
Wednesday, 20 January 2021

When data protection authorities dispute jurisdiction under the GDPR ‘one-stop-shop’: the AG opinion in Facebook Belgium

 



Lorna Woods, Professor of Law, University of Essex

 

Introduction

 

Like their comic-book counterparts, the national data protection authorities in EU Member States, given their super regulatory powers by EU legislation, sometimes pause in battling high-tech villains – to fight with each other instead. To resolve such conflicts of jurisdiction, the GDPR created a one-stop-shop system to determine which authority could bring proceedings in principle.

 

This case is the first judicial test of the one-stop-shop in the GDPR and its lead supervisory authority (LSA) mechanism, according to which the main responsibility within the EU for regulating a data controller under the GDPR falls to the regulator of the jurisdiction in which the controller has its main establishment (Article 56 GDPR). While Article 56 establishes the idea of the lead supervisory authority based on the location of the controller’s main establishment, it operates without prejudice to Article 55 GDPR, which gives each national supervisory authority competence to regulate, and other provisions envisage that, even when not a lead supervisory authority, national supervisory authorities retain some interests in regulation. Further, the GDPR envisages cooperation between the national supervisory authorities. The question here is about the circumstances in which this residual competence may be exercised. The question arises against a backdrop in which some differences in approach to regulation can be detected and perhaps some distrust between the different national supervisory authorities (as also illustrated by the difficulties in agreeing the fine for Twitter in relation to a data breach, which led to the first decision of the European Data Protection Board (EDPB) under Article 65 GDPR).

 

Facts

 

The Belgian data protection authority commenced proceedings against Facebook in its local courts, alleging that Facebook had unlawfully collected and used personal data relating to the private browsing information of Internet users in Belgium, through the use of cookies and the like (and there was some discussion as to whether the technologies in issue actually fell ratione materiae within the GDPR as opposed to the e-Privacy Directive). Although the proceedings were initiated under the Data Protection Directive, given the length of time that has elapsed the matter is now concerned with the GDPR, and on that basis Facebook argued that the Belgian data protection authority was no longer competent because Facebook fell within the jurisdiction of the Irish Data Protection Commission (DPC). The matter was referred to the Court of Justice, specifically in respect of legal proceedings against Facebook Belgium concerning the cross-border processing of personal data that took place after the GDPR had become applicable, given that the data-processing entity was Facebook Ireland Ltd.

 

Opinion

 

The Advocate General’s opinion in this case (Case C-645/19 Facebook Belgium v Gegevensbeschermingsautoriteit, Opinion 13 January 2021) sought to chart a middle ground between the two positions argued before the court as to whether only the LSA may take action. While he agreed that the primary responsibility lay with the LSA, in his view the consequences of that position were not as extreme as Facebook sought to claim. 

 

The Advocate General took a literal and systemic approach to the interpretation of Article 56 (referring also to Recital 124 in the GDPR preamble) to find that the LSA has general competence over cross-border data processing.  Any role for other national supervisory authorities is exceptional [45]-[46].  The fact that Article 56, which sets up the LSA mechanism, is said to operate without prejudice to Article 55, attributing competence to the various national supervisory authorities, does not change this position. Such an interpretation would deprive Article 56 of any meaning [52].  This is incompatible with the importance ascribed to the LSA mechanism by where it is placed: the second provision in the relevant section of the regulation, before all the other general provisions on ‘tasks’ and ‘powers’ in that section. Significantly, Chapter VII (cooperation) refers back to Article 56.

 

In the view of the Advocate General, the GDPR makes it ‘clear that that is meant to be the procedure to be followed when enforcement action against cross-border processing is necessary’ (emphasis in original) [56]. Consequently, the term ‘without prejudice’ does not refer to competence but refers to the fact that ‘all supervisory authorities naturally retain the general powers assigned to them by virtue of Article 55 (and Article 58) of the GDPR’ [57].  The Advocate General therefore confirmed the approach of the EDPB in Opinion 8/2019 which views Article 56(1) as an ‘overriding rule’ and as ‘lex specialis’ taking priority over the general rules of competence in Article 55 in the circumstances specified in Article 56. To take the approach put forward by the Belgian data protection authority would frustrate the purpose of the GDPR as found in recital 10, and return the position to that under the Data Protection Directive.

 

It was also argued that Article 58(5) means that all supervisory authorities must be able to start judicial proceedings against any potential infringement of the data protection rules affecting their territory, irrespective of the (local or cross-border) nature of the processing; on this view the one-stop shop mechanism applies only to administrative action. The Advocate General criticised this interpretation for, again, taking one provision in isolation and out of context. Article 58(5) of the GDPR sets out ‘powers that are to be given to all supervisory authorities without exception’ but ‘does not regulate the situations and manner in which that power to bring proceedings is to be exercised’ [65]. The distinction between judicial and administrative proceedings was unjustified in the light of the text and structure of Article 58 as a whole. The interpretation proposed by the Belgian data protection authority ‘would not allow a supervisory authority to (administratively) investigate, prepare, process, and decide, but would allow it instead immediately to bring judicial proceedings before a court’ [71], which is neither reasonable nor appropriate.

 

The Advocate General then supported his arguments through a teleological and historical interpretation of the GDPR and its emphasis on avoiding fragmentation (Recital 9), incoherence and double regulation. The one stop shop mechanism was the means introduced to achieve this goal. However, the Advocate General noted that the Commission’s original proposal for a very strict idea of the one stop shop gave rise to discussions with the Council and the Parliament, leading to the introduction of a number of exceptions, including a concern to emphasise the proximity between data subjects and the relevant supervisory authorities [85]. The Advocate General described this process as turning the one stop shop mechanism ‘into a more balanced two-pillar mechanism’ with an enhanced role for the other supervisory authorities [87].

 

The third approach to interpreting the GDPR adopted by the Advocate General is a Charter-oriented approach, to ensure maximum protection of Articles 7, 8 and 47 of the EU Charter of Fundamental Rights. The Advocate General criticised what in his view was an assumption that a high level of protection requires a multiplicity of authorities that may enforce compliance with the GDPR. Rather, a high level of protection requires a coherent framework, as seen in recitals 7, 9 and 10 GDPR, for coherent application of the rules. In the view of the Advocate General:

 

a coherent and uniform level of protection certainly does not preclude that protection from being placed at a high level. It is simply a question of where that uniform yardstick should be set [97].

