European data protection authorities (DPAs) need to speed up their investigative and decision-making processes—especially with regard to cross-border complaints—before regulators lose patience and find legal means to mete out penalties under national laws instead of the EU’s General Data Protection Regulation (GDPR).
DPAs also need to be more aligned in the way they enforce the single market’s strict rules on privacy, particularly regarding fines and corrective actions, say experts looking ahead to 2021.
One of the key problem areas under the GDPR is the “one-stop shop” mechanism, introduced to simplify cross-border complaints. It says the data regulator of where a company has its European headquarters can act as the lead supervisory authority in any case in which cross-border processing arises. This means companies can nominate their “home” regulator to investigate any breach or complaint rather than deal with several European DPAs on similar issues at the same time.
Lawyers believe the system enables firms to “forum shop” and choose a perceived “soft” regulator that is badly resourced, slow to act, and domiciled in a country that is traditionally pro-business to lead complaints against them. As a result, says Sonia Cissé, counsel and head of the technology, media, and telecommunications team of law firm Linklaters in Paris, the one-stop shop mechanism “benefits companies and not supervisory authorities.”
Several DPAs have already expressed their dissatisfaction with the mechanism, as well as with Ireland’s regulator, which is in charge of leading some 25 cross-border Big Tech investigations on their behalf. Indeed, data regulators in France, Sweden, and Belgium have taken matters into their own hands against Google and issued their own fines rather than allow Ireland to take the lead.
In France, EU DPAs decided the case could be handled by the French data regulator, CNIL, since the Irish watchdog did not have “decision-making power” over Google’s Android operating system and its services, which were developed in the United States. In the Swedish case, the regulator said it was enforcing corrective actions regarding delisting user data the company had failed to implement in 2017 before the GDPR had come into force. Belgium, meanwhile, argued Google’s Irish operation was not responsible for delisting defamatory information against a Belgian citizen.
France’s CNIL has recently gone one step further, side-stepping the GDPR altogether and opting to issue fines against Google and Amazon under domestic legislation that was in place before the EU-wide regulation came into force.
Lawyers believe such approaches may result in more confusion about how the GDPR is enforced. By trying to find loopholes to avoid the one-stop shop mechanism, Cissé says there is a risk some supervisory authorities may be “trying to have it both ways” by applying the GDPR and sanctioning when it works for them and relying on other legislation when it doesn’t.
Some lawyers believe there will be further attempts by DPAs to assert their own jurisdiction in 2021. The Belgian DPA is already seeking clarity on whether it can proceed against companies for GDPR infringements in cases where it is not the lead supervisory authority. The Court of Justice of the European Union will give its decision next year. This ruling, say lawyers, will not only provide further guidance on the scope of the one-stop shop mechanism, but it will also address whether lead supervisory authorities have the competence to always take charge of cross-border GDPR complaints.
To prevent DPAs taking matters into their own hands, the existing mechanisms under the GDPR aimed at encouraging collaboration and harmonization need to be “prioritized”, say experts.
Mark Blunden, partner and head of technology and commercial at law firm Boyes Turner, says the GDPR’s Article 65 procedure—whereby the European Data Protection Board (EDPB), the EU’s overarching DPA, works to achieve a two-thirds majority decision when a national DPA fails to do so—is going to be “pivotal” to ensure harmonization with future GDPR penalties.
The mechanism was used for the first time in this month’s decision against Twitter after the Irish Data Protection Commission failed to resolve varying objections raised by several other DPAs. Although criticized for the length of time it took to reach consensus, Article 65 ultimately proved its worth, says Blunden. “The divergence in views among the DPAs shows very clearly the need for the Article 65 procedure,” he says.
Certainly, fines are another problem experts want to see clarity on in 2021. Anne Todd, senior solicitor at law firm Macfarlanes, says in its penalties against British Airways and Marriott—both of which were substantially reduced—the U.K.’s Information Commissioner’s Office made a point of spelling out that the GDPR does not create a harmonized regime for fines and that each case must turn on its own facts.
The recent Twitter case also exposed differences among DPAs regarding the level of fines. Initially, the Irish DPC wanted to set the fine at between €135,000 and €275,000. Eight DPAs objected; Germany wanted to impose a fine worth between €7.3 million and €22 million. The fine was eventually issued at €450,000 (U.S. $547,000).
“GDPR is still a relatively new regime, and there is limited public information available about the reasons for decisions taken by DPAs,” says Todd. “While decisions such as BA and Marriott are helpful to start building our knowledge, it will be some time before any trends start to emerge.”
Yet the GDPR will not be the only concern for DPAs in 2021. Another key issue is whether the EDPB can come up with a replacement for the EU-U.S. Privacy Shield to ensure the safe transfer of personal data across the Atlantic. Not many are hopeful of a swift resolution, largely because U.S. surveillance laws would need to change to have any chance of appeasing the European Union.
Sarah Pearce, privacy and cyber-security partner at law firm Paul Hastings, says there is unlikely to be much progress made in 2021. “The authorities [in the U.S. and EU] will be focused on updating the existing mechanisms—standard contractual clauses and binding corporate rules—rather than creating alternatives,” she says.