PHAEDRA II - IMPROVING PRACTICAL AND HELPFUL CO-OPERATION BETWEEN DATA PROTECTION AUTHORITIES II
http://www.phaedra-project.eu/
Project co-funded by the European Union under the Fundamental Rights and Citizenship Programme (JUST/2013/FRAC/AG/6068).

European and national legal challenges when applying the new General Data Protection Regulation provisions on co-operation
Deliverable 3.1
London – Brussels – Warsaw – Castellón, September 2016

May 22, 2020



A report prepared for the European Commission’s Directorate-General for Justice (DG JUST).

The contents of this deliverable are the sole responsibility of the authors and can in no way be taken to reflect the views of the European Commission.

Authors

Vagelis Papakonstantinou (VUB-LSTS)
Cristina Pauner Chulvi (UJI)
Andrés Cuella (UJI)
David Barnard-Wills (Trilateral Research)

Internal Reviewer

Paul de Hert (VUB-LSTS)

Institutional Members of the PHAEDRA II Consortium

Vrije Universiteit Brussel (VUB), Research Group on Law, Science, Technology & Society (LSTS): Project Co-ordinator
Trilateral Research Ltd (TRI): Partner
Bureau of the Inspector General for Personal Data (GIODO): Partner
Jaume I University (UJI): Partner


Contents

Executive summary ..... 5
List of abbreviations ..... 6
1 Introduction ..... 7
2 Achieving consistency under the EU data protection legal framework ..... 9
2.1 The consistency mechanism ..... 10
2.1.1 Article 63 of the GDPR: Consistency mechanism ..... 10
2.1.2 Article 64 of the GDPR: Opinion of the Board ..... 12
2.1.3 Article 65 of the GDPR: Dispute resolution by the Board ..... 16
2.1.4 Article 66 of the GDPR: Urgency procedure ..... 18
2.1.5 Other consistency mechanisms ..... 21
2.1.6 Conclusions ..... 21
2.2 The “one-stop-shop” mechanism in the GDPR: Article 60, on the Cooperation between the lead supervisory authority and the other supervisory authorities concerned ..... 22
2.2.1 Rationale ..... 24
2.2.2 Basic components: the notions of a “lead DPA”, the actors in the one-stop-shop mechanism, and the “main establishment” of the controller ..... 25
2.2.3 How is the one-stop-shop mechanism expected to operate? ..... 30
2.2.4 Challenges and concerns ..... 32
2.3 Consultation mechanisms and distribution of powers ..... 33
2.3.1 Decision-making by the European Data Protection Board in the text of the GDPR ..... 34
2.3.2 Mechanisms for DPA consultation with the European Data Protection Board ..... 38
2.3.3 The institutional setting for consistency: Roles and distribution of powers between the European Data Protection Board and the Commission ..... 39
2.4 Procedural differences and other issues ..... 40
2.4.1 EU DPAs’ complaint handling processes ..... 40
2.4.2 The data subjects’ perspective: is there a “right to consistency”? ..... 45
2.5 Conclusion: Enhancing consistency ..... 45
3 Learning from “mutual recognition” experience: the case of the BCR ..... 47
3.1 The BCR legal basis and procedure ..... 47
3.2 The BCR advantages ..... 51
3.3 The difficulties arising from BCRs’ lack of generalisation ..... 52
4 Proposed mutual assistance, co-ordination and co-operation regarding enforcement measures ..... 54
4.1 Mapping DPAs’ enforcement powers ..... 54
4.2 Sharing information (including confidential information) ..... 58
4.2.1 Regulations governing the exchange of information under the GDPR ..... 60
4.2.2 The notion of “relevant information” ..... 63
4.2.3 A variety of procedures for sharing information ..... 65
4.2.4 The question of confidential information. Legal setting among Member States concerning the exchange of information and the obligation of confidentiality ..... 70
4.2.5 Learning from practical examples of tools used to exchange information ..... 78
4.2.6 The principle of confidentiality in the GDPR ..... 80
4.2.7 An assessment of the GDPR provisions regarding the exchange of information ..... 82
4.3 Mutual assistance, co-ordination and co-operation regarding enforcement measures ..... 86
5 General conclusions ..... 97


Executive summary

The recent reform of the basic EU data protection legal framework introduced a major change in how data protection law is applied and enforced in EU Member States. It also introduced major changes in the character and scope of cooperation between EU DPAs. Cooperation is now not merely a possibility but an obligation under EU law. Nevertheless, uncertainties remain as to how this new framework will be applied in practice and how it will affect the everyday operation of EU DPAs.