 

A second issue relating to rights concerns the proximity of the complainant to the relevant national supervisory authority and its impact on the right of that individual to complain (as in Article 78 GDPR). This is specifically so given that the data subject has the right under Article 79 to choose where to launch legal action, between the courts of the Member State where the controller or processor has an establishment and those of the Member State where the data subject resides. The position would be slightly more difficult as regards the right to challenge the action (or inaction) of a national supervisory authority: such actions should be brought before the courts of the Member State where the supervisory authority is established (Article 78 and Recital 143). The Advocate General however envisaged that a complaint could be lodged with the complainant’s home supervisory authority, whether or not that authority is the LSA, so safeguarding the right of the data subject to take action in his or her home jurisdiction [104]. The Advocate General accepted that this structure may lead to practical problems, though these at the moment lie in the realm of conjecture.

 

The Advocate General finally considered concerns about a risk of under-enforcement.  First and specifically as regards criminal enforcement, the Advocate General commented that while the cooperation and consistency mechanisms

 

are obligatory for the supervisory authorities, they do not apply to other Member States’ authorities, in particular those charged with the task of prosecuting criminal offences (emphasis in original) [110].

 

More generally, and in the view of the Advocate General, more importantly the GDPR does not operate so as to make the LSA the sole enforcer in cross border situations. The system is built on cooperation and consensus (Article 60(1)) and persistent disputes are referred to the EDPB to the extent that ‘the LSA’s position in that regard is no stronger than that of any other authority’ [111]. The GDPR also contains provisions to deal with regulatory inertia. The Advocate General suggests two enforcement routes, though he accepts that both are cumbersome and potentially paper tigers:

 

- a supervisory authority may request another supervisory authority to provide ‘information and mutual assistance in order to implement and apply the GDPR’ as provided in Article 60, and a failure of the LSA to respond would give rise, by virtue of Article 61, to a right on the part of the requesting authority to ‘adopt a provisional measure on the territory of its Member State in accordance with Article 55(1)’, triggering the urgent processes under Article 66.

- Article 64 provides a mechanism whereby matters producing effects in more than one Member State are brought to the EDPB, though it is not clear what the legal effect of such a decision would be.

 

If under-enforcement turns out to be a real problem, for example where the one stop shop mechanism ‘were to lead to regulatory ‘nests’ for certain operators who, after having effectively chosen their national regulator themselves by accordingly placing their main establishment within the Union, rather than being monitored, they would in fact be shielded from other regulators by a specific LSA’ [124], then the entire system would be ripe for major revision. The GDPR is still in its infancy, however, and it would be a bad idea for the Court to fundamentally alter the GDPR structures without evidence.

 

Thus, the GDPR permits the supervisory authority of a Member State to bring proceedings before a court of that State for an alleged infringement of the GDPR with respect to cross-border data processing, despite not being the LSA, provided that it does so in the situations and according to the procedures set out in the GDPR [140]. The position does not change depending on whether the controller has a secondary establishment in another Member State [143]. Nor does it matter whether the national supervisory authority commences legal proceedings against the controller’s main establishment or against the establishment situated in its own Member State [147]. In this, the Advocate General dismissed an argument based on Article 55(1) that a national supervisory authority can only act within its own state, and therefore only against local establishments; the territorial element relates to the effects of the data processing [152].  By creating a central point for enforcement the LSA mechanism implies that the LSA must be able to take action against actors established other than in its territory [155].  Finally, the Advocate General confirmed that Article 58(5) has direct effect as well as direct applicability.

 

Comment

 

Both sides had claimed victory in this opinion. Facebook emphasises the re-iteration of the LSA mechanism and the Belgian authorities point to the fact that the Advocate General made clear that the LSA is not the sole enforcer in such cases.   If the Court follows its Advocate General, this should give some comfort to those operating in multiple jurisdictions that they will not continue to face the difficulties of multiple and potentially incoherent enforcement found under the Data Protection Directive.  Nonetheless, the result of the GDPR is not a simple, bright-line allocation of jurisdiction to one national supervisory authority.

 

Firstly, there are a number of exceptions to the LSA mechanism, which also reflect the ‘two-pillared’ nature of the enforcement system. These arise when:

 

- supervisory authorities act outside the material scope of the GDPR;

- the processing is necessary for compliance with a legal obligation, in the public interest or in the exercise of official authority;

- processing is carried out by controllers that have no establishment in the European Union;

- a national supervisory authority other than the LSA considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects (Art. 66 GDPR); or

- the LSA decides not to handle the case.

 

Beyond this, however, the Advocate General emphasised the importance of cooperation within the system, implicitly pointing towards the need for an EU settlement on the question of standards that lies in the shadows of this case (see eg. para 97). An LSA cannot ride roughshod over the views of other relevant national supervisory authorities; this is potentially a prophylactic against the creation of ‘nests’ for privacy-averse data controllers. The approach to interpretation, while it allowed the Advocate General to strike a delicate balance between potentially conflicting concerns, reflects approaches typically adopted in the interpretation of EU law, emphasising the purposive approach. In any event, the Opinion drew out the existence of possible mechanisms by which the failure of an LSA to act – whether through choice or because of resourcing – could be challenged and decisions of the other national regulatory authorities/EDPB put in place. In this, the Opinion is a welcome review of the mechanisms in the GDPR, a set of systems which are complex and not necessarily easily understood.

 

In terms of enforcement of the GDPR, it is important to remember that enforcement does not lie in the hands of the national regulatory authorities alone; and the Opinion reminds us of this in terms both of direct enforcement of data subjects’ rights but also in terms of challenging the inaction of a national supervisory authority. Here the choice of jurisdiction is not determined by the LSA mechanism.  Strategic litigation, including some forum shopping, may still be possible.

 

Given that the starting point for this case was the use of cookies, the question of the relationship between the e-Privacy rules and the GDPR arises. The Advocate General confirmed that more than one legislative instrument could apply. This then raises the question of jurisdiction and whether such overlap might undermine the one stop shop – though this difference might be addressed through the revision of the e-Privacy regime (a process which has been fraught with delay). A similar question might arise in relation to criminal law enforcement.

