring the matter at its own initiative to the consistency mechanism, as prescribed in the GDPR. In
fact, in some of the above law-making examples there may exist very little space for DPA
involvement at all, depending on the Member State relevant legislation. Although the Commission
may of course intervene at all times, this is a last-resort, and most likely not particularly time-efficient,
defence. It therefore remains to be seen whether the consistency mechanism will truly deliver on its
promise: being effectively hampered by its administrative nature, it may not prove the panacea for
consistent data protection across the EU. In other words, it may need other, complementary and most
likely higher-level tools to assist it in its mission.
A second concern with regard to the consistency mechanism refers to the fact that it is introduced in
the text of the GDPR as the standard cooperation tool among DPAs. However, this is a formal tool,
aimed at addressing cross-border or important data protection matters. Given the expected volume of
such matters under the GDPR, it is expected to occupy a lot of DPA resources, and DPAs may be right
in treating it as the only cooperation tool among them. Nevertheless, this would ultimately restrict
cooperation. As seen in previous PHAEDRA deliverables, cooperation among DPAs is both formal
and informal. While informal cooperation is mostly undocumented, it is nevertheless crucial for DPA
cooperation. In other words, not all matters concerning a DPA merit referral to the consistency
mechanism; they would nevertheless perhaps benefit from informal cooperation with other DPAs. By
introducing a formal cooperation mechanism, the GDPR risks abolishing the cooperation paths
already in existence today, even under the less-developed provisions of Directive 95/46 in this regard,
which is something that could ultimately harm DPA effectiveness.
2.1.2 Article 64 of the GDPR: Opinion of the Board
According to Article 64 of the GDPR,
1. The Board shall issue an opinion where a competent supervisory authority intends to adopt any of
the measures below. To that end, the competent supervisory authority shall communicate the draft
decision to the Board, when it: (a) aims to adopt a list of the processing operations subject to the
requirement for a data protection impact assessment pursuant to Article 35(4); (b) concerns a matter
pursuant to Article 40(7) whether a draft code of conduct or an amendment or extension to a code of
conduct complies with this Regulation; (c) aims to approve the criteria for accreditation of a body
pursuant to Article 41(3) or a certification body pursuant to Article 43(3); (d) aims to determine
standard data protection clauses referred to in point (d) of Article 46(2) and in Article 28(8); (e) aims
to authorise contractual clauses referred to in point (a) of Article 46(3); or (f) aims to approve binding
corporate rules within the meaning of Article 47.
2. Any supervisory authority, the Chair of the Board or the Commission may request that any matter
of general application or producing effects in more than one Member State be examined by the Board
with a view to obtaining an opinion, in particular where a competent supervisory authority does not
comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations
in accordance with Article 62.
3. In the cases referred to in paragraphs 1 and 2, the Board shall issue an opinion on the matter
submitted to it provided that it has not already issued an opinion on the same matter. That opinion
shall be adopted within eight weeks by simple majority of the members of the Board. That period may
be extended by a further six weeks, taking into account the complexity of the subject matter.
Regarding the draft decision referred to in paragraph 1 circulated to the members of the Board in
accordance with paragraph 5, a member which has not objected within a reasonable period indicated
by the Chair, shall be deemed to be in agreement with the draft decision.
4. Supervisory authorities and the Commission shall, without undue delay, communicate by electronic
means to the Board, using a standardised format any relevant information, including as the case may
be a summary of the facts, the draft decision, the grounds which make the enactment of such measure
necessary, and the views of other supervisory authorities concerned.
5. The Chair of the Board shall, without undue delay, inform by electronic means: (a) the members of
the Board and the Commission of any relevant information which has been communicated to it using
a standardised format. The secretariat of the Board shall, where necessary, provide translations of
relevant information; and (b) the supervisory authority referred to, as the case may be, in paragraphs 1
and 2, and the Commission of the opinion and make it public.
6. The competent supervisory authority shall not adopt its draft decision referred to in paragraph 1
within the period referred to in paragraph 3.
7. The supervisory authority referred to in paragraph 1 shall take utmost account of the opinion of the
Board and shall, within two weeks after receiving the opinion, communicate to the Chair of the Board
by electronic means whether it will maintain or amend its draft decision and, if any, the amended draft
decision, using a standardised format.
8. Where the supervisory authority concerned informs the Chair of the Board within the period
referred to in paragraph 7 of this Article that it does not intend to follow the opinion of the Board, in
whole or in part, providing the relevant grounds, Article 65(1) shall apply.
Accordingly, Recital 136 states that:
In applying the consistency mechanism, the Board should, within a determined period of time, issue
an opinion, if a majority of its members so decides or if so requested by any supervisory authority
concerned or the Commission. The Board should also be empowered to adopt legally binding
decisions where there are disputes between supervisory authorities. For that purpose, it should issue,
in principle by a two-thirds majority of its members, legally binding decisions in clearly specified
cases where there are conflicting views among supervisory authorities, in particular in the cooperation
mechanism between the lead supervisory authority and supervisory authorities concerned on the
merits of the case, in particular whether there is an infringement of this Regulation.
In addition, Recital 138 states that:
The application of such mechanism should be a condition for the lawfulness of a measure intended to
produce legal effects by a supervisory authority in those cases where its application is mandatory. In
other cases of cross-border relevance, the cooperation mechanism between the lead supervisory
authority and supervisory authorities concerned should be applied and mutual assistance and joint
operations might be carried out between the supervisory authorities concerned on a bilateral or
multilateral basis without triggering the consistency mechanism.
The Board is set in the text of the GDPR as the body in charge of the consistency mechanism. This is an obvious choice, given that the Board is to be composed of the head of each DPA and the EDPS, as well as its award of formal legal status (legal personality).[10] The Board is expected to issue an opinion on matters referred to it under the consistency mechanism, as set in Article 70.1(t). Under certain conditions these may have legally binding effect (see also the analysis on Article 65 that follows). There are three apparent ways for the Board to examine a case under the consistency mechanism: it can be referred to it by a DPA, by the Commission or even at its own initiative (by authority of its Chair).
DPA reference of cases to the Board is expected to be the normal way of operation for the consistency mechanism. This is expected to take place in all cases when a DPA is faced with an important category or type of personal data processing: processing operations requiring a DPIA, a sector-specific code of conduct, certification issues, or personal data exports. There is only one case when a DPA is obliged to submit a case to the mechanism, as per the GDPR preamble, and that is when it intends to apply mandatory measures, evidently on an important data protection matter within its own jurisdiction. Until the Board has reached its final decision on it, the DPA concerned is not allowed to apply the relevant measure. However, the listing in paragraph 1 ought only to be read as indicative: under a combined reading with the GDPR preamble[11] and paragraph 2, where mention is made of cross-border or important data protection matters in general, a DPA should always submit matters to the consistency mechanism when one of the cases listed in paragraph 1 occurs and, in any event, whenever it is faced with a cross-border or an important matter, according to its own judgement. In this context, the reference to cases in paragraph 2 where mutual assistance and joint operations are explicitly mentioned ought also to be read as indicative, or even as cases where the consistency mechanism may operate as a first-instance dispute resolution mechanism in which complaints by one DPA against another may be treated.
Other than DPAs, the Commission and the Board itself are also empowered to submit a case to the consistency mechanism. The circumstances under which such a reference may be made are identical to those for DPAs: an important or a cross-border case. The same applies to non-compliance by a DPA with mutual assistance or joint operations requests, thus making the consistency mechanism not only the formal complaint mechanism for DPA cooperation but also the “disciplinary” path for the Board or the Commission, who may identify such a case and submit it to the mechanism, even despite the unwillingness of the DPA concerned to do so.
With regard to the format of cases referred to the consistency mechanism, when done so by DPAs or the Commission, the GDPR requires that they communicate electronically all relevant information, including a summary, the draft decision, its justification, as well as the views of other DPAs. The listing is indicative, so apparently the Board, while examining the case, may request further documentation to be submitted to it. Because no details are provided on the documentation required for submissions by the Chair of the Board to the consistency mechanism, the above requirements would need to extend and apply to these cases as well. It should be noted that DPAs are expected to transmit to the Board fully formed draft decisions, and not merely questions. The consistency mechanism is thus envisaged as a resolution and not a consulting mechanism.
Case referrals to the consistency mechanism will be addressed to the Chair of the Board. It is the Chair’s duty, once he or she has received a petition, to inform electronically the members of the Board and the Commission of such an event and to forward them all relevant documentation. If any translations are required, these will be undertaken by its secretariat (which will be provided by the EDPS).

[10] See Article 68 of the GDPR.
[11] Par. 135.
Decision-making by the Board under the consistency mechanism depends on the type of case brought to its attention. In the event of an important data protection matter referred to it, the Board is expected first to examine whether it has already issued an opinion on the same matter and, if not, it will have up to fourteen weeks altogether to reach a decision. A decision may be reached by a simple majority of its members. If a DPA submits to it a draft decision it intends to take, acceptance by the Board is to be established tacitly: unless its members expressly object within a reasonable deadline set by the Chair, acceptance shall be deemed reached. Finally, when disputes arise between DPAs, a two-thirds majority will be needed (such cases falling under the consistency mechanism only partially, when “infringements of the GDPR” are concerned, for example through non-compliance with mutual assistance or joint operations obligations).[12] In this case, Article 65, whose analysis follows, provides further clarifications.
Decisions of the Board are binding only in cases of DPA disputes. In other cases an opinion under Article 70.1(t) is formed. The Chair of the Board is empowered to transmit the decision to the parties (DPAs) concerned. These parties then have two weeks to reply to the Chair as to whether they will adhere to the Board decision or not. Effectively, the DPA concerned may decide not to follow the Board’s decision; the GDPR only requires it to pay the “utmost” attention to it. In the event of a DPA refusing to follow the consistency mechanism decision, Article 64 on dispute resolution by the Board applies.
Taking into account the above description of the operation of the consistency mechanism, certain concerns may be raised. First, that the consistency mechanism is introduced in the text of the GDPR as a court-like mechanism: fully documented cases are brought to its attention, a suspension period until it reaches its decision is provided for, decision-making majorities are introduced and appeal-like means are also to be found in the GDPR. Case law effect is granted to its decisions (in the sense that once it has decided on a particular matter it cannot go back to it). In this context, if the mechanism is indeed to be operated as a court system, then it is likely that more details will be needed for it to function in an adequate manner. To this end, provisions on document submission, participation of the parties affected (non-DPAs), appeal processes, and the format and publicity of decisions could strengthen its role further.
A second concern may be derived from the mechanism description above: because the consistency mechanism is ultimately a resolution and not a consulting mechanism, the latter is missing from the GDPR. However, the contribution a consulting mechanism could make to the work of DPAs is substantial. Important data protection matters first require deliberation among the DPAs concerned before reaching a decision, and it is possible that even the fourteen-week time period granted at most within the consistency mechanism may not suffice to this end.
Finally, the GDPR also expects the consistency mechanism to operate as a dispute resolution mechanism among DPAs. Although a two-thirds majority is required, which would under normal circumstances warrant consensus, the fact remains that this role could develop into a function creep difficulty for the consistency mechanism. The mechanism is devised in order to ensure uniform application of the GDPR provisions in the EU. Although this is indeed a decision-making function, it is not a dispute resolution one. If the same mechanism is to address disputes among DPAs, who would otherwise be expected to reach amicable solutions on important data protection matters, it would risk damaging its public (DPA) perception and blurring its role boundaries.

[12] Other cases referred to in the preamble, par. 136, falling under the one-stop-shop mechanism.
2.1.3 Article 65 of the GDPR: Dispute resolution by the Board
According to Article 65 of the GDPR,
1. In order to ensure the correct and consistent application of this Regulation in individual cases, the
Board shall adopt a binding decision in the following cases:
(a) where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a
relevant and reasoned objection to a draft decision of the lead authority or the lead authority has
rejected such an objection as being not relevant or reasoned. The binding decision shall concern all
the matters which are the subject of the relevant and reasoned objection, in particular whether there is
an infringement of this Regulation;
(b) where there are conflicting views on which of the supervisory authorities concerned is competent
for the main establishment;
(c) where a competent supervisory authority does not request the opinion of the Board in the cases
referred to in Article 64(1), or does not follow the opinion of the Board issued under Article 64. In
that case, any supervisory authority concerned or the Commission may communicate the matter to the
Board.
2. The decision referred to in paragraph 1 shall be adopted within one month from the referral of the
subject-matter by a two-thirds majority of the members of the Board. That period may be extended by
a further month on account of the complexity of the subject-matter. The decision referred to in
paragraph 1 shall be reasoned and addressed to the lead supervisory authority and all the supervisory
authorities concerned and binding on them.
3. Where the Board has been unable to adopt a decision within the periods referred to in paragraph 2,
it shall adopt its decision within two weeks following the expiration of the second month referred to in
paragraph 2 by a simple majority of the members of the Board. Where the members of the Board are
split, the decision shall be adopted by the vote of its Chair.
4. The supervisory authorities concerned shall not adopt a decision on the subject matter submitted to
the Board under paragraph 1 during the periods referred to in paragraphs 2 and 3.
5. The Chair of the Board shall notify, without undue delay, the decision referred to in paragraph 1 to
the supervisory authorities concerned. It shall inform the Commission thereof. The decision shall be
published on the website of the Board without delay after the supervisory authority has notified the
final decision referred to in paragraph 6.
6. The lead supervisory authority or, as the case may be, the supervisory authority with which the
complaint has been lodged shall adopt its final decision on the basis of the decision referred to in
paragraph 1 of this Article, without undue delay and at the latest by one month after the Board has
notified its decision. The lead supervisory authority or, as the case may be, the supervisory authority
with which the complaint has been lodged, shall inform the Board of the date when its final decision
is notified respectively to the controller or the processor and to the data subject. The final decision of
the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9).
The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify
that the decision referred to in that paragraph will be published on the website of the Board in
accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in
paragraph 1 of this Article.
A consistency mechanism would be ineffective without a dispute resolution mechanism. If the Board, in the context of its work within the consistency mechanism, were restricted to only producing opinions on important data protection matters or interpretations of the GDPR’s provisions, its scope of work would be incomplete. Disputes may arise at any stage in the data protection application process. In view of the GDPR’s direct effect, DPAs need a forum within reach, to which they can address concerns and complaints. In this case, the Board’s decisions need to be binding, so as to resolve disputes in a decisive and effective manner. However, whether the same (consistency) mechanism needed to be used for dispute resolution purposes, or whether another one would preferably have been established in order to avoid the possibility of function creep, is an issue addressed in the preceding analysis (on Article 64).
The one-stop-shop mechanism is an anticipated source of such disputes. This is perhaps understandable, given the difficult distinctions that need to be made within its context. The fact that these need to be made in a consensus environment does not necessarily mean that disagreement may not occur. In view of the importance of cases treated within it, it is imperative that some sort of administrative dispute resolution procedure be introduced in the GDPR, so as to avoid first-instance court intervention. This role has been undertaken by the consistency mechanism, which, in this case, also produces binding decisions for the parties concerned. Once again its role as a resolution, and not a consulting, mechanism is highlighted in this sense.
Article 65 perhaps makes a philosophical opening: the “correct” application of the Regulation is to be
warranted through the consistency mechanism. While it is understandable that the Board, under the
provisions of this Article, is the body authorised to interpret the GDPR, one ought not forget that this
is done at a first-instance, administrative level. In fact, the only bodies authorised to make the
“correct” interpretation of the GDPR are the courts, to which, after all, also decisions of the Board
may be brought in the event the parties concerned are not content with the provided solutions.
While the one-stop-shop mechanism is an obvious source of friction, a fact after all explicitly acknowledged in paragraph 1 of this Article, it is by no means the only way for the Board to become effective as a dispute resolution mechanism. This will also be the case when a DPA does not address an important data protection matter (according to the listing of Article 64 above) to the Board, or when a DPA does not conform to a Board opinion already issued. In this sense, it could be argued that the consistency mechanism’s decisions acquire a de facto binding effect, because those DPAs that are unwilling to conform to the Board’s opinion under Article 64 may be referred back to it, this time in order for a binding decision to be issued.
The Board as a dispute resolution mechanism is only open to DPAs. In other words, only DPAs, or the Commission, may be the disputing parties in front of the Board. Other parties affected by the Board’s decision (data subjects, controllers) may not appear in front of it, nor is there any way introduced for their views to be heard (for instance, through written submissions).
A dispute resolution mechanism unavoidably undertakes functions similar to a court, and the GDPR
provides guidance in this regard. In particular, the Board has preset time periods in which to reach its
decisions; this adds to the legal certainty of the process. It is also the basis for the urgency procedure,
described in Article 66, whose analysis follows. In addition, submission of a case to the Board means
that the parties (DPAs) concerned are not allowed to apply the decision in question or take any
measures that would prejudice the effectiveness of the Board’s decision. Finally, the GDPR awards
the role of informing and communicating to disputing parties to the Chair of the Board.
Paragraph 6 provides the necessary provisions to warrant the binding effect of a Board’s decision
under this Article in practice. In essence, a DPA is expressly obliged to apply the Board’s decision,
and indeed within strict deadlines. This fact, application of a Board’s dispute resolution decision,
needs to be explicitly mentioned in the DPA decision itself. The same DPA also needs to inform the
Board in this regard. In addition, the Board’s decisions are to be published online. In this way a
comprehensive mechanism is set up in order to force DPAs to conform to the Board’s decision. The
GDPR’s description in this regard is comprehensive and the DPA concerned is left with no means to
circumvent it – or, in the same sense, to appeal.
Concerns with regard to this Article 65 again refer to the role of the Board as a dispute resolution mechanism. While an obvious policy option within the GDPR context, the fact that the same body resolves disputes and at the same time consults, or constitutes a place for cooperation, for the same actors (DPAs) may lead to cases of function creep. Particularly with regard to Article 65, because a dispute resolution mechanism unavoidably presents court-like characteristics, it is perhaps advisable to provide additional safeguards in this regard. For example, the fact that apparently only DPAs may appear in front of it may infringe the rights of data subjects or controllers whose cases are being examined by the Board. This same Article could also provide further guidance as to whether sessions of the Board in its dispute resolution function are public or not, whether minutes are kept and published, etc.
In the same context, the rights to appeal need to be addressed. While it may perhaps be claimed that DPAs may appeal any Board decisions that are binding upon them to the Court, the way to court redress may not be equally obvious to the parties actually affected, meaning data subjects and controllers. These may ultimately need to appeal the DPA’s decision issued on the basis of the Board decision, as set in paragraph 6, but this is neither clear in the GDPR text nor straightforward for the parties concerned, especially if they reside in different parts of the EU (effectively, not in the lead DPA’s territory).
2.1.4 Article 66 of the GDPR: Urgency procedure
According to Article 66 of the GDPR,
1. In exceptional circumstances, where a supervisory authority concerned considers that there is an
urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of
derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or the procedure
referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on
its own territory with a specified period of validity which shall not exceed three months. The
supervisory authority shall, without delay, communicate those measures and the reasons for adopting
them to the other supervisory authorities concerned, to the Board and to the Commission.
2. Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final
measures need urgently be adopted, it may request an urgent opinion or an urgent binding decision
from the Board, giving reasons for requesting such opinion or decision.
3. Any supervisory authority may request an urgent opinion or an urgent binding decision, as the case
may be, from the Board where a competent supervisory authority has not taken an appropriate
measure in a situation where there is an urgent need to act, in order to protect the rights and freedoms
of data subjects, giving reasons for requesting such opinion or decision, including for the urgent need
to act.
4. By derogation from Article 64(3) and Article 65(2), an urgent opinion or an urgent binding decision
referred to in paragraphs 2 and 3 of this Article shall be adopted within two weeks by simple majority
of the members of the Board.
Accordingly, Recital 137 states that:
There may be an urgent need to act in order to protect the rights and freedoms of data subjects, in
particular when the danger exists that the enforcement of a right of a data subject could be
considerably impeded. A supervisory authority should therefore be able to adopt duly justified
provisional measures on its territory with a specified period of validity which should not exceed three
months.
In line with the court-like character of the consistency mechanism, an urgency procedure is provided for in this Article 66. This is an indispensable component of any decision-making mechanism: because urgent cases may occur that require a quick decision in order to address a pressing problem, derogations need to be introduced so as to make this possible. This is the need that Article 66 aims to address. It can be invoked by a DPA whenever there is an “urgent need to act in order to protect the rights and freedoms of data subjects”. When this occurs is a judgement reserved to the DPA in question. The GDPR does not preclude any emergency. However, the preamble does provide some guidance in explicitly stressing the case when “the enforcement of a right of a data subject could be considerably impeded”. It appears consequently that whenever data subjects’ rights are endangered a justifiable emergency for the purposes of this Article 66 occurs. On the other hand, this does not exclude controllers’ emergencies as well: provided that it is justified, an emergency may well refer to their own rights and freedoms.
In any event, regardless of whether data subjects’ or data controllers’ rights are at immediate risk, the GDPR requires that the DPA justify its decision to invoke this Article 66. This needs to be done in written form and to be communicated, together with the relevant measures undertaken by the DPA, to all the parties concerned: other DPAs that are affected by them, the Board and the Commission. The GDPR, nevertheless, does not provide for a possibility to question this decision.
The lack of an appeal procedure for parties affected by it is particularly relevant when the DPA unilaterally undertakes concrete measures so as to address the emergency by derogation from the consistency mechanism (or, as appropriate, the one-stop-shop mechanism). Indeed, the GDPR allows a DPA facing an emergency two possibilities: it can either undertake concrete measures to address it, justifying them to the other parties concerned, or it can request an urgent opinion or binding decision respectively from the Board (see the analysis on Articles 64 and 65 above). In the event that the DPA adopts measures, these are expressly provisional and can have a duration of no longer than three months. This period may be more than enough to cover the emergency, given that the Board is obliged to adopt an urgent opinion or decision within two weeks of submission of the request. No room for extension or, for the same purposes, for a request for further information is permitted in the GDPR. The only shortcut provided to the Board in this case is the fact that a simple majority of its members (rather than a two-thirds majority, as is required in binding decisions) is enough.
The other possibility for the urgency procedure within the consistency mechanism to be raised by a DPA refers to the case when another DPA has failed to act. However, in this case the GDPR requirements are stricter. In essence, only when a fellow DPA has failed to act and thus endangers the rights and freedoms of data subjects is another DPA allowed to ask for an opinion or a binding decision, as the case may be, from the Board. Data controllers’ rights do not seem to be valued in the same manner for the purposes of paragraph 3 of this Article 66. The GDPR does not require that the applying DPA also formulate the actual measure to be undertaken by the neglecting DPA. Although this may be the case in the context of its application to the Board, it is not a formal requirement for the relevant submission to the Board. The applying DPA need only state the emergency and then ask for an opinion or a binding decision accordingly. Evidently, it is not possible for the applying DPA to impose measures within the foreign jurisdiction of the neglecting DPA; it is less evident, however, why the GDPR has not provided this option to the Board, if indeed it assesses the situation as urgent, prior to it reaching its opinion or decision accordingly.
Because this Article 66 does not state anything to the contrary, the general provisions on the character
of a Board’s decision under the consistency mechanism apparently apply. In practice, this means that
a binding decision develops a binding character as per the provisions of Article 65, while an opinion
develops the character afforded to it in Article 64. Particularly with regard to the latter, a dissenting
DPA will have to follow the procedure described in paragraph 8 of Article 64. However, in view of
the curtailed periods referred to in this Article 66, apparently the Board and the DPA concerned will
have to act accordingly.
Concerns regarding Article 66 stem from the description of the process above. The first refers to the lack of the possibility to appeal. A DPA may undertake emergency measures for cross-border cases (indeed, applicable only within its own jurisdiction) for as long as three months without other DPAs, the Commission or the Board being able to object. Presumably the parties directly affected by these measures could object, following national rules against binding DPA decisions, but this means that they are left alone (with no way for other DPAs, the Commission or the Board to intervene) in this process. Given the gravity of the cases falling under the urgency procedure category, the consequences of this unilateral handling for a three-month period may be grave.
The fact that a DPA is effectively “left alone” for a substantial period of time while invoking emergency measures under the urgency procedure of this Article 66 is further established in its paragraph 3, where another DPA may apply to the Board against inaction of the DPA concerned. Although in this case the time for reaction is significantly shorter (the Board needs to reach an opinion or a binding decision within two weeks), one ought also to take into consideration that until a “foreign” DPA becomes aware of the emergency in another jurisdiction, and until a reasonable period of time has passed during which the local DPA is expected, in vain, to take measures to deal with it, a significant amount of time will have passed. This adds up to a reaction time not in keeping with an emergency. During all that time the rights and freedoms of individuals are supposedly being infringed. It is for these purposes that a better structure of the urgency mechanism needed to be incorporated in the text of the GDPR.
2.1.5 Other consistency mechanisms
The GDPR is unique, in the sense that it regulates through a Regulation a daily, routine practice that affects everyday life across the EU in a number of ways.[13] Other fields may also benefit from the use of Regulations, rather than Directives, with regard to their regulatory framework; however, they usually refer to well-specified, concentrated fields of law or activities (for example consumer law, competition law, financial law) rather than an activity as wide as personal data processing, which today could cover anything within the employment, recreation, security or even, under certain circumstances, household areas. From this point of view, a consistency mechanism intended to support such a wide-ranging, open-ended field of law could not possibly be compared to consistency mechanisms operating under specialised, closed fields of law.
However, as identified in deliverable 2.1 of this project,[14] useful lessons may be learned from other fields of law that, although of a more restricted scope, profit from years of implementation in practice. In this context, in EU consumer protection law, co-ordinated enforcement activities (so-called “sweeps”) have been organised since 2007 among Member States, based on Article 7 of the CPC Regulation.[15] In each “sweep” action, national authorities check hundreds of sites relating to a particular sector or product in order to check whether the necessary consumer rights are being adhered to. The sectors proposed for the “sweep” are selected by Member States with the Commission based on a list of proposed themes that combines evidence on current consumer issues available to national authorities and the Commission. Such “sweeps” are apparently the preferred way in the field to cover cross-border cases. Therefore, their usefulness is strongly supported by all participating parties. This can be used as evidence that, within a field regulated by a Regulation, there is indeed a strong need for cross-border cooperation and coordination among Member States.
On the other hand, in the private international law field,[16] the need for cross-border cooperation among national authorities is covered by mutual trust. In the absence of a formal cooperation mechanism, EU private international law (PIL) is based on “the presumption of the equal value, competence and standing of the legal and judicial systems of the individual Member States and of the judgments of their courts”. This may serve as further evidence of the importance of the installation of a consistency mechanism in a field as far-reaching as data protection, as well as of the need for it to succeed.
2.1.6 Conclusions
The consistency mechanism is a necessary and essential component of the GDPR. Given its direct
effect, the need for a system to warrant uniform application across all Member States is obvious. Only
in this way will legal certainty with regard to data protection regulations in the EU be provided to data
subjects and controllers alike. The GDPR approach to such a system is reasonable: an administrative
mechanism is installed, headed by the Board – essentially the DPAs themselves as represented in it.
