The year 2016 came to an end and people are turning their heads towards 2017 with new energy and hope. And as we all know there is significant change on the horizon of European data protection. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; GDPR), is slowly yet unavoidably approaching. It won’t get here quite yet in 2017 but that doesn’t mean this upcoming year will be less important for that. On the contrary, we are facing a year of important decisions and tests. How Europe manages to handle these tasks will have a direct influence on the future of data protection under the GDPR.
In order to prepare data protection authorities (DPAs) for the upcoming changes, the Article 29 Working Party (WP29) has been keeping busy, creating guidelines and FAQs that will aid DPAs during the transition. During the December 2016 plenary meeting, WP29 discussed certain critical matters with regard to the implementation of the GDPR and, consistent with its 2016 Action Plan decided in February 2016, adopted the following:
- Guidelines on the right to data portability (WP 242),
- Guidelines for identifying a controller or processor’s lead supervisory authority (WP 244), and
- Guidelines on Data Protection Officers (DPOs) (WP 243).
As the PHAEDRA project’s main goal is to identify, develop and recommend measures for improving practical co-operation among EU DPAs, we believe that the abovementioned guidelines are worth summarising. However, since the issues of DPOs as well as data portability don’t relate so directly to DPA co-operation, we’ll skip them in the following article.
Lead Supervisory Authority
One of the key topics discussed and agreed upon by the WP29 is the issue of cross-border processing of personal data in connection with identifying a lead supervisory authority. As Article 4(23) GDPR clearly states, there are two scenarios in which we’ll be dealing with ‘cross-border processing’. Out of these two cases, one’s “cross-border” character is based on the vague term “substantially affects”.
A question may arise – what does the Regulation mean by “substantially affects”? We won’t find a direct answer in the text of the GDPR so, according to the Opinion WP 244, DPAs will have to determine this on a case-by-case basis. The intention of the wording was to ensure that not all processing activities, with any effect and that take place within the context of a single establishment, fall within the definition of “cross-border processing”. But if we look at a general definition of the word “affect”, we’ll see that there must be influence, that the data processing must impact someone in some way, and that impact must be of a “substantial” nature.
So once we establish that we are in fact dealing with cross-border processing, it is mandatory to identify the lead supervisory authority.
Ok, so why do we need this lead supervisory authority? To put it in simple terms, a ‘lead supervisory authority’ is the authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data and the controller/processor is established in more than one EU Member State. The lead supervisory authority will coordinate any investigation, involving other supervisory authorities, according to the consistency mechanism.
Although Article 56 GDPR gives means of determining the lead supervisory authority, often things won’t be so clear and it might be up to data controllers to establish clearly where decisions on the purposes and means of personal data processing activities are being made, thus allowing the lead authority to be appointed. The process of determining where the main establishment is may require active inquiry and co-operation by the supervisory authorities. Conclusions cannot be based solely on statements by the organization under review. The burden of proof ultimately falls on controllers and processors. They should be able to demonstrate to supervisory authorities where decisions about data processing are actually taken and implemented. Effective records of data processing activity would help both organizations and supervisory authorities to determine the lead authority.
One may ask: what about the other DPAs? Are they excluded from any operations once the lead supervisory authority is established? Well no, quite the contrary. As Article 4(22) GDPR states, other supervisory authorities can be “concerned”. The concept of a concerned supervisory authority is meant to ensure that the ‘lead authority’ model does not prevent other supervisory authorities from having a say in how a matter is dealt with when, for example, individuals residing outside the lead authority’s jurisdiction are substantially affected by a data processing activity.
The GDPR requires lead and concerned supervisory authorities to co-operate, with due respect for each other’s views, to ensure a matter is investigated and resolved to each authority’s satisfaction – and with an effective remedy for data subjects. Supervisory authorities should endeavor to reach a mutually acceptable course of action. The formal consistency mechanism should only be invoked where co-operation does not reach a mutually acceptable outcome.
Mutual acceptance of decisions can apply to substantive conclusions, but also to the course of action decided upon, including enforcement activity (e.g. full investigation, investigation with limited scope, a warning or a press statement). It can also apply to a decision not to handle a case in accordance with GDPR, for example because of a formal policy of prioritisation, or because there are other concerned authorities as described above. The development of consensus and good will between supervisory authorities is essential to the success of the GDPR co-operation and consistency process.
To summarise this post, we would like to point out that although the GDPR creates a framework for co-operation and goals which are to be achieved, success depends solely on the DPAs’ co-operation. With further guidelines from WP29 and enough time to implement them, the GDPR can have a positive impact on data protection in Europe. We will closely follow the WP29’s work and assist DPAs in their difficult task.