The European Data Protection Board (EDPB) has published a report (Report) assessing the implementation and enforcement of the General Data Protection Regulation (EU) 2016/679 (GDPR). The Report focusses on how the cooperation and consistency mechanisms are being used by EU supervisory authorities (SAs).
Where cases involve cross-border processing, SAs cooperate through:
- Mutual assistance;
- Joint operations; and/or
- The one-stop shop mechanism.
Communication between SAs runs through the Internal Market Information system (IMI), an IT system that provides confidential and structured communication channels between them.
At the initial stages of a cross-border case, it is necessary for a lead SA to be determined. Cross-border cases may involve:
- A controller or processor who has an establishment in more than one Member State; or
- Data processing affecting individuals in more than one Member State.
The lead SA will lead the cooperation procedure among SAs and draft the initial enforcement decision. This will then be reviewed by other relevant SAs. For the data controller or processor, the lead SA will be its point of contact in relation to investigation and enforcement.
If there is a dispute about which SA should lead, the EDPB can issue a binding decision. At the date of publication of the Report, the EDPB has yet to exercise its dispute resolution function.
Forty-five one-stop shop procedures have been initiated since GDPR came into force. The EDPB believes that the limited number may be due to draft decisions being subject to national administrative procedural laws. The EDPB has recently seen the rate of starting one-stop shop procedures increase.
Often useful in one-stop shop procedures, mutual assistance allows for the provision of information and ‘any other measures for effective cooperation’ between SAs. IMI sets a response deadline of one month where mutual assistance is formally requested. The majority of mutual assistance requests have seen answers returned within 23 days, whether formal or informal.
GDPR also allows SAs to carry out joint operations and enforcement measures, and these too can be employed within the one-stop shop procedure. However, to date, no joint operations have been initiated.
One of the key responsibilities of the EDPB is to ensure consistent application of GDPR across the EU. This has taken the form of publishing general guidelines and reports. However, the EDPB may at times be required to adopt consistency opinions and decisions to inform the decision of an SA at the national level. These opinions can be requested by the SA directly, or by the European Commission where the matter will affect more than one Member State. Since the coming into force of GDPR, the EDPB has adopted 29 opinions, with three procedures ongoing.
GDPR at the national level
SAs have received 206,326 cases in the nine months since GDPR came into force. The majority of these have been complaints, with the second largest category being data breach notifications by controllers. SAs have also reported a general shortfall in budget and staffing. SAs expect an increase in the number of cases they will have to deal with this year.
The Report offers an interesting snapshot of how GDPR is bedding down across the EU. The limited time between the coming into force of GDPR and the Report’s publication means that data for some elements of assessment is limited. However, the EDPB has been clear that in certain areas, such as its role as a dispute resolution body, more intervention will be required. After an eventful initial nine months of GDPR, the next 12 promise to be just as interesting. Make sure to keep an eye on Technology Law Dispatch over the next year to keep fully up to date!