Provisions on procedure, duration of the process and effect of the relevant decisions are indeed to be
found in its text. The event of an emergency is also expressly taken care of. From this point of view,
the consistency mechanism in the GDPR seems a robust system to address application difficulties
across the EU.
13 See De Hert P/Papakonstantinou V, The new General Data Protection Regulation: Still a sound system for the
protection of individuals? Computer Law & Security Review, 2016.
14 Phaedra II, Cooperation among data privacy supervisory authorities by analogy: lessons from parallel
European mechanisms, April 2016.
15 Ibid, pp.59ff.
16 Ibid, pp.41ff.
Foreseeable difficulties only refer to the double role of the Board and the depth of process coverage
that the above provisions provide. With regard to the former, the GDPR awards to the Board the
double role of an adjudicator and a consulting mechanism. This could lead to cases of function creep,
when the same body may be called to decide upon cases it has consulted. This double role was not
present in the Article 29 Working Party, the equivalent mechanism established under Directive 95/46,
because it only had a consulting role. A decision-making role is qualitatively different; the Board may
have to struggle so as to accommodate its new powers under the GDPR.
In the same context, if the GDPR aimed at establishing an adjudication mechanism through the
consistency mechanism, it may need to go into more detail on its operation. Although the description
provided in the above provisions covers the basics of such a system, there are issues that are left
unregulated, such as attendance to hearings, the right to intervene by the parties affected (data subjects
and controllers, not only DPAs), appeals, etc. Naturally, by-laws for the Board may complement the
GDPR provisions and provide for further guidance. It therefore remains to be seen how the Board will
apply its newly acquired decision-making powers in relation to the consistency mechanism in
practice.
2.2 The “one-stop-shop” mechanism in the GDPR: Article 60, on the Cooperation between
the lead supervisory authority and the other supervisory authorities concerned
The one-stop-shop mechanism in the GDPR, a name not formally adopted in its text but only to be
found in its Preamble (introduced in Recital 127 and re-appearing only in Recital 128), is set out in
Article 60:
1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in
accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and
the supervisory authorities concerned shall exchange all relevant information with each other.
2. The lead supervisory authority may request at any time other supervisory authorities concerned to
provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article
62, in particular for carrying out investigations or for monitoring the implementation of a measure
concerning a controller or processor established in another Member State.
3. The lead supervisory authority shall, without delay, communicate the relevant information on the
matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to
the other supervisory authorities concerned for their opinion and take due account of their views.
4. Where any of the other supervisory authorities concerned within a period of four weeks after
having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and
reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the
relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned,
submit the matter to the consistency mechanism referred to in Article 63.
5. Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it
shall submit to the other supervisory authorities concerned a revised draft decision for their opinion.
That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period
of two weeks.
6. Where none of the other supervisory authorities concerned has objected to the draft decision
submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the
lead supervisory authority and the supervisory authorities concerned shall be deemed to be in
agreement with that draft decision and shall be bound by it.
7. The lead supervisory authority shall adopt and notify the decision to the main establishment or
single establishment of the controller or processor, as the case may be and inform the other
supervisory authorities concerned and the Board of the decision in question, including a summary of
the relevant facts and grounds. The supervisory authority with which a complaint has been lodged
shall inform the complainant on the decision.
8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory
authority with which the complaint was lodged shall adopt the decision and notify it to the
complainant and shall inform the controller thereof.
9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or
reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be
adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision
for the part concerning actions in relation to the controller, shall notify it to the main establishment or
single establishment of the controller or processor on the territory of its Member State and shall
inform the complainant thereof, while the supervisory authority of the complainant shall adopt the
decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that
complainant and shall inform the controller or processor thereof.
10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and
9, the controller or processor shall take the necessary measures to ensure compliance with the decision
as regards processing activities in the context of all its establishments in the Union. The controller or
processor shall notify the measures taken for complying with the decision to the lead supervisory
authority, which shall inform the other supervisory authorities concerned.
11. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider
that there is an urgent need to act in order to protect the interests of data subjects, the urgency
procedure referred to in Article 66 shall apply.
12. The lead supervisory authority and the other supervisory authorities concerned shall supply the
information required under this Article to each other by electronic means, using a standardised format.
In addition, Recitals 125, 126, 128, 130 and 131 also apply:
(125) The lead authority should be competent to adopt binding decisions regarding measures applying
the powers conferred on it in accordance with this Regulation. In its capacity as lead authority, the
supervisory authority should closely involve and coordinate the supervisory authorities concerned in
the decision-making process. Where the decision is to reject the complaint by the data subject in
whole or in part, that decision should be adopted by the supervisory authority with which the
complaint has been lodged.
(126) The decision should be agreed jointly by the lead supervisory authority and the supervisory
authorities concerned and should be directed towards the main or single establishment of the
controller or processor and be binding on the controller and processor. The controller or processor
should take the necessary measures to ensure compliance with this Regulation and the implementation
of the decision notified by the lead supervisory authority to the main establishment of the controller or
processor as regards the processing activities in the Union.
(128) The rules on the lead supervisory authority and the one-stop-shop mechanism should not apply
where the processing is carried out by public authorities or private bodies in the public interest. In
such cases the only supervisory authority competent to exercise the powers conferred to it in
accordance with this Regulation should be the supervisory authority of the Member State where the
public authority or private body is established.
(130) Where the supervisory authority with which the complaint has been lodged is not the lead
supervisory authority, the lead supervisory authority should closely cooperate with the supervisory
authority with which the complaint has been lodged in accordance with the provisions on cooperation
and consistency laid down in this Regulation. In such cases, the lead supervisory authority should,
when taking measures intended to produce legal effects, including the imposition of administrative
fines, take utmost account of the view of the supervisory authority with which the complaint has been
lodged and which should remain competent to carry out any investigation on the territory of its own
Member State in liaison with the competent supervisory authority.
The one-stop-shop mechanism constitutes one of the most significant novelties, and at the same time
an important milestone, in the text of the GDPR. The introduction of a single mechanism to treat
cross-border data protection incidents is an indispensable component not only in view of the direct
application of the GDPR but also with regard to any modern legislative approach to current personal
data processing circumstances. At the same time, its success, because of its high profile, is a milestone
for the success of the GDPR itself. Depending on the efficiency of treatment of these, usually highly
visible, cases that will fall within its scope, the whole of the GDPR may or may not acquire the trust
of its addressees, meaning both data subjects and controllers.
2.2.1 Rationale
The rationale of the one-stop-shop mechanism is evident: within a global personal data processing
environment that effortlessly transcends Member State borders, locally based data protection
legislation, restricted through the application of a legal, jurisdictional approach, would be hopelessly left
behind by technological developments. In essence, it would ultimately be unable to assist individuals
effectively. One of the most highlighted shortcomings of Directive 95/46 was exactly that, its inability
to efficiently handle cross-border data protection incidents.17 Therefore, a new mechanism had to be
devised in order to treat such cases. The one-stop-shop mechanism came as the reply to these
requirements.
17 See European Commission, A comprehensive approach, ibid.
2.2.2 Basic components: the notions of a “lead DPA”, the actors in the one-stop-shop
mechanism, and the “main establishment” of the controller
The one-stop-shop mechanism essentially constitutes an administrative mechanism for the treatment
of cross-border data protection incidents. Its premise lies in the designation of a single DPA as the
“lead DPA”, meaning the DPA in charge of addressing the relevant incidents. The crucial question,
which DPA is to be designated as the “lead DPA” in cross-border cases, is answered in Article 56 of the
GDPR:
1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single
establishment of the controller or processor shall be competent to act as lead supervisory authority for
the cross-border processing carried out by that controller or processor in accordance with the
procedure provided in Article 60.
2. By derogation from paragraph 1, each supervisory authority shall be competent to handle a
complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates
only to an establishment in its Member State or substantially affects data subjects only in its Member
State.
3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead
supervisory authority without delay on that matter. Within a period of three weeks after being
informed the lead supervisory authority shall decide whether or not it will handle the case in
accordance with the procedure provided in Article 60, taking into account whether or not there is an
establishment of the controller or processor in the Member State of which the supervisory authority
informed it.
4. Where the lead supervisory authority decides to handle the case, the procedure provided in Article
60 shall apply. The supervisory authority which informed the lead supervisory authority may submit
to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take
utmost account of that draft when preparing the draft decision referred to in Article 60(3).
5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which
informed the lead supervisory authority shall handle it according to Articles 61 and 62.
6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the
cross-border processing carried out by that controller or processor.
Consequently, as per paragraph 1, the basic rule underlying the one-stop-shop mechanism is that the
“lead DPA” is the DPA of the Member State where the main establishment of the controller concerned is found. In
this context it is important to elaborate upon the law-making approach adopted in the GDPR: Article
56 is not found within the Section of the GDPR where the one-stop-shop mechanism is discussed.
Rather, it is placed within the provisions on the “competence, tasks, and powers” of DPAs.
Accordingly, a “lead DPA” is designated not only in the case of controllers or processors with some
presence in more than one Member State but also in the case of a single establishment where,
however, the processing undertaken by that actor spreads across national borders.
Further guidance is provided in Recitals 124, 127 and 131 of the GDPR:
(124) Where the processing of personal data takes place in the context of the activities of an
establishment of a controller or a processor in the Union and the controller or processor is established
in more than one Member State, or where processing taking place in the context of the activities of a
single establishment of a controller or processor in the Union substantially affects or is likely to
substantially affect data subjects in more than one Member State, the supervisory authority for the
main establishment of the controller or processor or for the single establishment of the controller or
processor should act as lead authority. It should cooperate with the other authorities concerned,
because the controller or processor has an establishment on the territory of their Member State,
because data subjects residing on their territory are substantially affected, or because a complaint has
been lodged with them. Also where a data subject not residing in that Member State has lodged a
complaint, the supervisory authority with which such complaint has been lodged should also be a
supervisory authority concerned. Within its tasks to issue guidelines on any question covering the
application of this Regulation, the Board should be able to issue guidelines in particular on the criteria
to be taken into account in order to ascertain whether the processing in question substantially affects
data subjects in more than one Member State and on what constitutes a relevant and reasoned
objection.
(127) Each supervisory authority not acting as the lead supervisory authority should be competent to
handle local cases where the controller or processor is established in more than one Member State, but
the subject matter of the specific processing concerns only processing carried out in a single Member
State and involves only data subjects in that single Member State, for example, where the subject
matter concerns the processing of employees' personal data in the specific employment context of a
Member State. In such cases, the supervisory authority should inform the lead supervisory authority
without delay about the matter. After being informed, the lead supervisory authority should decide,
whether it will handle the case pursuant to the provision on cooperation between the lead supervisory
authority and other supervisory authorities concerned (‘one-stop-shop mechanism’), or whether the
supervisory authority which informed it should handle the case at local level. When deciding whether
it will handle the case, the lead supervisory authority should take into account whether there is an
establishment of the controller or processor in the Member State of the supervisory authority which
informed it in order to ensure effective enforcement of a decision vis-à-vis the controller or processor.
Where the lead supervisory authority decides to handle the case, the supervisory authority which
informed it should have the possibility to submit a draft for a decision, of which the lead supervisory
authority should take utmost account when preparing its draft decision in that one-stop-shop
mechanism.
(131) Where another supervisory authority should act as a lead supervisory authority for the
processing activities of the controller or processor but the concrete subject matter of a complaint or
the possible infringement concerns only processing activities of the controller or processor in the
Member State where the complaint has been lodged or the possible infringement detected and the
matter does not substantially affect or is not likely to substantially affect data subjects in other
Member States, the supervisory authority receiving a complaint or detecting or being informed
otherwise of situations that entail possible infringements of this Regulation should seek an amicable
settlement with the controller and, if this proves unsuccessful, exercise its full range of powers. This
should include: specific processing carried out in the territory of the Member State of the supervisory
authority or with regard to data subjects on the territory of that Member State; processing that is
carried out in the context of an offer of goods or services specifically aimed at data subjects in the
territory of the Member State of the supervisory authority; or processing that has to be assessed taking
into account relevant legal obligations under Member State law.
In addition, with regard to controller and processor relationships the GDPR clarifies, in its Recital 36,
that
[...] In cases involving both the controller and the processor, the competent lead supervisory authority
should remain the supervisory authority of the Member State where the controller has its main
establishment, but the supervisory authority of the processor should be considered to be a supervisory
authority concerned and that supervisory authority should participate in the cooperation procedure
provided for by this Regulation. In any case, the supervisory authorities of the Member State or
Member States where the processor has one or more establishments should not be considered to be
supervisory authorities concerned where the draft decision concerns only the controller. Where the
processing is carried out by a group of undertakings, the main establishment of the controlling
undertaking should be considered to be the main establishment of the group of undertakings, except
where the purposes and means of processing are determined by another undertaking.
The decision as to which DPA is the lead DPA is not expected to be an easy matter. In principle,
the following process is prescribed in the GDPR: all DPAs having various degrees of relevance to
a particular data protection case form the group of “concerned DPAs”. All of them need to cooperate
among themselves. While a formal process for accomplishing this is not provided for in the GDPR, it
could be envisaged that multiple exchanges will take place so as to establish (a) the exact number of
the DPAs concerned, and (b) which one is the lead DPA among them. A special role is awarded by the
GDPR to the “initiating DPA”.
Given the above, in order to achieve uniform naming for the actors involved in the one-stop-
shop mechanism (an omission in the text of the GDPR that could have achieved linguistic
efficiency in its text), the following roles and names could be allocated to the DPAs participating in it at
any given moment:
(a) the “Initiating DPA”, meaning the one opening the investigation or receiving the
complaint (the “supervisory authority which informed the lead supervisory authority”
in the text of the GDPR),
(b) the “DPAs Concerned”, meaning the group of DPAs affected to various degrees by a
cross-border data protection case, and
(c) the “Lead DPA”, as per the GDPR text (Article 56).
The Initiating DPA either receives a complaint or initiates an investigation in the normal course of
exercising its duties. The criteria indicating that the one-stop-shop mechanism needs to be invoked for
a particular data protection case are provided for (indicatively) in Recital 124: (a) the controller or
processor has an establishment on the territory of their Member State, (b) data subjects residing on
their territory are substantially affected, or (c) a cross-border complaint has been lodged with them.
Immediately when such instances are established by that DPA, it needs to initiate the one-stop-shop
mechanism, thus automatically becoming the Initiating DPA. However, a wide discretionary power is
apparently left to the Initiating DPA: an exhaustive analysis of each case to establish whether cross-
border elements are found in it is taken for granted; efficient means of communication with other
DPAs as well. In addition, effective means need to be introduced so as to accurately formulate the
group of DPAs Concerned – in other words, in order not to omit any one of them.
Once the group of the DPAs Concerned is formed, and in order to decide which DPA is the Lead
DPA among them, the basic factor remains the main establishment of the controller. The Initiating
DPA holds a significant role at this stage: namely, it can designate a Lead DPA, other than itself, on
its own, and inform such other DPA of its decision.
However, paragraph 2 of Article 56 grants the Initiating DPA the chance to overcome such a
designation and act as the sole competent DPA in those cases that “substantially affect data subjects
only in its Member State”, even if another DPA is evidently the Lead DPA for the controller or
processor concerned. This is an important derogation within the one-stop-shop mechanism that,
if exercised extensively by Member State DPAs, could undermine its effectiveness – and,
ultimately, the success of the whole GDPR. An assessment therefore needs to be performed by each
DPA, in the event of a complaint or the identification of a possible Regulation infringement, as to whether
the main establishment of the controller is in another Member State and, if so, whether the data
subjects mostly affected by it reside in its own Member State. This could be done prior to a
DPA becoming the Initiating DPA, meaning prior to initiating the one-stop-shop mechanism. If the
assessment proves positive, then the one-stop-shop mechanism apparently need not be invoked
at all – a shortcoming within the GDPR, because the Lead DPA ought to be informed of all
matters affecting a controller or processor essentially found within its jurisdiction. In the same
context, whether these cases, the ones that present cross-border relevance but may be withheld for
treatment by the DPA of a non-main establishment of the controller, are to be communicated to other DPAs
as well, so as to provide them with the chance to dispute this decision, is equally left unregulated in
the GDPR. At any event, Recital 131 provides further, detailed guidance in these cases: in short, the
DPA invoking Article 56.2 “should seek an amicable settlement with the controller” and only if
this proves unsuccessful, “exercise its full range of powers”. However, these powers are necessarily of
a local character, as confirmed in the same Recital. It is therefore possible that the same controller
is penalised for its practices locally, in one Member State, while being left alone in the place of
its main establishment. The GDPR does not address this possibility – it is evidently left to the
good practice of the DPAs not to overuse this opportunity, which could ultimately undermine the
whole notion of harmonisation brought by the GDPR.
Article 56 provides further “technical” guidance with regard to the process of cooperation among the
group of DPAs Concerned while establishing which one among the DPAs concerned is the Lead
DPA. To this end, paragraph 3 sets a deadline of three weeks for any DPA designated by the Initiating
DPA as the Lead DPA on a particular case to accept this designation or not. Here a second level of
examination is introduced, this time by the DPA that is (provisionally) designated as the Lead DPA by
the Initiating DPA. The criteria to apply while making this decision are not detailed in the GDPR, and
presumably include cross-checking whether the reasoning of the decision of the Initiating DPA to
designate it as the Lead DPA is correct. Only Recital 127 provides some further guidance: “When
deciding whether it will handle the case, the lead supervisory authority should take into account
whether there is an establishment of the controller or processor in the Member State of the
supervisory authority which informed it in order to ensure effective enforcement of a decision vis-à-
vis the controller or processor”.
Of some relevance with regard to the criteria applicable for designation of the Lead DPA could be the
approach already adopted and employed by EU DPAs in the context of BCRs, as analysed below
(under 3.1).
In the same context, paragraph 4 explicitly sets out that Article 60 (the one-stop-shop mechanism) will
apply whenever a DPA accepts its role as the Lead DPA on a particular case. In doing so, it needs
to take into “utmost” account the decision drafted and forwarded to it by the Initiating DPA. In the
same context, if the DPA refuses the Initiating DPA’s designation, then the Initiating DPA may
handle the case, however taking into consideration the GDPR’s provisions on mutual assistance and
joint DPA operations (Articles 61 and 62 respectively). Finally, paragraph 6 of the same article
clarifies what is most important in the one-stop-shop mechanism for data subjects and data
controllers, meaning the fact that the Lead DPA, once formally designated, will act as the sole
interface (“interlocutor”) towards them with regard to the case under examination.
Finally, as seen above under 2.1, all disputes among DPAs as to the designation of a particular DPA
as the lead DPA are to be resolved by the Board, under the consistency mechanism.
The other basic component of the one-stop-shop mechanism refers to the notion of the “main
establishment” of the controller or processor. As seen above, the notion of the Lead DPA, while
important in its own merit, is of a dynamic nature: whatever the interpretation given to the notion of
the “main establishment”, through the letter of GDPR or subsequent case law or by any other means
(for example, guidelines issued by the Board, as advised in Recital 124), that will correspond to the
designated Lead DPA.
For the time being guidance as to the notion of the “main establishment” is merely provided in Article
2 of the GDPR:
(16) ‘main establishment’ means:
(a) as regards a controller with establishments in more than one Member State, the place of its central
administration in the Union, unless the decisions on the purposes and means of the processing of
personal data are taken in another establishment of the controller in the Union and the latter
establishment has the power to have such decisions implemented, in which case the establishment
having taken such decisions is to be considered to be the main establishment;
(b) as regards a processor with establishments in more than one Member State, the place of its central
administration in the Union, or, if the processor has no central administration in the Union, the
establishment of the processor in the Union where the main processing activities in the context of the
activities of an establishment of the processor take place to the extent that the processor is subject to
specific obligations under this Regulation;
While it is outside the scope of this analysis to elaborate in detail upon the notion of the “main
establishment” in the GDPR, here a few points will be raised particularly with regard to the one-stop-
shop mechanism requirements. In this context it should be noted that the GDPR, as regards a
controller, places the essence of the distinction between a main establishment and other possible
establishments onto the place where “the decisions on the purposes and means of the processing of
personal data are taken”. This is further complemented by the “power to have such decisions
implemented”. This place is to be understood as the place of the controller’s “central administration”.
Consequently, all of the above criteria, meaning (a) decision on the purposes, and (b) decision on the
means of the processing, as well as (c) the power to have these decisions implemented, need to be
established by the Initiating DPA in order to designate the place of the central administration of a
controller, that will in turn coincide with the Lead DPA for the one-stop-shop mechanism purposes.
The GDPR does not clarify whether the check on the place of the central administration of a
controller is to be done automatically, for all controllers and in all cases, by a DPA initiating an
examination within its jurisdiction, or whether this check needs to be done only after a particular
controller raises the issue. For the purposes of the one-stop-shop mechanism, where cross-border
cases are placed at the centre of examination, it would be advisable for any DPA to examine by
default the place of central administration of any controller that draws its attention. After all, this
policy option is in line with the globalised contemporary processing environment.
A final note, that is important to be made at this point but will however not be elaborated any further
because it borders with the paramount issue of extraterritoriality in the GDPR, refers to the
assumption of the GDPR that a controller (or, for the same purposes, a processor) has a place of the
central administration “in the Union”. As far as the one-stop-shop mechanism is concerned, this is a
necessary assumption in order for it to become operational: only EU DPAs are actors in it. However,
given the contemporary globalised processing environment, this may not always be the case.
As far as the processor is concerned, the GDPR again stresses the importance of the “place of its
central administration in the Union”. In this case, because from a law-making perspective it follows
the definition of the “central administration” with regard to controllers, it may be assumed that the
same requirements (meaning the three-step verification process described above) are applicable in the
case of processors as well. However, in this case the GDPR makes express mention of the possibility
that the processor may not have its central administration in the Union: in that case the Initiating DPA
needs to establish, first, whether the processor is “subject to specific obligations under this
Regulation” and, second, where “the main processing activities take place”. The result of this
assessment is expected to reveal the Lead DPA.
2.2.3 How is the one-stop-shop mechanism expected to operate?
Once the roles are allocated among the DPAs Concerned, Article 60 applies. This is the epicentre of the one-stop-shop mechanism. Its operation, as described in the GDPR, may be summarised as follows. Presumably the Lead DPA will have accepted its role and will have assumed its duties as such – otherwise Article 56 paragraph 5 would apply. In the same context, it is assumed that the case in question does not pertain to processing carried out by “public authorities or private bodies in the public interest”, in which case the local DPA is expressly the only competent DPA and the one-stop-shop mechanism does not apply (according to Recital 128). However, the GDPR does not clarify what happens in cases where controllers are both private and public bodies.
Once the Lead DPA assumes its role, it may investigate the case under examination. The Lead DPA may utilise all means provided in the GDPR in order to reach its decision. Given the cross-border character of the cases falling under the one-stop-shop mechanism, the GDPR affords it the investigative powers that it would normally have had, were this a data protection case within its own jurisdiction. To this end, paragraph 2 allows the Lead DPA either to ask for mutual assistance (under Article 61) or to request that joint operations be undertaken with the DPAs Concerned (according to Article 62). Once the investigation process is concluded and a conclusion has been reached, the Lead DPA needs to draft its decision on the matter at hand. In doing so, it needs to take “into the utmost account” the decision drafted by the Initiating DPA, as forwarded to it together with its appointment as Lead DPA (as per Article 56.4). Before the decision is finalised, a consultation process needs to be opened by the Lead DPA, in which all DPAs Concerned may take part. To this end, the Lead DPA is expected to transmit its draft decision, together with all relevant information, to them for comments. Any comments other DPAs may have need to reach the Lead DPA, so that it may “take due account” of them. The GDPR qualitatively differentiates at this point between the views of the Initiating DPA and those of the DPAs Concerned, placing more emphasis upon the draft decision (and, consequently, the views) of the former.
The GDPR offers, as per paragraph 4, four weeks to the DPAs Concerned to express their views – particularly any objections they may have to the draft decision prepared by the Lead DPA. If a DPA agrees with the draft decision of the Lead DPA (or, for the same purposes, any re-submitted and amended draft decision it forwards to them), its tacit acceptance may be inferred from the fact that it has let this deadline pass without any submission on the matter (as per paragraph 6). In the event of a dispute, the GDPR provides expressly for the procedure to be followed: objections need to be justified and reasoned. After receiving any such objections before expiration of the above deadline, the Lead DPA is invited to consider its way ahead. If it decides not to follow these objections, it can refer the matter to the consistency mechanism (see above, under 2.1). If, on the other hand, it decides that it will follow the objections, it needs to prepare a new draft decision in accordance with them and re-circulate it to the DPAs Concerned for comments (as per paragraph 5). This time the DPAs Concerned have only two weeks in which to respond. While the GDPR does not clarify what will happen if any one of the DPAs Concerned has an objection to this new draft decision, it is to be assumed that the matter will be brought immediately to the consistency mechanism, rather than the Lead DPA risking another round of objections among the DPAs Concerned.
The GDPR's preferred way for all of the above to take place is through consensus of the DPAs Concerned. This is expressly instructed in paragraph 1. In the same context, the DPAs Concerned are expected to exchange “all relevant information with each other”, meaning that any and all requests need to be addressed. This is likely to particularly burden the Lead DPA, which will presumably be the recipient of the majority of relevant requests and will as a result need to allocate the relevant resources to this task.
All of the above exchanges are to take place “by electronic means, using a standardised format” (as per paragraph 12). Apparently, a new electronic platform for executing these exchanges within a secure and comprehensive environment needs to be developed by May 2018, when the GDPR, and consequently the one-stop-shop mechanism, will come into effect.
The Lead DPA may reach one of the following types of decision with regard to a complaint:
(a) Accept the complaint;
(b) Reject the complaint;
(c) Partially accept and partially reject the complaint.
Accordingly, in the event of an investigation the Lead DPA may decide to take action or not to take action with regard to the processing concerned. In any event, however, the decisions of the Lead DPA will have binding character (as per Recital 125).
Once a final decision has been formulated by the Lead DPA according to the procedure described above, the parties concerned, meaning the controller or the complainant, need to be notified of it (paragraph 7). The GDPR distinguishes between the two: in the case of a controller, the Lead DPA is to make the relevant announcement. In the case of a complainant, however, the Initiating DPA will inform him or her of the outcome. Accordingly, paragraph 8 clarifies that, in the event of a rejection or dismissal of a complaint, the Initiating DPA will inform both the complainant and the controller. Evidently, the other DPAs Concerned also need to be informed of the final decision; this is expressly the task of the Lead DPA, which also needs to inform the Board. The requirement in the GDPR that the Lead DPA also include “a summary of the relevant facts and grounds” probably refers only to the Board, because all other parties (the DPAs Concerned and the controller) are already well aware of the case in detail.
The GDPR also takes care of the event that a “split” decision is reached by the Lead DPA, meaning that it partially accepts and partially rejects a complaint. In this case, as per paragraph 9, the Lead DPA will inform the controller and take relevant action (being after all the competent authority, because that controller's central administration resides within its jurisdiction), while the Initiating DPA will inform the complainant of the rejection of part of his or her complaint.
