Now that political agreement has been reached on the General Data Protection Regulation (GDPR), the focus has shifted to the implementation requirements and how these can be achieved in practice. One crucial element of the GDPR is the new 'one stop shop' mechanism, intended to give organisations a single EU regulator even if they operate in more than one Member State, and to facilitate discussions between competent supervisory authorities in cases involving more than one regulator.
The requirement to coordinate between a number of competent data protection regulators is not new to German data protection law. Germany has one regulator in each of its sixteen Federal States, in addition to having a national data protection authority (DPA) and various sector-specific regulators (e.g. for the churches and broadcasting services). This entails comprehensive consultation among the involved authorities, even under the current Data Protection Directive 95/46/EC.
While the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) is a national law, it is generally implemented by the various Federal States. In consequence, there are sixteen Federal States applying and implementing the same data protection law in their respective territories. The situation is somewhat similar to the one proposed at European level under the GDPR, so it makes sense to have a look at how Germany deals with the (sometimes conflicting) competences of the various Federal States.
Current coordination of German DPAs
German law does not set out specific rules with regard to the territorial competence of the State DPAs and merely stipulates that each Federal State is competent for administrative proceedings in its territory. The decisive criterion for competence under German administrative law is the place of the "business premises", meaning that the DPA of the State where the relevant collection or processing of personal data takes place is competent. In contrast to the GDPR, with its emphasis on the connection to a "main establishment", German law does not take the main place of administration of the business into consideration: any branch or subsidiary will be subject to the DPA in the Federal State where it is based. This means the DPA of each State in which a company has a branch will be the competent regulator for that branch, and a company will be subject not only to the authority responsible for its main premises but, potentially, to up to sixteen DPAs.
What is the German approach to dealing with this issue?
Even though various DPAs can be competent at the same time for one issue covering several Federal States, the German DPAs have found (unofficial) ways to distribute responsibilities. A binding agreement between all competent authorities to designate a single competent authority for an organisation would probably violate German constitutional law. The creation of a common data protection body at federal level to determine a single competent authority would conflict with European law, which requires the complete independence of DPAs. In the absence of a legally binding way to determine a single competence, German DPAs have traditionally cooperated in a non-binding manner to agree on commonly arranged actions.
As a result, German DPAs have agreed that an organisation should have a 'lead' regulator where its headquarters are based, even if it is processing personal data in several Federal States. This lead authority is supposed to carry out all necessary inquiries and, if required, to draft a formal decision. Having said that, unlike the "lead supervisory authority" provided for under the GDPR, the informally nominated lead authority in Germany has only advisory functions with respect to the other Federal States. However, as a consequence of the prior coordination, the other competent authorities can decide to take similar actions regarding the branch in their territory.
The German approach reaches its limits when a business without an establishment in Germany collects personal data of German data subjects. In this case, German administrative law provides that the place of the affected data subjects is relevant. Again, this means that within Germany, up to sixteen DPAs are potentially competent.
How does the one stop shop under the GDPR impact the situation in Germany?
In cross-border issues, the one stop shop may indeed facilitate proceedings for businesses in cases where a lead supervisory authority outside Germany has regulatory power, with the result that the relevance of the large number of potentially competent German DPAs will be considerably reduced. Nevertheless, in the absence of a European cross-border issue, the German cooperation mechanism will remain applicable to a German business which has its main establishment and several sub-establishments in different German States.
The European Data Protection Board as 'guardian' of EU-wide data protection
The one stop shop will only be a reasonable way of determining which regulator has competence if a coherent interpretation of European Data Protection Law is safeguarded – a requirement which is likely to be difficult to achieve considering the already vast differences in interpretation among the German regulators alone (not to mention the approach of business-friendly regulators in other EU countries, such as the ICO in the UK).
The European Data Protection Board, composed of representatives of the national European regulators, which may in some cases even decide privacy-relevant questions with binding effect on national authorities, is intended to be the body that helps ensure a common European understanding of data protection requirements and a genuinely harmonised regime.
There is, however, one dispute among DPAs which the European Data Protection Board cannot resolve: Germany is only allowed to send one representative (not sixteen) to the Board. German DPAs will have to sort out which Federal State is going to represent Germany – the battle has already begun.