The GDPR makes cooperation among DPAs mandatory but does not provide comprehensive rules on the modalities and procedures involved. The analysis that follows demonstrates that there is a need for supplementary operational and legal guidance. The objective of this report is to examine the practical implications of the relevant provisions of the GDPR, to identify aspects that remain unregulated but would benefit from a common approach by all DPAs, and to highlight specific areas where more operational and legal guidelines are needed or where the implementation of standardised procedures and rules would be advisable.

The analysis that follows applies this same standard of analysis to all the GDPR instruments placed under its scrutiny: the consistency mechanism, the “one-stop-shop” mechanism, the European Data Protection Board, BCRs, DPA enforcement powers, data sharing practices among DPAs and mutual assistance. An article-by-article approach was considered necessary, given that the GDPR is a very recent legal text, only a few months old, whose provisions would therefore benefit most from a detailed legal analysis. In doing so, emphasis was placed on the “practical” aspects of our research: our constant aim was to provide practical assistance to DPAs by identifying those points within the new GDPR that will probably need to be complemented by additional practical guidance, most likely to be issued by the Board. In the same context, we also strove to provide the Board members who will undertake this task with certain guiding principles and considerations that will hopefully assist them in their work.

This report forms deliverable 3.1 of the PHAEDRA II project. The project is dedicated to identifying, developing and recommending measures for improving practical co-operation between European Data Protection Authorities (DPAs).

Further information about the project, including its previous reports and publications, can be found at http://www.phaedra-project.eu/


List of abbreviations

BCRs: Binding Corporate Rules
CIRCABC: Communication and Information Resource Centre for Administrations, Businesses and Citizens
CJEU: Court of Justice of the European Union
DPA: Data protection authority
DPIA: Data protection impact assessment
EDPB: European Data Protection Board
EDPS: European Data Protection Supervisor
EU: European Union
FTC: Federal Trade Commission
GDPR: General Data Protection Regulation
GPEN: Global Privacy Enforcement Network
ISO: International Organization for Standardization
MS: Member States
PC: Privacy Commissioner
PIA: Privacy impact assessment


1 Introduction

The recent reform of the basic EU data protection legal framework introduced a major change in how data protection law is applied and enforced in EU Member States. It also introduced major changes in the character and scope of cooperation between EU DPAs. Cooperation is now not merely a possibility but an obligation under EU law. Nevertheless, uncertainties remain as to how this new framework will be applied in practice and how it will affect the everyday operation of EU DPAs.

The recent Regulation (EU) 2016/679 (the “General Data Protection Regulation” or the “GDPR”) makes cooperation among DPAs mandatory but does not provide comprehensive rules on the modalities and procedures involved. The analysis that follows demonstrates that there is a need for supplementary operational and legal guidance. The objective of this report is to examine the practical implications of the relevant provisions of the GDPR, to identify aspects that remain unregulated but would benefit from a common approach by all DPAs, and to highlight specific areas where more operational and legal guidelines are needed or where the implementation of standardised procedures and rules would be advisable.

In this context, Part 2 of this analysis, on “achieving consistency under the EU data protection legal framework”, identifies consistency as a necessary attribute of the EU data protection legal framework from both a formal and a functional perspective. With regard to the former, consistency is an obvious goal within an EU field of law, where common rules aim to regulate a particular subject-matter in a common manner in all EU Member States, as also required by Article 16 TFEU. With regard to the functional perspective, consistency is a basic assumption of effective data protection. Because data protection essentially regulates personal data flows which, in turn, blatantly disregard national borders, a fundamental pursuit of all relevant international legal instruments is to achieve as consistent a level of protection as possible in all their signatory states.