Compliance by the controller concerned with the decision resulting from the one-stop-shop mechanism may seem obvious, because it ultimately constitutes a decision of that controller's competent DPA, but it is nevertheless expressly stated in the text of the GDPR as well (in paragraph 9 and also Recital 126).
Finally, the GDPR provides for an expedited operation of the one-stop-shop in “exceptional
circumstances” (in paragraph 11). In this case the Initiating DPA may invoke the urgency procedure
referred to in Article 66 (see above, under 2.1).
2.2.4 Challenges and concerns
An assessment of the one-stop-shop mechanism is most likely premature, given that a number of issues pertaining to it await further clarification, both when the first cases are actually handled by it and through the Board's guidelines. Consequently, the following points only constitute a list of challenges the mechanism will have to tackle:
• Successful designation of the Lead DPA. Successful designation of the Lead DPA is not expected to be an easy matter to resolve. While the basic concept of the main establishment of the controller or the processor provides useful guidance, and is complemented by further guidance in the Recitals of the GDPR, practical application of these rules may be tested, particularly within the contemporary globalised personal data protection environment. Should numerous disputes on this matter arise among DPAs, regardless of the effectiveness or otherwise of the consistency mechanism in addressing them, the level of public trust in the GDPR system may be placed at risk;
• In the same context, Article 56.2 may constitute an important undermining factor within the GDPR system, if DPAs exasperated by the practices of the Lead DPA decide to take action independently, making use of its provisions (the treatment of certain internet social networks or search engines coming to mind as a precedent in this regard);
• Task allocation within the group of DPAs Concerned. While designation of the Lead DPA is important, participation of all DPAs Concerned is equally significant, so as to warrant comprehensiveness, transparency and, ultimately, an effective application of the Lead DPA's decision. The GDPR distinguishes between the input of the Initiating DPA and that of the DPAs Concerned; however, all inputs need to be taken into account by the Lead DPA. The Lead DPA should also inform and engage the group of DPAs Concerned as much as possible. Although much of this is left to practice and to the actual implementation of the relevant provisions, the importance of the active participation of all DPAs Concerned in the one-stop-shop mechanism cannot be stressed enough: its effective, and convincing, application essentially depends on it. To this end, the Board's guidelines (see immediately below) ought to cover this matter extensively, placing concrete obligations in this direction upon the Lead DPA;
• A number of operational details are missing; the Board needs to intervene and provide guidelines that will complement the one-stop-shop mechanism within the general principles set in the GDPR. In doing so, the following directives could prove relevant:
o Ensuring DPA participation and inclusion by placing concrete obligations upon the Lead DPA;
o Ensuring timely DPA response to Lead DPA requests;
o Clearly articulating all stages of the one-stop-shop process;
o Providing operational instructions as regards the electronic platform to be developed;
o Addressing practical issues (for example, translations, costs, etc.).
• In the same context, the electronic platform required for exchanges among DPAs within the one-stop-shop mechanism, as per the requirement of Article 60.12, needs to be developed – and to be continuously operated and maintained to the highest technological standards;
• The one-stop-shop mechanism is essentially an intra-EU administrative mechanism to address cross-border issues. Its limitations are therefore easily observed from its description: it cannot handle international, non-EU cases, and it is not a judicial mechanism, meaning that persistent disputes will ultimately need to be brought before the courts. In addition, it is a mechanism that assumes a clear and straightforward distinction between processing undertaken in the public and the private sector. Given these limitations, a reasonable amount of time will probably be needed for the mechanism to address all its inherent difficulties and fully develop its potential – in the meantime, the treatment of cross-border cases may not offer the legal certainty that the GDPR aims at.
As stated above, the success of the mechanism constitutes a milestone for the success of the GDPR itself. Because much of the personal data processing undertaken today is of a cross-border nature, and this is particularly relevant to high-profile cases that attract the public's attention, efficient operation of the mechanism in addressing them will warrant public trust in the new GDPR itself. If this is not the case, and the one-stop-shop mechanism fails to address cross-border issues in a competent manner, then its addressees (data subjects and controllers) will have lost faith in a substantial part of the rationale behind the introduction of a Regulation to replace Directive 95/46.
2.3 Consultation mechanisms and distribution of powers
An indispensable role in the GDPR system is to be held by the European Data Protection Board. The Board is not merely intended to be the replacement of the Article 29 Data Protection Working Party. Although this substitution is also necessitated by the new EU data protection structure, the GDPR grants the Board a much wider role than that held by the Article 29 Working Party. As already seen in the preceding Chapters, the Board is to become an administrative dispute resolution (in other words, decision-making) mechanism upon which both the consistency and the one-stop-shop mechanisms are based. Its role is therefore central in the EU data protection edifice, and the way it decides to exercise its newly acquired powers (newly acquired, if it is considered the successor of the Article 29 Working Party) will constitute a basic metric for the success of the GDPR itself.
A necessary clarification at this point refers to the fact that decision-making is understood in this analysis as a process leading to a decision of (some) binding character (in the sense that it is binding on its addressees, meaning the DPAs concerned). While decision-making is also involved in the drafting of the Board's opinions, recommendations or guidelines of a non-binding, voluntary character, the consultation mechanism with DPAs in that case, or the lack (or deficiency) thereof, ultimately affects EU data protection in a less resolute manner. This is because binding Board decisions may directly affect individuals and controllers, when adopted at Member State level by the DPAs concerned, while non-binding Board decisions do not have, at least directly, such a potential. However, the issue of the “soft” binding power of Board opinions will indeed be discussed in the analysis that follows.
The GDPR introduces the Board in Section 3 of its Chapter VII on “Cooperation and Consistency”. It
is placed immediately after the provisions on the one-stop-shop and the consistency mechanism.
Because of the central role it holds in both of them, this is considered a wise law-making choice.
The analysis that follows aims at examining the mechanisms for DPA consultation regarding envisaged decisions and the decision-making process within the Board, as introduced in the final text of the GDPR. It continues to apply the methodology employed above, in the sense of an article-by-article commentary. In this case, however, given its specific aim and the number of GDPR provisions pertaining to the Board, a selection will be made, targeted to the subject-matter under discussion.
2.3.1 Decision-making by the European Data Protection Board in the text of the GDPR
The aim of this analysis is to examine the DPAs' potential for consultation with the Board while the latter is engaged in decision-making processes. As such, it is first imperative to highlight the decision-making powers afforded to the Board in the final text of the GDPR. Admittedly, the Board, exactly like its predecessor, the Article 29 Working Party, essentially constitutes an advisory mechanism, as evidenced by the majority of the items listed in Article 70 (see immediately below). However, there are cases where the Board is afforded decision-making power, perhaps most importantly with regard to the consistency mechanism as outlined above (under 2.1). In any event, identification of the decision-making powers of the Board under the GDPR is neither a straightforward nor a final task, in the sense that the listing in Article 70 is expressly indicative and the Board has yet to assume its role and issue its by-laws.
In addition, the wording of the GDPR does not provide much assistance in this regard, because it employs the same terminology, “opinions”, for all opinions issued by the Board, regardless of the binding character of some of them (at least on their addressees, Member State DPAs). In practice, only through inference and a combined reading of certain GDPR provisions, particularly those included in its Article 65, may the binding character of Board opinions be derived. A clear distinction between these “opinions” and others, which are indeed of a voluntary, consulting status and do not develop any binding character whatsoever, would have assisted the reading of the GDPR. Consequently, only through examination of the GDPR provisions, and particularly its Article 65, may the following be highlighted in this regard:
Decision-making powers of the Board within the consistency mechanism.
This will probably prove the most important decision-making power afforded to the Board under the GDPR. As discussed above, under 2.1, the Board is to act as the administrative dispute resolution body within the consistency mechanism (see its Articles 65 and 70.1(t)). Any DPA disputes pertaining to it are to be brought before the Board. The Board's decision is binding upon the disputing DPAs.
Decision-making powers of the Board within the one-stop-shop mechanism.
As also outlined above, under 2.2, designation of the Lead DPA within the context of the one-stop-shop mechanism is not expected to be a straightforward task, nor is it expected to be an undisputed one. Here again, the administrative body empowered to decide, in a way that is binding on the competing DPAs, is the Board (see Article 65).
Other decision-making powers of the Board
Article 70 of the GDPR lists, indicatively, the tasks of the Board:
1. The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on
its own initiative or, where relevant, at the request of the Commission, in particular:
(a) monitor and ensure the correct application of this Regulation in the cases provided for in Articles
64 and 65 without prejudice to the tasks of national supervisory authorities;
(b) advise the Commission on any issue related to the protection of personal data in the Union,
including on any proposed amendment of this Regulation;
(c) advise the Commission on the format and procedures for the exchange of information between
controllers, processors and supervisory authorities for binding corporate rules;
(d) issue guidelines, recommendations, and best practices on procedures for erasing links, copies or
replications of personal data from publicly available communication services as referred to in Article
17(2);
(e) examine, on its own initiative, on request of one of its members or on request of the Commission,
any question covering the application of this Regulation and issue guidelines, recommendations and
best practices in order to encourage consistent application of this Regulation;
(f) issue guidelines, recommendations and best practices in accordance with point (e) of this
paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant
to Article 22(2);
(g) issue guidelines, recommendations and best practices in accordance with point (e) of this
paragraph for establishing the personal data breaches and determining the undue delay referred to in
Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is
required to notify the personal data breach;
(h) issue guidelines, recommendations and best practices in accordance with point (e) of this
paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to
the rights and freedoms of the natural persons referred to in Article 34(1).
(i) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph
for the purpose of further specifying the criteria and requirements for personal data transfers based on
binding corporate rules adhered to by controllers and binding corporate rules adhered to by processors
and on further necessary requirements to ensure the protection of personal data of the data subjects
concerned referred to in Article 47;
(j) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph
for the purpose of further specifying the criteria and requirements for the personal data transfers on
the basis of Article 49(1);
(k) draw up guidelines for supervisory authorities concerning the application of measures referred to
in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83;
(l) review the practical application of the guidelines, recommendations and best practices referred to
in points (e) and (f);
(m) issue guidelines, recommendations and best practices in accordance with point (e) of this
paragraph for establishing common procedures for reporting by natural persons of infringements of
this Regulation pursuant to Article 54(2);
(n) encourage the drawing-up of codes of conduct and the establishment of data protection
certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42;
(o) carry out the accreditation of certification bodies and its periodic review pursuant to Article 43 and
maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited
controllers or processors established in third countries pursuant to Article 42(7);
(p) specify the requirements referred to in Article 43(3) with a view to the accreditation of
certification bodies under Article 42;
(q) provide the Commission with an opinion on the certification requirements referred to in Article
43(8);
(r) provide the Commission with an opinion on the icons referred to in Article 12(7);
(s) provide the Commission with an opinion for the assessment of the adequacy of the level of
protection in a third country or international organisation, including for the assessment whether a third
country, a territory or one or more specified sectors within that third country, or an international
organisation no longer ensures an adequate level of protection. To that end, the Commission shall
provide the Board with all necessary documentation, including correspondence with the government
of the third country, with regard to that third country, territory or specified sector, or with the
international organisation;
(t) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism
referred to in Article 64(1), on matters submitted pursuant to Article 64(2) and to issue binding
decisions pursuant to Article 65, including in cases referred to in Article 66;
(u) promote the cooperation and the effective bilateral and multilateral exchange of information and
best practices between the supervisory authorities;
(v) promote common training programmes and facilitate personnel exchanges between the
supervisory authorities and, where appropriate, with the supervisory authorities of third countries or
with international organisations;
(w) promote the exchange of knowledge and documentation on data protection legislation and
practice with data protection supervisory authorities worldwide.
(x) issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and
(y) maintain a publicly accessible electronic register of decisions taken by supervisory authorities and
courts on issues handled in the consistency mechanism.
2. Where the Commission requests advice from the Board, it may indicate a time limit, taking into
account the urgency of the matter.
3. The Board shall forward its opinions, guidelines, recommendations, and best practices to the
Commission and to the committee referred to in Article 93 and make them public.
4. The Board shall, where appropriate, consult interested parties and give them the opportunity to
comment within a reasonable period. The Board shall, without prejudice to Article 76, make the
results of the consultation procedure publicly available.
As is easily observable in the above listing, the tasks of the Board almost exclusively pertain to
issuing “guidelines”, “recommendations” and “best practices”. Therefore, its role as a mostly advisory
body cannot be challenged. However, decision-making powers, other than the important ones outlined
above (pertaining to the consistency and the one-stop-shop mechanisms), may perhaps be identified in
the above listing.
This, for example, is particularly the case with regard to the accreditation of certification bodies. As per points (o) and (p), the Board is empowered to carry out the accreditation of certification bodies according to criteria it has established on its own, to perform a periodic review of that accreditation, and to maintain a relevant public register.
In the same context, of some interest, although definitely not of a decision-making nature, is the power of the Board to maintain an electronic register “of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism”, according to point (y).
“Soft” decision-making powers of the Board
While, as stated above, decision-making by the Board is understood in this analysis as pertaining to decisions that develop some type of binding character on their addressees (the DPAs concerned), an unquestionable “soft” decision-making power is to be expected in all Board decisions, recommendations or guidelines – at least with regard to Member State DPAs. This is an inevitable development on account of the Board's composition: it is to be composed of the head of each DPA as well as the EDPS (Article 68.3). In addition, the Board is expected to decide on all matters by simple majority of its members (see Article 72.1). Consequently, if one takes into consideration that the heads of DPAs are essentially the ones, even by majority, making decisions within the Board, even if these decisions are of an otherwise voluntary nature, it is to be expected that upon their return to their respective DPAs they will indeed follow these decisions in practice.
Therefore, despite the focus of this analysis on binding decisions to be issued by the Board, because of their potential to ultimately affect the rights and obligations of data subjects and controllers, the issue of DPA participation and consultation in all Board procedures ought not to be underestimated.
2.3.2 Mechanisms for DPA consultation with the European Data Protection Board
DPA consultation in the cases listed above, under 2.3.1, is expressly provided for in the text of the GDPR. As established in the analysis above, under 2.1 and 2.2 respectively, the DPAs participating in any way in the consistency or the one-stop-shop mechanisms have clearly identified roles in the respective articles of the GDPR. In the same context, consultation with regard to certification is warranted by the fact that the criteria are issued by the Board, and therefore by the DPAs constituting it, as well as through the accreditation of certification bodies, which will presumably be carried out through the normal decision-making processes of the Board (by simple majority of its members, the DPAs).
On the other hand, the operation of the actual dispute resolution mechanism, while occupying a whole article of the GDPR (its Article 65), may need to be further expanded upon in the Board's by-laws, particularly with regard to DPA consultation. Such consultation may take the form of representations by the disputing DPAs before the Board or of interventions by other DPAs Concerned. The GDPR, while introducing the process and the relevant deadlines for the Board to reach a decision, does not describe in detail how the DPAs involved may take part. The Board does indeed need to reach “reasoned” decisions, but clearer instructions as to DPA consultation probably need to be established in the relevant by-laws or guidelines to be issued by the Board.
At this point, DPA consultation perhaps needs to be distinguished from DPA participation. Although the GDPR fails to make such a distinction, in certain cases, particularly when the Board issues binding decisions, it may have been useful. Binding decisions of the Board within the consistency or the one-stop-shop mechanisms directly affect only the disputing DPAs or the Initiating and the Lead DPA; however, they are also (a) binding on all DPAs Concerned, and (b) binding on all other DPAs. While point (a) is evident, and indeed the DPAs Concerned are afforded the right to express their views and thus even become a disputing DPA, point (b) probably needs some further clarification. Because the Board in its capacity as a dispute resolution mechanism is expected to operate in a court-like manner, its decisions and the findings therein will most likely constitute “case law” for its own aims and purposes. In other words, the assumptions, methodology and interpretations to be found in any binding decisions of the Board will most likely be binding, by way of “case law”, for future disputes as well. Therefore, in this way they will indirectly affect all other DPAs.
Therein lies the problem of DPAs not participating in these cases unless they are among the DPAs Concerned. The GDPR does not expressly clarify whether, in the relevant discussions within the Board, all other DPAs, even if not a DPA Concerned, may intervene. However, given the ultimately binding character of the decision in question for them as well, they need to be provided with the opportunity to intervene too – something that is ultimately not against the spirit of the GDPR. This could perhaps be clarified in the relevant by-laws.
Finally, with regard to DPA consultation in all other Board decision-issuing, regardless of whether it develops binding character or not (as per the “soft” law distinction discussed above), this is to be taken for granted, considering the composition of the Board. Essentially, in all these matters, DPAs, by simple majority, will reach decisions on all EU data protection matters that will ultimately be applied by the same DPAs. However, even in this case the process could benefit from established, institutional means of DPA consultation (which could perhaps be made public, particularly dissenting DPA opinions); the relevant electronic platform to be developed could provide a useful means to this end.
2.3.3 The institutional setting for consistency: Roles and distribution of powers between the
European Data Protection Board and the Commission
While the consultation and participation mechanisms between the DPAs and the Board are an indispensable element of the latter's operation, the role of the Commission also needs to be examined, as an equally important institutional setting for warranting consistency. In view of the fact that the GDPR has not yet come into effect, nor are the Board's by-laws yet available, the provisions of the GDPR with regard to the role of the Commission will constitute the only terms of reference for the respective analysis.
An overview of the relevant provisions (those relating to the consistency and one-stop-shop mechanisms as well as those listing, indicatively, the tasks of the Board) reveals that the role of the Commission is that of an active, yet silent, participant.
The Commission holds an active role in the work of the Board as well as in the operation of the above mechanisms, because the GDPR repeatedly grants it the right to initiate the relevant procedures. For example, Article 64 provides that “any supervisory authority, the Chair of the Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the Board” (paragraph 2). Likewise, Article 65 grants it the right to “communicate the matter to the Board” whenever “a competent supervisory authority does not request the opinion of the Board in the cases referred to in Article 64(1), or does not follow the opinion of the Board issued under Article 64” (in (c)). Also, the Board is to inform the Commission of its decisions within the dispute resolution mechanism (Article 65.5). Perhaps more importantly, in the sense that this is a “blanket” authorisation, Article 70 commences by stating that “the Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular [...]”. Consequently, the Commission may initiate any procedure before the Board.18
However, at the same time the role granted to the Commission is, perhaps, a silent one, in the sense that the text of the GDPR pays relatively little attention to the details of its participation in the processes it initiates. Apart from the fact that it has no voting rights in the Board whatsoever, in practice the Commission is empowered to initiate a process under certain circumstances and is also to be informed of the outcome of any dispute resolution process, but the exact content, and context, of its intervention once these processes are under way is not provided for in the text of the GDPR. In the same context, there is no specific guidance as to the Commission’s possible participation in a process before the Board which it has not initiated. Is it to be assumed that the Commission will not take part in the relevant workings, and will only be informed of the Board’s final decision? Or, for example, does it have the right to intervene if it is informed of a case of particular interest to it? The latter reading could also be supported by the fact that, as per Article 68.5, “the Chair of the Board shall communicate to the Commission the activities of the Board”. Therefore, all of the matters regarding Commission participation, particularly in the consistency and one-stop-shop mechanisms, need to be defined in the guidelines and by-laws to be issued by the Board.
18 Some reservation needs to be made with regard to the interpretation of the “where relevant” provision in practice, which, however, is not expected to be applied in a way that will significantly restrict the power afforded to the Commission expressly, and repeatedly, in the text of the Regulation.
Viewed from a different perspective, it is among the duties of the Board to advise the Commission
with regard to EU data protection matters (see also Recital 139). This may be done either on its own
initiative or at the request of the Commission (see Article 70). In addition, “where the Commission
requests advice from the Board, it may indicate a time limit, taking into account the urgency of the
matter” (paragraph 2). Also, “the Board shall forward its opinions, guidelines, recommendations, and
best practices to the Commission [...] and make them public”. The GDPR therefore describes a two-
way process, whereby the Board may advise the Commission and the Commission may ask for the
advice of the Board. The Board will make the content of such consultation public, offering thus
transparency to this process.
The general, overarching aim of all GDPR actors is to warrant the consistent and efficient application of its provisions throughout the EU. With this in mind, the interplay among the bodies directly involved in this process (DPAs, the Board, the Commission and the EDPS) is crucial in ensuring consistency. The GDPR grants the Commission an important role, albeit one of a singular status: it is an active participant in all work of the Board and is also permitted to initiate processes before it, yet it has no voting right. A careful balancing of each body’s duties and obligations therefore needs to take place, so as to draw the greatest benefit from the introduction of an impartial actor in the field (impartial because it is neither a DPA nor has particular Member State connections itself), without risking a “turf war” among competing bodies that would ultimately damage the GDPR’s application and personal data protection in the EU.
2.4 Procedural differences and other issues
The aim of this analysis is to consider how differences in national procedures might impede consistency. This will be done in particular with regard to the way DPAs handle complaints. Although the legal regime under which such an assessment will be performed remains that of Directive 95/46, which will only be replaced by the GDPR in May 2018, we believe that useful lessons may be learnt from current DPA practices across the EU in this regard.
2.4.1 EU DPAs’ complaint-handling processes
The EU data protection legal edifice currently in effect is based on Directive 95/46. According to its
Article 28,
1. Each Member State shall provide that one or more public authorities are responsible for monitoring
the application within its territory of the provisions adopted by the Member States pursuant to this
Directive. These authorities shall act with complete independence in exercising the functions
entrusted to them.
2. Each Member State shall provide that the supervisory authorities are consulted when drawing up
administrative measures or regulations relating to the protection of individuals' rights and freedoms
with regard to the processing of personal data.
3. Each authority shall in particular be endowed with:
- investigative powers, such as powers of access to data forming the subject-matter of processing
operations and powers to collect all the information necessary for the performance of its supervisory
duties,
- effective powers of intervention, such as, for example, that of delivering opinions before processing
operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such
opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or
definitive ban on processing, of warning or admonishing the controller, or that of referring the matter
to national parliaments or other political institutions,
- the power to engage in legal proceedings where the national provisions adopted pursuant to this
Directive have been violated or to bring these violations to the attention of the judicial authorities.
Decisions by the supervisory authority which give rise to complaints may be appealed against through
the courts.
4. Each supervisory authority shall hear claims lodged by any person, or by an association
representing that person, concerning the protection of his rights and freedoms in regard to the
processing of personal data. The person concerned shall be informed of the outcome of the claim.
Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data
processing lodged by any person when the national provisions adopted pursuant to Article 13 of this
Directive apply. The person shall at any rate be informed that a check has taken place.
5. Each supervisory authority shall draw up a report on its activities at regular intervals. The report
shall be made public.
6. Each supervisory authority is competent, whatever the national law applicable to the processing in
question, to exercise, on the territory of its own Member State, the powers conferred on it in
accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority
of another Member State. The supervisory authorities shall cooperate with one another to the extent
necessary for the performance of their duties, in particular by exchanging all useful information.
7. Member States shall provide that the members and staff of the supervisory authority, even after
their employment has ended, are to be subject to a duty of professional secrecy with regard to
confidential information to which they have access.
Accordingly, Recital 63 states that
Whereas such authorities must have the necessary means to perform their duties, including powers of
investigation and intervention, particularly in cases of complaints from individuals, and powers to
engage in legal proceedings; whereas such authorities must help to ensure transparency of processing
in the Member States within whose jurisdiction they fall;
Evidently, paragraph 4 of Article 28 is of relevance to the purposes of this analysis. In essence, it grants Member State DPAs the power to hear complaints by any person against infringements of their right to data protection. The DPAs’ authorisation is set in a wide manner: not only are infringements of the Directive’s provisions to be investigated by them, but also the lawfulness of any derogations (exemptions and restrictions) introduced by Member States that limit the scope of certain of the Directive’s rights for purposes, among others, of national or public security or defence. Consequently, DPAs are not viewed in Directive 95/46 merely as administrative bodies addressing individual complaints but also as judicial bodies assessing the lawfulness of legislative measures that affect the right to data protection.
In the same context, the person who lodged the complaint needs to be informed of the outcome of the relevant DPA investigation. In cases pertaining to the above exemptions (national security, defence, etc., as listed in Article 13) the complainant may not be informed of the details of the investigation, but only that a check has taken place, while, a contrario, in all other cases this needs to be done. Accordingly, DPAs need to be granted under their respective national law powers of investigation and intervention as well as the power to engage in legal proceedings, so as to effectively carry out their tasks.
While the above constitutes a brief description of the requirements and specifications found in the text of Directive 95/46 regarding the power of DPAs to receive and examine complaints by individuals,19 the exact way national laws across the EU have implemented them is not straightforward.20 A number of important reasons have led to unavoidable differences among EU Member States in this regard:
- Complaint handling processes need to be compatible with the respective Member State judicial system. Being essentially placed within the public law edifice, the relevant provisions need to be streamlined with existing legal provisions and systems of individual redress;
- As DPAs essentially constitute state (administrative) agencies, their powers and authorities also need to be compatible with the respective legal and administrative system. In certain EU Member States there is a constitutional provision on independent state agencies, while in others such a possibility does not exist. Accordingly, state agencies may or may not have the power to impose fines or carry out a full-length investigation (see point immediately below);
- The legal framework of reference itself (meaning, national Data Protection Acts) may differ among Member States. This is a well-identified difficulty which the GDPR aims to address;
- Complaints themselves may be of a cross-border character, meaning that DPA cooperation needs to take place under the current legal framework, where however no such processes are established;
- The notions of “investigation” and “intervention” may have different meanings in different Member States. For example, should they also include the power to physically intervene and seize processing means? To perform digital forensics? To conduct on-site visits? And, if so, under what procedural conditions?
- The notion of “complaint” may also have different meanings across the EU. While in certain Member States it could refer to a formal submission of a complaint, written by a legal advisor in a legal manner, alleging specific infringements and asking for specific measures, in other Member States it may only relate to an informal notification to a DPA so as to further inquire into a specific personal data processing operation.
- Finally, the means of redress are not uniform across the EU. While in some Member States DPAs have the power to impose fines on controllers but not to pay this money to the complainants, elsewhere this may well be the case.
19 On this issue see also European Union Agency for Fundamental Rights, Data Protection in the European Union: the role of National Data Protection Authorities, p. 25, where a helpful comparative table is also included.
