On the 14th of July, the European Data Protection Board (EDPB) adopted a set of criteria to assess whether a cross-border case may qualify as a case of ’strategic importance’ for which cooperation amongst Supervisory Authorities (SAs) will be prioritized and supported. Additionally, the Board developed guidelines on steps to be taken following identification of a strategic case. The newly adopted recommendations make a substantial deviation from the procedure set forth in the General Data Protection Regulation (GDPR), providing non-Lead Supervisory Authorities with an enlarged scope of initiation in cross border cases, despite the Regulation’s ‘One Stop Shop’ (OSS) mechanism.
One Man Job: Lead Supervisory Authority
Prior to the implementation of the GDPR, national supervisors were responsible for the separate enforcement of each European Union member state’s domestic data protection laws. Because of this, businesses operating within the EU frequently had to interact with several authorities about the same set of issues; at times dozens or more regulators may be engaged. Companies found this to be unmanageable, and it effectively discouraged them from wanting to engage in trade across member states.
To make it easier for enterprises operating within the EU, the GDPR’s OSS method of regulation and enforcement was created, allowing enterprises to deal with one data protection authority, the lead supervisory aauthority, in cases involving cross-border processing. In accordance with the Regulation, the SA of the main or single establishment of the data controller or processor is competent to act as a lead SA. Regarding judgment enforcement pertaining to cross-border processing, the lead SA serves as an organization’s exclusive interlocutor. In consensus with other ‘concerned’ SAs, it drafts a decision to be adopted where no objections are raised.
Organizations stand to benefit from the OSS mechanism, as their processing tasks are increasingly carried out across state borders to service clients or users in other nations or to support multinational business operations. The mechanism provides significant advantages in terms of preventing administrative burden to controllers and processors, as well as decreasing compliance costs for companies. Additionally, organizations and individuals can expect regulatory choices that are uniform across the Union.
However, some SAs are in conflict with the passive role that has been bestowed upon them as lead SAs, which in many cases is the overstrained Irish Data Protection Commission, steer the course of high-risk investigations. Data protection authorities are now looking to move more swiftly and strongly in cases involving controllers or data subjects in their region. For a few prominent and strategic cases, the EDPB’s strategy aims to calm these worries.
EDPB Moves Towards Further Cooperation
According to EDBP’s new enforcement strategy, when a cross-border case has been identified as being of strategic importance, all respective SAs will be given the opportunity to design action plans on how to proceed with the case at EDPB level and under the guidance of the lead SA. Timelines, information exchange, coordination amongst SAs, and even joint investigations may be included in the action plan, which is submitted on a voluntary basis.
To determine whether a case is strategic, prompting further collaboration between SAs, the Board first evaluates the qualitative and quantitative criteria of the case, including the risk posed to the rights and freedoms of data subjects and the number of complaints logged across member states. The Board likewise considers whether a case is related to an intersection between data protection and other legal fields or concerns a fundamental issue regarding the enforcement and application of GDPR, to establish its importance.
What Does the Change Entail?
The EDPB’s announcement represents a significant departure from the process outlined in the GDPR, in which the lead SA manages the case and presents its draft conclusion for review by other relevant SAs. Data protection authorities were forced to wait for the lead SA’s decision or, alternatively, to make a temporary urgent decision as outlined in Article 63 of the Regulation. The EDPB only intervened when the lead SA and concerned SA’s were unable to agree, and in very unusual circumstances, it issued a legally enforceable ruling that the lead SA was had to observe.
Everything from timing, scope, and course of the case were often determined by the lead SA’s initial decision, as adjustments further down the line proved to be difficult, slowing down the already complex process of enforcement. This strategy is set to reverse the process so far that it relates to strategic cases, by involving all SAs at an early stage to speed up the schedule for cross-border investigations and strengthen SA consensus on the appropriate application of the GDPR.
Yet, as partner and head of media disputes at Stewarts, Emily Cox says, the new collaborative pathway “will not be the silver bullet for all investigations—only those that the EDPB members have determined are of strategic importance at a European level”. Therefore, non-lead supervisory authorities may be conferred to their customary passive role when dealing with cross-border cases which have not been assessed by the EDPB as relaying qualities of high importance. However, it would be fair to note that the formula designed to assess cross-border cases is not narrow in scope, but rather quite expansive and inclusive, ensuring that all aspects of a case are thoughtfully considered, whether qualitative or quantitative. The guidelines were in essence designed to maximize cooperation amongst SAs.
Other concerns regarding this new strategy include whether businesses are capable of managing SAs taking on a more active role in cases where they would otherwise deal with only the lead SA. Noting the divergence from the GDPR, we may even begin to see that the strategy is subjected to procedural challenges from disgruntled businesses. In any case, we do not have to wait too long before discovering how the new enforcement strategy plays out in practice, as the EBDP has announced that three cases have already been chosen as a trial test, including a case involving Lithuanian online marketplace provider, Vinted UAB.