Consistency within the future EU data protection model is to be achieved through the “consistency mechanism”, incorporated into Section 2 (Articles 63, 64, 65 and 66) of Chapter VII of the GDPR. In this context, our analysis takes the form of an article-by-article analysis of the GDPR provisions on the consistency mechanism. In this way all aspects of this crucial new system for DPA cooperation will be covered more effectively. Each article analysis is followed by some issues that may already be identified as difficulties in relation to the GDPR article concerned.

Within the same Part 2 the so-called “one-stop-shop” mechanism (the name is not formally adopted in the regulatory text and is only to be found in the Preamble), as set out in Article 60 of the GDPR, is also analysed as yet another formal cooperation mechanism among EU DPAs. In doing so, its raison d’être is analysed, as well as the basic concepts of the “Lead DPA” and the “main establishment” upon which it is based. Its expected operation under the GDPR is further elaborated upon, with the aim of identifying relevant challenges and concerns (laid out in section 2.2.4).

The focus then turns to the European Data Protection Board. Under the GDPR the Board is not merely intended to replace the Article 29 Data Protection Working Party. Although this substitution is also necessitated by the new EU data protection structure, the GDPR grants the Board a much wider role than that held by the Article 29 Working Party. As evidenced in the analysis of the consistency and one-stop-shop mechanisms, the Board is to become an administrative dispute resolution (in other words, decision-making) mechanism, a substantial point of departure from its past. The analysis therefore continues in its article-by-article format, specifically aimed at highlighting only the decision-making function that is relevant to the purposes of this analysis.

Subsequently, attention turns to the complaint-handling procedures of EU DPAs under the current and future legal framework, identifying those issues that may stand in the way of developing a standardised data subjects’ complaint handling procedure across the EU. Within the same analysis we also address whether the case for a “right to consistency” could be supported (with a negative outcome).

Part 3 of this analysis, on “learning from mutual recognition experience”, makes use of the BCR mutual recognition experience under the legal framework in effect today in order to extrapolate, wherever possible, to the forthcoming GDPR environment. In this context it is established that, despite this procedure’s obvious advantages and the consistent effort by both the Commission and the Article 29 Working Party to streamline its operation, a lack of generalisation (both on the part of DPAs and on the part of the controllers and processors to which it would normally be addressed) reveals the limitations of any similar attempt to introduce standards and achieve functional DPA cooperation in the field.

Finally, Part 4 of this analysis, on “proposed mutual assistance, co-ordination and cooperation regarding enforcement measures”, focuses on the diversity of existing DPA enforcement powers and the differences between DPAs in the powers at their disposal, as well as on current national limitations on sharing information, because all of the above are considered intrinsically connected to practical challenges with regard to the proposed mutual assistance, co-ordination and co-operation enforcement measures under the GDPR. To this end, attention is first given to DPAs’ enforcement powers, so as to highlight obstacles to a common enforcement practice that the GDPR will perhaps need to overcome. Information sharing practices among DPAs are then analysed, first from a regulatory perspective (their actual legal basis) and then with regard to their basic components, meaning the concept of “relevant information” and the mechanisms through which such exchanges are achieved. An account of the legal setting among Member States on the exchange of information and the obligation of confidentiality is also attempted. The analysis finds that the effective exchange of information may conflict with DPAs’ confidentiality obligations and may thus prevent DPAs from releasing restricted information to each other. Finally, taking into account that the legal framework of the GDPR enhances and in certain circumstances obliges EU DPAs to provide each other with mutual assistance and to co-ordinate or jointly undertake certain enforcement measures, the last section of this report is aimed at providing an account of mutual assistance and joint operations as set out in the GDPR, exploring the potential of a common approach to mutual assistance, co-ordination and joint operations and also, in accordance with this report’s general approach, providing some initial best practice guidelines in this regard.


2 Achieving consistency under the EU data protection legal framework

Consistency is a necessary attribute of the EU data protection legal framework from both a formal and a functional perspective. With regard to the former, consistency is an obvious goal within an EU field of law, where common rules aim to regulate a particular subject-matter in a common manner in all EU Member States. In particular, Article 8 of the Charter and Article 16 TFEU require that the fundamental right to the protection of personal data be ensured in a consistent manner throughout the EU. With regard to the functional perspective, consistency is a basic assumption of effective data protection: because data protection essentially regulates personal data flows which, in turn, blatantly disregard national borders, a fundamental pursuit of all relevant international legal instruments is to achieve as consistent a level of protection as possible in all their signatory states. It is, after all, within this context that an EU Directive, Directive 95/46 [1], was introduced as early as 1995 in order to ensure harmonised data protection rules and regulations across the EU.