20 See also the analysis below, on DPA enforcement measures, under 4.
In view of the above brief listing of insurmountable (at least under the current legal framework) difficulties when it comes to complaint handling by DPAs across the EU, it comes as no surprise that substantial differences appear to be in place with regard to DPAs’ relevant practices. The following list is indicative of areas where such differences may occur:
- The nature of complaints that may be brought to the attention of a DPA. Individual “complaints” may be described in national law in many ways and formats, ranging from simple, unofficial notifications to DPAs to legally-written formal complaints that are placed within a judicial or formal dispute resolution system and lead to concrete measures;
- The legal powers afforded to a DPA. Legal powers afforded to DPAs under Member State law may range from “soft” intervention and referral of more important cases to courts to full and formal adjudication and enforcement powers;
- The discretionary power of a DPA to respond. While DPAs generally have the discretionary power to select which complaints they will respond to and which do not merit further examination, the methodology behind such selection may not be the same across the EU;
- The investigation and intervention powers afforded to a DPA. While part of the legal powers discussed above, it is important to distinguish the possibilities afforded to any specific DPA to engage in a particular case. In this context, the conditions under which an investigation may be conducted, as well as its scope, may vary significantly among EU DPAs;
- The procedure of examination in front of a DPA may vary substantially. Examination of complaints may range from a mere classification and archiving of the complaint for further future action to a court-like procedure, in which complainants and defendants together with their legal counsel make full representations of their case to the competent DPA;
- Time limits and deadlines. In certain DPAs specific or general (administrative law) deadlines may apply, within which individual complaints need to be addressed in one way or another. This may not be the case in other EU DPAs;
- Enforcement powers. While this stage of complaint-handling by DPAs also falls within the legal powers afforded to them, as listed above, it is important to distinguish it because of its wide implications for controllers and data subjects alike. Certain DPAs have the power to enforce fines, while others do not. Equally, certain DPAs may request other measures to be applied by controllers on the basis of their findings, such as data destruction, while other DPAs are not afforded this option. Finally, an important distinction refers to whether, through the complaint-handling process by a DPA, money can be paid directly to the complainant if an infringement of his or her rights has indeed been established, or not.
- Appeal processes. A complaint-handling process may or may not end with the issuing of the relevant DPA decision. Differences among Member State laws also refer to whether these decisions may be challenged in front of courts or whether a second level of examination, within the same DPA, is prescribed in national law.
Nevertheless, the question of how individuals are affected by these differences is not easy to answer. Leaving cross-border cases aside (because they are obviously affected by any different treatment of the same case among the multiple DPAs that may be called upon to examine it), at local, national level the different complaint-handling processes among EU DPAs may not have a practical effect on the individuals concerned. For example, an individual residing in Belgium and filing a complaint with the Belgian DPA, within whose exclusive competence the handling of this complaint falls, is not directly affected by the fact that, for example, in Italy a different procedure would have been followed. Ultimately, this is a matter of warranting adequate legal protection to individuals; whether this is achieved exclusively at DPA level or some involvement of national courts is also needed is irrelevant to the individuals concerned, as long as the protection afforded to them is, at the end of the day, efficient (meaning, measures are imposed on the infringing controller and/or the individual is compensated for the relevant infringement of their rights). Consequently, it could be argued that from the data subjects’ point of view, when remaining exclusively at national level, different complaint-handling processes among EU DPAs are not of great concern.
However, harmonisation among such practices is indeed important. Cross-border cases are increasing in volume. Even at local level, cross-EU legal certainty is warranted through possibly standardised complaint-handling methods. This is evident from the controllers’ point of view, as they may feel compelled to engage in forum-shopping in order to address national differences. Individuals too will profit from a possibly standardised approach to their complaint-handling by DPAs across the EU, not only because of its increased legal certainty and level of awareness (a single process for all the EU), but also due to the indirect result that the process will acquire more experience and in-depth knowledge by drawing from the, by then comparable, practices of all EU Member States.
At any event, the GDPR aims at addressing the above differences, and thus warranting consistency, once it comes into effect. As a first, obvious, step, it will provide a common legal framework for DPAs to apply. In addition, cross-border cases will fall under the one-stop-shop and consistency mechanisms discussed above (under 2.2 and 2.1, respectively). However, at the same time it is not entirely clear, nor self-evident, that the GDPR will successfully resolve national differences when it comes to complaint handling by DPAs. Despite its direct effect, the fact remains that national provisions and national adjudication systems continue to apply; the new data protection provisions will somehow need to be aligned with them. Member States may decide to make the most of the space for national law flexibility afforded to them by the GDPR in this regard.
In view of the above, consistency in DPA complaint-handling, particularly with regard to exclusively “local” cases that do not transcend national borders, constitutes a target to be attained, rather than an issue already resolved merely through the introduction of the GDPR. Member State law is expected to differ while implementing the relevant provisions, and it will require the attention of all actors involved (DPAs, the EDPS, the Commission) to align differentiated national approaches to this matter. A “standardised” complaint-handling procedure across the EU is an important harmonisation metric to be achieved by the GDPR. However, while striving to achieve this aim, the following issues21 also need to be taken into account:
- While consistency is a shared aim among DPAs, flexibility is also an important concern among them. DPAs wish to retain a level of flexibility while handling local complaints, in accordance with local law, practices and public expectations;
- Overregulation is a concern among DPAs. The GDPR system ought to achieve consistency in complaint-handling without overregulating the field by going into great detail on local processes and procedures;
- DPA autonomy needs to be respected;
- Financial aspects, and limitations of human resources, also need to be taken into account;
- The connection of this system with the one-stop-shop and the consistency mechanisms needs to be clearly established.
21 As derived also through interviews with DPAs held under Deliverable D1.1 of this project.
2.4.2 The data subjects’ perspective: is there a “right to consistency”?
While consistency is an important aim of the GDPR that, as discussed above, needs to be pursued by all actors involved in its application (DPAs, the Board, the Commission), it is doubtful whether at the same time it creates a corresponding legal right for individuals. A legal right, in the sense of a judicially pursuable right that creates concrete obligations for its addressees, is hard to envisage in the context of consistency. Consistent application of the GDPR provisions across the EU is listed expressly as one of its aims; however, the same wording does not grant individuals a right in this regard. On the other hand, in all cases where the GDPR affords rights to data subjects (see its Chapter III), this is done in an explicit manner, together with operational instructions as to their exercise. This is not the case with consistency. Inferring such an important right merely from the GDPR’s Preamble, where relevant mention is made, would probably appear exaggerated.
Even from a practical point of view, it is hard to imagine the standard against which such a new right afforded to individuals would need to be measured, in order to establish possible infringements or to allocate obligations. A number of reasons, among which the express room for national law flexibility afforded in the text of the GDPR, enable different levels of application among Member States. In other words, lack of consistency may well be lawful under the GDPR. An individual’s indiscriminate claim for consistent application of the same provisions across the EU could run up against these exact provisions. Even if this is not the case, courts that would conceivably assess claims of infringement of this right would first have to assess which one of the different Member State implementations is the correct one according to the GDPR, thereby opening up new issues of lawfulness. It is for the above reasons that we consider an interpretation of the GDPR provisions as awarding a “right to consistency” to data subjects to be both impractical and ultimately unbeneficial to the level of data protection afforded within the EU.
2.5 Conclusion: Enhancing consistency
In view of the importance of consistency under the new GDPR edifice, ways to enhance it ought to be
explored. These ways need not coincide with the adequate and efficient application of the relevant
provisions themselves, which after all constitutes a basic and self-evident first step for warranting
consistency. Other than that, new ways that would supplement and strengthen the consistency
mechanism need to be devised by all the actors concerned (DPAs, the Board, the Commission). In this
regard, the following list is aimed at providing relevant guidance:
- Knowledge exchange among DPAs. Exchange of knowledge, in the form of case specifics, legal theories applied, balancing of rights etc., is imperative in order to warrant the same level of understanding and interpretation among DPAs of the GDPR provisions, which in turn constitutes a fundamental basis for the consistency mechanism.
- Know-how exchange among DPAs. Know-how differs from knowledge in that it pertains to practical information. As such it may not refer to the reasoning behind the decision of a DPA but rather to the way a complaint or a case has been treated, especially towards the parties concerned (data subjects and controllers).
- Established ways of communication among DPAs. The above information needs to be exchanged among DPAs on a common, preferably electronic, accessible, searchable and secure platform.
- Training of DPAs. Continuous training of DPA personnel involved in case-handling is an important step in achieving consistency, ultimately aimed at the individuals in charge of effectuating it.
- DPA access to academic and related material. In order for DPAs to reach informed, up-to-date and scientifically valid decisions within the consistency mechanism, they need to be provided with full access to all supporting material available.
- Dissemination activities aimed at data subjects. Data subjects, who are ultimately the users of the consistency mechanism, need to be made aware of its existence and its potential contribution to identified infringements of their rights.
- Publication and openness. The consistency mechanism should strive to achieve the maximum possible level of openness and transparency, given the fact that it may function as a dispute resolution mechanism and thus affect the rights and obligations of individuals and controllers. In this regard, any documentation pertaining to a case that is publishable needs to be accessible to the public, preferably by being placed online.
- Continuous re-assessment and re-evaluation. The consistency mechanism is a new introduction through the text of the GDPR that is aimed at addressing a critical aspect of contemporary personal data processing. It is therefore expected to constitute a learning experience for all bodies and individuals involved in its operation. This is why a mechanism for continuous re-evaluation and re-assessment will assist its continuous improvement through the incorporation of lessons learned and best practices into its workings.
3 Learning from “mutual recognition” experience: the case of the BCR
Under the EU data protection legal framework in effect today, meaning the one based on Directive 95/46, Binding Corporate Rules (BCRs) constitute a relevant example with regard to cooperation and mutual recognition processes among EU DPAs. Indeed, this paradigm is relevant within the GDPR environment soon to come into effect in more than one respect. In particular, apart from constituting a working example of DPA cooperation and mutual recognition, it also involves identification of the Lead DPA, a central component, as seen above (under 2.2.2), of the one-stop-shop mechanism. It is in this regard that BCRs will be analysed in this Chapter. Although they are by now of limited legal effect, in the sense that the GDPR will come into effect in May 2018 while the Privacy Shield that recently became effective22 may affect them as well, they relate to such an important issue as international data transfers and therefore constitute a useful example of the possible ways of DPA cooperation, of the advantages of its existence, as well as of the difficulties arising from the lack of generalisation.
3.1 The BCR legal basis and procedure
According to Article 26 of Directive 95/46,
1. By way of derogation from Article 25 and save where otherwise provided by domestic law
governing particular cases, Member States shall provide that a transfer or a set of transfers of personal
data to a third country which does not ensure an adequate level of protection within the meaning of
Article 25 (2) may take place on condition that:
(a) the data subject has given his consent unambiguously to the proposed transfer; or
(b) the transfer is necessary for the performance of a contract between the data subject and the
controller or the implementation of pre-contractual measures taken in response to the data subject's
request; or
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest
of the data subject between the controller and a third party; or
(d) the transfer is necessary or legally required on important public interest grounds, or for the
establishment, exercise or defence of legal claims; or
22 See the relevant press release, European Commission launches EU-U.S. Privacy Shield: stronger protection for transatlantic data flows, Brussels, 12 July 2016, available at http://europa.eu/rapid/press-release_IP-16-2461_en.htm
(e) the transfer is necessary in order to protect the vital interests of the data subject; or
(f) the transfer is made from a register which according to laws or regulations is intended to provide
information to the public and which is open to consultation either by the public in general or by any
person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for
consultation are fulfilled in the particular case.
2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of
personal data to a third country which does not ensure an adequate level of protection within the
meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the
protection of the privacy and fundamental rights and freedoms of individuals and as regards the
exercise of the corresponding rights; such safeguards may in particular result from appropriate
contractual clauses.
3. The Member State shall inform the Commission and the other Member States of the authorizations
it grants pursuant to paragraph 2. If a Member State or the Commission objects on justified grounds
involving the protection of the privacy and fundamental rights and freedoms of individuals, the
Commission shall take appropriate measures in accordance with the procedure laid down in Article 31
(2). Member States shall take the necessary measures to comply with the Commission's decision.
4. Where the Commission decides, in accordance with the procedure referred to in Article 31 (2), that
certain standard contractual clauses offer sufficient safeguards as required by paragraph 2, Member
States shall take the necessary measures to comply with the Commission's decision.
23 Information from http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/index_en.htm
24 Working Document: Transfers of personal data to third countries: Applying Article 26 (2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers, WP74, 3 June 2003.
According to the Commission, BCRs are “internal rules (such as a Code of Conduct) adopted by multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection”.23 Their legal basis is to be found in paragraph 2 of the above Article 26. This has been further elaborated in Working Paper 74 by the Article 29 Data Protection Working Party.24 In particular, with regard to their raison d’être, the Working Party noted that (emphasis placed by the authors):
Data Protection Authorities receive requests for authorisations for the transfer of personal data to third countries within the meaning of Article 26 (2) of the Directive. Traditionally most of these requests have required contractual solutions which national authorities have considered in the light of the principles outlined in WP 12, other documents issued by this group and particularly the Commission decisions on standard contractual clauses.
[…]
In so far as a unilateral undertaking is able to deploy real and ensured legal effects, in
particular as regards the effective protection of data subjects after the transfer and as
regards the possible intervention of national supervisory authorities or other authorities,
as further clarified under chapters 3 and 5 below, there should not be any reason to
exclude such a possibility: Article 26 (2) of Directive 95/46/EC offers the Member States
a broad margin of manoeuvre in this regard.
[…]
Binding corporate rules should not be considered as the only or the best tool but for
carrying out international transfers but only as an additional one where the use of existing
instruments (i.e. Commission decisions on standard contractual clauses or the Safe
Harbor Principles where applicable) seem to be particularly problematic. This working
document may not be used as forcing or even simply as inciting the Member States to
use a given tool in responding to the requests of multinational companies. National
supervisory authorities or any other competent bodies are entirely free to analyse and
answer the proposals submitted to them in the way that fits best with their national laws
and the given elements of the submission.
Subsequently, the DPA cooperation procedure is outlined in Working Paper 107.25 Because of its length, the shortened version provided on the Commission website26 is reproduced here:
First step: the company shall designate the lead authority, i.e. the authority which will be handling the EU co-operation procedure amongst the other European DPAs.
Second step: the company drafts the BCR which meet the requirements set up in the working papers adopted by the Article 29 Working Party. This draft is submitted to the lead authority which reviews it and provides comments to the company to ensure that the document matches the requirements set out in paper WP 153.
Third step: the lead authority starts the EU cooperation procedure by circulating the BCR to the relevant DPAs, i.e. those of the countries from where entities of the group transfer personal data to entities located in countries which do not ensure an adequate level of protection.
Fourth step: the EU co-operation procedure is closed after the countries under mutual recognition have acknowledged receipt of the BCR and those which are not under mutual recognition have considered that the BCR complies with the requirements set out in WP29 (within one month).
Fifth step: once the BCR have been considered as final by all DPAs, the company shall request authorisation of transfers on the basis of the adopted BCR by each national DPA.
25 Working Document, Setting Forth a Co-Operation Procedure for Issuing Common Opinions on Adequate Safeguards Resulting From “Binding Corporate Rules”, WP107, 14 April 2005.
26 Information available at http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/procedure/index_en.htm
An important step, therefore, in the BCR process is identification of the Lead DPA. This, as seen
above (under 2.2.2), may constitute useful precedent and provide relevant guidance to the consistency
mechanism. The criteria through which a controller designates a Lead DPA (in the same way as an
Initiating DPA as per the analysis above) are listed in WP107 above as follows (emphasis placed by
the authors):
2. An applicant corporate group should justify the selection of the lead authority on the
basis of relevant criteria such as:
a. the location of the group’s European headquarters;
b. the location of the company within the group with delegated data protection
responsibilities;
c. the location of the company which is best placed (in terms of management function,
administrative burden etc.) to deal with the application and to enforce the binding
corporate rules in the group;
d. the place where most decisions in terms of the purposes and the means of the
processing are taken; and
e. the member states within the EU from which most transfers outside the EEA will take
place.
2.1. Priority will be given to the factor described under 2 (a) above.
2.2. These are not formal criteria. The data protection authority to which the application
is sent will exercise its discretion in deciding whether it is in fact the most appropriate
data protection authority and, in any event, the data protection authorities among
themselves may decide to allocate the application to a data protection authority other than
the one to which the corporate group applied.
Once the BCR process has begun at the initiative of a controller, who also has to decide on the Lead
DPA, the actual DPA cooperation process takes place. According again to WP 107 (emphasis placed
by the authors),
4. Once a decision on the lead authority has been made, the latter will start the
discussions with the applicant. The result of these discussions should be a “consolidated
draft” which will be distributed among all DPAs concerned for comments. In normal
circumstances, the period for comments on the consolidated draft will not exceed one
month.
5. The lead authority will transmit these comments on the “consolidated draft” to the
applicant and may resume discussions, if necessary. If the lead authority is of the view
that the applicant is in a position to address satisfactorily all comments received, it will
invite the applicant to send a “final draft” on which the lead authority will invite
confirmation from the DPAs that they are satisfied as to the adequacy of the
safeguards proposed.
6. Such confirmation will be regarded by all the participant authorities and the
organisation concerned as an agreement to provide the necessary permit or authorisation
at national level (if required). However, additional requirements that may exist in each
country such as notification or administrative formalities may also have to be complied
with.
7. The Chairman of the Article 29 Working Party will be informed of this decision and
will share this information with other EU/EEA DPAs immediately via CIRCA.
8. Translations: as a general rule and without prejudice to other translations where
necessary or required by law, first and consolidated drafts should be provided both in
the language of the leading authority and in English. The final draft must be translated
into the languages of those DPAs concerned.
The Lead DPA is, consequently, in charge of the relevant process: it is its duty to identify the DPAs concerned, circulate the first BCR draft, receive DPA comments and transmit them back to the applicant, re-submit a “final draft” for confirmation by DPAs, and be prepared to re-initiate the same process, if needed, until confirmation by all DPAs concerned “that they are satisfied as to the adequacy of the safeguards proposed” has been received.
DPA confirmation on the final version of BCRs, as forwarded to them by the Lead DPA, does not have a formal legal status, nor is it binding upon its addressees (the DPAs concerned). It only constitutes an “agreement to provide the necessary permit or authorisation” by the same DPA at national level, which is usually indeed required. Therefore, the mutual recognition mechanism in the case of BCRs is based on an informal understanding between DPAs (informal in the sense that it has no concrete legal status, keeping in mind that the Working Party’s opinions are not binding and WP 107 is, indeed, merely a “working document”) that, if one of them has confirmed the adequacy of the BCRs forwarded to it by the Lead DPA, it will not change its mind at a later stage, when the same controller submits the same BCRs to it for approval, and will indeed issue the relevant permit. In the same context, no other mechanisms are introduced with regard to appeals or dispute resolution. From this point of view, the BCRs cooperation mechanism, as in effect today, constitutes an informal cooperation mechanism among DPAs, aimed at facilitating multinational controllers’ personal data processing and based, essentially, on the participating DPAs’ good will.
3.2 The BCR advantages
Within a globalised personal data processing environment the advantages of BCRs are easily
identifiable. The Commission, after all, provides a relevant list in this context:27
BCR make it possible to:
- be in compliance with the principles set out by Articles 25 and 26 of the European Directive 95/46 for all flows of data within the group which are covered by the scope of the BCR,
- harmonise practices relating to the protection of personal data within a group,
- prevent the risks resulting from data transfers to third countries,
- avoid the need for a contract for each single transfer,
- communicate externally on the company's data protection policy,
- have an internal guide for employees with regard to the personal data management,
- make data protection integral to the way the company carries out its business.
27 European Commission, What are the advantages of BCR?, information available at http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/index_en.htm
Indeed the list is comprehensive with regard to the BCR advantages. BCR are specifically addressed at multinational controllers or processors that would otherwise need to file for multiple permits in EU Member States, according to requirements posed by Directive 95/46 and its transposing national legislations.28 Such a process could prove counter-productive, in view of the fact that it ultimately refers to the same region (the EU) applying essentially the same rules (those of Directive 95/46). BCR therefore develop a twofold function: on the part of their addressees (processors and controllers) they streamline and simplify processes; on the part of DPAs and the right to data protection, they constitute a de facto consistency and one-stop-shop mechanism: identification of a Lead DPA to handle the matter centrally and adherence to the relevant outcome by all DPAs concerned constitute basic parts of the respective GDPR mechanisms discussed above (under Chapter 2). Evidently, the advantages of such mechanisms within the contemporary personal data processing environment have been well identified by EU DPAs over the past decade, and practical, case-specific solutions, such as the one pertaining to BCR, were introduced to address them. The GDPR, in a way, institutionalises these approaches, validating at the same time their significance for personal data protection.
3.3 The difficulties arising from BCRs’ lack of generalisation
Since their introduction, as streamlined and particularised in the Article 29 Working Party’s documents described above (under 3.1) and in the Commission’s corresponding webpages filled with practical instructions and guidance, BCR became over the years one of the basic alternatives for international data transfers. They therefore attracted significant attention in legal theory.29 With regard to the difficulties identified, the practical difficulty and cost of drafting have been repeatedly highlighted. Apparently, the preparation of a series of BCR drafts in cooperation with the Lead DPA and their revision until all DPAs concerned are satisfied with them, so as to become final, is a lengthy, complex and costly procedure. Perhaps expectedly so, however, given that the personal data processing of multinationals is involved, which may span several EU and non-EU countries.
28 In particular, “BCR are a solution for multinational companies which export personal data from the European Economic Area to other group entities located in third countries which do not ensure an adequate level of protection”, ibid.
29 See, for instance, Bender D/Ponemon L, Binding Corporate Rules for Cross-border Data Transfer, Rutgers Journal of Law & Urban Policy, Vol 3:2, 2006; Wugmeister M/Retzer K/Rich S, Global Solution for Cross-Border Data Transfers: Making the Case for Corporate Privacy Rules, 38 Geo. J. Int'l L. 449 (2006-2007); Kulesza J, Walled Gardens of Privacy or Binding Corporate Rules: A Critical Look at International Protection of Online Privacy, 34 UALR L. Rev. 747 (2011-2012); Moerel L, Binding corporate rules: Fixing the regulatory patchwork of data protection, doctoral thesis, Tilburg Institute for Law, Technology, and Society (TILT), 2011.
However, the implementation per se of BCR is not the aim of this analysis. Rather, this analysis focuses on the lessons learned through them in view of DPA cooperation and mutual recognition under the new GDPR processes (one-stop-shop and consistency mechanisms) that will become effective in the near future. From this point of view, a number of issues may be highlighted with regard to BCR that we consider also of relevance to these forthcoming mechanisms:
- Not all EU DPAs participate in this “mutual recognition” mechanism. As clarified on the Commission website, “at the moment twenty-one countries are part of the mutual recognition procedure”.30 In view of the BCR mechanism’s self-evident practical importance as well as the many years it has been in effect, it could be assumed that the lack of uniform participation among EU DPAs is intentional. Therefore, if this finding is to serve as a relevant example for the future, the reasons that have led to this difficulty need to be addressed in a convincing manner for all EU DPAs;
- Only eighty-five companies have “closed” the BCR procedure. This is perhaps a surprising finding, given BCRs’ clear advantages for all multinational processors or controllers whose personal data processing spans several EU and non-EU countries. Here again it could be assumed that the practical disadvantages of BCRs (which are not visible from a lege lata perspective) are such that they probably outweigh their advantages, leaving them relevant only for a handful of companies willing to provide the resources and effort needed. Equally, if one wished to extrapolate to the GDPR environment, attention needs to be given so that the one-stop-shop mechanism becomes reachable by the majority of controllers and processors in the EU and not only by a minority who can afford it;
- Cost and time constraints need to be taken into account. This constitutes perhaps an obvious observation, which has however probably “condemned” BCR to very few applicants over the past decade and is relevant to the GDPR environment particularly because the GDPR pays special attention to the “specific needs of micro, small and medium enterprises”;31
- Flexibility is important. In view of the above limitations (non-uniform EU participation and limited appeal to its addressees, two findings that could well be feeding each other), it is conceivable that the vast majority of international data transfers make use of the other alternatives provided for in Directive 95/46. This is an important finding, which may run counter to the aspirations of EU DPAs when they introduced BCR back in 2003 with the intention that they cover multinational cross-border personal data processing (see above, under 3.1). However, reality has proven different, and controllers and processors apparently found other legal paths (model clauses, the “safe harbour” arrangement) more desirable. This is why under the GDPR it is not advisable to adopt a “patronizing” approach, trying to promote any one of its mechanisms over the others, but rather to provide for a multitude of legal instruments and then leave their addressees to decide which one suits their specific needs better.
30 Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Estonia, France, Germany, Iceland, Ireland, Italy, Latvia, Liechtenstein, Luxembourg, Malta, the Netherlands, Norway, Slovakia, Slovenia, Spain, and the United Kingdom (information available at http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/mutual_recognition/index_en.htm).
31 See, for example, its Recitals 13, 98 and 132.
4 Proposed mutual assistance, co-ordination and co-operation regarding enforcement measures
The analysis of the challenges that apply in practice with regard to the proposed mutual assistance, co-ordination and co-operation enforcement measures under the GDPR needs to take into account the diversity of existing DPA enforcement powers and the differences between DPAs in the powers at their disposal, as well as current national limitations on sharing information. The analysis that follows is divided into three chapters, which address these issues and the diversity of approaches respectively.
4.1 Mapping DPAs’ enforcement powers
The mapping of DPAs’ enforcement powers has been addressed under this project’s Deliverable 1.32 The relevant text, which in part explains why a detailed mapping exercise is considered impractical, particularly at this point in time, is therefore reproduced below:
One activity of the PHAEDRA II project is the mapping of the enforcement powers of
DPAs. We asked DPAs if they felt this would be a useful exercise, and if they could make
use of a centralised database of the foundation legislation granting DPAs their authority
and powers, or if a mapping exercise would need to summarise powers and capacities
more succinctly.
Several DPAs expressed their support for the activity. This was based upon the
advantages of knowing the capacities of other DPAs when it came to joint investigations
and other forms of co-operation, such as sharing information. Knowing what others were
capable of, without having to ask direct questions was seen as potentially aiding planning
activities, particularly in their initial early stages. It was also seen as potentially useful
when a complaint from a data subject has to be channeled through another country. DPAs
acknowledged the often significant differences between their capacities and their
enforcement powers under the current framework. Differences raised included access to
police files, sanctions and the ability to levy fines (of differing amounts). Having powers
visible was seen as a relatively important goal.
DPAs generally did not think that a straightforward gathering of foundational legislation
would be sufficient or particularly useful, given that such legislation could exist across
and make reference to multiple acts, and a reader would have to be able to parse these
potentially complex legal documents in order to understand the particular powers of a
fellow DPA. Therefore a mapping exercise would need to extract competencies from the
foundational legislation, and make the former available in a more structured, easily
understood, comparable form - some form of "country fact sheet". Other information on
this could include international contact points for key issues. Mapping the enforcement
powers of the EDPB was also raised in this context.
Some DPAs did not see any added value from the creation of such a map or database. In this case they either felt familiar with the enforcement powers of their peers, or did not believe additional information would alter their decision making. Several DPAs informed us that they felt that this activity had been performed previously and that the results of these exercises should be available. The Article 29 Working Party, the European Commission and other parties may have performed mapping exercises. DPAs felt that they had certainly answered similar questions in the past.