 

Where this leaves Facebook and the Belgian authorities is not yet clear. This is of course an opinion, not the judgment of the Court. While the Court usually follows the opinion of its Advocate General, it is not obliged to do so. Moreover, the Irish DPC, the LSA as regards Facebook, has settled a judicial review action brought by Max Schrems in respect of the DPC’s failure to stop data transfers to the US. While that too is action concerning Facebook, it does not cover exactly the same issues as those raised by the Belgian authorities.

 

 

Friday, 3 November 2017

Who’s responsible for what happens on Facebook? Analysis of a new ECJ opinion



Lorna Woods, Professor of Internet Law, University of Essex

Who is responsible for data protection law compliance on Facebook fan sites? That issue is analysed in a recent opinion of an ECJ Advocate-General, in the case of Wirtschaftsakademie (full title: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd, Vertreter des Bundesinteresses beim Bundesverwaltungsgericht).

This case is one more in a line of cases dealing specifically with the jurisdiction of national data protection supervisory authorities, a line of reasoning which seems to operate separately from the Brussels I Recast Regulation, which concerns the jurisdiction of courts over civil and commercial disputes. While this is an Advocate-General’s opinion, and therefore not binding on the Court, if followed by the Court it would consolidate the Court’s prior broad interpretation of the Data Protection Directive. While this might be the headline, it is worth considering a perhaps overlooked element of the data economy: the role of the content provider in supplying the individuals whose data is harvested.

Facts

Wirtschaftsakademie set up a ‘fan page’ on Facebook. The data protection authority in Schleswig-Holstein sought the deactivation of the fan page on the basis that visitors to the fan page were not warned that their personal data would be collected by means of cookies placed on the visitor’s hard disk. The purpose of that data collection was twofold: to compile viewing statistics for the administrator of the fan page; and to enable Facebook to target advertisements at each visitor by tracking the visitors’ web browsing habits, otherwise known as behavioural advertising. Such activity must comply with the Data Protection Directive (DPD) (as implemented in the various Member States). While the content attracting visitors was that of Wirtschaftsakademie, it relied on Facebook for data collection and analysis. It is here that a number of preliminary questions arise:

- Who is the controller for the purposes of the data protection regime;
- Which is the applicable national law; and
- What is the scope of the national supervisory authority’s regulatory competence?

Opinion

Controller

The referring court had assumed that Wirtschaftsakademie was not a controller as it had no influence, in law or in fact, over the manner in which the personal data was processed by Facebook, and the fact that Wirtschaftsakademie had recourse to analytical tools for its own purposes does not change this [para 28]. Advocate General Bot, however, disagreed with this assessment, arguing that Wirtschaftsakademie was a joint controller for the purposes of the DPD – a possibility for which Article 2(d) DPD makes explicit provision [paras 42, 51, 52]. The Advocate General accepted that the system was designed by Facebook so as to facilitate a data-driven business model and that Wirtschaftsakademie was principally a user of the social network [para 53]. The Advocate General highlighted that without the participation of Wirtschaftsakademie the data processing in respect of the visitors to Wirtschaftsakademie could not occur; and it could end that processing by closing the relevant fan page down. In sum:

Inasmuch as he agrees to the means and purposes of the processing of personal data, as predefined by Facebook, a fan page administrator must be regarded as having participated in the determination of those means and purposes. [para 56]

Advocate General Bot further suggested that the use of the various filters included in the analytical tools provided meant that the user had a direct impact on how data was processed by Facebook. To similar effect, a user can also seek to reach specific audiences, as defined by the user. As a result, the user has a controlling role in the acquisition phase of data processing by Facebook. The Advocate General rejected a formal analysis based on the terms of the contract concluded by the user and Facebook [para 60]; the fact that the user may be presented with ‘take it or leave it’ terms does not affect the fact that the user may be a controller.

As a final point, the Advocate General referred to the risk of data protection rules being circumvented, arguing that:

had the Wirtschaftsakademie created a website elsewhere than on Facebook and implemented a tool similar to ‘Facebook Insights’ in order to compile viewing statistics, it would be regarded as the controller of the processing needed to compile those statistics [para 65].

A similar approach should be taken in relation to social media plug ins (such as Facebook’s like button), which allow Facebook to gather data on third party websites without the end-user’s consent (see Case C-40/17 Fashion ID, pending).

Having recognised that joint responsibility was an important factor in ensuring the protection of rights, the Advocate General – referring to the approach of the Article 29 Working Party on data protection – clarified that this did not mean that both parties would have equal responsibility, but rather their respective responsibility would vary depending on their involvement at the various stages of processing activities.

Applicable Law

Facebook is established outside the EU, but it has a number of EU established subsidiaries: the subsidiary which has responsibility for data protection is established in Ireland, while the other subsidiaries have responsibility for the sale of advertising.  This raises a number of questions: can the German supervisory authority exercise its powers and if so, against which subsidiary?

Applicable law is dealt with in Article 4 DPD, which refers to the competence of the Member State where the controller is established but which also envisages the possibility, in the case of a non-EU parent company, of multiple establishments.  The issue comes down to the interpretation of the phrase from Art. 4(1)(a), ‘in the context of the activities of an establishment’, which according to Weltimmo cannot be interpreted restrictively [para 87].  The Advocate General determined that there were two criteria [para 88]:

- An establishment within the relevant Member State; and
- Processing in connection with that establishment.

Relying on Weltimmo and Verein für Konsumenteninformation, the Advocate General identified factors based on the general freedom of establishment approach to the question of establishment, which looks for real activity through stable arrangements; the approach is not formalistic. Facebook Germany clearly satisfies these tests.

Referring to Article 29 Working Party Opinion 8/2010, the Advocate General re-iterated that in relation to the second criterion, it is context not location that is important. In Google Spain, the Court of Justice linked the selling of advertising (in Spain) to the processing of data (in the US) to hold that the processing was carried out in the context of the Spanish subsidiary given the economic nexus between the processing and the advertising revenue.  The business set up for Facebook here is the same, and the fact that there is an Irish office does not change the fact that the data processing takes place in the context of the German subsidiary.  The DPD does not introduce a one-stop shop; to the contrary, a deliberate choice was made to allow the application of multiple national legal systems (see Rec 19 DPD), and this approach is supported by the judgment in Verein für Konsumenteninformation in relation to Amazon.  The system will change with the entry into force of the General Data Protection Regulation (GDPR), but the Advocate General proposed that the Court should not pre-empt the entry into force of that legislation (due May 2018) in its interpretation, as the cooperation mechanism on which it depends is not yet in place [para 103].

