On 8 October 2020, the European Data Protection Board (EDPB) published new guidelines on relevant and reasoned objection under the General Data Protection Regulation (GDPR). The guidelines cover the cooperation and consistency provisions set out in Chapter VII of the GDPR, under which supervisory authorities have a duty to exchange all relevant information with each other and cooperate in an endeavor to reach consensus when they coordinate investigations that cross borders in the European Union (EU).
Under Article 60 of the GDPR, the lead supervisory authority (LSA) is required to submit draft decisions to the concerned supervisory authorities, who may then raise a “relevant and reasoned objection” to the LSA within a specific timeframe of four weeks. On review of the relevant and reasoned objection, the LSA can either follow the suggestions of the concerned supervisory authorities and produce a revised draft decision, or disagree with the objections and submit the matter to the EDPB for consideration under the GDPR’s consistency mechanism.
The guidelines seek to establish a common understanding of the meaning of “relevant and reasoned” objections, including what should be taken into consideration when assessing whether an objection clearly demonstrates the significance of the risks posed by the draft decision.
For an objection to be considered as “relevant,” there must be a direct connection between the objection and the specific legal and factual context of the draft decision. Additionally, the objection must relate to an infringement of the GDPR or whether the proposed decision in relation to the controller or processor complies with the GDPR. The EDPB also noted that abstract or broad comments or objections and minor disagreements regarding the wording or legal reasoning unrelated to a probable infringement of the GDPR or the envisaged action against the controller or processor are not relevant.
For an objection to be “reasoned,” it must include clarifications and arguments regarding the proposed amendment (either factual or legal mistakes of the draft decision). It also needs to demonstrate how the proposed changes would lead to a different conclusion as to whether there is an infringement of the GDPR or whether the action in relation to the controller or processor complies with the GDPR. The EDPB stated that concerned supervisory authorities should include in their arguments references to the legislation they are basing their objections on (for example, EU law, national laws, guidelines, case law) or facts, if applicable.
The EDPB has also provided practical examples of the above factors to assist supervisory authorities.
So far, the supervisory authorities have been able to reach consensus on cross-border investigation cases through the cooperation mechanism, and the EDPB did not have to use its powers under Article 65 of the GDPR to issue binding decisions to allow for the correct and consistent application of the GDPR. In fact the EDPB is using it now for the first time.
The guidelines clarify and establish a common interpretation of the concepts of “relevant and reasoned” we well as provide a good explanation of the factors that the EDPB will be looking at when considering relevant and reasoned objections. This will be helpful for those supervisory authorities who wish to raise objections to the LSA decisions.
The guidelines are open for consultation until 24 November 2020, and comments can be submitted here. Keep an eye on this blog for future updates!