Wednesday 11 March 2015

When super-regulators fight: the ‘one-stop shop’ in the proposed Data Protection Regulation
Steve Peers

A guilty pleasure for fans of superhero comic books is the moment when our heroes pause in their valiant efforts to save the public from the nefarious plans of the supervillains – and start beating the hell out of each other instead. This is usually triggered by some trivial difference of opinion, perhaps concerning a continuity error or intellectual property rights.

Similarly, the EU vests its hopes for the effective enforcement of data protection law upon national data protection authorities (DPAs): the superheroes of the data protection world. They have considerable powers under the current data protection Directive, and the proposed Regulation would give them more. But what if they disagree with each other? There’s nothing in the current legislation to settle this problem: it gives each DPA the power to regulate actions on its own territory, without addressing the obvious complications that result in a digital age, when many forms of processing of personal data (most obviously via the Internet) take place across borders.

To deal with this problem, the Commission proposal contains a conflict rule to determine who is the lead regulator in cross-border cases, with the possibility that a ‘European Data Protection Board’ or the Commission itself can issue an opinion on the issue. This has been dubbed the ‘one-stop shop’ rule. However, due to legal concerns, both the Council (which is about to adopt its position on this part of the proposed Regulation: see the draft text here), and the European Parliament (EP), which has already adopted its position on the entire text, propose instead that the Board must be able to make binding decisions to settle disputes.

So this is set to become one of the most significant innovations of the new legislation. Let’s take a look at what the future rules will likely say about the role of national DPAs, the one-stop-shop process and the powers of the Board.

National data protection authorities

The current Directive already provides for the existence of DPAs, and insists that they must exercise their powers in ‘complete independence’. CJEU case law (discussed here) has set out a very strong interpretation of this notion, ruling that Germany, Austria and Hungary breached it, because they provided for too much accountability to national parliaments (Germany), failed to separate the DPA from the ordinary civil service (Austria) and defenestrated the DPA boss before his normal term of office expired (Hungary).

The proposed Regulation would retain and elaborate upon this concept, and the Council and EP agree with most of the Commission’s suggestions. Admittedly, the DPAs have to be appointed by public authorities in the first place: after all, their powers don’t stem from being bitten by a radioactive spider, or orphaned in a bat-infested back alley. The Council would amend the proposal so that they don’t have to be appointed by the government or parliament, but could instead be appointed by the head of state or an independent body. Only the last alternative would fully ensure their independence from the outset (although who appoints the ‘independent body’?).

Three points of concern here. First, the proposal would usefully require the national DPAs to be adequately funded. That is easier said than done, for most DPAs complain of an absence of sufficient funding. For instance, the Irish DPA occupies a small office next to a corner shop – but purports to regulate (among many other things) all of Facebook’s activities in the EU.  Secondly, the Council would remove the proposed rule requiring that DPAs be independent ‘beyond doubt’ when they are appointed; but DPAs should not be a resting ground for political hacks and bagmen. Thirdly, the Council would remove most of the details concerning the loss of office of DPAs, retaining only the minimum rule of four years in office. As the termination of the Hungarian DPA showed, it’s hard to exercise your powers independently if you constantly fear that there may be Kryptonite in your coffee.

As for the powers of the DPAs, the Regulation would strengthen and elaborate upon their current advisory and enforcement roles. In particular, the current powers to investigate, intervene and engage in legal proceedings would be fleshed out, by adding powers concerning audits, access to the premises of the controller and processor, ordering compliance with a data subject’s request, the suspension of data flows, or the imposition of fines.  

But with these great powers will come only limited accountability. DPAs will have to publish an annual public report (and the EP even wants to weaken this obligation). But that’s the only way that their decisions can be controlled, unless a cross-border complication means that other DPAs, or the European Data Protection Board (a sort of uber-DPA) gain jurisdiction, as discussed below. Otherwise, the only bodies which can watch these watchmen are the courts.

Settling disputes

Although the Commission is often accused of favouring over-centralisation in the EU, its proposed model for a ‘one-stop-shop’ was highly decentralised. Where a data processor or controller was established in the EU in more than one Member State, the supervisory authority of the ‘main establishment’ would have competence to regulate all that controller’s or processor’s activity in all Member States. There would be new rules on cooperation between supervisory authorities, in particular as regards mutual assistance (each DPA would usually have to comply with requests from another DPA) and joint operations.