Regulatory Competence

By contrast to Weltimmo, where the supervisory authority was seeking to impose a fine on a company established in another Member State, here the supervisory authority would be imposing German law on a German company.  There is a question, however, as to the addressee of any enforcement measure. On one interpretation, the German regulator should have the power only to direct compliance on the company established on its territory, even though that might not be effective. Alternatively, the DPD could be interpreted so as to allow the German regulator to direct compliance from Facebook Ireland. Looking at the fundamental role of controllers, Advocate General Bot suggested that this was the preferred solution. Article 28(1), (3) and (6) DPD entitle the supervisory authority of the Member State in which the establishment of the controller is located, by contrast to the position in Weltimmo, to exercise its powers of intervention without being required first to call on the supervisory authority of the Member State in which the controller is located to exercise its powers.

Comment

The novelty in this Opinion relates to the first question, and it is significant because the business model espoused by social media companies depends on the participation of those providing content, who seem at the moment to take little responsibility for their actions. The price paid by third parties (in terms of data) is facilitated by them, allowing them to avoid or minimise their business costs. Should there be consistent enforcement action against such users, this may gradually have an effect on the underlying platform’s business model. While it is harder to regulate mice than elephants, at least these mice appear to be clearly within the geographic jurisdiction of the German regulator – and will remain so even when the GDPR is in force.

The Advocate General went out of his way to explain that there was no difference between the situation in issue here and that in the other relevant pending case, Case C-40/17 Fashion ID.  This case concerns the choice by a website provider to embed third party code allowing the collection of data in respect of visitors in the programming for the website for its own ends (increased visibility of and thus traffic to the website): the code in question is that underpinning the Facebook ‘like’ button, but would also presumably include similar codes from Twitter or Instagram.

If there was any doubt from cases – for example Weltimmo – about whether there is a one-stop shop (ie only one possible supervisory authority with jurisdiction across the EU) in the Data Protection Directive, the Advocate General expressly refutes this point.  In this context, it seems that this case adds little new, rather elaborating points of detail based on the precise factual set-up of Facebook operations in the EU. It seems well-established now that – at least under the DPD - clever multinational corporate structures cannot funnel data protection compliance through a chosen national regime.

It may be worth noting also the broad approach of the Advocate General to Google Spain when determining whether processing is in the context of activities. There the Court observed that:

‘in such circumstances, the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed’ [Google Spain, para 56]

Here, the Advocate General focussed on the fact that social networks such as Facebook generate much of their revenue from advertisements posted on the web pages set up and accessed by users and that there is therefore an indissoluble link between the two activities.  Thus it seems that the Google Spain reasoning applies broadly to many free services paid for by user data, even if third parties – for example those providing the content on the page visited – are involved too. 

Of course, the GDPR does introduce a one-stop shop. Arguably, therefore, these cases are soon to be of historic interest only. The GDPR proposes that the regulator in respect of the controller’s main EU establishment should have lead responsibility for regulation, with regulators in respect of other Member States being ‘concerned authorities’. There are two points to note: first, there is a system in place to facilitate the cooperation of the relevant supervisory authorities (Art 60), including possible recourse to a ‘consistency mechanism’ (Art 63 et seq); secondly, the competence of the lead authority to act in relation to cross-border processing in Article 66 operates without prejudice to the competence of each national supervisory authority in its own territory set out in Article 55. The first of these two points concerns the attempt to limit regulatory arbitrage and a downward spiral of standards in the GDPR as applied and the broad approach to establishment. The interest of the recipient state in regulating means that there may be many cases involving ‘concerned authorities’. The precise implications of the second point are not clear; note however that it seems that the one-stop shop as regards Facebook would not stop data protection authorities taking enforcement action against users such as Wirtschaftsakademie.


