One of the central pillars of the General Data Protection Regulation (the “Regulation”) is the concept of the ‘one-stop shop’. As the Regulation slowly works its way through the European legislative process, the proposition that large tech companies with presences in many member states will be required to deal only with a single data protection authority has remained at the core of the proposal. However, a recent proposal from the Italian Presidency of the European Union has suggested significant changes to the ‘one-stop shop’ concept.
In its Paper dated 28 November 2014 (the “Paper”), the then Italian Presidency of the Council of the European Union, stated that other EU data protection authorities (“DPAs”) should be able to pass their concerns to the lead regulator who is investigating a company or organisation. These DPAs are known as ‘concerned regulators’. The lead regulator will remain as the only regulator empowered and entitled to interact with the company under investigation.
The Paper makes it very clear that the ‘lead DPA’ will be the DPA in the member state in which the data controller or processor is established. Equally, in situations where a data controller or processor is established only in one member state but affects large numbers of individuals across separate member states, the ‘lead DPA’ will be the DPA of the member state in which the data controller or processor is established, regardless of where the users are located.
For example, if there was an investigation of a large multinational tech company with a presence in each member state of the European Union but with an Irish EMEA headquarters, the Irish Data Protection Commissioner (“DPC”) is to be considered the ‘lead regulator’.
Convoluted Decision Making
One significant change that has been proposed by the Paper is to strengthen the involvement of all concerned DPAs in the decision-making process of the ‘lead DPA’. A DPA can be considered to be a ‘concerned DPA’ where there is an establishment of the data controller or processor in its member state or because data subjects in its member state are substantially affected by the complained of data processing. In other words, if an individual in Italy complains about the operations of an Irish based company, the Italian DPA could become a ‘concerned DPA’.
The Paper envisages a situation where the lead DPA cooperates with the concerned DPAs to reach consensus. Once it has completed its investigation, the lead DPA submits a draft decision to all concerned DPAs for their opinion. The lead DPA and concerned DPAs can then jointly agree on the decision proposed or a concerned DPA can submit a reasoned objection.
It appears that the relevant outcome of a legal investigation will now be negotiated between the lead DPA and the concerned DPAs. If a jointly agreed decision is reached, it will be adopted by the DPA best placed to enforce its findings. For example, if the Irish DPC was to uphold a complaint regarding a data controller with an EMEA headquarters in Dublin from a complainant in Italy, that decision will be enforced by the Irish DPC.
The Paper introduces a dispute resolution system for cases concerning an important cross-border situation where no agreement can be reached between DPAs involved.
The Paper states that the European Data Protection Board (“EDPB”) (which will consist of all EU DPAs and will replace the Article 29 Working Party) will settle any such disputes by binding decision which must be reached by two-thirds majority. The decision of the EDPB will be appealable directly to the Court of Justice of the European Union or via national courts.
These draft rules do not enjoy uniform support in Europe. The Irish, UK, Polish and Danish governments have all voiced their concerns. Commenting after the Justice and Home Affairs Council at which the Paper was presented, Minister of State with special responsibility for Data Protection, Dara Murphy T.D. said, ‘if we agree to a poor system, we will have set back Europe’s ability to position itself at the forefront globally of the digital revolution. Whatever system we agree upon must be workable’.
Twists and Turns Ahead
What these rules suggest is that a business can still benefit from having a ‘lead DPA’ but that reaching agreement with that DPA on a specific complaint or matter may not be the end of the issue. Even if the lead DPA is satisfied that a cross-border issue has been resolved, one still needs to navigate the views of the other ‘concerned’ DPAs and, if matters escalate, the EDPB and possibly, courts. It will be interesting to see if these new proposals make it into the final draft of the Regulation.