A fundamental issue raised by DPAs in this context was the extent to which this exercise would be conducted before the passing of the GDPR, or afterwards. As a Regulation, some DPAs felt that the GDPR would harmonise the enforcement powers of DPAs. They therefore saw little value in conducting a mapping exercise that would be accurate for only a small number of months, until the Regulation is passed. A mapping exercise conducted afterwards would, theoretically, reveal little difference between the enforcement powers of European DPAs. A more nuanced approach for the mapping exercise was therefore seen as necessary by some DPAs – the mapping exercise would not focus upon core enforcement powers under the GDPR, but instead upon the way that the enforcement powers in the GDPR interacted with additional and existing legislation at the Member State level (for example administrative law, audit laws, laws on minor offenses, etc.). One DPA raised the challenge that a mapping of DPA enforcement powers might, to be meaningful, also have to map DPA enforcement strategies (for example, the balance between education, consultancy and enforcement, and the willingness to use particular powers) and that this would be a political issue for DPAs. However, in the post-GDPR context, a global mapping exercise was still seen as useful.
32 Phaedra II: Authorities' views on the impact of the data protection framework reform on their co-operation in the EU, July 2015, Chapter 5.3.
The above constitutes the DPAs’ approach to the matter and, as explained, partially explains our corresponding finding that a detailed mapping exercise of EU DPAs’ enforcement powers is, at this point in time at least, impractical. The following explanatory reasons are intended to complement the above, and at the same time to provide some feedback on the necessary considerations for such an exercise:
- As also identified by DPAs, a mere gathering of foundational information on the enforcement powers of DPAs and its subsequent insertion into a table would not be sufficient or particularly useful. In order to understand them so as to provide practical guidance, a reader would indeed have to be able to navigate complex legal documents in order to understand the particular powers of a DPA. Consequently, in order for the exercise to become useful it first and foremost needs to be preceded by a comparative law analysis in civil law, administrative law and potentially also criminal law among Member States;
- The term “enforcement” itself may be perceived differently in different Member States, so the same preparatory exercise would have to closely define it, taking account of various local legal system parameters, such as the law on investigations/criminal procedure, the legal status of DPAs, what enforcement measures actually include in each Member State, the existence of any appeal processes, etc.;
- Even identifying and paralleling the legal provisions does not provide an accurate picture of DPA enforcement in a specific Member State, because practices also matter and these cannot be evidenced. For example, shortcomings in a DPA’s founding documents with regard to its investigatory powers may be resolved in practice through its seamless cooperation with the state agencies needed to assist it in this regard. Consequently, while in theory, by cross-examining the legal provisions in effect, a shortcoming, in the sense of a lack of relevant powers, may appear, this may well not be the case in practice;
- In the same regard, experience is an important factor in enforcement that also may not be evidenced. A DPA may in theory possess all the legal tools for enforcement, but unless it has long experience in applying them, it will not be aware of the practical issues that may lie ahead of it: for example, case law resulting from an appeal launched by a dissatisfied controller or data subject against an enforcement decision by a DPA may, if the court decides against that DPA, substantially affect its enforcement powers;
- The purposes, and inherent limitations, of the mapping exercise need to be clear to its recipients. A comparative mapping exercise on enforcement risks being used for purposes other than to inform and educate other Member State DPAs;
- In the same context, the notion of enforcement needs to be clearly distinguished from the notion of efficiency in applying data protection provisions by any DPA;
- Finally, and perhaps most importantly for the purposes of this analysis, the GDPR is expected to soon redraw the field in all Member States. Because it comes into effect in May 2018, with immediate direct effect across the EU, practically all Member States are in the process of amending their national legislation in order not only to accommodate its requirements but also to issue all secondary legislation needed. This process unavoidably affects the legal status of DPAs in more than one way, enforcement after all constituting a substantial (if not the most important) part of DPAs’ powers and competences. A mapping exercise carried out today would unavoidably have to reflect the law in effect in each Member State, which is practically the one that transposed Directive 95/46 into national law. In this regard, it would almost certainly be outdated by the time it was concluded.
In view of the above, we believe that a high-level approach would perhaps provide more relevant results today, which could also be taken into consideration by Member States while drafting their amended data protection legal frameworks. By keeping all other variables (Member State legal systems, the legal status of DPAs within each one of them, the interplay of the relevant provisions with the judicial system in place) outside the limits of this analysis, and by examining only the provisions of the Member State data protection acts as well as the perceptions of DPAs themselves, as evidenced in interviews under Deliverable 1 of this project,33 the following may be concluded:
- Important differences among the enforcement powers of Member State DPAs are to be found in their founding legal texts, meaning Member State data protection acts. While certain DPAs are equipped with powers resembling those of a judicial authority (investigation of all controllers and the power to impose fines on anybody), others may be faced with limitations in this regard (for example, not being able to levy fines on state agencies). While these differences may be attributed to legal or other reasons, they most likely will need to be eradicated by the time the new GDPR (particularly its one-stop-shop mechanism) comes into effect. A common minimum set of enforcement powers could be useful in this regard;
- Evidently, important differences exist among Member States’ legal systems, which in turn substantially affect the enforcement powers of their DPAs. In view, however, of the analysis above, this factor of complexity is difficult to address, or even to map. A level of flexibility for DPAs to deal themselves with their national legal systems, which they evidently know better than anyone else, probably needs to be afforded to them, focusing therefore on the result of enforcement and not on the national law details behind it;
- Finally, important differences exist with regard to the approach each DPA adopts to its enforcement powers. As evidenced in this project’s Deliverable 1, approaches range widely from strict and judicial-like application of the law in effect to user-friendly and guidance-oriented approaches that only resort to resolute measures against controllers if no other alternative exists. Here again a level of flexibility is advised, because ultimately DPAs reflect local cultures and practices upon local controllers, without however endangering the overall data protection level;
- An important question is how, and whether, these identified differences will be justified under the GDPR. In particular, the one-stop-shop mechanism is based on the idea of mutual trust among DPAs. In essence, each EU DPA ought to trust that any of its colleagues, who may be appointed as the Lead DPA in a case also affecting its own jurisdiction, will achieve an end-result on that specific case (meaning, against a specific controller) comparable to what it would have achieved itself, if it were the only DPA handling the case. If differences remain, and this leads to dissatisfied DPAs believing that fellow DPAs did not pursue a case adequately because of a local lack of enforcement powers, then this will undermine the mechanism, and ultimately the GDPR itself;
- The consistency mechanism may be too high-level to address differences in enforcement among EU DPAs. As seen above (under 2.1), this mechanism is designed to be called upon only in important cases and cross-border processing. Unless therefore a particular difference develops into an important issue for EU data protection overall, this mechanism will most likely not be used to eradicate differences in enforcement across the EU. No other formal mechanism to deal with them is foreseen, perhaps other than ad hoc intervention by the Board or the Commission. It is therefore important for EU DPAs to try to align their enforcement powers with fellow DPAs under the new regulatory framework of the GDPR during the law-making process within their respective Member States.
33 Ibid.
4.2 Sharing information (including confidential information)
Effective cooperation among DPAs depends, inter alia, on the ability to exchange case-related information. This exchange of information not only constitutes a common practice among DPAs but is also necessary for them to fulfil their functions. Moreover, cooperation is now situated at the heart of the institutional system created by the GDPR, which is well aware of the serious challenges that globalised data flows present for ensuring privacy and data protection compliance. These increased transborder data flows must be backed by increased cross-border information sharing and enforcement cooperation between supervisory authorities both inside the EU and internationally. This development is at the forefront of the GDPR, and cooperation among national data protection authorities on issues with a wider European impact is a key element of the new approach. As the WP29 affirms, the new governance model established by the Regulation is built on three pillars: a greater role for the national DPAs, enhanced co-operation between authorities and consistency at EDPB level.34 The three priorities rest on the premise of a common and well-designed system for the exchange of information.
As explained below, the GDPR determines that EU DPAs shall cooperate with each other in regard to some of the most important data protection enforcement powers, that is, provision of information and mutual support regarding authorisations and consultations, inspections and investigations. So far exchanges of information have been taking place in the context of activities of a very different nature, and DPAs have reported a wide range of types of information that they share, including plans and intentions, case law, decisions, experiences and best practices, informal thinking, opinions, and requests for opinions.35 Nonetheless, within the framework of their supervision activities, Member States attach vital importance to the activities of investigation, monitoring and enforcement of EU data protection law.
Indeed, within the European Union, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Directive) refers to the exchange of information in general terms in its Article 28(6): “The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information”. So does the GDPR in the list of what are considered to be the main and generic tasks of each supervisory authority in Article 57(1). In the broader European framework, Convention 108 of the Council of Europe – now pending modernisation – also promotes cooperation in Article 13, which stipulates the obligation of mutual assistance between signatories.36
34 Article 29 Data Protection Working Party, Statement on the 2016 action plan for the implementation of the General Data Protection Regulation (GDPR), 2 February 2016.
35 Barnard-Wills, David and David Wright, Deliverable D1: Authorities’ views on the impact of the data protection framework reform on their co-operation in the EU, London-Brussels-Warsaw-Castellón, July 2015, p. 16.
36 Article 13 of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data determines that, in order to implement the Convention, the Parties agree to render each other mutual assistance and places the obligation to share all factual information, that is non-personal data, in relation to a case. The Consolidated text of the modernisation proposals of Convention 108 finalised by the CAHDATA in June 2016/Article 12.bis (paragraph 7bis) of the Draft modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data in September 2016 nuances this limitation and
Coming back to Europe and according to Article 57(1) of the GDPR,
1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:
(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation.
Together with this general provision, many other articles in the GDPR refer to sharing information from one DPA to another or to the EDPB, as it is a precondition for the effective implementation of the new cooperation mechanisms laid down in Chapter VII of the GDPR, whose implementation will require the exchange of information between DPAs and will therefore certainly require swift, flexible and secure procedures.
Most of the mentioned articles incorporate detailed procedures that specify deadlines, means and
conditions for the transmission of information. All of them include the reference to the exchange of
relevant information for the purposes of cooperation between the lead supervisory authority and the
other supervisory authorities concerned (Article 60), of providing mutual assistance (Article 61), and
of implementing the consistency mechanism (Section 2, Articles 63 and following articles). This
mention arises a major concern as the provisions contain no explicit clause on exchange of
confidential or otherwise protected information. Yet, national laws often protect such information as it
is considered as confidential, restricted or secret. These laws usually impose on their authorities the
obligation of professional secrecy, which may in turn limit the DPAs’ powers to share such
information with DPAs in other Member States.
In this chapter, a brief statement of the regulations generally referring to the governing the exchange
of information is presented in Section 2 followed by an analysis of the notion of relevant information
and a reference to the specific cooperation mechanisms requiring the exchange of information
(Sections 3 and 4). The effective exchange of information is in potential conflict with the
confidentiality obligations that may prevent DPAs for releasing restricted information between them.
This question is developed in Section 5.
In the current and future state of play, some questions arise concerning the way Member State
legislations empower DPAs regarding to the exchange of information, the current safeguards applied
by Member States when information is exchanged, the types of information set out in Member States
national law and the procedures for requesting such information. This part of the chapter will show
that the absence of procedures framing information requests in national laws does not preclude
information exchange among DPAs, including confidential information. These issues will be treated
in Section 6 of this study which ends with practical examples of tools used to exchange information.
The principle of confidentiality in the GDPR will be analysed in Section 7 and Section 8 provides a
final assessment of the GDPR provisions regarding the exchange of information.
stipulates that shared information the shared shall not include personal data undergoing processing unless such
data are essential for co-operation, or where the data subject concerned has given explicit, specific, free and
informed consent to its provision.
60
4.2.1 Regulations governing the exchange of information under the GDPR
As mentioned above, the Data Protection Directive does not directly address the issue of the exchange
of information, nor does it regulate what constitutes confidential or otherwise protected information or
the conditions under which it can be shared. In practice, there is a variety of provisions in the
legislation governing DPAs and privacy enforcement authorities that enhance, constrain or qualify the
sharing of information with other DPAs.[37] Indeed, the exchange of information among EU DPAs in
relation to investigations is very common. Many DPAs understand that they are authorised to do so in
accordance with the already mentioned provisions of the Data Protection Directive or Convention
108 (Estonia, Finland, Netherlands). Other DPAs limit the information transferred, taking into
account the results of the inspection performed (Bulgaria), to the extent that it is required in order
to comply with the provisions of national data protection legislation (Denmark), within their
scope of power (Slovakia), or as limited by the principle of confidentiality (United Kingdom).
Concerning the exchange of information, the new Regulation requires DPAs to share “relevant”
information with each other in several articles, but the most relevant ones are those devoted to the
regulation of the new cooperation and mutual assistance mechanisms.
[37] Wright D, Enforcing privacy. Regulatory, Legal and Technological Approaches, in Wright D/De Hert P
(editors), Springer, 2016, pp. 28ff.
Concerning the cooperation between the lead supervisory authority and the other supervisory
authorities concerned, Article 60(1) of the GDPR provides:
1. The lead supervisory authority shall cooperate with the other supervisory authorities
concerned in accordance with this Article in an endeavour to reach consensus. The lead
supervisory authority and the supervisory authorities concerned shall exchange all relevant
information with each other.
Moreover, concerning mutual assistance, Article 61(1) of the GDPR reads as follows:
1. Supervisory authorities shall provide each other with relevant information and mutual
assistance in order to implement and apply this Regulation in a consistent manner, and shall put
in place measures for effective cooperation with one another. Mutual assistance shall cover, in
particular, information requests and supervisory measures, such as requests to carry out prior
authorisations and consultations, inspections and investigations.
2. Each supervisory authority shall take all appropriate measures required to reply to a request
of another supervisory authority without undue delay and no later than one month after
receiving the request. Such measures may include, in particular, the transmission of relevant
information on the conduct of an investigation.
3. Requests for assistance shall contain all the necessary information, including the purpose of
and reasons for the request. Information exchanged shall be used only for the purpose for which
it was requested.
4. The requested supervisory authority shall not refuse to comply with the request unless:
(a) it is not competent for the subject-matter of the request or for the measures it is requested to
execute; or
(b) compliance with the request would infringe this Regulation or Union or Member State law
to which the supervisory authority receiving the request is subject.
5. The requested supervisory authority shall inform the requesting supervisory authority of the
results or, as the case may be, of the progress of the measures taken in order to respond to the
request. The requested supervisory authority shall provide reasons for any refusal to comply
with a request pursuant to paragraph 4.
6. Requested supervisory authorities shall, as a rule, supply the information requested by other
supervisory authorities by electronic means, using a standardised format.
7. Requested supervisory authorities shall not charge a fee for any action taken by them
pursuant to a request for mutual assistance. Supervisory authorities may agree on rules to
indemnify each other for specific expenditure arising from the provision of mutual assistance in
exceptional circumstances.
8. Where a supervisory authority does not provide the information referred to in paragraph 5 of
this Article within one month of receiving the request of another supervisory authority, the
requesting supervisory authority may adopt a provisional measure on the territory of its Member
State in accordance with Article 55(1). In that case, the urgent need to act under Article 66(1)
shall be presumed to be met and require an urgent binding decision from the Board pursuant to
Article 66(2).
9. The Commission may, by means of implementing acts, specify the format and procedures for
mutual assistance referred to in this Article and the arrangements for the exchange of
information by electronic means between supervisory authorities, and between supervisory
authorities and the Board, in particular the standardised format referred to in paragraph 6 of this
Article. Those implementing acts shall be adopted in accordance with the examination
procedure referred to in Article 93(2).
The GDPR aims to encourage and facilitate the exchange of information not only within the EU
but also with third countries, a provision not found in the Data Protection Directive.
Indeed, Article 45(1) specifies that
1. A transfer of personal data to a third country or an international organisation may take place
where the Commission has decided that the third country, a territory or one or more specified
sectors within that third country, or the international organisation in question ensures an
adequate level of protection. Such a transfer shall not require any specific authorisation.
Furthermore, Article 50(4) specifies that
In relation to third countries and international organisations, the Commission and supervisory
authorities shall take appropriate steps to:
(a) develop international cooperation mechanisms to facilitate the effective enforcement of
legislation for the protection of personal data;
(b) provide international mutual assistance in the enforcement of legislation for the protection
of personal data, including through notification, complaint referral, investigative assistance and
information exchange, subject to appropriate safeguards for the protection of personal data and
other fundamental rights and freedoms;
(c) engage relevant stakeholders in discussion and activities aimed at furthering international
cooperation in the enforcement of legislation for the protection of personal data;
(d) promote the exchange and documentation of personal data protection legislation and
practice, including on jurisdictional conflicts with third countries.
Accordingly, Recital 116 provides that:
When personal data moves across borders outside the Union it may put at increased risk the ability of
natural persons to exercise data protection rights in particular to protect themselves from the unlawful
use or disclosure of that information. At the same time, supervisory authorities may find that they are
unable to pursue complaints or conduct investigations relating to the activities outside their borders.
Their efforts to work together in the cross-border context may also be hampered by insufficient
preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource
constraints. Therefore, there is a need to promote closer cooperation among data protection
supervisory authorities to help them exchange information and carry out investigations with their
international counterparts. For the purposes of developing international cooperation mechanisms to
facilitate and provide international mutual assistance for the enforcement of legislation for the
protection of personal data, the Commission and the supervisory authorities should exchange
information and cooperate in activities related to the exercise of their powers with competent
authorities in third countries, based on reciprocity and in accordance with this Regulation.
And Recital 133 sets that:
The supervisory authorities should assist each other in performing their tasks and provide mutual
assistance, so as to ensure the consistent application and enforcement of this Regulation in the internal
market. A supervisory authority requesting mutual assistance may adopt a provisional measure if it
receives no response to a request for mutual assistance within one month of the receipt of that request
by the other supervisory authority.
These exchanges of information do not fall within the scope of this analysis. The scope of the study will
be limited to the 28 EU Member States, countries that will have to abide by the new Regulation from
May 2018. Concerning information-sharing and, more generally, cooperation between a DPA of an EU
Member State and a DPA of a third country, ad hoc agreements are signed between DPAs,
which appear under a plethora of titles: Memorandum of Understanding, Cooperation Agreement,
Collaboration Declaration, Declaration on Further Collaboration, Declaration on Joint Co-operation,
Memorandum of Multilateral Cooperation, among others.[38]
4.2.2 The notion of “relevant information”
The boost given by Chapter VII of the GDPR affects the exchange of information in two different
aspects: its nature and its definition. The latter becomes mandatory; the former includes the term
“relevant information”.
Sharing relevant information is specifically mentioned in Articles 60 (1, 3), 61 (1, 2) and 64 (4, 5):
Article 60
1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in
accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and
the supervisory authorities concerned shall exchange all relevant information with each other.
3. The lead supervisory authority shall, without delay, communicate the relevant information on
the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision
to the other supervisory authorities concerned for their opinion and take due account of their views.
Article 61
1. Supervisory authorities shall provide each other with relevant information and mutual assistance
in order to implement and apply this Regulation in a consistent manner, and shall put in place
measures for effective cooperation with one another. Mutual assistance shall cover, in particular,
information requests and supervisory measures, such as requests to carry out prior authorisations and
consultations, inspections and investigations.
2. Each supervisory authority shall take all appropriate measures required to reply to a request of
another supervisory authority without undue delay and no later than one month after receiving the
request. Such measures may include, in particular, the transmission of relevant information on the
conduct of an investigation.
Article 64
4. Supervisory authorities and the Commission shall, without undue delay, communicate by
electronic means to the Board, using a standardised format any relevant information, including as
the case may be a summary of the facts, the draft decision, the grounds which make the enactment of
such measure necessary, and the views of other supervisory authorities concerned.
5. The Chair of the Board shall, without undue delay, inform by electronic means:
(a) the members of the Board and the Commission of any relevant information which has been
communicated to it using a standardised format. The secretariat of the Board shall, where necessary,
provide translations of relevant information;
[38] Information on the aforementioned agreements is available in previous studies of PHAEDRA. Specifically,
Part 3 of Deliverable 2.1, A compass towards best elements for cooperation between data protection authorities,
includes the full text of the agreements between DPAs that are available online and a brief analysis of agreements
between DPAs that are not available online but that were shared with the PHAEDRA consortium. In-depth
research on BCRs is provided in this study (see Chapter 3, pp. 24-27).
Relevance can be defined as the quality or state of being closely connected or appropriate. In this
regard, the indications given by some of the consulted DPAs in previous studies of PHAEDRA are
particularly pertinent. Indeed, DPAs considered relevant information to be the information necessary to
respond to or to resolve a specific case. Relevance was assessed through contextual criteria.[39]
Ultimately, the requesting authority determines whether the information received is sufficient, as set
out by Article 61(3) of the GDPR: “Requests for assistance shall contain all the necessary
information, including the purpose of and reasons for the request. Information exchanged shall be
used only for the purpose for which it was requested.”
Furthermore, it is understood that the term “relevant information” allows a certain flexibility to
encompass all conceivable elements of the information. Indeed, the legislator has chosen this general
term instead of an exhaustive list (which is by nature limited) with the aim of not leaving behind
actual or future elements of what could be considered “relevant information”. In the present case,
the choice of the term “relevant” is well suited to addressing this problematic issue.
The uncertainty remaining in the GDPR about the limits of the exchange of information leaves three
main doubts open: (1) the need for a homogeneous interpretation of the confidentiality clause throughout
Europe, so that it cannot be wielded against the request of another supervisory authority; (2) the
implementation of a mechanism allowing DPAs to trust the exchange of reserved information; and (3)
the creation of a secure, well-designed and appropriate system for information exchange. These doubts
were already expressed by the DPAs during the ordinary legislative procedure but were not
cleared in the final text.[40]
Another point concerning the interpretation of “information” must not be disregarded. A request for
sharing information may include materials which contain information considered confidential (or
restricted, reserved, secret) but also information relating to personal data, in the definition that results
from Article 4 of the GDPR. Cooperation on enforcement activities among EU DPAs may include
providing non-confidential or confidential information, which may or may not contain personal data.
Where the information exchanged contains personal data, the exchange is limited by
compliance with the generally agreed data protection principles, to the extent necessary for
effective data protection enforcement. This implies, on the one hand, respect for the right to
information concerning the purpose of the exchange, the possible storage or processing of data by the
receiving authority (as well as the identity of the latter), the categories of data affected, and the
possibility to exercise the rights of access and rectification. On the other hand, it implies the limitation
of the rights of access, rectification, cancellation and opposition where this is necessary for
the effectiveness of the enforcement action or where they would interfere with other domestic law
obligations. Finally, it implies the guarantee of secure treatment of sensitive data as well as the consent
of the data subject.
[39] For the most part, DPAs suggested that they currently share information as necessary and as required for a
particular case, in relation to the context of that case. There was therefore not a standard set of information that
was exchanged. Relevancy was determined through contextual criteria, ranging from "all pieces of information
that are useful in assessing the issue at hand" to "all relevant information need(ed) to take the appropriate
procedural and material measures in order to solve a case" and "the information which we consider as necessary
for adoption of a decision". Relevancy was determined by the informing DPA, with the possibility of
negotiation and discussion if the receiving DPA felt there was some information missing (Barnard-Wills, David
and David Wright, Deliverable D1: Authorities’ views on the impact of the data protection framework reform on
their co-operation in the EU, London-Brussels-Warsaw-Castellón, July 2015, p. 14).
[40] Barnard-Wills D/Wright D, Deliverable D1: Authorities’ views on the impact of the data protection
framework reform on their co-operation in the EU, London-Brussels-Warsaw-Castellón, July 2015, p. 14.
4.2.3 A variety of procedures for sharing information
As this chapter will show, cooperation among DPAs has been taking place for a long time. This
cooperation has been characterized as irregular, heterogeneous and often based on questions of
geographical proximity and trust. In fact, among the findings of the first report delivered by
PHAEDRA II, many DPAs affirmed that the exchange of information through "unstructured"
methods was not problematic and that cooperation between authorities could work.[41]
The Data Protection Directive does not include a specific procedure framing information requests from
one EU DPA to another EU DPA, nor a general provision creating an obligation on Member
States to develop national procedures on this matter. The legislation of Member States remains silent
as regards specific procedures that could frame the multiple exchanges among DPAs. Nevertheless,
DPAs do exchange information, mainly through existing frameworks where they exchange it
informally. These informal exchanges take place in different fora and through various means. Indeed,
DPAs participate, to a greater or lesser extent, in different conferences and seminars organized
worldwide where they have the opportunity to share good practices or new policies, present
new projects or formalize bilateral agreements.
Among the existing EU frameworks, the most relevant platform within the EU where EU DPAs are
able to exchange information is the Article 29 Data Protection Working Party (WP29).[42] During its
plenary sessions or during the meetings of its different groups (including the “cooperation” sub-group,
in charge of discussing cooperation issues), representatives of the EU DPAs are able
to exchange information about particular files or issues of interest. Sometimes, within the framework
of the WP29, task forces are created voluntarily by several DPAs to work together on a specific case.[43]
Additionally, the WP29 may bring together interested DPAs to create a working group to cooperate on a
certain case.[44]
[41] Moreover, the conclusion was that “clever and well-designed systems for information exchange would likely
not harm DPA co-operation, but if their absence was not the key barrier or challenge, then they would have
little positive impact”, Barnard-Wills D/Wright D, ibid, p. 16.
[42] The WP29 is composed of representatives from the different EU DPAs, the European Data Protection
Supervisor and the European Commission. It is the most important European platform for cooperation among
EU DPAs and its main role is advisory and the promotion of uniform application of EU data protection law. The
WP29 meets about 5 times a year in Brussels.
[43] This was the case for the drafting of Opinion 04/2013 on the Data Protection Impact Assessment Template
for Smart Grid and Smart Metering Systems prepared by Expert Group 2 of the Commission’s Smart Grid Task
Force.
[44] For instance, following a Facebook statement regarding the amendment of its privacy policy, a working group
was set up in March 2015 in the framework of the WP29, composed of five DPAs that decided to investigate the
matter (France, Belgium, the Netherlands, Spain and Hamburg).
The European Conference of Data Protection Authorities (or Spring Conference) is also used by EU
DPAs to share information. Indeed, this Conference is composed of DPAs from EU Member States
and from the Council of Europe that meet every year in spring to discuss issues of common interest
and to exchange information and experiences on different topics. The EDPS is also represented and
contributes to the discussions. The conference usually ends with the adoption of documents.
EU DPAs also exchange information at the meetings of the Council of Europe Consultative
Committee on the protection of personal data[45] (the TPD, which stands for traité de protection des
données). This Committee acts as a forum for exchanges on privacy challenges and developments.
Chapter V of the Council of Europe Convention 108 on the protection of personal data established the
Committee.