Tuesday, 13 October 2015

Data protection: the CJEU clarifies the applicable law and jurisdiction



Lorna Woods, Professor of Internet Law, University of Essex*
The CJEU recently gave judgment in the Weltimmo case, concerning the reach of data protection supervisors, ruling that one Member State’s supervisor can have jurisdiction on organisations mainly established beyond the border of that State. This ruling could have an impact on two key issues under discussion as regards the proposed data protection Regulation: the external scope of that Regulation (discussed here) and the powers of national data protection authorities and the relationships between them - particularly whether there should be a 'one-stop shop' for regulation (discussed here).
Facts 
Weltimmo is a company registered in Slovakia. It runs a website advertising the sale of properties in Hungary and, for that purpose, it processes the personal data of the advertisers of the property. Many advertisers sent a request by email for the deletion of both their advertisements and their personal data but Weltimmo did not delete such data and charged the advertisers for the price of its services. As the sums claimed were not paid, Weltimmo forwarded the personal data of the advertisers to debt collection agencies.  The advertisers complained to the Hungarian data protection office. 
Article 28(6) of the Data Protection Directive specifies:
Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.
Weltimmo argued the Hungarian supervisor did not have jurisdiction but should instead have referred the matter to the Slovakian supervisory authority.  The Hungarian authority referred, however, to Article 4 of the Directive, which states:
Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:
(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable….
The question then was where Weltimmo was established.  In any event, no matter what the applicable law, the Hungarian authority took the view that under Article 28 it had jurisdiction.  It was these questions of interpretation that were referred to the Court of Justice.
Judgment
The Court's judgment broadly follows the approach of the Advocate General (Opinion of 25 June 2015).  The Court determined that the national law applicable to the controller in respect of that processing must be determined in the light of Article 4; Article 28 deals with the role and powers of the national authorities. So the key question was whether the processing was 'in the context of activities of an establishment' – and to ensure protection of fundamental rights, this concept should be interpreted broadly. In this, the Court referred to Google Spain (discussed here). Drawing on the approach of the Advocate General, the Court noted that the meaning of 'establishment' here is a broad and flexible concept – and specifically not just the question of where the data controller is registered.  The test relates to:
both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned. This is particularly true for undertakings offering services exclusively over the Internet. [para 29]
The Court emphasised that the concept of 'establishment' extends to any real and effective activity, even a minimal one, exercised through stable arrangements. Specifically, depending on the circumstances, the presence of even one representative can suffice.  In this case, Weltimmo was certainly established in Hungary.  Not only was there a representative, a bank account and contact details in Hungary, but Weltimmo pursues a real and effective activity there. 
Having determined that there is an establishment, the next question is whether the data processing takes place in connection with the activities carried out through that establishment.  Again, we see the Court referring to its reasoning in Google Spain: that the processing is not required to be 'by' the establishment, but instead the broader concept of 'in the context of' activities carried out through it. The Court found that aspect satisfied here. In so doing, it noted that the nationality of those whose data was processed is not relevant.  The analysis is all about the data controller not the data subject here.  This reasoning suggests that the applicable law could be that of Hungary but the Court directed the national court to verify the finding of facts.
The Court continued that, in the event of the application of the law of another Member State, Article 28 of the Directive would come into play.  According to that provision, each authority has the responsibility and the power to ensure compliance on that territory with data protection rules, that is, it has jurisdiction to act.  Obviously, this is different phraseology from that found in Article 4, but the Court did not address the question of what 'on the territory of its own Member State' means (which may not be clear in a digital context). Instead it held that where a complaint is referred to a national authority, it may investigate whatever the applicable law.  As the Advocate General pointed out, the powers of intervention of the supervisory authority must be exercised in compliance with the territorial sovereignty of the other Member States and respect for the rule of law, with the result that a national authority cannot impose penalties outside the territory of its own State.  In such a situation the authority should request the cooperation of the relevant national authority, as foreseen by Article 28, to ensure that the rules are enforced.
Comment
The upshot of this decision is that there is clearly no one-stop-regulation approach currently in effect.  This means that a business with operations in more than one Member State may be subject to multiple interpretations of the data protection rules.  In determining which and how many authorities have competence, the key question becomes that of 'establishment'.  While the data subjects and their nationality are not relevant, the Court has not taken a formal legal approach.  We can look at whether there are employees or a physical representation, but business practice can also be taken into account. It is significant that the Court notes the specificities of Internet businesses.  Implicitly, if the business is reaching into the territory on an on-going basis, physical representation would be unnecessary to find 'establishment'.
This approach is re-affirmed by the Court's re-iteration of its stance in Google Spain with regard to the connection between the processing and the business. The Court is taking a broad view of whether such connection will arise; arguing points based on legal form will not help here. That could have consequences for companies such as Facebook which are currently clinging to the argument that they are regulated by Ireland to try to defend claims from authorities across the EU.  On the basis of Weltimmo, that might not now be such a good argument.  This expansive scope of applicable law may also mean that the situation in Article 28(6) will occur less frequently.
Looking more generally, the reasoning in Weltimmo suggests that the Court is sticking to its stance in Google Spain, emphasising the fundamental nature of privacy and data protection and the need to interpret legal concepts broadly to ensure an adequate protection for those rights.  This trend has, of course, since been confirmed by the subsequent judgment in Schrems. It remains to be seen whether the judgment in Weltimmo has an impact upon the planned Regulation.

*This is based on a blog post previously published on the SCL Blog, and republished with kind permission

Photo credit: DC Comics; Meme: Steve Peers

Wednesday, 23 September 2015

American Mass Surveillance of EU citizens: Is the End Nigh?




Steve Peers

*This blog post is dedicated to the memory of the great privacy campaigner Caspar Bowden, who passed away recently. What a tragedy he did not live to see the developments in this case. To continue his work, you can donate to the Caspar Bowden Legacy Fund here.


A brilliant university student takes on the hidebound establishment – and ultimately wins spectacularly. That was Mark Zuckerberg, founding Facebook, in 2002. But it could be Max Schrems, taking on Zuckerberg and Facebook, in the near future – if the Court of Justice decides to follow the Advocate-General’s opinion in the Schrems case, released today.

In fact, Facebook is only a conduit in this case: Schrems’ real targets are the US government (for requiring Facebook and other Internet companies to hand over personal data to intelligence agencies), as well as the EU Commission and the Irish data protection authority for going along with this. In the Advocate-General’s opinion, the Commission’s decision to allow EU citizens’ data to be subject to mass surveillance in the US is invalid, and the national data protection authorities in the EU must investigate these flows of data and prohibit them if necessary. The case has the potential to change much of the way that American Internet giants operate, and to complicate relations between the US and the EU in this field.

Background

There’s more about the background to this litigation here, and Simon McGarr has summarised the CJEU hearing in this case here. But I’ll summarise the basics of the case again here briefly.

Max Schrems is an Austrian Facebook user who was disturbed by Edward Snowden’s revelations about mass surveillance by US intelligence agencies. Since such mass surveillance is put into effect by imposing obligations to cooperate upon Internet companies, he wanted to complain about Facebook’s transfers of his personal data to the USA. Since Facebook’s European operations are registered in Ireland, he had to bring his complaints to the Irish data protection authority.

The legal regime applicable to such transfers of personal data is the ‘Safe Harbour’ agreement between the EU and the USA, agreed in 2000 – before the creation of Facebook and some other modern Internet giants, and indeed before the 9/11 terrorist attacks which prompted the mass surveillance. This agreement was put into effect in the EU by a decision of the Commission, which used the power conferred by the EU’s current data protection Directive to declare that transfers of personal data to the USA received an ‘adequate level of protection’ there.

The primary means of enforcing the arrangement was self-certification of the companies concerned (not all transfers to the USA fall within the scope of the Safe Harbour decision), enforced by the US authorities.  But it was also possible (not mandatory) for the national data protection authorities which enforce EU data protection law to suspend transfers of personal data, if the US authorities or enforcement system have found a breach of the rules, or on the following further list of limited grounds set out in the decision:

there is a substantial likelihood that the Principles are being violated; there is a reasonable basis for believing that the enforcement mechanism concerned is not taking or will not take adequate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects; and the competent authorities in the Member State have made reasonable efforts under the circumstances to provide the organisation with notice and an opportunity to respond.

In fact, Irish law prevents the national authorities from taking up this option. So the national data protection authority effectively refused to consider Schrems’ complaint. He challenged that decision before the Irish High Court, which doubted that this system was compatible with EU law (or indeed the Irish constitution). So that court asked the CJEU to rule on whether national data protection authorities (DPAs) should have the power to prevent data transfers in cases like these.

