Since the fall of Safe Harbor, the regulation of cross-border processing has certainly enjoyed its time in the spotlight, and the advent of the General Data Protection Regulation (GDPR) has further positioned it as a hot topic.
Although the GDPR has not achieved the Commission's original proposal of a true one stop shop, with one sole authority for all data processing by a data controller in its main establishment, it does seek to establish the one stop shop in principle. The GDPR creates a mechanism for determining a chief authority for cross-border processing, the Lead Supervisory Authority (Lead SA), while also addressing issues such as forum shopping, protecting data subjects' rights and balancing the requirement for consistency of approach with local channels for complaints.
While determining the Lead SA may be straightforward for some, in complex situations a detailed analysis of the footprint and local activities of the business may be required. As with many of the newer aspects of the GDPR, guidance is key in helping to navigate those more complicated situations, and this is one of the first areas on which the Article 29 Working Party (WP29) published guidance (the Guidance), which reviews the key concepts of the Lead SA mechanism.
Cross-border processing of data
The Lead SA mechanism is only triggered where there is cross-border processing. That is, processing by a controller or processor with establishments in more than one Member State, or processing which substantially affects, or is likely to substantially affect, data subjects in more than one Member State.
As the GDPR does not define "substantially affect", SAs will assess this on a case by case basis. In doing so, they will take into account the context and purpose of the processing, the type of data and factors which largely centre on whether damage, distress or other unwanted consequences will be, or are likely to be, caused to individuals. The Guidance is clear that the intention is not to catch all processing with any effect: processing which does not have a substantial effect will not trigger the cross-border processing obligations. Significantly, however, the substantial effect need not be actual; if the processing is more likely than not to result in a substantial effect, it will be caught by the Lead SA requirements.
Where the relevant processing thresholds have been met, a Lead SA must be identified. The Lead SA will be tasked with the primary responsibility for dealing with any cross-border processing activity, including complaints from individuals and coordination of any investigation involving other "concerned" supervisory authorities. To determine the Lead SA, the "main establishment" or "single establishment" of the data controller must be identified.
Steps to identify the Lead SA
Main establishment for controllers
Identifying the establishment responsible for the central administration of the data controller is the first step towards determining the "main establishment". The idea is that the central administration in the EU is likely to be the establishment that has the power to implement decisions about data processing.
The WP29 says that where a company has a single establishment in the EU but its processing activities will, or are likely to, substantially affect individuals in other EU countries, the Lead SA will be the SA of the Member State of that single establishment (provided it also has the power to implement decisions relating to the purposes and means of the processing activities). Similarly, if a company has widespread local operations in the EU but centralises its administration and processing decision-making power in a particular Member State, it is in that Member State that the main establishment will be located.
However, if a business has multiple EU establishments and the central administration is not where the key decisions about processing are made, the establishment where those powers do reside will be the main establishment.
Inevitably, determining a main establishment will be a complicated exercise for some businesses, and it may be that more than one Lead SA can be identified where processing decisions are made at a local level and differ from country to country for different processing activities. The Guidance suggests that it is in the interests of companies themselves to determine their main establishment, as this provides clarity about which Supervisory Authority (SA) to deal with for their various compliance obligations, which are significantly increased under the GDPR (for example, communicating the details of a data protection officer, or prior consultation on a higher risk processing activity).
If it is not clear where the central administration is located, the Guidance points to the recitals of the GDPR, which clarify that the identifying factor will be the place of "the effective and real exercise of management activities that determine the main decisions as to the purposes and means of processing through stable arrangements". Furthermore, the location of technological capabilities does not in itself constitute a main establishment; the key factor is where the decisions about the processing are made.
The data controller will make the initial determination as to its Lead SA, but this can be challenged by any SA concerned after the data controller has made its election. In the first instance, if an SA doubts that it is, in practice, the authority for the location of the main establishment, it is likely to ask the data controller to provide details of how the determination was made and/or request further information. As throughout the GDPR, documenting compliance is fundamental.
