Europe Needs a Workable One-Stop Shop
Posted by John Jolliffe, European Government Relations Lead
This week the European Commission and the CNIL (the French Data Protection Authority) launch eagerly-awaited consultations with industry on how to interpret and enforce certain parts of the General Data Protection Regulation (GDPR), Europe’s new Data Protection law which is due to come into effect in mid-2018.
One of the aspects of the GDPR where consultation with industry would be most beneficial is the notion of the “One Stop Shop” or OSS, which determines how a data controller interacts with the different national data protection authorities in Europe.
The GDPR foresees a complicated interplay of roles and sharing of powers between the “lead” authority where a company is based, other “concerned” authorities where data subjects can be impacted, and an overarching committee of Data Protection Authorities (DPAs) – the European Data Protection Board (EDPB) – acting as a kind of dispute resolution mechanism. The practical details of the new OSS model present a number of challenges for controllers and, ultimately, for data subjects.
So while OSS is not on the agenda for this week’s consultations, it is to be hoped that the Article 29 Working Party – the committee of national data protection authorities – will make it a priority to issue some guidance on OSS later in the year. From the perspective of a company whose customers and employees are spread across Europe, we think there are a number of challenges that such guidance could usefully address:
Clarity needed over how a DPA can argue that they are the “lead authority”
The GDPR text assumes a world where companies operate a “hub and spoke” corporate structure, with a “main establishment” controlling the operations of distributed local operations. But organisational efficiency often requires the decentralised management of activities such as business development and marketing in offices outside the “place of central administration”, meaning that multiple decision makers may be involved in data processing decisions. Could the mere existence of a company employee with a particular title in a country outside the main establishment give another DPA an opportunity to assert supervisory responsibility? Hopefully the guidance will recognise that where a company has a central place of administration and has put in place effective data processing policies and procedures to ensure internal coordination and the possibility of effective control from the place of central administration, the mere fact that the company has decentralised decision makers should not open the lead authority analysis up to debate by other DPAs.
Clarity needed over when a DPA can become a “concerned” DPA
DPAs other than the lead authority can automatically achieve “concerned” status – giving them the right to be involved in investigations of the lead authority – merely by having a data controller or processor established in their territory or, where a controller has no office in a member state, if the processing “substantially affects data subjects” in their country. In both cases the threshold for becoming a concerned DPA seems all too easily met, with the risk of protracted discussions over the measures and decisions of the lead DPA and the eventual use of the EDPB as the ultimate decision-making body. It would be helpful if the Article 29 Working Party guidance could propose some kind of materiality threshold to clarify how “concerned” status can be acquired in practice, and prevent the administrative wrangling that runs counter to the idea of efficient regulation and legal certainty.
Clarity needed over the threshold for escalating an issue to the EDPB
At the moment a concerned DPA need only formulate “a relevant and reasoned objection” to refer the opinion of a lead DPA for review to the EDPB. This threshold has little value as, in practice, any DPA worthy of the name should be able to easily fulfil these criteria. There is a need for some additional materiality threshold in the guidance to prevent overuse of the consistency mechanism by DPAs who simply disagree with the findings of their counterparts in the lead DPA.
Clarity needed over when the urgency mechanism can be triggered
Similarly, in order to take unilateral action under the emergency mechanism – rather than waiting for a decision of the lead DPA – a concerned authority only needs to have “reasons to consider that there is an urgent need to act in order to protect the interests of data subjects”. This threshold is clearly too subjective, and there are potential risks when unilateral action in one jurisdiction can affect the rights of data controllers and data subjects in other jurisdictions. Again, hopefully the guidance can define some kind of materiality threshold that needs to be met before the procedure can be invoked.
I hope that the Article 29 Working Party guidance on OSS will take some of these practical considerations on board, and help define procedures that can avoid tying up DPAs, individuals and companies in unproductive administrative conversations that do nothing to enhance data subject rights or provide businesses with the certainty they need to operate. The prize, if they get it right, will be greater accountability for controllers and more effective rights for data subjects.