The Opinion

The Advocate-General first of all answers the question which the Irish court asks, and then goes on to examine whether the Safe Harbour decision is in fact valid. I’ll address those two issues in turn.

In the Advocate-General’s view, national data protection authorities have to be able to consider claims that flows of personal data to third countries are not compatible with EU data protection laws, even if the Commission has adopted a decision declaring that they are. This stems from the powers and independence of those authorities, read in light of the EU Charter of Fundamental Rights, which expressly refers to DPAs’ role and independence. (On the recent CJEU case law on DPA independence, see discussion here). It’s worth noting that the new EU data protection law under negotiation, the data protection Regulation, will likely confirm and even enhance the powers and independence of DPAs. (More on that aspect of the proposed Regulation here).

On the second point, the opinion assesses whether the Safe Harbour Decision correctly decided that there was an ‘adequate level of protection’ for personal data in the USA. Crucially, it argues that this assessment is dynamic: it must take account of the protection of personal data now, not just when the Decision was adopted back in 2000.

As for the meaning of an ‘adequate level of protection’, the opinion argues that this means that third countries must ensure standards ‘essentially equivalent to that afforded by the Directive, even though the manner in which that protection is implemented may differ from that’ within the EU, due to the importance of protecting human rights within the EU. The assessment of third-country standards must examine both the content of those standards and their enforcement, which entailed ‘adequate guarantees and a sufficient control mechanism’, so there was no ‘lower level of protection than processing within the European Union’. Within the EU, the essential method of guaranteeing data protection rights was independent DPAs.

Applying these principles, the opinion accepts that personal data transferred to the USA by Facebook is subject to ‘mass and indiscriminate surveillance and interception’ by intelligence agencies, and that EU citizens have ‘no effective right to be heard’ in such cases. These findings necessarily mean that the Safe Harbour decision was invalid for breach of the Charter and the data protection Directive.

More particularly, the derogation for the national security rules of US law set out in the Safe Harbour principles was too general, and so the implementation of this derogation was ‘not limited to what is strictly necessary’. EU citizens had no remedy against breaches of the ‘purpose limitation’ principle in the US either, and there should be an ‘independent control mechanism suitable for preventing the breaches of the right to privacy’.

The opinion then assesses the dispute from the perspective of the EU Charter of Rights. It first concludes that the transfer of the personal data in question constitutes interference with the right to private life. As in last year’s Digital Rights Ireland judgment (discussed here), on the validity of the EU’s data retention directive, the interference with rights was ‘particularly serious, given the large numbers of users concerned and the quantities of data transferred’. In fact, due to the secret nature of access to the data, the interference was ‘extremely serious’. The Advocate-General was also concerned about the lack of information about the surveillance for EU citizens, and the lack of an effective remedy, which breaches Article 47 of the Charter.

However, interference with these fundamental rights can be justified according to Article 52(1) of the Charter, as long as the interference is ‘provided for by law’, ‘respect[s] the essence’ of the right, satisfies the ‘principle of proportionality’ and is ‘necessary’ to ‘genuinely meet objectives of general interest recognized by’ the EU ‘or the need to protect the rights and freedoms of others’.  

In the Advocate-General’s view, the US law does not respect the ‘essence’ of the Charter rights, since it extends to the content of the communications. (In contrast, the data collected pursuant to the data retention Directive which the CJEU struck down last year concerned only information on the use of phones and the Internet, not the content of phone calls and Facebook posts et al). On the same basis, he objected to the ‘broad wording’ of the relevant derogations on national security grounds, which did not clearly define the ‘legitimate interests’ at stake. Therefore, the derogation did not comply with the Charter, ‘since it does not pursue an objective of general interest defined with sufficient precision’. Moreover, it was too easy under the rules to escape the limitation that the derogation should only apply when ‘strictly necessary’.

Only the ‘national security’ exception was sufficiently precise to be regarded as an objective of general interest under the Charter, but it is still necessary to examine the ‘proportionality’ of the interference. This was a case (like Digital Rights Ireland) where the EU legislature’s discretion was limited, due to the importance of the rights concerned and the extent of interference with them. The opinion then focusses on whether the transfer of data is ‘strictly necessary’, and concludes that it is not: the US agencies have access to the personal data of ‘all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security’.

Crucially, the opinion concludes that ‘[s]uch mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference’ with Charter rights. The Advocate-General agreed that since the EU and the Member States cannot adopt legislation allowing for mass surveillance, non-EU countries ‘cannot in any circumstances’ be considered to ensure an ‘adequate level of protection’ of personal data if they permit it either.

Furthermore, there were not sufficient guarantees for protection of the data. Following the Digital Rights Ireland judgment, which stressed the crucial importance of such guarantees, the US system was not sufficient. The Federal Trade Commission could not examine breach of data protection laws for non-commercial purposes by government security agencies, and nor could specialist dispute resolution bodies. In general, the US lacks an independent supervisory authority, which is essential from the EU’s perspective, and the Safe Harbour decision was deficient for not requiring one to be set up. A third country cannot be considered to have ‘an adequate level of protection’ without it. Furthermore, only US citizens and residents had access to the judicial system for challenging US surveillance, and EU citizens cannot obtain remedies for access to or correction of data (among other things).  

So the Commission should have suspended the Safe Harbour decision. Its own reports suggested that the national security derogation was being breached, without sufficient safeguards for EU citizens. While the Commission is negotiating revisions to that agreement with the USA, that is not sufficient: it must be possible for the national supervisory authority to stop data transfers in the meantime.

Comments

The Advocate-General’s analysis of the first point (the requirement that DPAs must be able to stop data flows if there is a breach of EU data protection laws) is self-evidently correct. In the absence of a mechanism to hear complaints on this issue and to provide for an effective remedy, the standards set out in the Directive could too easily be breached. Having insisted that the DPAs must be fiercely independent of national governments, the CJEU should not now accept that they can be turned into the tame poodles of the Commission.

