A guilty pleasure for fans of superhero comic books is the moment when our heroes pause in their valiant efforts to save the public from the nefarious plans of the supervillains – and start beating the hell out of each other instead. This is usually triggered by some trivial difference of opinion, perhaps concerning a continuity error or intellectual property rights.
Similarly, the EU vests its hopes for the effective enforcement of data protection law upon national data protection authorities (DPAs): the superheroes of the data protection world. They have considerable powers under the current data protection Directive, and the proposed Regulation would also give them more powers. But what if they disagree with each other? There’s nothing in the current legislation to settle this problem, which gives each DPA the power to regulate actions on its own territory without addressing the obvious complications that result in a digital age, when many forms of processing of personal data (most obviously via the Internet) take place across borders.
To deal with this problem, the Commission proposal contains a conflict rule to determine who is the lead regulator in cross-border cases, with the possibility that a ‘European Data Protection Board’ or the Commission itself can issue an opinion on the issue. This has been dubbed the ‘one-stop shop’ rule. However, due to legal concerns, both the Council (which is about to adopt its position on this part of the proposed Regulation: see the draft text here), and the European Parliament (EP), which has already adopted its position on the entire text, propose instead that the Board must be able to make binding decisions to settle disputes.
So this is set to become one of the most significant innovations of the new legislation. Let’s take a look at what the future rules will likely say about the role of national DPAs, the one-stop-shop process and the powers of the Board.
National data protection authorities
The current Directive already provides for the existence of DPAs, and insists that they must exercise their powers in ‘complete independence’. CJEU case law (discussed here) has set out a very strong interpretation of this notion, ruling that Germany, Austria and Hungary breached it, because they provided for too much accountability to national parliaments (Germany), failed to separate the DPA from the ordinary civil service (Austria) and defenestrated the DPA boss before his normal term of office expired (Hungary).
The proposed Regulation would retain and elaborate upon this concept, and the Council and EP agree with most of the Commission’s suggestions. Admittedly, the DPAs have to be appointed by public authorities in the first place: after all, their powers don’t stem from being bitten by a radioactive spider, or orphaned in a bat-infested back alley. The Council would amend the proposal so that they don’t have to be appointed by the government or parliament, but could instead be appointed by the head of state or independent body. Only the last alternative would fully ensure their independence from the outset (although who appoints the ‘independent body’?)
Three points of concern here. First, the proposal would usefully require the national DPAs to be adequately funded. That is easier said than done, for most DPAs complain of an absence of sufficient funding. For instance, the Irish DPA occupies a small office next to a corner shop – but purports to regulate (among many other things) all of Facebook’s activities in the EU. Secondly, the Council would remove the proposed rule requiring that DPAs be independent ‘beyond doubt’ when they are appointed; but DPAs should not be a resting ground for political hacks and bagmen. Thirdly, the Council would remove most of the details concerning the loss of office of DPAs, retaining only the minimum rule of four years in office. As the termination of the Hungarian DPA showed, it’s hard to exercise your powers independently if you constantly fear that there may be Kryptonite in your coffee.
As for the powers of the DPAs, the Regulation would strengthen and elaborate upon their current advisory and enforcement roles. In particular, the current powers to investigate, intervene and engage in legal proceedings would be fleshed out, by adding powers concerning audits, access to the premises of the controller and processor, ordering compliance with a data subject’s request, the suspension of data flows, or the imposition of fines.
But with these great powers will come only limited accountability. DPAs will have to publish an annual public report (and the EP even wants to weaken this obligation). But that’s the only way that their decisions can be controlled, unless a cross-border complication means that other DPAs, or the European Data Protection Board (a sort of uber-DPA) gain jurisdiction, as discussed below. Otherwise, the only bodies which can watch these watchmen are the courts.
Although the Commission is often accused of favouring over-centralisation in the EU, its proposed model for a ‘one-stop-shop’ was highly decentralised. Where a data processor or controller was established in the EU in more than one Member State, the supervisory authority of the ‘main establishment’ would have competence to regulate all that controller’s or processor’s activity in all Member States. There would be new rules on cooperation between supervisory authorities, in particular as regards mutual assistance (each DPA would usually have to comply with requests from another DPA) and joint operations.