In several cases, however, a DPA would have had to send a draft measure to the European Data Protection Board for its opinion. In particular, this would have applied to measures regulating processing concerning ‘offering of goods or services to data subjects in several Member States, or monitoring of their behaviour’, or which would ‘substantially affect’ the free movement of data. Following the Board’s opinion, the Commission could give its opinion, and then could ultimately adopt a binding measure if necessary. A decision of any supervisory authority would be enforceable in all Member States, except where that DPA breached the consultation rules, in which case its decision would not be valid.

However, the Council and EP both agree to strip the Commission of all dispute settlement powers, and to confer binding powers on the Board instead. In the Council’s version, the DPA of the main establishment or single establishment of the controller or processor would not be the sole authority, but only the lead supervisory authority for transnational processing. Even then, each national supervisory authority would be competent to deal with an issue which only concerned an establishment in its State, or ‘substantially affects data subjects only in’ that State, unless the lead DPA decided to step in.

There’s a complex process for trying to reach a consensus on a decision between the lead DPA and the other DPAs involved. But in the event of a dispute between them, as regards the content of a draft decision, or who is the lead DPA in the first place, or where the procedures aren’t followed, then the European Data Protection Board can adopt a binding decision.  The Council would remove the rules on enforceability and unenforceability of DPA decisions, but the EP wants to strengthen them. In the event of disputes about the Board’s decisions, the preamble sets out detailed rules on whether litigation would take place before the national or EU courts.

The European Data Protection Board

It isn’t spelled out in the main text of the proposed Regulation, but the future Board is clearly a super-powered version of the current ‘Article 29 working party’, an advisory body which is (like the future Board) made up of members of the national DPAs. That working party can give opinions on national data protection law, data protection in the EU and third countries, the amendment of the Directive and codes of conduct. It has indeed issued many such opinions, which can be found on its website. They are interesting documents which fascinate data protection specialists, but which have not yet had any direct impact on the interpretation of the law by the CJEU. In the Commission’s proposal, the working party would be renamed and it would have more advisory powers, but its essential role would not change.

However, this puny body is about to be transformed at the behest of the Council and EP, which would both confer significant powers upon it as regards dispute settlement (discussed above), along with a longer list of advisory powers. The Council would also take the logical step of defining the Board as a ‘body’ of the EU, with express legal personality.

Finally, it should be noted that the future European Data Protection Board should not be confused with the current European Data Protection Supervisor (EDPS) – although I suspect that this warning will be in vain for many years to come. The EDPS is created by separate legislation, and has the role of enforcing data protection law against the EU’s institutions and other bodies, as well as advising on the development of EU data protection law. Its role in the new Regulation will be very limited. The Commission wants it to have a seat and a deputy chair post on the Board, but the Council rejects the first suggestion (relegating the EDPS to an observer role instead) and both the Council and the EP reject the second one. The EDPS will provide the Board’s secretariat, but the Council wants to build a firewall between the two administrations. In effect, while both the Board and the EDPS will have a significant role in the EU’s data protection architecture, there will be almost no crossover between them – rather like comic books produced by competing publishers.

Conclusion

It is certainly necessary for the EU to ensure that DPAs have effective powers to ensure the application of data protection law. Although it will still be possible for individuals to bring legal action directly against data processors or controllers (under other parts of the Regulation, which the Council has not yet agreed), DPAs remain the principal method of enforcing the rules. However, the draft legislation does not fully address the key practical question of ensuring sufficient resources for DPAs, and the Council’s draft position also provides too little protection against dismissal, and too little guarantee of the initial independence, of DPA staff.

As for settlement of disputes, the Commission’s idea of a lead DPA having full jurisdiction was fairly attractive, although apparently it was torpedoed by the objections of the Council’s legal service. The replacement system is comparatively convoluted, and it has one key weakness: the absence of procedural rights for the original complainant before the Board. Also, it leaves intact greater possibilities of multiple DPAs acting as regards the same data processor or controller, with resulting greater complications for data subjects, DPAs and data processors and controllers alike. It will probably take some time (and possibly even litigation) before the new system works effectively. Furthermore, the Council’s removal of the rules about the unenforceability of DPA decisions which are taken in contravention of the rules could lead to complications in the event of rebellious DPAs. Finally, the existence of parallel bodies with similar names (the Board and the EDPS) may be unavoidable, but it is unlikely to help public understanding of the EU’s data protection system.