On the other hand, his analysis of the second point (the validity of the Safe Harbour Decision) is more problematic – although he clearly arrives at the correct conclusion. With respect, there are several flaws in his reasoning. Although EU law requires strong and independent DPAs within the EU to ensure data protection rights, there is more than one way to skin this particular cat. The data protection Directive notably does not expressly require that third countries have independent DPAs. While effective remedies are of course essential to ensure that data protection law (like any other law) is actually enforced in practice, those remedies do not necessarily have to entail an independent DPA. They could also be ensured by an independent judiciary. After all, Americans are a litigious bunch; Europeans could join them in the courts. But having said that, it is clear that in national security cases like this one, EU citizens have neither an administrative nor a judicial remedy worth the name in the USA. So the right to an effective remedy in the Charter has been breached; and it is self-evident that processing information from Facebook interferes with privacy rights.

Is that limitation of rights justified, however? Here the Advocate-General has muddled up several different aspects of the limitation rules. For one thing, the precision of the law limiting rights and the public interest which it seeks to protect are two separate things. In other words, the public interest does not have to be defined precisely; but the law which limits rights in order to protect the public interest has to be. So the opinion is right to say that national security is a public interest which can justify limitation of rights in principle, but it fails to undertake an examination of the precision of the rules limiting those rights. As such, it omits to examine some key questions: should the precision of the law limiting rights be assessed as regards the EU law, the US law, or both?  Should the US law be held to the same standards of clarity, foreseeability and accessibility as European states’ laws must be, according to the ECHR jurisprudence?

Next, it’s quite unconvincing to say that processing the content of communications interferes with the ‘essence’ of the privacy and data protection rights. The ECHR case law and the EU’s e-privacy directive expressly allow for interception of the content of communications in specific cases, subject to strict safeguards. So it’s those two aspects of the US law which are problematic: its nature as mass surveillance, plus the inadequate safeguards.

On these vital points, the analysis in the opinion is correct. The CJEU’s ruling in Digital Rights Ireland suggests, in my view, that mass surveillance is inherently a problem, regardless of the safeguards in place to limit its abuse. This is manifestly the Advocate-General’s approach in this case; and the USA obviously has in place mass surveillance well in excess of the EU’s data retention law. The opinion is also right to argue that EU rules banning mass surveillance apply to the Member States too, as I discuss here. But even if this interpretation is incorrect, and mass surveillance is only a problem if there are weak safeguards, then the Safe Harbour decision still violates the Charter, due to the lack of accessible safeguards for EU citizens as discussed above. Hopefully, the Court of Justice will confirm whether mass surveillance is intrinsically problematic or not: it is a key issue for Member States retaining data by way of derogation from the e-privacy Directive, for the validity of EU treaties (and EU legislation) on specific issues such as retaining passenger data (see discussion here of a pending case), and for the renegotiation of the Safe Harbour agreement itself.

This brings us neatly to the consequences of the CJEU’s forthcoming judgment (if it follows the opinion) for EU/US relations. Since the opinion is based in large part upon the EU Charter of Rights, which is primary EU law, it can’t be circumvented simply by amending the data protection Directive (on the proposed new rules on external transfers under the planned Regulation, see discussion here). Instead, the USA must, at the very least, ensure that adequate remedies for EU citizens and residents are in place in national security cases, and that either a judicial or administrative system is in place to enforce in practice all rights which are supposed to be guaranteed by the Safe Harbour certification. Facebook and others might consider moving the data processing of EU residents to the EU, but it’s hard to see how this could work for any EU resident with (for instance) Facebook friends living in the USA. Surely in such cases processing of the EU data in the USA is unavoidable.

Moreover, arguably it would not be sufficient for the forthcoming EU/US trade and investment agreement (known as ‘TTIP’) to provide for a qualified exemption for EU data protection law, along the lines of the WTO’s GATS. Only a complete immunity of EU data protection law from the TTIP – and any other EU trade and investment agreements – would be compatible with the Charter. Otherwise, companies like Facebook and Google might try to invoke the controversial investor dispute settlement system (ISDS) every time a judgment like Google Spain or (possibly) Schrems cost them money.

Barnard and Peers: chapter 9

Photo credit: www.techradar.com

Wednesday, 11 March 2015

When super-regulators fight: the ‘one-stop shop’ in the proposed Data Protection Regulation



Steve Peers

A guilty pleasure for fans of superhero comic books is the moment when our heroes pause in their valiant efforts to save the public from the nefarious plans of the supervillains – and start beating the hell out of each other instead. This is usually triggered by some trivial difference of opinion, perhaps concerning a continuity error or intellectual property rights.

Similarly, the EU vests its hopes for the effective enforcement of data protection law upon national data protection authorities (DPAs): the superheroes of the data protection world. They have considerable powers under the current data protection Directive, and the proposed Regulation would also give them more powers. But what if they disagree with each other? There’s nothing in the current legislation to settle this problem, which gives each DPA the power to regulate actions on its own territory without addressing the obvious complications that result in a digital age, when many forms of processing of personal data (most obviously via the Internet) take place across borders.  

To deal with this problem, the Commission proposal contains a conflict rule to determine who is the lead regulator in cross-border cases, with the possibility that a ‘European Data Protection Board’ or the Commission itself can issue an opinion on the issue. This has been dubbed the ‘one-stop shop’ rule. However, due to legal concerns, both the Council (which is about to adopt its position on this part of the proposed Regulation: see the draft text here), and the European Parliament (EP), which has already adopted its position on the entire text, propose instead that the Board must be able to make binding decisions to settle disputes.

So this is set to become one of the most significant innovations of the new legislation. Let’s take a look at what the future rules will likely say about the role of national DPAs, the one-stop-shop process and the powers of the Board.

National data protection authorities

The current Directive already provides for the existence of DPAs, and insists that they must exercise their powers in ‘complete independence’. CJEU case law (discussed here) has set out a very strong interpretation of this notion, ruling that Germany, Austria and Hungary breached it, because they provided for too much accountability to national parliaments (Germany), failed to separate the DPA from the ordinary civil service (Austria) and defenestrated the DPA boss before his normal term of office expired (Hungary).

The proposed Regulation would retain and elaborate upon this concept, and the Council and EP agree with most of the Commission’s suggestions. Admittedly, the DPAs have to be appointed by public authorities in the first place: after all, their powers don’t stem from being bitten by a radioactive spider, or orphaned in a bat-infested back alley. The Council would amend the proposal so that they don’t have to be appointed by the government or parliament, but could instead be appointed by the head of state or an independent body. Only the last alternative would fully ensure their independence from the outset (although who appoints the ‘independent body’?).