In several cases, however, a DPA would have had to send a draft measure to the European Data Protection Board for its opinion. In particular, this would have applied to measures regulating processing concerning ‘offering of goods or services to data subjects in several Member States, or monitoring of their behaviour’, or which would ‘substantially affect’ the free movement of data. Following the Board’s opinion, the Commission could give its opinion, and then could ultimately adopt a binding measure if necessary. A decision of any supervisory authority is enforceable in all Member States, except where that DPA breaches the consultation rules, in which case its decision isn’t valid.
However, the Council and EP both agree to strip the Commission of all dispute settlement powers, and to confer binding powers on the Board instead. In the Council’s version, the DPA of the main establishment or single establishment of the controller or processor would not be the sole authority, but only the lead supervisory authority for transnational processing. Even then, each national supervisory authority would be competent to deal with an issue which only concerned an establishment in its State, or ‘substantially affects data subjects only in’ that State, unless the lead DPA decided to step in.
There’s a complex process for trying to reach a consensus on a decision between the lead DPA and the other DPAs involved. But in the event of a dispute between them, as regards the content of a draft decision, or who is the lead DPA in the first place, or where the procedures aren’t followed, then the European Data Protection Board can adopt a binding decision. The Council would remove the rules on enforceability and unenforceability of DPA decisions, but the EP wants to strengthen them. In the event of disputes about the Board’s decisions, the preamble sets out detailed rules on whether litigation would take place before the national or EU courts.
The European Data Protection Board
It isn’t spelled out in the main text of the proposed Regulation, but the future Board is clearly a super-powered version of the current ‘Article 29 working party’, an advisory body which is (like the future Board) made up of members of the national DPAs. That working party can give opinions on national data protection law, data protection in the EU and third countries, the amendment of the Directive and codes of conduct. It has indeed issued many such opinions, which can be found on its website. They are interesting documents which fascinate data protection specialists, but which have not yet had any direct impact on the interpretation of the law by the CJEU. In the Commission’s proposal, the working party would be renamed and it would have more advisory powers, but its essential role would not change.
However, this puny body is about to be transformed at the behest of the Council and EP, which would both confer significant powers upon it as regards dispute settlement (discussed above), along with a longer list of advisory powers. The Council would also take the logical step of defining the Board as a ‘body’ of the EU, with express legal personality.
Finally, it should be noted that the future European Data Protection Board should not be confused with the current European Data Protection Supervisor (EDPS) – although I suspect that this warning will be in vain for many years to come. The EDPS is created by separate legislation, and has the role of enforcing data protection law against the EU’s institutions and other bodies, as well as advising on the development of EU data protection law. Its role in the new Regulation will be very limited. The Commission wants it to have a seat and a deputy chair post on the Board, but the Council rejects the first suggestion (relegating the EDPS to an observer role instead) and both the Council and the EP reject the second one. The EDPS will provide the Board’s secretariat, but the Council wants to build a firewall between the two administrations. In effect, while both the Board and the EDPS will have a significant role in the EU’s data protection architecture, there will be almost no crossover between them – rather like comic books produced by competing publishers.
It is certainly necessary for the EU to ensure that DPAs have effective powers to ensure the application of data protection law. Although it will still be possible for individuals to bring legal action directly against data processors or controllers (under other parts of the Regulation, which the Council has not yet agreed), DPAs remain the principal method of enforcing the rules. However, the draft legislation does not fully address the key practical question of sufficient ensuring resources for DPAs, and there is also not enough protection against dismissal or for the initial independence of DPA staff in the Council’s draft position.
As for settlement of disputes, the Commission’s idea of a lead DPA having full jurisdiction was fairly attractive, although apparently it was torpedoed by the objections of the Council’s legal service. The replacement system is comparatively convoluted, and it has one key weakness – the absence of procedural rights for the original complainant before the Board. Also, it leaves intact greater possibilities of multiple DPAs acting as regards the same data processor or controller, with resulting greater complications for data subjects, DPAs and data processors and controllers alike. It will probably take some time (and possibly even litigation) before the new system will be working effectively. Furthermore, the Council’s removal of the rules about the unenforceability of DPA decisions which are taken in contravention of the rules could lead to complications in the event of rebellious DPAs. Finally, the existence of parallel bodies with similar names (the Board and the EDPS) may be unavoidable, but it unlikely to help public understanding of the EU’s data protection system.