Recent action by the Hamburg authority may present implications for companies regulated by a lead data protection supervisory authority in Europe.
A German supervisory authority has initiated an investigation into Google’s speech recognition practices and language assistant technologies, which are integrated into its Google Assistant product. More specifically, the Hamburg supervisory authority opened proceedings with the intention to “prohibit Google from carrying out corresponding evaluations by employees or third parties for a period of three months. This is intended to protect the personal rights of those concerned for the time being.”
This blog post analyzes the procedure against Google in Germany, in the context of recent trends elsewhere in Europe to transfer cases to lead authorities, and the impact for other companies regulated by a lead supervisory authority. The proceedings against Google might be resolved amicably, but still raise substantial questions over the powers of supervisory authorities under the cooperation and consistency mechanism of the GDPR.
Generally, only the lead authority may take action against cross border data processing in the EU
The fact that a German data protection supervisory authority is taking this action in relation to Google seems to contradict the cooperation and consistency rules of the GDPR. As we know from Google’s appeal against the CNIL decision, Google argues that, pursuant to Article 56 of the GDPR only the Irish Data Protection Commission (IDPC) is competent to deal with Google in the European Union because the company’s European headquarters are in Ireland and constitute the main establishment in the EU. The IDPC should therefore lead the so-called cooperation and consistency mechanism established in Chapter VII of the GDPR. This mechanism requires close cooperation between the lead supervisory authority and all supervisory authorities concerned. The overall aim of the mechanism is to achieve a high level of harmonization across the EU.
The Hamburg authority expressly acknowledges the general competence of the IDPC: “According to the GDPR , the so-called lead supervisory authority is initially responsible for orders. This is the authority in the Member State in which the head office of the responsible body is located. For Google, this is the IDPC in Ireland.”
This recent action by the Hamburg authority diverges from the apparent trend for data protection authorities to defer more immediately to the relevant lead supervisory authority. The UK Information Commissioner Office’s announcement last month of its intention to impose multi-million pound fines under the GDPR was the first significant action taken in a lead supervisory authority capacity which is subject to the cooperation and consistency mechanism.
In July, the EDPB passed an opinion on the competence of a supervisory authority in case of a change in circumstances relating to the main or single establishment. Since then, both the Swedish and Dutch authorities have pro-actively referred GDPR investigations to relevant lead supervisory authorities. In Sweden, the data protection authority has passed its ongoing investigations into Google’s use of Android users’ location data to the IDPC, as Google’s lead supervisory authority for these purposes. In a similar move, the Dutch authority has also passed its ongoing investigation into Microsoft’s Windows 10 software to the IDPC, as Microsoft’s lead supervisory authority. No binding actions or formal decisions have yet been made in either of these ongoing cases.
But there are exceptions
If a supervisory authority deems there to be an urgent need for action, Article 66 of the GDPR provides for an exception to the general competence of a lead authority. Using this “urgency procedure” in the present case, the Hamburg authority justifies its action against Google as follows: “The GDPR also provides for the possibility for data protection authorities in other Member States to take measures within their territory or jurisdiction for a maximum period of three months if there is an urgent need for action to protect the rights and freedoms of data subjects.”
The Hamburg authority believes that there is an urgent need for action in the Google case, on the basis that: “(…) effective protection of data subjects from interception, documentation and analysis of private conversations by third parties can only be achieved through timely enforcement.”
What are the next steps in this urgency procedure?
The Hamburg authority has initiated these proceedings against Google, but has not yet issued any formal decision or binding orders or actions with which Google has to comply.
The initiation of the urgency procedure leads to a coordination process across the relevant data protection supervisory authorities in the EU, the European Data Protection Board (EDPB), and the EU Commission, following the mechanisms prescribed by the GDPR.
Any concerned supervisory authority also has the power to request an urgent opinion or an urgent binding decision from the EDPB, if it considers that final measures need to be adopted urgently, or there is otherwise an urgent need to act and a competent supervisory authority has not taken an appropriate measure. A simple majority of EDPB members could then adopt such an urgent decision within two weeks.
How will the Hamburg authority’s action impact other companies?
If an escalation to the EDPB in the Google case should result in a binding decision that forces the IDPC to act against Google, this would set a precedent that other companies with a lead supervisory authority should closely examine. The Hamburg authority further suggests that other EU supervisory authorities should also take action in relation to voice and language assistance technologies: “The competent authorities for other providers of voice assistance systems, (…) should now also swiftly review the implementation of appropriate measures.” The Luxembourg supervisory authority has already commenced a review of other language assistant technologies, and more authorities likely will follow suit.
The Hamburg authority’s initiation of the urgency procedure shows that, in spite of the consistency mechanism and the strong role of lead authorities, other supervisory authorities can still take action in certain circumstances. This latest action also shines a light on the GDPR’s escalation mechanisms in the event a supervisory authority feels that a lead authority should, but does not, take appropriate action.
The German perspective
The German Federal Data Protection Act requires cooperation between the German supervisory authorities. Consequently, the German Federal Data Protection Commissioner Ulrich Kelber tweeted about the Google case: “The Hamburg colleague has my full support, the initiation of the procedure is among other things also the result of joint legal assessments.”
Interestingly, the Hamburg Commissioner Prof. Dr. Johannes Caspar had seemingly foreseen the potential of the urgency procedure in a 2012 leading German data protection law journal article: “(…) At the same time, there is a lack of adequate procedural safeguards against the inaction of supervisory authorities. (…)The unwillingness of the competent supervisory authority to take measures against a company can – this is how the regulation must be understood – in future be enforced by other supervisory authorities by way of legal action.(…) The decision of the weakest link in the supervisory control initially lasts until the EU Commission either takes action itself after the consultation procedure or one supervisory authority sues the other and prevails in court.”
In any event, it seems that the Hamburg and other German data protection authorities are increasingly reluctant to accept what is, in their eyes, inappropriate inactivity on the part of the IDPC and other lead authorities.
Companies that have a lead supervisory authority as their point of contact would be well advised to closely monitor developments in this case and prepare for the possibility of similar expedited procedures by other supervisory authorities.