4 comments:

  1. very useful indeed, steve! many thanks!

    to me, the core issue (assuming the overall substance will be halfway acceptable) will be the cooperation and consistency mechanisms: if there are strong rules that can be widely applied to stop single DPAs from interpreting and applying the rules in a weak way, by allowing other DPAs to object to such weak interpretations and applications (at least when the issues affect more than one MS/data subjects in several MSs), with an ultimate central determination by the EDPB, then the regulation will potentially have a great and positive impact, especially in the currently weak states (such as the UK and ireland, but there are others). if on the other hand, the final text reduces the effectiveness of the mechanisms (by limiting objections to "[very very very] serious objections" and by watering down the binding nature of a central determination, through words such as "must take account of" rather than "must act in accordance with"), then as you say steve, we will effectively get a directive dressed up as a regulation. moving the final determination in the consistency mechanism from the EDPB to the Commission would also seriously undermine the mechanism.

    i am also worried by the numerous references in the texts to matters being determined by national law. that too is a recipe for divergence, and loopholes.

    finally, re the regulation, we must keep an eye on the link with the law enforcement dp directive, and beyond that on the holes through which data covered by the new regulation can seep through to the spooks: i have spotted some danger signs there. in my view the basic approach is straightforward: the disclosure of any data by any entity covered by one particular instrument is covered by the rules in that instrument; and the obtaining/receiving of data by any entity covered by one particular instrument is covered by the rules in that latter instrument. thus, disclosure of data by companies (search engines, mobile network operators, ISPs, banks, whatever) to law enforcement agencies, or to national security agencies, is covered by the rules on disclosures in the current 1995 dp directive, and in future by the regulation; while the obtaining/demanding/receiving of the same data from those companies by LEAs is covered by the instruments specific to the latter, and shortly by the LEDP Directive, and the obtaining/demanding/receiving of the same data from those companies by NSAs is covered by whatever laws there are that govern their actions (and under the ECHR and CFR a law there ought to be!). similarly, the rules on the disclosure of data by the LEAs to the national security agencies must be in the eu rules governing the LEAs, even if the obtaining etc. of those same data from the LEAs by the NSAs is governed by the relevant laws on NSAs. (this looks convoluted but is really quite simple when you think about it :) ) i saw some signs in the latest council texts on the LEDPD that seem to deviate from this ...

    and of course, they'll still need to review the e-privacy directive (and through that, and also because of the CJEU ruling, the DRD). at least someone in the council has now proposed that the regulation will clarify the relation between the e-privacy directive and the regulation (pending review of the e-privacy directive). in my view, that relation should be that the regulation will prevail over anything in the e-privacy directive until the latter is revised. and i feel that rather than revising it to create a new subsidiary instrument, they should replace the e-privacy directive with a new section or chapter in the regulation. but that is for later.

    ciao ciao -

    douwe korff

    Replies
    1. Thanks for your comments, Douwe. As I understand the Council's text, the DPAs in cross-border cases are meant to be working as a team, and the Board will decide in any cases where there is an inability to agree on a common decision. If a large majority of DPAs take a pro-privacy approach that should usually mean a pro-privacy decision of the Board, but are you sure that such a large majority exists?

      The CJEU often ignores references to national law, in particular in the context of the current data protection Directive (see ASNEF), so I wonder what effect the more limited references to national law in the future Regulation will actually have in practice.

      I will come back to the Directive on law enforcement and data protection when the Council talks on that proposal get anywhere at all.

      On e-privacy it would make great sense to follow your suggestion, and have an annex or a separate chapter in the main regulation setting out such specialist rules. I can't imagine there's much chance of this happening though.

  2. Interesting article.

    However, the EDPS is not an observer in the current architecture of the Art 29 Working Party. He is a full member of the Article 29, with voting rights. Therefore it is wrong to state "(relegating the EDPS to its current observer role instead)".

    Replies
    1. Oops, sorry for this. I have corrected the mistake. Of course, the current voting rights only concern non-binding opinions.
