EDPB adopts criteria for GDPR cross-border cooperation cases

In April, members of the European Data Protection Board (EDPB) formally agreed to enhance cooperation in these cases. Earlier this month, the EDPB adopted a set of criteria to assess whether a cross-border matter might qualify as a case of “strategic importance” for closer cooperation—and how to proceed if it does.

Cases of strategic importance primarily involve the one-stop shop mechanism of the General Data Protection Regulation (GDPR) and pose risk to the rights and freedoms of data subjects across European Economic Area member states (countries in the European Union, plus Norway, Liechtenstein, and Iceland).

To qualify, such cases need to involve one or more of the following before a DPA can propose closer cooperation:

• A large number of data subjects and/or complaints;
• High-risk data processing (such as data relating to vulnerable people or minors);
• A “structural” or recurring problem that has been difficult to resolve under the GDPR;
• Potential crossover with other aspects of law, such as competition; and
• A case concerning a “fundamental” issue that falls within the scope of the EDPB’s own strategy.

EDPB members then consider whether a case meets the criteria, while the EDPB steers the process. DPA involvement is voluntary, rather than mandatory.

The EDPB has already agreed to three test cases to kick-start the initiative. One is a working group between Dutch, French, Lithuanian, and Polish DPAs to investigate a series of GDPR complaints concerning the operator of clothing website Vinted.

Legal experts believe any steps the EDPB can take to better coordinate enforcement under the GDPR, including greater consistency in approach and outcomes, is to be encouraged.

“This change should speed up investigations of Big Tech firms as such cases are likely to be treated as ones of ‘strategic importance’ and will therefore be prioritized under the new approach,” said Luke Dixon, commercial partner at law firm Freeths.

Emily Cox, partner and head of media disputes at law firm Stewarts, shared that sentiment, though she added the change “will not be the magic bullet for all investigations—only those which the EDPB members have agreed are of strategic importance at a European level.”

The GDPR already allows cooperation between a lead supervisory authority and other supervisory authorities in terms of mutual assistance (Article 61) and joint operations (Article 62). However, DPAs generally have not opted to use the mechanisms available.

Further, national priorities regarding data protection and enforcement are not always in sync with those of the EDPB or other European DPAs.

“Sovereignty and the natural order of statism frequently prove to be critical factors in the success or failure of multilateral initiatives,” said Robert Grosvenor, managing director with consultancy Alvarez & Marsal’s disputes and investigations practice. “National interests and concerns play out particularly where data protection rules blur into domestic privacy rights, consumer affairs, and strategies regarding online safeguarding and digital services.”

Editor’s note: A previous version of this story identified Alvarez & Marsal as a law firm. It was corrected July 29 to consultancy.