Consistency formed a basic priority for the amended EU data protection legal framework that was recently (in April 2016) adopted. Ever since the first Commission communication in this regard, consistency and harmonisation were highlighted as much sought-after aims for the new legislative framework [2]. While the reasons why Directive 95/46 might have failed in this regard do not fall within the purposes of this analysis, it is enough to note here that consistency is aimed at within the new EU data protection legal framework from both a formal and a functional point of view: the choice of legal instrument itself, a Regulation to replace a Directive, illustrates this aim from a formal point of view. In addition, a number of specialised provisions included in the Regulation purport to achieve consistency among EU Member States through their application: in particular the consistency mechanism and the one-stop-shop, which will be analysed below, are expressly introduced to serve this purpose. Other mechanisms aimed at consistency, such as the European Data Protection Board (the “Board”), will also be referred to in the analysis that follows.

At this point, however, it is perhaps useful to reflect on what exactly the notion of consistency means in the field of EU data protection. In this regard the GDPR states that consistency entails an “equivalent” level of protection in all EU Member States [3]. It further explains that “consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union” [4]. What is therefore aimed at is “equivalence” in the level of protection, to be guaranteed by consistent application of the rules in effect. In a Regulation environment, this in practice means consistent application of the rules of the Regulation itself by all EU Member States; beyond that, Member States are free to introduce national provisions wherever necessary which, even if not identical to those of other Member States, will still need to provide data subjects with an equivalent level of protection. Consistency is therefore to be assessed in practice through two broad criteria: first, consistent application of the EU legal framework throughout the EU, and, second, introduction of consistent Member State-specific data protection provisions that complement it locally.

[1] See also Simitis S/Dammann U, EG-Datenschutzrichtlinie, Kommentar, Nomos, Baden-Baden 1997.
[2] European Commission, A comprehensive approach on personal data protection in the European Union, COM(2010) 609 final.
[3] Preamble, 10.
[4] Ibid.

Another point to be taken into consideration at this stage concerns the consistency actors. While the recipients of such consistency are data subjects and data controllers alike, who all share the expectation of an equivalent level of protection across the EU, the consistency actors are first and foremost Data Protection Authorities (“DPA(s)”) [5]. DPAs hold a central role in EU data protection, being “responsible for monitoring the application” [6] of data protection provisions within their respective jurisdictions. From this point of view, the task of guaranteeing consistent application of these same provisions falls largely into their hands. This assumption has indeed been validated in the text of the GDPR: all mechanisms introduced to this end are addressed at EU DPAs and are based on their cooperation and coordination.

A final point to be noted concerns the legal framework that this report will take into consideration. EU data protection is currently in a transitional phase, in-between changing legal environments. Directive 95/46, currently in effect as implemented by each Member State through national legislation, will be replaced by the General Data Protection Regulation in May 2018. In fact, the EU data protection framework will be composed of two pieces of legislation: the GDPR replacing Directive 95/46, and Directive (EU) 2016/680 (the “Police and Criminal Justice Data Protection Directive”) replacing Framework Decision 2008/977/JHA [7]. Despite the complexity of the current legal environment, this report will focus only on the GDPR text. This is due not only to the fact that the GDPR constitutes the scope of this workstream, but also to the fact that the consistency mechanisms within the new EU data protection environment are described most comprehensively in its text: Directive (EU) 2016/680 only includes provisions on mutual assistance and, evidently, on the Board [8], while the application of Directive 95/46, which remains in effect until May 2018, will most likely have to be adjusted to the new (GDPR) reality, taking advantage of this transitional period.

2.1 The consistency mechanism

By definition, consistency within the future EU data protection model is to be achieved through the “consistency mechanism”, incorporated into Section 2 (Articles 63, 64, 65 and 66) of Chapter VII of the GDPR. In the text that follows an article-by-article analysis of the GDPR provisions on the consistency mechanism is undertaken. In this way we believe that all aspects of this crucial new system for DPA cooperation will be covered more effectively. Each article analysis is followed by some issues that may already be identified as difficulties in relation to the GDPR article concerned [9].

