Among the significant changes it will bring about, the GDPR includes detailed rules for Data Protection Authorities (DPAs) to adopt consistent approaches and interact more regularly and effectively with one another. To this end, the newly founded European Data Protection Board (EDPB) will play a key role in overseeing the consistency mechanism created by GDPR. However, DPAs will need time and adequate resources to adjust to it, and its adoption will not be without initial glitches. Assembly’s Privacy and Data Protection Tracker shows there are still striking differences in funding and staff across DPAs.
The European Data Protection Board will ensure consistency, but may not be fully functional from the outset
The entry into force of GDPR will also mean the start of activities for a new body created by the Regulation. It is the European Data Protection Board, which will be made up of the head of each DPA and of the European Data Protection Supervisor, or their representatives. The EDPB will be an independent body, with its own legal personality. Most of the EDPB’s decisions will be taken by a simple majority; this signals the intention to give the EDPB effective decisive powers, thereby limiting DPAs’ ability to veto the board’s decisions.
The EDPB will replace the current Article 29 Working Party, which groups together DPAs of all EU member states, and will have much wider powers compared to the Working Party. Crucially, it will play a key role in the functioning of the “consistency mechanism” envisaged by GDPR, which will ensure a coordinated approach across the EU in applying the Regulation, and will facilitate interaction between the different DPAs. With the inevitable differences, the EDPB will monitor and influence DPAs’ activities much like the EC makes sure telecoms regulators review regulated markets according to a consistent set of criteria. It will scrutinise DPAs’ decisions to ensure they decide based on the same criteria, and will also make binding decisions on disputes between DPAs.
The EDPB will start its activities on 25th May, when GDPR will come into force. Article 29 WP appointed the head of EDPB in February 2018; it chose Andrea Jelinek, current head of Austria’s DPA, as the chairwoman. However, there are doubts as to whether the EDPB will be able to function fully from the outset, as most member states have not yet passed legislation to complement GDPR which, among other provisions, should designate a country’s representative in the EDPB.
Establishing a lead authority will not always be a straightforward exercise
One of the key points of the GDPR relates to the establishment of a “lead authority” for cross-border processing of personal data. This is generally the authority of the country where a business has its “main establishment”, although exceptions can occur to this principle.
Article 29 WP adopted guidelines on the Lead Supervisory Authority. These set out the criteria through which a Lead Authority is identified, and provide examples where there can be more than one lead authority. This can occur when a company’s decisions about purposes and means of a processing activity are made elsewhere; companies will have to identify precisely where these decisions are taken, in order to deal with the right DPA. For example, if a bank takes insurance-related processing decisions in a place other than where it takes banking-related processing decisions, these activities will be subject to two different lead authorities.
Even in the guidelines, Article 29 WP admits that borderline cases are likely to arise in many circumstances. This is particularly likely to happen when a controller has establishments in several EU states, without any of them being the main one. However, the regulator’s intention is not to allow “forum shopping” by letting a company decide which is the lead DPA. The affected authorities, and potentially the EDPB, will decide based on evidence; the burden of proof will fall on data controllers.
It is worth noting that companies without any establishment in the EU are not subject to the consistency mechanism and cannot benefit from the “one-stop-shop” principle. They will have to deal with DPAs in every EU state in which they are active.
DPAs will need more power and funding, and will have to interact more with one another
Despite the timely setting up of the EDPB, and the presence of guidelines around the establishment of lead authorities, the level of coordination GDPR aims to establish will not come overnight. Not only will DPAs have to communicate with one another much more frequently and effectively in cases involving parties in more than one country; they will also have to be given new powers by legislators, and be awarded adequate resources.
Article 52 of the GDPR requires national legislators to ensure DPAs are independent. This requires legislation to minimise the risk of external influence, including political influence; accordingly, means of funding and financial control shall also not affect the DPA’s independence. While some DPAs are already granted formal independence, under the GDPR their members’ mandate cannot be shorter than four years; the Regulation leaves each state to decide whether members can be eligible for reappointment.
Assembly’s Privacy and Data Protection Tracker found that, among the EU5 and Ireland, only Germany has already finalised legislation implementing GDPR. All other countries covered have draft legislation under discussion, though they are unlikely to be ready by 25th May. DPAs’ funding also currently varies significantly across those countries.