It is over three years since the European Commission published a package of proposals to reform EU data protection law. This package included a draft General Data Protection Regulation (GDPR), intended to replace the current patchwork of Member State laws implementing the data protection Directive 95/46/EC with a single law having direct effect.
A key driver behind the reform process has been the desire for greater clarity and consistency of regulation of data protection across Europe, thereby aligning the law with the broader objectives of a single European market. In a Commission press release published at the time, the then EU Justice Minister, Viviane Reding, pointed to how "a strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation."
The Commission proposal
One of the key ways in which the Commission's draft of the GDPR sought to deliver uniformity was by allocating responsibility for the supervision of data controllers or data processors established in more than one Member State to the Data Protection Authority (DPA) in the location of the controller's or processor's "main establishment". This concept, more commonly known as the 'one stop shop', would do away with the approach in the current data protection framework, where organisations are answerable to the DPAs of each EU country in which they are established.
To ensure uniform application of the law across all Member States, the 'one stop shop' concept would be supported by a requirement that DPAs cooperate with one another and with the Commission through a consistency mechanism. Under the current data protection framework there can be an element of an 'all pile on' approach to enforcement where different EU regulatory authorities can, and often do, separately investigate and enforce the same compliance issue against a business. This can lead to businesses being sucked onto a merry-go-round of regulatory authority inspections and sanctions.
The objectives behind the 'one stop shop' concept and the supporting consistency process were, therefore, broadly to be welcomed. However, the journey to mould these legislative objectives into a workable mechanism is proving to be anything but straightforward.
Points of concern
Questions about the effectiveness of the original 'one stop shop' concept were soon to emerge. In particular:
- Could the provision that the DPA of the main establishment of a business has competence lead to forum shopping, with multinational businesses choosing to set up their European base in countries where the DPA is seen as having a history of weak data protection enforcement?
- Could the proposed 'one stop shop' approach make it harder for data subjects in different countries to exercise their rights or get an effective remedy if individuals had a lack of proximity to the competent DPA?
- Had the Commission envisaged too overarching a role for itself in the operation of the consistency mechanism? Under the mechanism it was proposed that draft decisions of a DPA in one Member State that may also affect data subjects in another Member State should be reported to the Commission and to the independent European Data Protection Board (EDPB) (whose membership comprises the heads of the DPAs of the Member States). The EDPB, at the request of the authority, on its own initiative, or at the request of the Commission, would issue an opinion within one month of the referral on the DPA's proposed approach. The Commission, in addition to having powers to require opinions from the EDPB, could also oblige DPAs to make changes to proposed measures and ultimately suspend the implementation by that authority of those measures for up to 12 months.
The European Parliament approach
The preferred approach of the European Parliament in relation to the 'one stop shop' concept and the consistency mechanism was to move away from the suggestion of any sole competence of a DPA.
The Parliament's version of the GDPR retained the concept of a lead authority taking legal measures, but introduced a new requirement that the lead authority reach decisions in coordination and consultation with other affected authorities (e.g. those of Member States whose residents are also affected by the processing), taking the utmost account of their opinions before implementing a measure. Individuals would also be able to lodge complaints with their local DPA, and it would be for the lead authority to coordinate with these other authorities.
The European Parliament approach also removed the overarching role of the Commission as the final decision-making body over the consistency mechanism, shifting the role of arbiter to the EDPB.
Contention within the Council of Ministers
The most heated debates on the 'one stop shop' concept and the supporting consistency mechanism were to be found within the Council of the Justice Ministers of the Member States.
In particular, the question of whether the 'one stop shop' was lawful was resurrected when the Head of the Council's legal service deemed it a "very bad outcome" for EU citizens, and potentially a breach of their human rights, if the 'one stop shop' obstructed the effective exercise of their rights (including the financial and language barriers that trying to file complaints in another jurisdiction may present).
There followed a protracted period of negotiation in which proposals and counter-proposals on a reworked structure for the 'one stop shop' concept and consistency mechanism were put forward by different presidencies of the Council, only for these to be rejected as insufficient or unworkable. The Council's final agreed general approach significantly limits the 'one stop shop' to cases that substantially affect data subjects in more than one Member State, and even then subjects it to detailed criteria for consultation, cooperation and mutual decision making between the lead authority and other concerned authorities. This model seeks to be balanced and fair to all, including to data subjects, who would be able to get their complaints handled closer to home.