Other platforms[46] where EU DPAs are able to exchange information are the Meetings of the Central
Eastern European Data Protection Authorities (CEEDPA)[47] and the Conference of Balkan Data
Protection Authorities.[48]
A special form of cooperation has been set up by the Nordic DPAs, formed by the DPAs of Denmark,
Sweden, Finland, Norway and Iceland. Joint Nordic Inspections are usually performed once per year, and
the Nordic DPAs provide assistance to each other a few times a year. These inspections have proved to be
“successful and have led to good results and practices”.[49]
Among the existing international frameworks, the most relevant platforms where EU DPAs are able to
exchange information are the International Conference of Data Protection and Privacy Commissioners
(ICDPPC) and the Global Privacy Enforcement Network (GPEN). The purposes of the ICDPPC are,
inter alia, to promote and enhance personal data protection internationally, to draft and adopt joint
resolutions and to encourage and facilitate cooperation and the exchange of information.[50] The GPEN
aims at facilitating cross-border cooperation in the enforcement of privacy laws. The Network enables
privacy regulators worldwide to work and cooperate as they address risks to the personal information
of their citizens. 17 out of the 28 EU DPAs are members of the GPEN.
Finally, at a sectoral and thematic level,[51] four mechanisms exist where a small number of EU DPAs
are able to exchange information.
Regionally, EU DPAs are part of larger networks: the Ibero-American Data Protection Network and
the Association of Francophone Data Protection Authorities.[52]
[45] More detailed information is available here: Barnard-Wills D/Wright D, Workstream 1 report: Co-operation
and Co-ordination between Data Protection Authorities, London-Brussels-Warsaw-Castellón, July, pp. 87ff.
[46] Ibid, pp. 91ff.
[47] EU DPAs participating in these meetings: Poland, Czech Republic, Slovenia, Estonia, Hungary and Bulgaria.
[48] EU DPAs participating in these conferences: Czech Republic, Hungary and Slovenia.
[49] Quote from the Finnish Data Protection Ombudsman, available at
http://www.tietosuoja.fi/en/index/ajankohtaista/nordicdataprotectionauthorities8217meetinginhelsinki.html
[50] Text available at
https://privacyconference2013.org/web/pageFiles/kcfinder/files/RULES_AND_PROCEDURES2.pdf
[51] Following the classification of Wright D, in Enforcing privacy, ibid, pp. 38-39.
Thematically, EU DPAs exchange information in the area of telecommunications, through the International
Working Group on Data Protection in Telecommunications,[53] and in the area of spam, through the
International Cybersecurity Enforcement Network (the so-called LAP, London Action Plan). The
London Action Plan seeks to promote international spam enforcement cooperation and address spam-related
issues (online fraud and deception, phishing, dissemination of viruses…). Both private sector
representatives and government and public agencies are represented. DPAs from Ireland, Spain and
the UK are part of this network. Moreover, other EU Member States (Belgium, Finland, Hungary, Latvia,
the Netherlands, Portugal and Sweden) are represented through other governmental bodies, mainly
consumer agencies.[54]
Faced with this plethora of mechanisms for the exchange of information among DPAs, the Regulation
gives further insight into practical cooperation and addresses some important details concerning the
way in which mutual assistance and cooperation are going to be implemented in practice. The
specification of procedural steps is assessed positively, as proper implementation of the exchange of
information has to be based on predefined, clear and common rules. Thus, some aspects related to
information exchange procedures are found in the GDPR, especially as regards the obligation to
respond and the deadlines that apply, with a clear distinction depending on the mechanism that is
being implemented.
The cooperation mechanism provided in Article 60 (cooperation between the lead supervisory authority
and the other supervisory authorities concerned) shows an effort by the legislator to specify key
practical issues of the cooperation. For instance, it provides specific time limits in paragraphs 4 and 5[55]
and imposes the obligation to “notify” the decision at stake in paragraphs 7-10. However, paragraph 3
remains very vague when it establishes the obligation to “communicate the relevant information”.
Indeed, it specifies neither the nature of the “relevant information” nor the timing of
the communication (“without delay”). The time of submission of the draft decision referred
to in the last sentence of paragraph 3 is also not stipulated.[56]
[52] A comprehensive analysis of this mechanism is available here: Barnard-Wills D/Wright D, Workstream 1
report: ibid, pp. 128ff.
[53] Ibid, p. 90.
[54] http://londonactionplan.org/member-organizations/
[55] Article 60(4): “Where any of the other supervisory authorities concerned within a period of four weeks after
having been consulted in accordance with paragraph 3 of this article, expresses a relevant and reasoned
objection to the draft decision, the lead supervisory authority shall (…) submit the matter to the consistency
mechanism (…)”. Article 60(5): “Where the lead supervisory authority intends to follow the relevant and reasoned
objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their
opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period
of two weeks.”
[56] Article 60(3): “The lead supervisory authority shall, without delay, communicate the relevant information on
the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the
other supervisory authorities concerned for their opinion and take due account of their views.”
[57] Article 61(2): “Each supervisory authority shall take all appropriate measures required to reply to a request
of another supervisory authority without undue delay and no later than one month after receiving the request.”
In the second mechanism, set out in Article 61 under the title of “mutual assistance”, the legislator has
given both specific and general instructions. For instance, it provides in its first paragraph details on
what mutual assistance should cover (“requests to carry out prior authorisations and consultations,
inspections and investigations”). It also specifies the time limits to be respected in Article 61(2)[57] and
61(8),[58] imposes the use of electronic means and a standardised format (paragraph 6) and prohibits
requested supervisory authorities from charging a fee for any action taken by them pursuant to a request
for mutual assistance (paragraph 7). Nevertheless, the Regulation lacks any precision when it comes to
defining “relevant information” (paragraph 1), “all appropriate measures” to be taken (paragraph 2) or
“all the necessary information” (paragraph 3).
The consistency mechanism (Articles 63 to 67) imposes new obligations. Apart from the obligation to
use electronic means and a standardised format (paragraph 4 of Article 64), Article 64(5a) requires the
secretariat of the Board to provide translations when necessary. Moreover, Article 65(5) compels the
Board to publish on its website the decisions taken in the context of dispute resolution. The
legislator has made a clear effort of definition in this mechanism, leaving less uncertainty[59]
compared to the other two mechanisms. Indeed, time limits are known,[60] limits to the “without undue
delay” expression are set out,[61] “relevant information” is defined[62] and the majorities needed to adopt
decisions are outlined.[63]
Even if the GDPR’s provisions deserve a very positive assessment, as they will encourage and guarantee a
free flow of information among the DPAs concerned and the EDPS, a comprehensive regulation on
how the exchange of information will be ensured should also include other important issues, inter alia:
use of language, amount and nature of the information requested, as well as technical means, formats
and procedures for information sharing and budget for supervisory activities. In day-to-day practice
these questions are vital to ensure effective cooperation among DPAs. In this sense, the GDPR
appoints the European Commission as the entity in charge of regulating these details through
implementing acts.
Indeed, Article 61(9) of the GDPR refers to the mutual assistance mechanism and provides that
9. The Commission may, by means of implementing acts, specify the format and procedures for
mutual assistance referred to in this Article and the arrangements for the exchange of
information by electronic means between supervisory authorities, and between supervisory
authorities and the Board, in particular the standardised format referred to in paragraph 6 of this
Article. Those implementing acts shall be adopted in accordance with the examination
procedure referred to in Article 93(2).
Concerning the consistency mechanism Article 67 of the GDPR reads as follows:
58 Article 61(8), “Where a supervisory authority does not provide the information (…) within one month of
receiving the request of another supervisory authority, the requesting supervisory authority may adopt a
provisional measure on the territory of its Member State in accordance with Article 55(1).”
59 Mainly, in the use of the expression “without undue delay”, see Articles 64(4) and (5) or 66(1).
60 Articles 64 (3, 7, 8), 65 (2, 3), 66 (1, 4).
61 Article 65 (6).
62 Article 64 (4). “Supervisory authorities and the Commission shall (…) communicate (…) any relevant
information, including as the case may be a summary of the facts, the draft decision, the grounds which make
the enactment of such measure necessary, and the views of other supervisory authorities concerned.”
63 Articles 64 (3), 65 (2,3), 66 (4).
1. The Commission may adopt implementing acts of general scope in order to specify the
arrangements for the exchange of information by electronic means between supervisory
authorities, and between supervisory authorities and the Board, in particular the standardised
format referred to in Article 64.
2. Those implementing acts shall be adopted in accordance with the examination procedure
referred to in Article 93(2).
Accordingly, Recital 168 provides that:
The examination procedure should be used for the adoption of implementing acts on standard
contractual clauses between controllers and processors and between processors; codes of conduct;
technical standards and mechanisms for certification; the adequate level of protection afforded by a
third country, a territory or a specified sector within that third country, or an international
organisation; standard protection clauses; formats and procedures for the exchange of information by
electronic means between controllers, processors and supervisory authorities for binding corporate
rules; mutual assistance; and arrangements for the exchange of information by electronic means
between supervisory authorities, and between supervisory authorities and the Board.
The European Commission is also the body empowered to specify details in the context of the
procedures for the exchange of information with third countries. Indeed, Article 47(3) of the GDPR
provides that
3. The Commission may specify the format and procedures for the exchange of information
between controllers, processors and supervisory authorities for binding corporate rules within
the meaning of this Article. Those implementing acts shall be adopted in accordance with the
examination procedure set out in Article 93(2).
The decision to appoint the EC did not come without criticism during the elaboration and discussion
of the Regulation, as some Member States feared that this would impinge upon the independence of
the supervisory authorities. Moreover, the EDPB was seen by some Member States as the best body to
further detail these issues (formats, procedures…). But, in the final wording of the GDPR, the
EDPB occupies a secondary position as a mere advisor on these issues, as set out in Article 70(1):
(c) advise the Commission on the format and procedures for the exchange of
information between controllers, processors and supervisory authorities for binding corporate
rules;
(u) promote the cooperation and the effective bilateral and multilateral exchange of information
and best practices between the supervisory authorities;
(w) promote common training programmes and facilitate personnel exchanges between the
supervisory authorities and, where appropriate, with the supervisory authorities of third
countries or with international organisations;
4.2.4 The question of confidential information. Legal setting among Member States
concerning the exchange of information and the obligation of confidentiality
To fully understand the progress that the new Regulation will bring to the exchange of information
and the challenges it faces, it is relevant to present concisely how the exchanges have developed so far.
The conditions and limitations imposed by national laws on this activity have been decisive in shaping
its practice. The analysis of Member States' legislation on this point leads to a threefold
classification: some Member States foresee legal provisions explicitly making reference to
“information sharing” and thus empowering DPAs concerning exchange of information; others
foresee legal provisions mentioning protected (secret, confidential…) information versus other
information that can be freely shared; and finally, in other Member States there is an absence of legal
provisions making reference to types of information or information-sharing, but they nevertheless make a
distinction and exchange information in practice. Alongside this threefold classification it is of
paramount importance to analyse the existing legal provisions on confidentiality for the DPAs and
their staff.
Legal provisions explicitly making reference to “information sharing” and thus empowering DPAs
concerning exchange of information
Among the 28 EU Member States, few are those that incorporate explicit references to “information
sharing” in their national legislations. Indeed, the authors identified the following six Member States
under this category: Bulgaria, Germany, Luxembourg, Lithuania, Malta, and the United Kingdom⁶⁴.
The Bulgarian Law for Protection of Personal Data of 2002 does not explicitly make reference to
information sharing. Nevertheless, the “Legal Affairs, Training and International Cooperation
Directorate” established by Article 25 of the Rules on the activity of the Commission for Personal
Data Protection and its administration⁶⁵ has the responsibility, amongst other things, of “[...] 10.
support[ting] the Commission in its contacts and cooperation with the national and international
institutions on personal data protection matters as well as by the exchange of information in
connection with exercising of obligations under international contract to which the Republic of
Bulgaria is party”.
The German Federal Data Protection Act of 2003 provides in its Section 38 (1, third and fourth
sentences) that “[t]he supervisory authority may process and use data it has recorded for supervisory
purposes only; [...] In particular, the supervisory authority may transfer data to other supervisory
authorities for supervisory purposes. On request, it shall provide supplementary assistance
64 Most of the information gathered in this section has been extracted from De Hert P/Boulet G, Deliverable 2.1
– “A Compass towards best elements for cooperation between data protection authorities”, Brussels, February
2014 (updated May 2014).
65 The first Rules of the Commission for Personal Data Protection were promulgated in 2002,
with the act entering into force on 31.01.2003. At the time, the so-called Special Administration was divided
into three different Directorates (Legal, Technical, and Information), but it was the responsibility of the
Common Administration, Directorate "Financial and international activity", to coordinate actions with
international institutions, and contractual obligations fell within the scope of the Legal Directorate. A merger of
responsibilities into a single entity was performed in 2008 and today this obligation is solely within the scope of
the Special Administration's responsibilities. This particular provision -Article 25 (10)- first appeared in the
revised version of the Rules which was promulgated on 10.02.2012.
(administrative assistance) to the supervisory authorities of other Member States of the European
Union”.
It is important to note that the Section referred to above concerns the supervisory authorities of the
German Bundesländer, but is equally applicable to the Federal Commissioner for Data Protection and
Freedom of Information, as regards cooperation and information sharing with other EU DPAs, on the
basis of Section 26 (4) sentence 2 of the Federal Data Protection Act. Indeed, Section 26(4) of the
Federal Data Protection Act provides that “[t]he Federal Commissioner shall work to cooperate with
the public bodies responsible for monitoring compliance with data protection provisions in the Länder
and with the supervisory authorities under Section 38. Section 38 (1) third and fourth sentences shall
apply accordingly”.
The Luxembourgish Coordinated Text of the Law of 2 August 2002 on the Protection of Persons
with regard to the Processing of Personal Data, modified by the Law of 31 July 2006, the Law of 22
December 2006 and the Law of 27 July 2007, stipulates in its Article 32§3(9) that the Luxembourgish
Data Protection Authority “will co-operate with its counterparts which are supervisory authorities set
up in other Member States of the European Union to the extent required for them to perform their
duties, notably by exchanging any appropriate information”. This provision has been present since the
first version of the Law of 2002.
The Lithuanian Law on legal protection of personal data of 21 January 2003 with amendments of 13
April 2004 provides in Article 41(7) that “[t]he State Data Protection Inspectorate shall be
empowered: [...] to exchange information with personal data supervisory authorities in other countries
and with international organisations to the extent necessary for the discharge of their duties”. This
provision has been present since the first version of the Law of 2003.
The Maltese Chapter 440 Data Protection Act of 2001 provides in Article 40(me) that the Data
Protection Commissioner “shall have the following functions: [...] to collaborate with supervisory
authorities of other countries to the extent necessary for the performance of his duties, in particular by
exchanging all useful information, in accordance with any convention to which Malta is a party or
any other international obligation of Malta”.
Section 54(3) of the United Kingdom Data Protection Act 1998 on “international cooperation” reads
as follows: “The [Secretary of State] may by order make provision as to co-operation by the
Commissioner with the European Commission and with supervisory authorities in other EEA States in
connection with the performance of their respective duties and, in particular, as to (a) the exchange of
information with supervisory authorities in other EEA States or with the European Commission”. This
provision has been present since the first version of the Law of 1998.
Legal provisions mentioning protected (secret, confidential…) information versus other
information that can be freely shared
Likewise, few Member States incorporate explicit references to “protected information” in their
national legislations. The authors identified the following seven Member States under this category:
Bulgaria, Greece, Latvia, Netherlands, Poland, Spain and Sweden.
The Bulgarian law distinguishes between business secret and confidential classified information.
Indeed, concerning confidential information a “differentiation should be made to whether this
information is classified as business secret or as confidential under the Classified Information
Protection Act (CIPA). If the data are classified as business secrets, then there is no obstacle for the
exchange of information between interested data protection authorities or privacy commissioners. If
the data are classified as confidential under the CIPA, then special certification is required for access
and use of data. The procedure for granting access is applied by another national body, the State
Commission on Information Security. Exemptions are made in cases where international treaty exists
to which Republic of Bulgaria is party or on the basis of reciprocity and to the citizens of other
countries, who perform tasks assigned to them by the state concerned or by international organization,
provided that the person have been cleared for access to classified information by the relevant
competent information security body or international organization”⁶⁶.
The Hellenic DPA, in the case of explicit provisions in laws other than the privacy law prohibiting the
sharing of confidential information, will not share that confidential information. Indeed, during the
drafting of Deliverable 2.1 the Hellenic DPA was contacted and informed that “[i]n principle, the
Hellenic DPA would be able to share information (including confidential information) with other
DPAs, unless this is prohibited by provisions included in laws other than the privacy law. Therefore,
such cases, which require such an exchange of information, are always examined ad hoc, taking into
consideration the principle of proportionality and other specific laws”⁶⁷.
The Latvian Personal Data Protection Law provides in Section 4 that “The protection of personal
data which have been declared to be official secret matters shall be regulated by the Law on Official
Secrets”.
The Dutch DPA was also contacted during the drafting of the Deliverable 2.1 and clarified that “if the
assistance provided for in Article 61(6) Wbp leads to the exchange of confidential information,
Article 2:5 of the Dutch Administrative Law (Awb) applies. Pursuant to this provision, a[n]
administrative body shall not disclose confidential information, unless (1) such is required by a [...]
statutory obligation or (2) disclosure is necessary for the performance of its duties. If the sharing of
confidential information with other DPAs in the EU is necessary for the purpose of enforcement
action, the conditions of the second exception will be met and disclosure will be permitted under
Article 2:5 Awb”⁶⁸.
The Polish DPA was contacted during the drafting of the Deliverable 2.1 and stated that “Polish
legislation envisages restrictions in making the confidential information available to other DPAs or
privacy commissioners based on the provisions of the Law on protection of classified information, or
due to other secrets protected by law, to which the Inspector General has access”⁶⁹.
The Spanish Organic Law 15/1999 of 13 December on the Protection of Personal Data provides in
its Article 2(2-b) that “The system of protection of personal data laid down by this Organic Law shall
not apply to: (…) b) Files subject to the legislation on the protection of classified materials.” The
Spanish DPA will not be authorised to share information considered secret pursuant to Law 9/1968 of
5 April on Official Secrets and its implementing rules. Nevertheless, in other cases “it would be
able to share information, including confidential information”⁷⁰.
The Swedish DPA would not be able to fully share information, including confidential information,
as “there could be restrictions according to the Swedish law on public access and secrecy”⁷¹.
66 De Hert P/Boulet G, ibid, p.26.
67 Ibid, p.69.
68 Ibid, p.85.
69 Ibid, p.89.
Absence of legal provisions making reference to types of information or information-sharing but
nevertheless making a distinction and exchanging information in practice
Even if some Member States do not foresee legal provisions making reference to types of information
or information sharing they do nevertheless distinguish and exchange information in practice. The
authors identified eleven Member States in this category: Austria, Belgium, Cyprus, Czech Republic,
Denmark, Estonia, Germany, Ireland, Italy, Portugal and Hungary.
The Austrian Data Protection Act 2000 does not distinguish between normal and confidential
information. The Austrian DPA was contacted in order to find out more about its practice
in dealing with confidential information⁷². In its response, the Austrian DPA mentioned that it rarely
dealt with confidential information. In its practice, when the Austrian DPA is confronted with a
request for assistance from another DPA, the Austrian DPA assesses whether it is competent to share
the requested information. In case of doubt, the Austrian DPA may ask for further clarifications.
Moreover, the Austrian DPA is able to share any relevant information with EU requesting DPAs as
long as the requesting DPA can demonstrate that it needs the information for exercising its duties.
The Belgian Law of 8 December 1992 on the protection of privacy in relation to the processing of
personal data (the Privacy Act) does not have any provisions distinguishing between normal and
confidential information. Nevertheless, the Belgian Privacy Commission was contacted during the
drafting of the Deliverable 2.1⁷³ and referred to the provisions on professional secrecy in Article 28.7
of Directive 95/46/EC.
The Cypriot Processing of Personal Data (Protection of individuals) Law 138 (I) 2001 does not
distinguish between normal and confidential information. Nevertheless, in practice, sharing
information, including confidential information, is possible, but the Cypriot DPA would request that PCs and
DPAs treat the information as confidential “if the particulars of the case impose, for effective
enforcement action, the need to share confidential information with other CoE / EU Privacy
Commissioners and DPAs”⁷⁴.
The Czech Republic Act 101 of April 4, 2000 on the Protection of Personal Data and on Amendment
to Some Acts does not include any specific provisions distinguishing between normal and confidential
information. Nevertheless, the Czech DPA was contacted during the drafting of the Deliverable 2.1
and indicated “[s]haring information would be possible even in case of confidential information
(which however should be conveyed in a special manner such as sealed envelope, secured line,
etc.)”⁷⁵.
70 Ibid, p.104.
71 Ibid, p.105.
72 Date of the email: 31 July 2016.
73 De Hert P/Boulet G, ibid, p. 21.
74 Ibid, p.34.
The Danish Act No. 429 of 31 May 2000 on Processing of Personal Data does not distinguish
between normal and confidential information. Nevertheless, the Danish DPA was contacted during
the drafting of the Deliverable 2.1 and replied that “it thinks that it would be possible to share
information, including confidential information, to the extent necessary, but depending on the specific
situation”⁷⁶.
The Estonian DPA was contacted during the drafting of the Deliverable 2.1 and affirmed that “there
are no restrictions to share information, including confidential information”⁷⁷.
The German Federal Data Protection Act promulgated on 14 January 2003 does not differentiate
between normal and confidential information. Nevertheless, the German DPA was contacted during
the drafting of the Deliverable 2.1 and affirmed that sharing information would be possible, including
confidential information, “in the context of administrative assistance to other EU supervisory
authorities and in line with our federal legislation”⁷⁸.
The Irish DPA was contacted during the drafting of the Deliverable 2.1 and replied that it “would be
able to share information, including confidential information”⁷⁹.
The Italian DPA was contacted during the drafting of the Deliverable 2.1 and replied that it
“considers that a source of concern, among others, has to do with the confidentiality of the
information shared in coordinated actions (in terms of disclosure of confidential information or
materials received from another DPA/organization, etc.). Under Article 156(8) of the DP
Consolidated Code [Personal Data Protection Code, Legislative Decree no. 196 of 30 June 2003] staff
and members from the DPA are required to keep confidential any data that is to remain confidential.
This means that any classified information received from another entity might not be disclosed.
However, this does not prevent (has not prevented) exchanges of documents and information
(especially those submitted by complainants) with other DPAs in respect of cross-border cases
whenever this was deemed necessary to pursue the relevant inquiries [...] In this context, a request
from another DPA is considered as a qualified request, thus allowing the [...] Italian DPA to carry out
several activities, whilst a similar request from the [...] Italian DPA needs a specific legal basis”⁸⁰.
The Portuguese DPA was contacted during the drafting of the Deliverable 2.1 and stated that “the
decisions made by the DPA have a public nature. The inspection reports may remain confidential, but
it depends on the content. So, it would be a case-by-case analysis”⁸¹.
The Hungarian Act CXII of 2011 on the Right of Informational Self-determination and Freedom of
Information (Privacy Act) does not distinguish between normal and confidential information.
Nevertheless, Section 72(1)⁸² “impl[ies] that confidential information (qualified data) falling outside the
scope of the respective data protection case may not be subject to sharing”⁸³.
75 Ibid, p.37.
76 Ibid, p.44.
77 Ibid, p.48.
78 Ibid, p.67.
79 Ibid, p.74.
80 Ibid, p.77.
81 Ibid, p.92.
Legal provisions creating an obligation of confidentiality for the DPAs and their staff
A majority of Member States foresee in their legislation provisions creating an obligation of
confidentiality for their DPAs and their staff. Indeed, the authors identified seventeen Member
States, namely Bulgaria, Croatia, Cyprus, Finland, France, Greece, Ireland, Italy, Lithuania,
Luxembourg, Malta, the Netherlands, Portugal, Romania, Slovakia, Slovenia and the United
Kingdom.
Article 13§1 of the Bulgarian Law for protection of the personal data provides that “the chairman
and the members of the commission and the employees of its administration shall be obliged not to
make public and not to use for their or somebody’s else benefit the information representing a secret
protected by law for the administrators of personal data which has become known to them in
fulfil[l]ment of their activity, till the elapse of the period [...] [o]f its protection”.
Article 35 of the Croatian Act on Personal Data Protection provides that “[t]he Agency director,
deputy director and employees of the Agency’s professional service shall consider all personal and
other confidential data they come across while performing their duties professionally confidential or
as another relevant type of secret, all in accordance with the act establishing data confidentiality. The
obligation referred to in Paragraph 1 of this Article continues to apply after the Agency director and
deputy director cease to perform their duties or upon their termination of employment in the Agency’s
professional service”.
Article 36 of the Act on Personal Data Protection provides that “[a] fine of HRK 20,000.00 to
40,000.00 shall be charged for the following violations: [...] if the Agency director, deputy director
and employees of the Agency’s professional service disclose confidential data they came across while
performing their duties (Article 35)”.
The Cypriot Commissioner for Personal Data Protection is subject to a duty of confidentiality as
provided by Article 21(1) of the Processing of Personal Data (Protection of individuals) Law 138 (I)
2001.
The Finnish Act on the Openness of Government Activities (621/1999) contains in its Sections 24, 29
and 30 provisions on the right of access to official documents in the public domain, officials' duty of
non-disclosure, document secrecy and any other restrictions of access that are necessary for the
protection of public or private interests. Moreover, the Finnish DPA was contacted during the drafting
of the Deliverable 2.1 and affirmed that “it would not be able to share all information, including
confidential information”⁸⁴.
82 Section 72(1) reads as follows: “In its proceedings the Authority shall be entitled to process - to the extent and
for the duration required - those personal data, and classified information protected by law and secrets obtained
in the course of professional activities, which are related to the given proceedings, or which are to be processed
with a view to concluding the procedure effectively”
83 De Hert P/Boulet G, ibid, p.71.
84 Ibid, p.58.
Article 20 of the French Act n°78-17 of 6 January 1978 on Information Technology, Data Files and
Civil Liberties provides that “Members and officers of the Commission are bound by a duty of
confidentiality in respect of the facts, acts and information of which they have knowledge by virtue of
their functions, according to the conditions provided for in Article 413-10 of the Criminal Code and,
subject to what shall be necessary for the preparation of the annual report, in Article 226-3 of the
same Code.”
Article 10 of the Hellenic Law 2472/1997 on the Protection of Individuals with regard to the
Processing of Personal Data provides that “The processing of personal data shall be confidential. It
shall be carried out solely and exclusively by persons acting under the authority of the Controller or
the Processor and upon his/her instructions”.
Section 9(10) of the Irish Data Protection Act of 1998 provides that “A person who holds or held the
office of Commissioner or who is or was a member of the staff of the Commissioner shall not disclose
to a person other than the Commissioner or such a member any information that is obtained by him or
her in his capacity as Commissioner or as such a member that could reasonably be regarded as
confidential without the consent of the person to whom it relates.” This provision was inserted
through an amendment to the Act in 2003⁸⁵.
Section 156(8) of the Italian Personal Data Protection Code, Legislative Decree no. 196 of 30 June
2003 reads as follows: “Staff and consultants working for the Office of the Garante shall be subject to
secrecy rules as regards the information they may come to know in discharging their duties, where
such information is to remain confidential”.