Groups of undertakings
If processing is carried out by a group of undertakings across multiple locations and the group has its headquarters in the EU, the establishment with overall control (and the presumed decision maker with regard to data processing) should be considered the main establishment for the group. Often this is likely to be the parent or operational headquarters of the group, except where the purposes and means of processing are decided by another establishment. Of course, if decisions are not centralised in any one establishment, a more complicated analysis is needed to determine a main establishment. The WP29 identifies the following as useful factors for determining the location of a main establishment:
- Where are decisions about the purposes and means of the processing given final ‘sign off’?
- Where are decisions about business activities that involve data processing made?
- Where does the power to have decisions implemented effectively lie?
- Where is the Director (or Directors) with overall management responsibility for the cross-border processing located?
- Where is the controller or processor registered as a company, if in a single territory?
Joint data controllers
Where two or more controllers based in the EU jointly make decisions about processing, they must, as with all joint controller processing, determine their respective responsibilities under the GDPR. The WP29 suggests that this will extend to the Lead SA mechanism, so that the joint controllers will designate one establishment that has the requisite power to implement decisions with regard to the processing.
The WP29 recognises that there will be borderline and complex cases where determining the main establishment is not straightforward, particularly, for example, where a business has multiple establishments throughout the EU but decisions about the processing are taken exclusively outside the EU. Unfortunately, the GDPR does not provide a solution for situations like these, which are not uncommon in today's globalised, connected world. The WP29 suggests that, in such circumstances, a company should designate an establishment to be its main establishment. This establishment should have the authority to implement decisions about the processing and sufficient assets to take on liability for it. Without this, no Lead SA can be designated and each relevant SA will be able to investigate where needed.
One issue which was discussed throughout the drafting of the GDPR was how to ensure "forum shopping" was prevented in the creation of the one stop shop. The GDPR addresses this and the Guidance further sets out that if a company designates one establishment as the main establishment but has "no effective and real exercise of management activity or decision making power" the SA or ultimately the European Data Protection Board (EDPB) will decide which SA should be the lead. Relevant SAs may coordinate an investigation and "conclusions cannot be solely based" on statements made by the company in question. Documenting decisions around designation of the Lead SA and records of data processing more generally will prove useful, particularly if inquiries are made by SAs.
In some cases, following the SAs' review of the evidence provided by the data controller and where the SAs involved have conflicting views, the SAs may refer the case to the EDPB. The WP29 suggests that, in most cases, it does not anticipate a need for an EDPB referral.
Data processors may also benefit from the one stop shop mechanism. Following similar parameters, the processor's main establishment will be the location of its central administration in the EU, or, if it has no central administration in the EU, the establishment where the main processing activities in the EU take place.
Where a case involves both a data controller and a data processor, the Lead SA for the controller will be the competent authority and the processor's Lead SA will be a "supervisory authority concerned". This applies even where processors provide services to controllers based in different Member States, so, for example, large cloud-based service providers may have to deal with multiple SAs even where they have identified their own Lead SA.
Other relevant issues
Role of the Supervisory Authority concerned
The Lead SA will not operate in isolation, as other SAs may offer their views and recommend actions, particularly where the processing relates to individuals in their own jurisdiction who have been adversely affected. An SA will be "concerned" where the company has an establishment in that jurisdiction, or individuals residing in that jurisdiction (note that the test is residence, not citizenship) are or are likely to be substantially affected, or it has received a complaint directly.
In some circumstances, a concerned SA may take on a case without being the Lead SA. If the Lead SA decides not to handle the case, the concerned SA that informed the Lead SA in the first instance will deal with it. Where processing activities have only a local effect, the local concerned SA is likely to be the appropriate SA to deal with them. Anticipating that this situation may not always be clear cut, the Guidance suggests that SAs may require companies to insert clarifying terms in their corporate arrangements, presumably to designate which establishment takes responsibility for the processing at different times. The role of local SAs may, therefore, prove important even where a clear Lead SA is established.
The formal consistency mechanism for SA decisions should only be invoked where cooperation does not reach a mutually acceptable outcome, which could concern either substantive conclusions or enforcement activity.
Purely local data processing does not fall within the GDPR's cooperation and consistency provisions, and the relevant SA will deal with it on a local basis.
Companies not established in the EU
For companies that do not have an establishment in the EU, appointing a representative (as required elsewhere in the GDPR) does not trigger the one stop shop mechanism. Such companies will be required to deal with the local SA in each jurisdiction in which they are active, through their local representatives.