The complex model is summarised below:
- Each DPA is competent in the country of its own Member State to enforce the GDPR.
- Where the processing by a controller or processor is in the context of an establishment in more than one Member State, or a single establishment and substantially affects or is likely to substantially affect data subjects in more than one Member State, the DPA for the main or single establishment of the controller or processor should act as the lead authority.
- The lead authority should cooperate with the other concerned authorities (e.g. where the controller or processor is also established in that country or because data subjects in that country are substantially affected by the processing or because the DPA has had a complaint lodged with it).
- Any other DPAs who receive complaints about the processing should be treated as concerned authorities.
- The EDPB may issue guidelines on the criteria to be considered in determining whether the processing substantially affects data subjects in more than one Member State.
- The lead authority can adopt binding decisions and should closely involve and coordinate the concerned DPAs in the decision making process.
- Where a decision is to reject a complaint by a data subject, the DPA to which the complaint was lodged should adopt that decision.
- The decision should be agreed jointly with the lead authority and the concerned DPAs and notified to the data controller or processor by the lead authority.
- Each DPA (not acting as lead authority) should be competent to deal with local cases where a controller or processor is established in more than one Member State but where the specific processing concerns only processing carried out in a single Member State and involving only local data subjects. In such cases the DPA should inform the lead authority without delay.
- Where the lead authority is informed of the action by another DPA it must decide whether the case should be dealt with under the 'one stop shop' process or if it should be dealt with by the DPA that informed it.
- Where the lead authority takes on a case under the 'one stop shop' mechanism, the DPA that informed it can submit a draft decision for the lead authority to consider in preparing its draft decision.
- Where the DPA to which a complaint has been lodged is not the lead authority, the lead authority should cooperate and liaise closely with the other authority.
- The EDPB should issue opinions on the application of the consistency mechanism if a majority of its members so decide, or where requested by any concerned DPA or by the Commission. The EDPB can also adopt legally binding decisions in the case of disputes between DPAs, for example around the merits of a case or whether or not there is a breach of the GDPR.
As the EU Commission, Parliament and Council negotiate their respective positions through the ongoing trilogue process, it seems that the original objectives of clarity, uniformity and consistency have somehow been lost along the way. The proposals for the 'one stop shop' and consistency process have also moved from an arguably simplistic Commission view, to one put forward by the Council that is horribly complex and bureaucratic to manage. This complexity at the heart of the Council model may itself create a barrier for data subjects looking for an effective remedy in good time.
A further potential complication for the trilogue negotiation of these positions also exists in the form of the decision on 1 October 2015 of the Court of Justice of the European Union (CJEU) in the case of Weltimmo. The Weltimmo case considered, among other things, whether the Hungarian DPA could fine a Slovakian registered company with a website that targeted users in Hungary for breaching the Hungarian data protection law.
In reaching its decision, the CJEU considered the scope of competence of DPAs and also what is meant by establishment for the purposes of the European Data Protection Directive. It determined that national DPAs are entitled, on their own initiative, to instigate investigations into alleged data protection breaches by data controllers in other countries. Whether, however, the DPA can then impose sanctions will depend on whether the controller is established in that country and is therefore subject to its data protection laws.
The CJEU placed a wide interpretation on what constitutes establishment. In the Weltimmo case, the company was registered in Slovakia and not Hungary; however, it conducted no business in Slovakia and did have a representative in Hungary helping to collect debts, as well as a local bank account and post box.
The CJEU, in determining there was an establishment in Hungary, pointed to recital 19 in the preamble to the Data Protection Directive that the legal form of the establishment, whether by way of a subsidiary or branch, is not the determining factor and that establishment extends to any real and effective activity, even a minimal one. Further, where a controller is established on the territory of several Member States, it must ensure that each of the establishments complies with the national law applicable to its activities.
The decision (made under the current Data Protection Directive) has the effect of taking us even further away from a concept of a single competent authority and appears to put the original proposal of the Commission for the GDPR out of reach.
Clearly much remains undecided about the final form of a 'one stop shop'; however, businesses should not hold out too much hope for a reduced compliance burden. Businesses may still find that they are subject to multiple national DPAs and many-faceted investigations. The one point of consistency upon which all organisations may be able to rely (but not draw any comfort from) is the prospect of one big fine from a single regulator in the event of a breach where the 'one stop shop' is engaged.