During an Article 29 Working Party (WP29) press conference on 7 February 2018, the outgoing chair and French privacy chief, Isabelle Falque-Pierrotin, expressed concerns that EU data protection authorities (DPAs) may not be able to enforce the General Data Protection Regulation (GDPR) effectively and in a unified manner in accordance with the consistency mechanism, by 25 May 2018.
On 25 May 2018, the WP29 will be replaced by the European Data Protection Board (EDPB), which will invoke the consistency mechanism to streamline the enforcement of data protection laws throughout the region. According to Falque-Pierrotin, 26 of the 28 EU member states (with Germany and Austria being the exceptions) are yet to align their national laws with the GDPR. This is concerning because if one member state’s supervisory authority is unable to take part in the consistency mechanism, the whole system of regulation and enforcement under the GDPR could be undermined.
DPAs are responsible for enforcing data protection laws at the national level, and provide guidance on the interpretation of those laws. To ensure the consistent application of the GDPR, DPAs in each member state should cooperate through the consistency mechanism (GDPR, article 63). The consistency mechanism kicks in when a DPA makes a decision affecting data processing across multiple members states that would substantially impact a significant number of data subjects, i.e., legal effects relating to data processing operations (GDPR, recital 135). This decision must be notified to the EDPB, which would then produce an opinion on the decision within eight weeks (extending to 14 weeks for complex cases).
The consistency mechanism is also known as the ‘one-stop shop’. However, the GDPR is a wide-ranging legislative instrument, covering often divergent regulatory regimes, so transitioning to a one-size-fits-all regulatory approach will be difficult.
There is some concern, as evidenced in the recent WP29 press conference, that DPAs and the EDPB will not be able to regulate trans-border data protection law issues effectively, if member states do not pass the necessary national GDPR-implementing legislation in time. However, given the strong operational and political pressures to have GDPR-mandated data protection laws in force by 25 May 2018, there is likely to be much more movement on this issue over the next couple of months.