The Future of One Stop Shop: Part 1
GDPR Enforcement and Procedural Fairness examined by the EDPB, EDPS and European Commission
Administrative fines may have been the headline when the GDPR became effective in May 2018; however, recent focus has shifted to who is imposing the fines. Lead supervisory authorities (“LSAs”) are responsible for supervising the cross-border processing of entities that have their “main establishment” in the supervisory authority’s jurisdiction and, ultimately, for taking enforcement actions against those entities for infringements. The financial impact of enforcement under the GDPR is becoming significant, with over €1.5 billion of fines issued by the Data Protection Commission, a leading LSA, in the first half of 2023 alone.
Recent commentary has come from the European Data Protection Board, the European Data Protection Supervisor and the European Commission on the procedural framework that supports the enforcement of the GDPR across the EU with the potential for an interesting reshaping of the roles played by LSAs, Concerned Supervisory Authorities (“CSAs”) and the parties to enforcement proceedings themselves.
In this briefing, the first of a two-part series on the future of one stop shop, we look at the significance of this recent commentary for the role of the LSA.
In May 2023, the EDPB adopted Guidelines 03/2021 on the application of Article 65(1)(a) GDPR (version 2.0), which set out its views on the process for its decision-making where there is disagreement between a lead supervisory authority and a concerned supervisory authority on a draft enforcement decision (the “EDPB Guidelines”). Shortly after, on 4 July 2023, the European Commission published a proposal for a regulation laying down additional procedural rules relating to the enforcement of the GDPR (the “Commission Proposal”). Last week the EDPB and EDPS issued a joint opinion welcoming the proposed regulation and calling for it to be adopted in a timely fashion, noting this as being of “paramount importance” to improving the efficiency and consistency of GDPR enforcement (the “Joint Opinion”).
Some common themes emerge across the EDPB Guidelines and the Commission Proposal, which are drawn out in the Joint Opinion, with the following being notable areas of overlap.
Right to be Heard
Both the EDPB Guidelines and the Commission Proposal discuss the procedural rights of affected parties.
The EDPB Guidelines note the right to be heard in particular. The EDPB indicates that this right applies in administrative proceedings whose outcome is likely to affect a person’s interests. As a corollary, the EDPB states that this could involve the EDPB hearing from parties who will be adversely affected by a decision under Article 65(1)(a) GDPR, and that accommodation of this right is an “essential element of the procedure, in the absence of which the dispute cannot be settled by the EDPB”.
The Commission Proposal notes the need for harmonisation of the procedural rights of parties, as presently the procedural rights of parties under investigation vary substantially across the Member States. In particular, the Commission notes elements of these rights that should be harmonised by the proposed regulation. The Joint Opinion welcomes these changes and seeks even greater clarity in the proposed regulation. On the right to be heard, the Commission notes a lack of clarity around when parties have a right to be heard under the Article 65(1) GDPR procedure in particular, identifying this as an area that renders findings of the EDPB under this mechanism more vulnerable to challenge. In order to address this issue, the Commission Proposal would provide a right for affected parties to be heard at key procedural stages, including, in certain circumstances, where a draft decision has been revised by the LSA to incorporate CSA feedback under Article 60(5) GDPR, and prior to the adoption of a binding decision by the EDPB under Article 65(1)(a) GDPR.
Completeness of File prior to EDPB Decision
The completeness of an investigation file is another area where the EDPB Guidelines and Commission Proposal both have points to raise.
In the EDPB Guidelines, the EDPB notes the need for the file to be complete. The guidelines note in particular that while the LSA is responsible for ensuring that the file is complete and for submitting all relevant information to the EDPB, the EDPB can request additional information from the LSA and/or CSAs. The guidelines note that such requests will relate to the completeness of the file and do not imply any judgment regarding the merit of objections or the subject matter referred to the EDPB.
In the Commission Proposal, again with the aim of streamlining procedure, the proposed regulation prescribes requirements for the information the LSA must submit to the EDPB when referring a matter for dispute resolution. This includes the draft decision, a summary of relevant facts, the views of the parties under investigation and the complainant, and any relevant and reasoned objections from CSAs not followed by the LSA, along with an explanation from the LSA of why those objections were either not followed or not considered to be relevant or reasoned. Notably, the Joint Opinion urges legislators to go further and provide for exhaustive harmonisation of admissibility requirements, in particular to pre-empt conflicting national requirements.
Relevant and Reasoned Objections from Concerned Supervisory Authorities
Under the Article 60 GDPR cooperation process, CSAs can make relevant and reasoned objections (“RROs”) to a draft decision of the LSA. Where the LSA has rejected the objections or does not consider them to be relevant or reasoned, the EDPB has competence to adopt a binding decision under Article 65(1)(a) GDPR.
In the EDPB Guidelines, the EDPB notes that RROs set the parameters of its competence to adopt binding decisions and clarifies its understanding of this threshold. It notes the definition of ‘relevant and reasoned objection’ under Article 4(24) GDPR, namely an objection that (a) relates to whether there is an infringement of the GDPR or (b) relates to whether the envisaged action in relation to the subject of the decision complies with the GDPR, and which clearly demonstrates the significance of the risks posed by the draft decision to the rights of data subjects and/or the free flow of data in the EU. The EDPB indicates that it will consider whether each element of this definition has been met and that it will not take a position on the merits of any substantive issues raised by objections that do not meet this threshold.
The Commission Proposal also addresses RROs and envisages these as one area where the enforcement process could be streamlined. The proposal sets out detailed requirements for the form and structure of these objections, with the aim of facilitating the effective participation of all CSAs and the swift resolution of cases. Notably, the Joint Opinion takes issue with the envisaged scope of RROs, seeing it as unduly narrow, and urges that these provisions be removed from the proposed regulation.
Interestingly, RROs are not the only process that the Commission Proposal targets for streamlining. The proposal sets out new requirements that would oblige LSAs to share “relevant information” with CSAs at an earlier stage in the investigation process. Article 9 of the proposal requires the LSA to share a summary of key issues with CSAs once it has formed a “preliminary view on the main issues in an investigation”, while Article 8 requires the LSA to regularly update CSAs “at the earliest convenience” with information that may include the opening of an investigation, the envisaged rejection of a complaint, preliminary findings, and the responses of the parties under investigation to those findings.
Lead in Name Only?
A unifying theme across the EDPB Guidelines, the Commission Proposal and the Joint Opinion is the centralisation of enforcement via the cooperation of all supervisory authorities and the decision-making power of the EDPB. Centralisation as an approach aligns with the enforcement framework of new regulations including the Digital Services Act, under which the European Commission directly regulates VLOPs and VLOSEs. This role will be examined in Part 2 of this series. While centralised enforcement can lead to efficiencies and streamlining, a potential cost is the LSA’s substantive lead role in enforcement matters. The changes contemplated in the Commission Proposal appear to share this substantive effort between the LSA and CSAs, with a potential result being that the LSA remains the lead on an enforcement action in administrative matters only.