Three points of concern here. First, the proposal would usefully require the national DPAs to be adequately funded. That is easier said than done, for most DPAs complain of an absence of sufficient funding. For instance, the Irish DPA occupies a small office next to a corner shop – but purports to regulate (among many other things) all of Facebook’s activities in the EU.  Secondly, the Council would remove the proposed rule requiring that DPAs be independent ‘beyond doubt’ when they are appointed; but DPAs should not be a resting ground for political hacks and bagmen. Thirdly, the Council would remove most of the details concerning the loss of office of DPAs, retaining only the minimum rule of four years in office. As the termination of the Hungarian DPA showed, it’s hard to exercise your powers independently if you constantly fear that there may be Kryptonite in your coffee.

As for the powers of the DPAs, the Regulation would strengthen and elaborate upon their current advisory and enforcement roles. In particular, the current powers to investigate, intervene and engage in legal proceedings would be fleshed out, by adding powers concerning audits, access to the premises of the controller and processor, ordering compliance with a data subject’s request, the suspension of data flows, or the imposition of fines.  

But with these great powers will come only limited accountability. DPAs will have to publish an annual public report (and the EP even wants to weaken this obligation). But that’s the only way that their decisions can be controlled, unless a cross-border complication means that other DPAs, or the European Data Protection Board (a sort of uber-DPA) gain jurisdiction, as discussed below. Otherwise, the only bodies which can watch these watchmen are the courts.

Settling disputes

Although the Commission is often accused of favouring over-centralisation in the EU, its proposed model for a ‘one-stop-shop’ was highly decentralised. Where a data processor or controller was established in the EU in more than one Member State, the supervisory authority of the ‘main establishment’ would have competence to regulate all that controller’s or processor’s activity in all Member States. There would be new rules on cooperation between supervisory authorities, in particular as regards mutual assistance (each DPA would usually have to comply with requests from another DPA) and joint operations.

In several cases, however, a DPA would have had to send a draft measure to the European Data Protection Board for its opinion. In particular, this would have applied to measures regulating processing concerning ‘offering of goods or services to data subjects in several Member States, or monitoring of their behaviour’, or which would ‘substantially affect’ the free movement of data. Following the Board’s opinion, the Commission could give its opinion, and then could ultimately adopt a binding measure if necessary. A decision of any supervisory authority is enforceable in all Member States, except where that DPA breaches the consultation rules, in which case its decision isn’t valid.

However, the Council and EP both agree to strip the Commission of all dispute settlement powers, and to confer binding powers on the Board instead. In the Council’s version, the DPA of the main establishment or single establishment of the controller or processor would not be the sole authority, but only the lead supervisory authority for transnational processing. Even then, each national supervisory authority would be competent to deal with an issue which only concerned an establishment in its State, or ‘substantially affects data subjects only in’ that State, unless the lead DPA decided to step in.

There’s a complex process for trying to reach a consensus on a decision between the lead DPA and the other DPAs involved. But in the event of a dispute between them, as regards the content of a draft decision, or who is the lead DPA in the first place, or where the procedures aren’t followed, then the European Data Protection Board can adopt a binding decision.  The Council would remove the rules on enforceability and unenforceability of DPA decisions, but the EP wants to strengthen them. In the event of disputes about the Board’s decisions, the preamble sets out detailed rules on whether litigation would take place before the national or EU courts.

The European Data Protection Board

It isn’t spelled out in the main text of the proposed Regulation, but the future Board is clearly a super-powered version of the current ‘Article 29 working party’, an advisory body which is (like the future Board) made up of members of the national DPAs. That working party can give opinions on national data protection law, data protection in the EU and third countries, the amendment of the Directive and codes of conduct. It has indeed issued many such opinions, which can be found on its website. They are interesting documents which fascinate data protection specialists, but which have not yet had any direct impact on the interpretation of the law by the CJEU. In the Commission’s proposal, the working party would be renamed and it would have more advisory powers, but its essential role would not change.

However, this puny body is about to be transformed at the behest of the Council and EP, which would both confer significant powers upon it as regards dispute settlement (discussed above), along with a longer list of advisory powers. The Council would also take the logical step of defining the Board as a ‘body’ of the EU, with express legal personality.

Finally, it should be noted that the future European Data Protection Board should not be confused with the current European Data Protection Supervisor (EDPS) – although I suspect that this warning will be in vain for many years to come. The EDPS is created by separate legislation, and has the role of enforcing data protection law against the EU’s institutions and other bodies, as well as advising on the development of EU data protection law. Its role in the new Regulation will be very limited. The Commission wants it to have a seat and a deputy chair post on the Board, but the Council rejects the first suggestion (relegating the EDPS to an observer role instead) and both the Council and the EP reject the second one. The EDPS will provide the Board’s secretariat, but the Council wants to build a firewall between the two administrations. In effect, while both the Board and the EDPS will have a significant role in the EU’s data protection architecture, there will be almost no crossover between them – rather like comic books produced by competing publishers.

Conclusion

It is certainly necessary for the EU to ensure that DPAs have effective powers to ensure the application of data protection law. Although it will still be possible for individuals to bring legal action directly against data processors or controllers (under other parts of the Regulation, which the Council has not yet agreed), DPAs remain the principal method of enforcing the rules. However, the draft legislation does not fully address the key practical question of ensuring sufficient resources for DPAs, and there is also not enough protection against dismissal or for the initial independence of DPA staff in the Council’s draft position.

As for settlement of disputes, the Commission’s idea of a lead DPA having full jurisdiction was fairly attractive, although apparently it was torpedoed by the objections of the Council’s legal service. The replacement system is comparatively convoluted, and it has one key weakness – the absence of procedural rights for the original complainant before the Board. Also, it leaves intact greater possibilities of multiple DPAs acting as regards the same data processor or controller, with resulting greater complications for data subjects, DPAs and data processors and controllers alike. It will probably take some time (and possibly even litigation) before the new system will be working effectively. Furthermore, the Council’s removal of the rules about the unenforceability of DPA decisions which are taken in contravention of the rules could lead to complications in the event of rebellious DPAs. Finally, the existence of parallel bodies with similar names (the Board and the EDPS) may be unavoidable, but it is unlikely to help public understanding of the EU’s data protection system.