Article 24(5) of the Lithuanian Law on Legal Protection of Personal Data provides that: “The
employees of the data controller, the data processor and their representatives who are processing
personal data must keep confidentiality of personal data if these personal data are not intended for
public disclosure. This obligation shall continue after leaving the public service, transfer to another
position or upon termination of employment or contractual relations.”
Article 24 of the Luxembourgish Law of 2 August 2002 on the protection of individuals with regard
to the processing of personal data provides: “(1) Members of the Commission Nationale and any
other person who carries out duties at the Commission Nationale or on its behalf, as well the official
in charge of data protection, are subject to the compliance with professional secrecy obligations as
provided under Article 458 of the Code Pénal [Criminal Code] even after their duties have ceased. (2)
Officials in charge of data protection when carrying out these functions may not plead the
professional secrecy to which they are subject to the Commission Nationale. (3) Certified service
providers may not plead the professional secrecy to which they are subject in accordance with Article
19 of the Law of 14 August 2000 relating to electronic commerce to the Commission Nationale.”
The Maltese Chapter 440 Data Protection Act of 2001 provides in Article 45 that “The
Commissioner and any officer and employee of the Commissioner shall, before assuming their duties,
take an oath of office contained in the First Schedule to carry out their duties with equity and
impartiality and in accordance with the provisions of this Act and shall be subject to the provisions of
the Official Secrets Act, and the Code of Ethics applicable to public officers. The oath of office shall
be taken before the Attorney General”.
85 Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 20, S.I. No. 207 of 2003.
Article 2(5) of the Dutch Administrative Law (Awb) reads as follows: “1. Anyone involved in the
performance of the duties of an administrative authority who in the process gains access to
information which he knows, or should reasonably infer, to be of a confidential nature, and who is not
already subject to a duty of secrecy by virtue of his office or profession or any statutory regulation,
shall not disclose such information unless he is by statutory regulation obliged to do so or disclosure
is necessary in consequence of his duties. 2. Subsection 1 shall also apply to institutions, and persons
belonging to them or working for them, involved by an administrative authority in the performance of
its duties, and to institutions and persons belonging to them or working for them performing a duty
assigned to them by or pursuant to an Act of Parliament.”
Article 17 of the Portuguese Act on the Protection of Personal Data reads as follows: “1 –
Controllers and persons who obtain knowledge of the personal data processed in carrying out their
functions shall be bound by professional secrecy, even after their functions have ended. 2 –Members
of the CNPD shall be subject to the same obligation, even after their mandate has ended. 3 – The
provision in the previous numbers shall not exclude the duty to supply the obligatory information
according to the law, except when it is contained in filing systems organised for statistical purposes. 4
– Officers, agents or staff who act as consultants for the CNPD or its members shall be subject to the
same obligation of professional secrecy.”
Article 21(4) of the Romanian Law no. 677/2001 on the person’s protection regarding the processing
of personal data and the free circulation of these data reads as follows: “[t]he entire staff of the
supervisory authority has the obligation of permanently keeping the professional secrecy, except for
the cases set out by law, regarding the confidential or classified information they have access to in
carrying out their duties, even after termination of their legal employment relations with the
supervisory authority”.
An obligation to maintain secrecy arises from Section 18 of the Slovakian Act No. 122/2013 Coll. on
Protection of Personal Data and on Changing and Amending of
other acts, but is not applicable in respect of the Office for Personal Data Protection of the Slovak
Republic (§5): “(5) [...] the obligation to maintain secrecy imposed on controllers, processors and
entitled persons pursuant to special regulations shall not apply in respect of the Office in the course of
fulfil[l]ment of its tasks [...].”
The Slovenian Personal Data Protection Act (ZVOP-1), in its Article 58 provides protection of
secrecy: “(1) The Supervisor shall be obliged to protect the secrecy of personal data he encounters in
performing inspection supervision, and also after ceasing to perform the Supervisor’s service. (2) The
obligation from the previous paragraph shall also apply to all civil servants at the National
Supervisory Body. (…) (4) Functionaries, employees and other individuals performing work or tasks
at persons that process personal data shall be bound to protect the secrecy of personal data with which
they become familiar in performing their functions, work and tasks. The duty to protect the secrecy of
personal data shall also be binding on them after termination of their function, work or tasks, or the
performance of contractual processing services.”
Section 59 of the United Kingdom Data Protection Act 1998, on “Confidentiality of information”,
provides that: “(1) No person who is or has been the Commissioner, a member of the Commissioner’s
staff or an agent of the Commissioner shall disclose any information which— (a) has been obtained
by, or furnished to, the Commissioner under or for the purposes of the information Acts, (b) relates to
an identified or identifiable individual or business, and (c) is not at the time of the disclosure, and has
not previously been, available to the public from other sources, unless the disclosure is made with
lawful authority.” Subsection (2) of the same section mitigates this prohibition: “a disclosure of information
is made with lawful authority if”, inter alia, “the disclosure is necessary in the public interest”. For
instance, collaborating with other DPAs to investigate data protection offenders can be assumed to be
in the public interest.
Member States’ legal provisions use different denominations when referring to protected information.
For instance, Bulgaria considers personal information as confidential and as a type of secret. Finland
uses the term “secret official documents”[86]. Greece considers the processing of personal data as
confidential. Romanian officials must maintain professional secrecy regarding “the confidential or
classified information”. Even if the denomination may differ from one Member State to another, the
adjective does not characterize the degree of limitation.
4.2.5 Learning from practical examples of tools used to exchange information
The majority of DPAs have been contacted by PHAEDRA and have been asked to provide practical
examples of how they have exchanged information (including confidential information) with other
EU DPAs and to share other relevant information (how the information is conveyed, number of
exchanges taking place every year, etc.). PHAEDRA has received a total of 15 responses.
The most mentioned framework on which DPAs have exchanged information was the cooperation
mechanism of the Schengen Information System II (SIS II), used to allow data subjects to exercise their
access, rectification and deletion rights. The information is usually exchanged by email. One DPA stated
that it exchanged information about 25 times a year; the others did not provide this information, as
statistical information on this matter is not collected.
DPAs mentioned a wide variety of examples of cooperation involving the exchange of information:
A DPA explained that it received “several” cooperation requests within the period 2014-2016 from
four EU DPAs in order to handle several complaints that the latter had received concerning a data
controller established in its country. Moreover, within the same period, the DPA received inquiries
from nine EU DPAs. The inquiries referred to the procedure used by that DPA for handling
complaints and to data protection aspects in very different matters: processing of personal data by
churches and other religious associations, video surveillance in law enforcement activities, processing
of genetic data and retention of personal data in the banking sector. The information was exchanged
through “regular channels”, namely “post, electronic post” and no classified information was
exchanged.
Another DPA explained that the DPA is contacted on a regular basis by other DPAs concerning legal
questions, in particular concerning the application of the Data Protection Directive. In most cases, the
requesting DPA needs information about a specific case handled in that DPA or how certain
provisions are interpreted by that DPA. Besides, the DPA was contacted by two DPAs with the
request for assistance in a specific case (one concerning a Schengen-alert entered by the DPA’s
country authorities; another concerning an alleged violation of data protection principles by a
company registered in the DPA’s country). Moreover, the DPA was contacted by another DPA in
order to get more information about the project of one company not registered in the DPA’s country
but whose project will also be carried out on the DPA’s country territory. Information is exchanged
about eight times a year, “mostly by email, sometimes by letter”, and no classified information has
been exchanged in the period 2014-2016[87], as “confidential information was not part of any request”.
[86] An extended enumeration of documents considered secret is listed in Section 24 of the Act on the Openness of Government Activities (621/1999), available at http://www.finlex.fi/en/laki/kaannokset/1999/en19990621.pdf.
A different DPA made reference to a “spam case” where information was exchanged. In the case, the
data controller was established in another Member State and the DPA sent a complaint with evidence
to the DPA of the place of establishment of the controller. In general, the information is exchanged by
“any informal means” and security measures may be applied, such as encryption of the attachment to
an email.
One of the DPAs considered that it “actively participates” in cooperation and exchange of information
with DPAs, as information about case studies, legal files, data transfers and data abuse is exchanged on
a daily basis. The DPA is also engaged in cooperation within the EU institutional framework, which
necessitates information flows on matters such as BCRs, nomination of the lead authority and legal
opinions on pressing authorities. The information exchanged is channelled in different ways, in most
cases through email. Paper mail is used in cases dealing with SIS II access or when legal provisions
require this mode of communication. Nevertheless, the DPA has not had any case of confidential
information being conveyed in the last three years.
A DPA explained that even if there were no specifics for the treatment of confidential information in
its national law, it is customary to treat exchanged information as confidential in the course of joint
enforcement actions, if this is requested by one or more DPAs involved in the mentioned action.
Nevertheless, the DPA had not been involved in any joint enforcement actions during the period
2014-2016.
A different DPA gave examples of cases where it exchanged information with another EU DPA. For
instance, the DPA clarified that it might be necessary to exchange the personal data of a complainant
and the supporting documents in order to investigate a specific complaint (e.g. in case of an access
request). Moreover, certain information pertaining to data controllers such as business secrets,
information covered by professional secrecy or the security measures of the data controllers cannot be
shared due to legal restrictions. The most common scenario, as the DPA explained, is where the
sending authority transmits a complaint to its DPA due to applicable law, including the personal data
of the complainant and all relevant documents. The DPA then takes over the matter and corresponds
directly with the complainant about the follow-up and the outcome of the complaint. A less common
scenario is where the requesting authority informs the DPA of a possible data protection violation by
a data controller established in the country of the DPA. In this case, there is usually no need to
mention the concerned data subject’s personal information and the requesting authority receives
feedback about the outcome of the investigation. Another example of information exchange occurs
when a foreign DPA requests information about administrative formalities applicable to a given data
controller established in the country of the DPA. This information may be shared in accordance with
the country’s Data Protection Act. Moreover, when a company wishes to adopt BCRs as a means of
data transfers to third countries, data protection authorities share information on BCRs and other
documents submitted by the applicant, as part of the co-operation procedure pursuant to WP107. In
the years 2014 to 2016, the DPA received approximately 15 cross border complaints per year from
other EU DPAs. In most of these cases, the DPA was the receiving authority and no further
information was requested by or exchanged with the sending authority after the case was accepted.
The DPA also receives approximately 10 information requests per year from other DPAs. Most of the
time, no information regarding a specific case is requested or exchanged. The DPA pointed out that the
public servants of its DPA are all subject to professional secrecy obligations as provided for by the
country’s Data Protection Act. Therefore, if information must be exchanged with another DPA, it
takes place on a case-by-case and strict need-to-know basis. Practice has shown that every DPA
usually has its specific contact points (international relations officers, complaint handling officers),
who are authorised to exchange information with their DPA counterparts and who are also bound by
strict confidentiality rules. Finally, the DPA informed PHAEDRA that the information is usually
conveyed via mail or e-mail and occasionally by telephone and that it ensures the highest level of IT
security when exchanging information by e-mail.
[87] When referring to the period 2014-2016 in this section, the reader should understand from January 2014 to June 2016.
The Nordic DPAs have exchanged information in the framework of the Joint Nordic Inspections. The
Scandinavian DPAs have several times carried out joint inspections or audits on topics of common
interest. These inspections are usually carried out once per year. Executive assistance is both requested and
provided a few times a year by Nordic DPAs. One Nordic DPA has assessed the possibility of exchanging
secret or confidential information and has concluded that this kind of information can be disclosed to
other DPAs in EU or EEA Member States in the context of Nordic Inspections. This information is
conveyed by letter or through a classified message, which is sent via a certain web service.
The Baltic DPAs have exchanged information in the framework of joint supervisions, which are
performed once a year. One Baltic DPA has exchanged requests for explanations and information on
proceedings (mostly spam cases) with other DPAs. For instance, in May 2016, the Baltic DPA
(country X) received a “request to exercise powers” from a DPA (country Y) in order to initiate
proceedings against a company of X nationality, which sent commercial e-mails to a Y citizen. As a
result of this request, the DPA from country X initiated supervisory proceedings and issued a
prescription. In this case the information exchange between DPAs did not require prior agreements
and information was sent through e-mails. The DPA from country X does not keep separate statistics
or separate (internal) regulation about cases that are connected with other DPAs.
The way of conveying information sometimes depends on the legislative constraints of each Member
State or on the specific practice of the DPA. For instance, if the information is considered as
“confidential personal data”, the DPA concerned will use a “normal letter” since public authorities are
only allowed in that specific country to transmit data over the Internet if this is ensured by the
appropriate encryption of the data transmitted. If the information is not considered as “confidential
personal data” the DPA will use “normal email”. Another DPA explained that a continuous
assessment is performed in order to separate information that can be freely shared and information
that could be confidential. In practice, only information of general nature is provided to other DPAs.
If the information that is going to be conveyed contains “secret information”, the DPA will decide to
“adjust” the information in order to provide useful information “while not revealing secret
information”.
4.2.6 The principle of confidentiality in the GDPR
The term confidentiality, as applied to data processing, appears in numerous passages throughout the
GDPR. Obviously, this condition is predicated of the data processor (Article 28) and the Data
Protection Officer (Article 38). The principle of confidentiality is also invoked as regards some
discussions of the Board where deemed necessary (Article 76). Nevertheless, what concerns this study is
the obligation of confidentiality of staff working in the DPAs, reflected in Article 54(2) of the
GDPR:
“The member or members and the staff of each supervisory authority shall, in accordance with Union
or Member State law, be subject to a duty of professional secrecy both during and after their term of
office, with regard to any confidential information which has come to their knowledge in the course of
the performance of their tasks or exercise of their powers. During their term of office, that duty of
professional secrecy shall in particular apply to reporting by natural persons of infringements of this
Regulation”.
The effective enforcement in third countries is difficult not only because there is a lack of
internationally accepted data protection standards but also because of the potential conflicts with the
confidentiality obligations laid down in Article 28(7) of the Data Protection Directive and Article 15
of the Convention. In our view, the hopes placed in the GDPR to overcome the ambiguity contained
in the Data Protection Directive have been dashed with its final version because this ambiguity has
not been overcome by the new Regulation. Indeed, even if its wording is more detailed, it introduces
no substantial changes on this issue.
Indeed, Article 28 (7) of the Data Protection Directive reads as follows:
“Member States shall provide that the members and staff of the supervisory authority, even after their
employment has ended, are to be subject to a duty of professional secrecy with regard to confidential
information to which they have access.”
It can be understood that the new provision does not provide any relevant developments compared to
its shorter version in the Data Protection Directive, as the explicit reference to the provisions of
domestic laws may prevent the sharing of information even within the EU. Whilst recognising the
progress made by the GDPR in providing mandatory cooperation, further steps might be taken in view
of mitigating any obstacles. In this sense, some agreements provide an example which can be taken as
a basic reference. The Global Cross Border Enforcement Cooperation Arrangement includes specific
safeguards relating to the most sensitive issues regarding sharing information, including confidential
information.
The Global Cross Border Enforcement Cooperation Arrangement adopted in Mauritius in 2014 by the
36th International Conference of Data Protection and Privacy Commissioners represents a major
landmark in the efforts to advance effective privacy enforcement cooperation[88]. Even if the
Arrangement is not intended to create legally binding obligations (Clause 4), it is certainly a
significant step towards fostering a more coordinated approach in the aim of addressing cross-border
privacy issues.
This new tool for cross-border enforcement cooperation is of particular importance as it represents an
addition to the existing MoUs signed with some international DPAs. Moreover, the Arrangement sets
out, on the EU scene, ground rules for the sharing of confidential information related to enforcement
work, as well as explanations on how information supplied will be processed by the addressee.
[88] The proponents of the Mauritius Agreement culminated the work of the previous International Conferences of Data Protection and Privacy Commissioners, namely the work of the International Enforcement Cooperation Working Group established at the 33rd Conference in Mexico City in 2011.
The Arrangement sets forth the participants’ commitment with regard to international cross-border
privacy enforcement cooperation, particularly on reciprocity, confidentiality, data protection and
coordination (Clauses 5 to 8). Regarding confidentiality, the Preamble of the Arrangement clearly
stipulates that “to effectively respond to data protection and privacy violations that affect multiple
jurisdictions a multi-lateral approach is required and therefore appropriate mechanisms to facilitate
the information sharing of confidential enforcement related material, and coordination of enforcement
amongst privacy enforcement authorities to tackle said violations is much needed.” More specifically,
Clause 6 of the Arrangement implements the Confidentiality principle. It rightly states how
participants will treat confidential information shared from other participants. This will be done,
mainly, by giving the same “qualification” to the information, by making arrangements to comply
with the domestic legal requirements of the sending participant, by preventing further disclosures and
asking for consent of the participant who shared the information, by respecting the purpose limitation
and by taking appropriate technical and organizational measures to keep the information secure. The
Arrangement introduces a final clause allowing derogation from complying with the rules listed above
if the domestic law of any Participant requires doing so, provided that the Participant will inform the
sending Participant prior to the exchange of information. Clause 7 of the Arrangement outlines the
rules guaranteeing the rights of the persons who may be affected when personal data information is
exchanged. The clause provides that “the exchange of such personal data should be limited to what is
necessary for effective privacy and data protection enforcement” and that participants will “use their
best efforts” to respect the data protection safeguards of each other. This respect must be provided by
assuring that they will comply with the requirements included in a final Schedule (principles of
necessity, proportionality, purpose limitation, accuracy and keeping data up to date, respect for data
subjects’ rights of information and access, adoption of security measures, notification to and consent of
the other participants on the disclosure of the shared information, redress mechanisms).
The Arrangement is valuable as it shows in more concrete ways measures for improving enforcement
cooperation through information sharing. Indeed, in addition to the Sections mentioned above, in the
Arrangement can be found, among the mechanisms mentioned in Clause 3(iv), an encouragement to
Participants to use “secure electronic information sharing platforms to exchange enforcement related
information, particularly confidential information about on-going or potential enforcement activities”
or, in Clause 11, the instructions on the limits on the use of the shared materials. Evidence no
longer required shall be returned at the request of the sending participant. If no request for return of
the materials is made, the receiving participant may dispose of the materials using methods
prescribed by the sender or, if no such methods have been prescribed, by other secure methods, as
soon as practicable after the materials are no longer required.
These indications are highly valuable as they can easily be transferred to the strict framework on
information sharing among European Agencies. For instance, European DPAs could strive to further
their efforts to develop a platform for the secure transmission of information, to guarantee a sufficient
level of personal data protection for the subjects affected or to establish precautions and limits to the
receiving authority of confidential information to ensure respectful treatment of the issuer’s national
laws.
4.2.7. An assessment of the GDPR provisions regarding the exchange of information
In previous research by PHAEDRA, a comprehensive comparative study analysed six
areas of cooperation among European authorities (migration and border control, private international
law, consumer protection, competition law, criminal justice and fundamental rights) with the purpose
of examining their mechanisms of cooperation and drawing lessons, with the aim of increasing the
efficiency of cooperation in EU data privacy law[89]. The obstacles that the relevant authorities face in
the area of cooperation are very similar to those posed by the cooperation among DPAs. These are
both of legal (such as capacity, procedures, sharing information) and practical nature (resources,
technical tools, sharing costs). On the basis of the similarity with these parallel cooperation
mechanisms, the research finally offers recommendations to improve the efficiency of cooperation,
which at the same time can be adapted to the needs of EU data protection law. These “lessons” are
divided into existential and practical lessons for cooperation. The former include the necessity of
mutual trust, legal basis, respect to national and regional differences, acceptance of extraterritorial
jurisdiction, broad geographical scope and gradual and periodically reviewed development. The latter
are the minimum need for translation and interpretation of the exchanged information, the
assumption of costs of cooperation by stakeholders, the use of information and communication
technologies, the fostering of preventive cooperation, the support of alternative dispute resolution
methods such as electronic means and the empowerment of supervisory authorities for urgent reaction
to cross-border data privacy violations.
These lessons are especially interesting for the present analysis and they may serve to assess the
extent to which the GDPR complies with them in relation to the regulation of the exchange of
information. Based on the analysis of the provisions of Chapter VII of the GDPR, some positive
conclusions can be achieved as it meets several of the above-mentioned lessons.
Legal basis – unlike the little relevance given to cooperation in the Directive, the cooperation
mechanisms have been determined on a legal and comprehensive basis. The Regulation is not only a
binding legal tool, it also engages supervisory authorities in such cooperation, making it compulsory.
Furthermore, the GDPR allows the introduction of exceptions when these are specifically provided by
national laws.
Use of ICTs – the GDPR clearly stipulates that the exchange of information must be completed by
electronic means between supervisory authorities and between supervisory authorities and the Board,
and under a standardised format (Articles 60, 61, 64 and 67 of the GDPR). Article 67 of the GDPR
tasks the EC with developing implementing acts of general scope in order to specify the arrangements
for the exchange of information by electronic means between supervisory authorities and between
supervisory authorities and the Board, in particular the standardised format referred to in Article 64.
Obviously, the decision on the communication infrastructure which will support the exchange
of information, and on the rules under which it will work, is very difficult and complex and has to be taken at
a later stage. A secure, well-designed and efficient system should be established to allow the flow of
information between supervisory authorities. The detailed explanation of the functioning of the
databases of SIS II, VIS, Eurodac or CIS illustrates the multiple principles that the platform should
guarantee and comply with. Questions related to the definition of terms, the purpose of the exchange
of information, the designation of the accessing authorities and the conditions for access, the
implementation of data protection and data security rules, the guarantee of data protection principles,
the implementation of effective supervision or the definition of responsibilities are the most relevant
ones.
Translation and interpretation – the GDPR does not mention the thorny issue of multilingualism, which
brings other issues after a request for an exchange of information: the time and money resources to
be spent on multiple translations. Some cooperation systems do not have problems with
multilingualism as they process information in alphanumeric format[90]. That is the case of SIS II,
VIS and Eurodac. But, generally speaking, providing translation is necessary and this raises the issue
of the costs. These concerns are managed in many different ways (prior agreement of the
authorities, as in consumer law; assumption of the costs by the authority in criminal justice
cooperation; use of certification in private international law, etc.), but on most occasions the common
practice in parallel systems of cooperation is that translation is provided by the Member State that
introduces a request for notification. The GDPR has taken this direction and Article 61(7) sets out
that “Requested supervisory authorities shall not charge a fee for any action taken by them pursuant to
a request for mutual assistance. Supervisory authorities may agree on rules to indemnify each other
for specific expenditure arising from the provision of mutual assistance in exceptional circumstances.”
This broad expression obviously goes beyond and includes other costs, for instance, the physical
sending of a certain document or the travel costs of DPAs’ staff if this would be deemed necessary.
The great difference among DPAs concerning human resources and budget may allow us to conclude
that the impact of this provision will greatly differ among the supervisory authorities, and will
negatively affect the smallest DPAs.
[89] Galetta A/Kloza D/De Hert P, ibid, April 2016.
Concerning the costs of running the data bases, sharing costs between the EU budget and the Member
State is the general rule, respectively covering the costs of the central unit in each Member State and
the national unit of the system. Therefore, the same conclusion that was just presented can be applied
in this area: the differences in terms of human and financial resources among DPAs would negatively affect
the smallest DPAs.
Trust – Any cooperation system must be based on the mutual trust of its participants. This study has
reflected that trust is precisely one of the grounds used to assess the collaboration that DPAs have
been developing so far. The generalisation of this mutual trust among all DPAs is necessary and is a
first step towards successful information sharing. Having said that, the GDPR deals with detailed
provisions of the mechanisms of cooperation at least in the basic procedural elements and determines
assertive obligations for the supervisory authorities in terms of deadlines and responsibilities.
Although the necessity to rely on the counterpart authorities is present, the compulsory nature of the
obligation to share information as designed by the GDPR may help to build mutual confidence.
Gradual development – the need of a gradual development and continuous process of revision and
improvement of all mechanisms and cooperative components, including the exchange of information,
shall be planned for the whole range of cooperation mechanisms under the GDPR. Among them, the
specific characteristics of the procedure for the exchange of information, from the use of a platform to
the strengthening of mutual trust among DPAs, must be progressively defined, developed and
improved.
Although the treatment of the principle of confidentiality does not seem to be clearly defined in the
Regulation, the improvement of cooperation among DPAs under the GDPR presents good prospects
for the future as it is developed among countries that share a common culture and similar legal
backgrounds. Nevertheless, this starting point should not lead to naively expecting that cooperation, and
more specifically information exchange, will be carried out smoothly and without hindrances. In this
respect, the regulation set out by the GDPR is realistic and sensitive to fundamental national rules and
principles. This flexibility could be the first step towards a workable and efficient framework of
collaboration.
[90] Galetta A/Kloza D/De Hert P, ibid, p.33.
4.3 Mutual assistance, co-ordination and co-operation regarding enforcement measures
The legal framework of the GDPR enhances and in certain circumstances obliges EU DPAs to
provide each other with mutual assistance and to co-ordinate or jointly undertake certain enforcement
measures. This section of the report aims to do the following:
– Provide an account of mutual assistance and joint operations as set out in the GDPR, including
the key issues raised by this.
– Explore the potential of a common approach to mutual assistance, co-ordination and joint
operations.
– Provide some initial best practice guidelines.[91]
[91] As part of this activity, the PHAEDRA consortium has sought the views of DPAs on the particular and practical questions that arise with respect to implementation of these provisions. In particular, this activity has included interviews with senior representatives of EU DPAs (as reported upon in PHAEDRA II D1, http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA2_D1_20150720.pdf), roundtable events with DPAs and other stakeholders held in Brussels, January 2016 and Budapest, May 2016, the PHAEDRA II workshop conducted at the 37th International Conference of Data Protection and Privacy Commissioners in Amsterdam, October 2015, as well as ongoing contact with individual authorities.
The relevant sections are as follows.
Mutual Assistance
Article 57, "Tasks", requires that supervisory authorities shall:
(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory
authorities with a view to ensuring the consistency of application and enforcement of this
Regulation;
The key details on mutual assistance in the GDPR can be found in Article 61, "Mutual assistance".
Article 61
Mutual assistance
1. Supervisory authorities shall provide each other with relevant information and mutual assistance
in order to implement and apply this Regulation in a consistent manner, and shall put in place
measures for effective cooperation with one another. Mutual assistance shall cover, in particular,
information requests and supervisory measures, such as requests to carry out prior authorisations and
consultations, inspections and investigations.
2. Each supervisory authority shall take all appropriate measures required to reply to a request of
another supervisory authority without undue delay and no later than one month after receiving the
request. Such measures may include, in particular, the transmission of relevant information on the
conduct of an investigation.
3. Requests for assistance shall contain all the necessary information, including the purpose of and
reasons for the request. Information exchanged shall be used only for the purpose for which it was
requested.
4. The requested supervisory authority shall not refuse to comply with the request unless:
(a) it is not competent for the subject-matter of the request or for the measures it is requested to
execute; or
(b) compliance with the request would infringe this Regulation or Union or Member State law to
which the supervisory authority receiving the request is subject.
5. The requested supervisory authority shall inform the requesting supervisory authority of the
results or, as the case may be, of the progress of the measures taken in order to respond to the request.
The requested supervisory authority shall provide reasons for any refusal to comply with a request
pursuant to paragraph 4.
6. Requested supervisory authorities shall, as a rule, supply the information requested by other
supervisory authorities by electronic means, using a standardised format.
7. Requested supervisory authorities shall not charge a fee for any action taken by them pursuant to a
request for mutual assistance. Supervisory authorities may agree on rules to indemnify each other for
specific expenditure arising from the provision of mutual assistance in exceptional circumstances.
8. Where a supervisory authority does not provide the information referred to in paragraph 5 of this
Article within one month of receiving the request of another supervisory authority, the requesting
supervisory authority may adopt a provisional measure on the territory of its Member State in
accordance with Article 55(1). In that case, the urgent need to act under Article 66(1) shall be
presumed to be met and require an urgent binding decision from the Board pursuant to Article 66(2).
9. The Commission may, by means of implementing acts, specify the format and procedures for
mutual assistance referred to in this Article and the arrangements for the exchange of information by
electronic means between supervisory authorities, and between supervisory authorities and the Board,
in particular the standardised format referred to in paragraph 6 of this Article. Those implementing
acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
The Regulation codifies a number of procedures for mutual assistance in cross-border investigations. This
intensified cooperation between DPAs, and the shared responsibility that comes with it, will have profound
consequences at both the policy and the personal level. Most fundamental is that compliance with a request
for assistance becomes a requirement, with only limited grounds for refusal (that the request would be
unlawful, or that the requested authority lacks competence).
From this we gather the definition of mutual assistance: "Mutual assistance shall cover, in particular,
information requests and supervisory measures, such as requests to carry out prior authorisations and
consultations, inspections and investigations." This potentially opens up mutual assistance to include
assistive use of any of the investigative, corrective, authorisation and advisory powers of a DPA, as
set out under Article 58, which has (relatively) harmonised the powers of DPAs across the EU. The
exercise of some of these powers at the request of another DPA will have more formal structures, due
to the consistency mechanism and the requirements of the one-stop-shop approach. Given that DPAs
should be able to exercise competence across their tasks under the Regulation, this also provides a
framework for the forms mutual assistance might take.
Further elements of the Regulation provide more detail on the scope of mutual assistance, as well as
the various governance arrangements that surround it.
Recital 123 essentially works to preserve the independence of DPAs and their ability to provide
mutual assistance in the absence of other agreements on legal cooperation between Member States:
Recital 123: The supervisory authorities should monitor the application of the provisions pursuant to
this Regulation and contribute to its consistent application throughout the Union, in order to protect
natural persons in relation to the processing of their personal data and to facilitate the free flow of
personal data within the internal market. For that purpose, the supervisory authorities should
cooperate with each other and with the Commission, without the need for any agreement between
Member States on the provision of mutual assistance or on such cooperation.
Recitals 125 through to 131 provide legal requirements for enforcement cooperation where this
cooperation includes multiple DPAs and results in either a decision to use enforcement powers, or to
reject a complaint. This is based primarily around the one-stop-shop approach for lead authorities and
supervisory authorities concerned, and the distribution of fundamental responsibilities in a decision.
For example, Recital 125:
The lead authority should be competent to adopt binding decisions regarding measures applying the
powers conferred on it in accordance with this Regulation. In its capacity as lead authority, the
supervisory authority should closely involve and coordinate the supervisory authorities concerned in
the decision-making process. Where the decision is to reject the complaint by the data subject in
whole or in part, that decision should be adopted by the supervisory authority with which the
complaint has been lodged.
Recital 126:
The decision should be agreed jointly by the lead supervisory authority and the supervisory authorities
concerned and should be directed towards the main or single establishment of the controller or
processor and be binding on the controller and processor. The controller or processor should take the
necessary measures to ensure compliance with this Regulation and the implementation of the decision
notified by the lead supervisory authority to the main establishment of the controller or processor as
regards the processing activities in the Union.
Recital 127:
Each supervisory authority not acting as the lead supervisory authority should be competent to handle
local cases where the controller or processor is established in more than one Member State, but the
subject matter of the specific processing concerns only processing carried out in a single
Member State and involves only data subjects in that single Member State, for example, where the
subject matter concerns the processing of employees' personal data in the specific employment
context of a Member State. In such cases, the supervisory authority should inform the lead
supervisory authority without delay about the matter. After being informed, the lead supervisory
authority should decide, whether it will handle the case pursuant to the provision on cooperation
between the lead supervisory authority and other supervisory authorities concerned (‘one-stop-shop
mechanism’), or whether the supervisory authority which informed it should handle the case at local
level. When deciding whether it will handle the case, the lead supervisory authority should take into
account whether there is an establishment of the controller or processor in the Member State of the
supervisory authority which informed it in order to ensure effective enforcement of a decision vis-à-
vis the controller or processor. Where the lead supervisory authority decides to handle the case, the
supervisory authority which informed it should have the possibility to submit a draft for a decision, of
which the lead supervisory authority should take utmost account when preparing its draft decision in
that one-stop-shop mechanism.
More specifically, Recital 133 links mutual assistance to the consistent application of the Regulation.
It suggests that it is only through close cooperation by EU DPAs, working in harmony, that a
consistent application is possible:
Recital 133: The supervisory authorities should assist each other in performing their tasks and provide
mutual assistance, so as to ensure the consistent application and enforcement of this Regulation in the
internal market. A supervisory authority requesting mutual assistance may adopt a provisional
measure if it receives no response to a request for mutual assistance within one month of the receipt of
that request by the other supervisory authority.
Recital 138 refers to the consistency mechanism, but also sets out how the consistency mechanism
does not exhaust the requirement for mutual assistance. It appears that the expectation is that in many
cases mutual assistance will be provided between DPAs on a bilateral or multilateral basis, as
arranged, set up and negotiated by the relevant DPAs involved. This arguably points towards a
situation where cooperation between DPAs is much more routine than it was under Directive
95/46/EC, where joint investigations were relatively uncommon and, when conducted, were often
coordinated through the Article 29 Working Party:
The application of such mechanism should be a condition for the lawfulness of a measure intended to
produce legal effects by a supervisory authority in those cases where its application is mandatory. In
other cases of cross-border relevance, the cooperation mechanism between the lead supervisory
authority and supervisory authorities concerned should be applied and mutual assistance and joint
operations might be carried out between the supervisory authorities concerned on a bilateral or
multilateral basis without triggering the consistency mechanism.
The requirements for mutual assistance may change in the future, following any implementing acts
adopted by the Commission in this area. Article 61(9) and Recital 168 bring mutual assistance
(alongside the other areas open to implementing acts by the Commission) under the examination
procedure of the comitology process.92
The examination procedure should be used for the adoption of implementing acts on standard
contractual clauses between controllers and processors and between processors; codes of conduct;
technical standards and mechanisms for certification; the adequate level of protection afforded by a
third country, a territory or a specified sector within that third country, or an international
organisation; standard protection clauses; formats and procedures for the exchange of information by
electronic means between controllers, processors and supervisory authorities for binding corporate
rules; mutual assistance; and arrangements for the exchange of information by electronic means
between supervisory authorities, and between supervisory authorities and the Board.
92 http://ec.europa.eu/transparency/regcomitology/index.cfm?do=implementing.home Comitology applies when
the Commission has been granted implementing powers by a particular EU legal act which has also provided for
the Commission to be assisted by a committee. In practice, implementing measures, under which the
Commission implements the fine details of the EU acts concerned (individual financing decisions, decisions to
place certain products on the market, etc.) vary in terms of frequency (many need to be performed regularly, e.g.
to quickly respond to changes in a specific market) and political/economic/financial importance.
Article 60 "Cooperation" sets out the mechanisms of cooperation; it provides lead supervisory
authorities with the ability to request mutual assistance from concerned supervisory authorities
pursuant to Article 61.
Finally, it should be noted that Article 50 of Directive (EU) 2016/680 also engages with mutual
assistance between supervisory authorities under that Directive, many of which will also be
supervisory authorities under the GDPR. The subsections of both Articles are identical apart from the
differences due to one being a Regulation and the other a Directive, to be implemented by Member
States.93 The two components of the data protection reform package are therefore aligned on
mutual assistance.
Joint operations
Recital 134 and Article 62 of the GDPR set out the legal framework for joint operations between
supervisory authorities.
Recital 134: Each supervisory authority should, where appropriate, participate in joint operations with
other supervisory authorities. The requested supervisory authority should be obliged to respond to the
request within a specified time period.
Article 62
Joint operations of supervisory authorities
1. The supervisory authorities shall, where appropriate, conduct joint operations including joint
investigations and joint enforcement measures in which members or staff of the supervisory
authorities of other Member States are involved.
2. Where the controller or processor has establishments in several Member States or where a
significant number of data subjects in more than one Member State are likely to be substantially
affected by processing operations, a supervisory authority of each of those Member States shall have
the right to participate in joint operations. The supervisory authority which is competent pursuant to
Article 56(1) or (4) shall invite the supervisory authority of each of those Member States to take part
in the joint operations and shall respond without delay to the request of a supervisory authority to
participate.
3. A supervisory authority may, in accordance with Member State law, and with the seconding
supervisory authority's authorisation, confer powers, including investigative powers on the seconding
supervisory authority's members or staff involved in joint operations or, in so far as the law of the
Member State of the host supervisory authority permits, allow the seconding supervisory authority's
members or staff to exercise their investigative powers in accordance with the law of the
Member State of the seconding supervisory authority. Such investigative powers may be exercised
only under the guidance and in the presence of members or staff of the host supervisory authority. The
seconding supervisory authority's members or staff shall be subject to the Member State law of the
host supervisory authority.
93 http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0089.01.ENG&toc=OJ:L:2016:119:FULL
4. Where, in accordance with paragraph 1, staff of a seconding supervisory authority operate in
another Member State, the Member State of the host supervisory authority shall assume responsibility
for their actions, including liability, for any damage caused by them during their operations, in
accordance with the law of the Member State in whose territory they are operating.
5. The Member State in whose territory the damage was caused shall make good such damage under
the conditions applicable to damage caused by its own staff. The Member State of the seconding
supervisory authority whose staff has caused damage to any person in the territory of another
Member State shall reimburse that other Member State in full any sums it has paid to the persons
entitled on their behalf.
6. Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of
paragraph 5, each Member State shall refrain, in the case provided for in paragraph 1, from requesting
reimbursement from another Member State in relation to damage referred to in paragraph 4.
7. Where a joint operation is intended and a supervisory authority does not, within one month,
comply with the obligation laid down in the second sentence of paragraph 2 of this Article, the other
supervisory authorities may adopt a provisional measure on the territory of its Member State in
accordance with Article 55. In that case, the urgent need to act under Article 66(1) shall be presumed
to be met and require an opinion or an urgent binding decision from the Board pursuant to Article
66(2).
This is a relatively straightforward article, the key novelty of which is the requirement to invite EU
DPAs with an interest (based upon the nature of the data processing being investigated and in
particular the countries in which the investigated party is established, and the potential impact of that
processing) into a joint investigation.
There appears to follow from this a need for DPAs to consider the metrics they will use to determine
what they consider "a significant number of data subjects" and "substantially affected" (under
Article 62(2)). This also forms part of the consistency mechanism. These determinations might be
developed at the level of the individual DPA, based upon their existing processes for determining how
to respond to complaints or when an investigation is appropriate, and in many cases EU DPAs will
have an organisational sense of what these terms mean in practice. These determinations may of
course be open to legal challenge. Alternatively, EU DPAs might be minded to adopt a collective
decision on what these terms mean in practice as part of a common approach to mutual assistance.
Similarly, a developed understanding of how any given DPA intends to go about determining main
and significant establishments in the process leading up to an investigation would be beneficial for
collaboration, as this determines which DPAs have a right to participate in a joint operation and
should be invited to do so. The second point may be complex in that in some contexts the locations of
processing, and the establishments of controllers, might become clearer during the course of an
investigation, and more DPAs may have to be invited. This suggests the need for regular review
during the process of an investigation, essentially to determine if any other DPAs count as concerned
parties. In practice, and on the basis of examples of previous collaboration, it is unlikely that any
DPA that was aware of a joint investigation and wanted to participate would be blocked from doing
so.
The conferral of powers under paragraph three is mostly, given the relative harmonisation of powers
amongst EU DPAs, a conferral of the ability to operate within a particular Member State's legal
jurisdiction. Management of liability may become something of a concern, in that host supervisory
authorities are liable for any damages caused by hosted staff or the operations of a DPA in another
Member State, but this is balanced by the paragraph providing for reimbursement. This limits the
potential liability primarily to reputation and public image. It does, however, suggest the need for
seconded staff to be properly and professionally trained prior to their secondment, simply to reduce the
risk of damaging trust between DPAs. Simply put, for this reason and others, it would not be
appropriate for a DPA to respond to a request for mutual assistance by providing under-trained staff.
The potential for a general approach to mutual assistance
From the above legal framework, there appears to be no inherent legal requirement upon EU DPAs,
the EDPB or even the Commission to generate a generalised approach to requests for mutual
assistance and joint investigations, beyond meeting the requirements as set out above. However, there
is clearly space around the Regulation for DPAs themselves to build more process or set out shared
assumptions. This is not a necessary precursor to mutual assistance requests being made and joint
operations being initiated, and a general approach may develop in an evolutionary manner, with some
EU DPAs participating in its development, adopting it or finding their own approaches. This is a
separate issue to the possibility of a common enforcement strategy, but does fall within the category
of strategic planning and management identified by PHAEDRA II as an area of high benefit but high
difficulty.94
PHAEDRA II D1⁹⁵ summarises the response from EU DPAs on the usefulness of a standardised
approach to requests for assistance:
DPAs were asked their opinions on desirability and feasibility of standardising the way that DPAs
approached their European counterparts with requests for assistance. Several DPAs stated that such a
standardised approach was a necessity. Others expressed that a standardised approach to the
presentation of requests for assistance would be useful and that it could facilitate co-operation and
co-ordination. A standardised approach might allow DPAs to make better informed decisions about the
requests being presented to them, and allow for clearly setting the parameters of any joint or
transferred investigation and for organising the division of work (based upon, for example technical or
investigative experience), as well as increasing the speed and efficiency of communication. The
awareness that similar procedures were being followed was seen as useful. Others contextualised this
form of operational co-operation against a background of global data protection issues that did not
follow national borders, and the need to provide high quality and effective services to both data
subjects and data controllers.
Any standardised approach to requests for assistance was seen as needing clear and simple rules, to be
agreed collectively by EU DPAs, and finding a resolution to several practical issues, particularly in
relation to language and translation. Such a system, we were told, should also retain some space for
information that did not fit within the structure, but that nevertheless needed to be exchanged as part
of a request. The approach must therefore have some capacity to respond to the particular nature of a
case. Standardised templates for requests for assistance would have to be well developed, and if so,
they would serve as a reminder to include appropriate information. Information that was identified as
an appropriate part of such a structured approach included the subject of the complaint, the technical
circumstances, any other data subjects affected by the breach, and involvement of an IT or manual
system. However, some DPAs suggested that it was the attitude to co-operation that was most
important, regardless of the approach or template used in practice.
94 See Barnard-Wills, D/Papakonstantinou V, ibid, p.69 and p.74.
95 Ibid.
One perspective was that the current system of bilateral requests, often formal written memos from
one DPA to another, worked acceptably well for the relatively low volume of cross-border complaints
received by DPAs. Some DPAs provided details of the Memoranda of Understanding (MoU) that they
had established with particular peers, which provided some structure to their interaction and
co-operation. One DPA expressed concern that a standardised approach might actively hinder and limit
co-operation and communication that was already occurring in less formal ways.
It was suggested by one DPA that it could be useful to take the Google Spain judgement
recommendations of the Article 29 Working Party as a reference model.96 DPAs provided examples
of systems in different fields that could be used as examples and inspiration for data protection. These
included the field of asylum claims, the system for passing on fines for violations of traffic rules
between different EU states, criminal law co-operation in the Council of Europe, and the
well-established tradition of mutual legal assistance. These systems were not seen as perfect, but
sufficiently functional to learn from.
The following sets out the driving factors and potential barriers to a common approach to mutual
assistance.
Factors pushing towards a common approach:
1. As noted above, a shared approach would simplify and facilitate requests for assistance, and
reduce overheads in this area. DPA staff involved in mutual assistance requests can become familiar
with this approach rather than starting afresh with each request.
2. International case volumes are widely expected to increase under the GDPR regime as compared to
the Directive. Current methods may be inappropriate for this new reality. Organisations tend to
routinise and turn into formal processes the activities they conduct on a regular basis.
3. Articles 61(6) and 61(9) suggest that some form of standardised format is necessary for information
requested by other supervisory authorities, but this might be understood as supplying the information
in commonly used electronic document format standards, which can be opened by the recipient.
4. A mutual approach does not initially require full consensus agreement on all elements. It might be
adopted starting from a sub-group of willing parties, and still provide efficiency benefits. This might
provide sufficient incentive for other authorities to align themselves with what becomes a de facto
standard approach. Even competing approaches are possible.
Factors mitigating against a common approach:
1. DPAs have different strategic priorities, and different internal processes, as well as operating in
different national legal contexts. Finding a common approach that meets all of these needs may be
impossible.
2. Cases themselves are potentially highly divergent and a common approach that could meet all the
possible variations might itself be too complex to be widely adopted.
3. A common approach to mutual assistance requests is perceived as unnecessary by some DPAs. This
may not change over time, depending upon the actual experienced volume of mutual assistance
requests.
4. There appears to be no current legal requirement (pending implementing acts by the Commission)
to further develop a common process for mutual assistance requests.
96 These recommendations included common criteria to be used by data protection authorities when handling
complaints. See Article 29 Data Protection Working Party, Guidelines on the implementation of the Court of
Justice of the European Union judgment on "Google Spain SL and Google Inc. v Agencia Española de Protección de
Datos (AEPD) and Mario Costeja González" C-131/12, WP225, 26 November 2014,
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp225_en.pdf
Best practice recommendations
It is apparent that the formal legal requirements do not exhaust the potential ways in which DPAs
might provide mutual assistance or conduct joint operations. Based upon this legal framework, DPAs'
perspectives,97 parallel mechanisms,98 the case-studies of existing cooperation between DPAs,99 as
well as general approaches to collaborative and multi-agency working, we present the following
suggestive list of best practices to improve mutual assistance and joint investigations between data
protection authorities in the EU.
1. As in other areas of cooperation, mutual assistance and joint operations should be based upon
cooperation and the presumption of the equal value, competence and standing of each
supervisory authority and of the legal system in its jurisdiction and thus on the principle of
mutual trust.100 This includes recognising the independence and discretion of peers and having
respect for each other's way of doing things.
2. When embarking on a joint initiative, first get comfortable – take time to establish
trust and positive communication on a human level with occupational counterparts. Get used
to the idea that you will be sharing information, but that some information will rightfully be
withheld. We continue to support the recommendation made by PHAEDRA I that authorities
should continue and increase the number of short term visits, staff exchanges and
secondments and even joint training in order to foster connections prior to requests for
assistance and joint operations.101 Promoting such exchanges and training is an explicit task
of the EDPB.
97 Barnard-Wills D/Wright D, ibid, 2015
98 Galetta A/Kloza D/De Hert P, ibid.
99 Barnard-Wills D/Wright D, ibid.
3. Strong initial planning. Budgets and plans, specifying person-hours and other
resources, should be made and agreed by all participants. Set well defined goals, project
directives and workload distribution. It is at this stage that initial decisions and plans for
reporting and public communication should also be developed.102
4. Lots of communication. For example, in the WhatsApp case, after some initial discussions
the two authorities kept in touch by standing teleconferences, with team leads in
communication daily by telephone and encrypted email.
5. Recognise each other's strengths and weaknesses, and take account of this when allocating
work (e.g. geographical location, pre-existing relationships, technical capacity). In the WhatsApp
investigation the Canadian system allowed more contact with the data controllers under
investigation, whilst the Dutch threat of punitive enforcement encouraged compliance with
the investigation as a whole.
6. Leadership and senior-level support for mutual assistance and joint operations – spreading
a message within organisations that commissioners are strongly committed to the project,
making sure that teams are told they would be supported in making it work. For joint
operations investigative teams need to be creative and adaptive, and this becomes easier with
the support of senior management.103 Based upon their experience, Nordic DPAs have
recommended that joint project participants should report to a reference group composed of
executives from each participating authority.104
7. Relationship management. Authorities should pay attention to the way in which their
international relations are managed, particularly in terms of maintaining contacts and sharing
expertise internally, and managing the potential loss of connections that can occur with staff
changeover. Relationship management, and in particular continuity planning approaches,
therefore offer strong potential value to DPAs.
8. Training for less senior staff on mutual assistance and joint operations - senior level staff
at EU DPAs are increasingly familiar with cross-border cooperation, particularly at the
commissioner level. The new legal framework of the GDPR will very likely increase
international cooperation. With respect to recommendation six above, much of this will occur at
operational levels, not at the level of strategic leadership. DPAs therefore need to consider
how best to provide their less senior staff with sufficient training, knowledge and
international awareness to do this effectively.
9. Clarity and transparency about criteria and reasons for cooperation decisions,
particularly when a decision has been made by a DPA to decline to provide mutual assistance
in a manner requested by one of their peers. Being able to provide a clear rationale, including
sharing the constraints, allows the requesting party to understand the decision, encourages
trust between the two agencies, and informs future requests where the situations may be
similar.
101 http://www.phaedra-project.eu/wp-content/uploads/Findings-and-recommendations-18-Jan-2015.pdf
102 For a more detailed perspective on current best practices in joint communications, see chapter 4 of
Barnard-Wills D/Papakonstantinou V, ibid.
103 Recommendations two, three and five were provided by Wilbert Tomesen of the Dutch DPA at a joint
round-table between the PHAEDRA II project and the cooperation sub-group of the Article 29 Working Party,
held in Hungary in May 2016. For a summary of the round-table see
http://www.phaedra-project.eu/phaedra-ii-second-round-table-event-at-the-spring-conference-of-european-dpas/
104 Svahn Starrsjo K, Successful collaboration requires commitment, EDPS Newsletter, No.46, Brussels,
December 2015,
https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Newsletters/Newsletter_46_EN.pdf, p.6
10. Determine whether assistance is necessary or merely nice to have. Recognise that requests for
assistance will create a potential resource drain upon the requested party, especially as, unless either of
the two exceptions in Article 61(4) comes into play, the request cannot be refused, and
supervisory authorities cannot charge a fee for any action taken. This decision will be driven
by the needs of the particular case, complaint or investigation.
11. Conversely, be generous with invitations to participate in joint operations. Although there
are costs in terms of time and increasing difficulty of achieving consensus, taking a broad
view of which DPAs are likely to constitute a concerned party avoids the risk of excluding a
potential partner.
12. Consider strategic level agreements and memoranda of understanding amongst regular
co-operators which include detail on how requests for assistance will be made and how they
will be responded to, as well as the process to be used in developing joint operations. These
agreements can fill in the gaps still present in the legal requirements and provide both parties
with confidence in how mutual assistance and joint operations will occur in the future. They
reduce the start-up cost of joint investigations as some of the initial planning work will have
been covered by the MoU.
13. Conduct regular review of cooperation processes during and after the period of specific
cooperation. As well as shared project management, this includes understanding if additional
authorities should be invited to participate. These reviews should be conducted collectively.
14. Transparency of process. Consider publishing (or making accessible to DPA colleagues) the
steps of the process through which an investigation or operation is decided upon and planned,
including explicitly identifying the stages in which other concerned supervisory authorities
are identified and contacted, and the approach that will be used to make this determination.
15. Arrange internal processes for mutual assistance and for setting up joint operations so that
decisions can be taken within the one-month window provided for by various provisions of the
legislation.
16. Personnel processes to support mutual assistance and joint operations. If staff are to be
seconded to another DPA for the duration of a joint investigation, or as a form of mutual
assistance, and they will be hosted by that DPA, the chances of success are increased by:
putting the secondment agreement in writing; making it clear where management
responsibility lies; putting in place processes for longer-term management (sick pay, absences,
disciplinary and performance issues); ensuring that the agreement provides for compliance with
the host authority's instructions and policies; assigning mentors from both the host and the sending
agency; and agreeing in advance on costs (e.g. transportation, accommodation).
5 General conclusions
In view of the diversity and multitude of the issues analysed in this report, general conclusions cannot
easily be drawn, and drawing them could even undermine the analysis upon which they are based by
failing to reflect some set of its findings. Indeed, issues such as the consistency mechanism, the "one-
stop-shop" mechanism, the European Data Protection Board, BCRs, DPA enforcement powers, and
data sharing practices among DPAs are not easy to summarise, and adequate concluding remarks are
therefore hard to present. Readers are instead invited to go over each specific chapter that may be of
interest to them, in order to find there the specific conclusions reached in each case through our
research.
The aim of this workstream was to examine the practical implications of the GDPR, to identify aspects
that remain unregulated and would benefit from a common approach by all DPAs, and to highlight
specific areas where there is a need for more operational and legal guidelines. The analysis above
attempted to apply this common axis of analysis to each of the GDPR instruments placed under its
scrutiny: the consistency mechanism, the "one-stop-shop" mechanism, the European Data Protection
Board, BCRs, DPA enforcement powers, and data sharing practices among DPAs. An article-by-
article approach was considered necessary, given that the GDPR is a relatively recent
legal text with a life span of only a few months, whose provisions would therefore benefit the most from
as detailed a legal analysis as possible. While doing this, emphasis was placed on the "practical" aspects of
our research: our constant aim was to provide practical assistance to DPAs, by identifying
those points within the new GDPR that will probably need to be complemented by additional
practical guidance, to be issued most likely by the Board. In the same context, we also strove to
provide the Board members who will undertake this task with certain guiding principles and
considerations that will hopefully assist them in their work. As such, our recommendations are
addressed to the professionals involved in these processes.
The GDPR is an ambitious legal text that has undertaken an unprecedented mission. The
implementation of consistent data protection across the EU is undoubtedly a worthy cause,
but one burdened by such seemingly insurmountable difficulties as differences in legal
systems, differences in judicial systems and even differences in culture among Member States. Many
of the issues analysed in this report constitute measurable metrics against which the GDPR's success
(in terms of providing efficient protection to individuals and creating legal certainty for controllers and
processors) will be judged. The DPAs are the competent authorities that will apply the GDPR's
provisions within their respective jurisdictions and, in this regard, the addressees of the GDPR's
obligation to co-operate and co-ordinate. Despite its length, the GDPR cannot provide complete
details on how best to achieve such DPA cooperation and coordination. The mechanisms through which
to do this are indeed introduced in its text, but they are then described in generally broad terms. It is
therefore the task of the EU DPAs, or of the Board, to complement these rules with adequate guidelines
and principles, and also to develop the relevant culture of cooperation among them, in order to succeed
in achieving consistency and therefore the GDPR's main objective: the creation of a uniform
regulatory environment for data protection across the EU.