[5] For the purposes of this analysis it is assumed that DPAs will undertake the role of “competent supervisory authorities” referred to in the GDPR.
[6] Art. 28.1 Directive 95/46.
[7] Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.
[8] Articles 50 and 51 respectively.
[9] The analysis that follows only focuses on the final GDPR provisions, and does not take into consideration the recommendations of the Council or the Parliament during the EU law-making process. Although this was included in the project’s Description of Work, it should be noted that at the time the relevant proposal was drafted there was no concrete knowledge of the outcome of the GDPR law-making process. Since April 2016 we have a final GDPR text, and it is our belief that it would be more beneficial to the purposes of this project if all effort were turned to its final provisions, the solutions they provide, and the issues they raise.

2.1.1 Article 63 of the GDPR: Consistency mechanism

According to Article 63 of the GDPR,

In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.

Accordingly, Recital 135 states that

In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for cooperation between the supervisory authorities should be established. That mechanism should in particular apply where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States. It should also apply where any supervisory authority concerned or the Commission requests that such matter should be handled in the consistency mechanism. That mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.

In this way a specific, new, dedicated mechanism for the consistent application of the Regulation is introduced in the text of the GDPR. The consistency mechanism is actually nothing more than a method for cooperation among DPAs. However, in view of the expected increased level of cooperation under the new EU data protection regime, the GDPR takes special care to “institutionalise” such a mechanism, evidently aiming to streamline requests for cooperation that are bound to proliferate. While the consistency mechanism is first and foremost addressed at DPAs, the Commission is also given a role in it, making it the standard, dominant DPA cooperation mechanism under the GDPR.

The repeatedly stated aim of the consistency mechanism is to guarantee the “consistent application” of the GDPR. The GDPR therefore takes due note of the possibility that different rules may exist at Member State level on data protection, in spite of its existence, and aims at addressing this issue at the last stage of the law-making process: application. This, according to the Preamble, will particularly be the case when a DPA intends to deal with a cross-border issue, when a DPA on its own initiative refers a specific matter to it, or when the Commission makes a similar request. However, the above listing is indicative: in fact, the broad wording of Article 63 is to be understood as empowering the consistency mechanism on all data protection application matters within the EU.

Therein, however, may lie the first concern regarding the consistency mechanism. The fact that it is addressed at DPAs means that it essentially constitutes an administrative mechanism. Nevertheless, DPAs are not the only rule-making body on data protection in the EU. National parliaments may legislate on data protection matters as well. Other administrative bodies, for instance electronic communications or financial state agencies, may equally produce personal data processing rules in the course of exercising their lawful powers. Case law may also be an important source of rules. None of these cases falls under the categories of a DPA either adopting a cross-border measure or referring the matter on its own initiative to the consistency mechanism, as prescribed in the GDPR. In fact, in some of the above law-making examples there may be very little space for DPA involvement at all, depending on the relevant Member State legislation. Although the Commission may of course intervene at all times, this is a last resort, and most likely not a particularly time-efficient defence. It therefore remains to be seen whether the consistency mechanism will truly deliver on its promise: being effectively hampered by its administrative nature, it may not prove the panacea for consistent data protection across the EU. In other words, it may need other, complementary and most likely higher-level tools to assist it in its mission.

A second concern with regard to the consistency mechanism is that it is introduced in the text of the GDPR as the standard cooperation tool among DPAs. However, this is a formal tool, aimed at addressing cross-border or important data protection matters. Given the expected volume of such matters under the GDPR, it is expected to consume considerable DPA resources, and DPAs may come to treat it as the only cooperation tool among them. Nevertheless, this would ultimately restrict cooperation. As seen in previous PHAEDRA deliverables, cooperation among DPAs is both formal and informal. While informal cooperation is mostly undocumented, it is nevertheless crucial for DPA cooperation. In other words, not all matters concerning a DPA merit referral to the consistency mechanism, yet they would perhaps benefit from informal cooperation with other DPAs. By introducing a formal cooperation mechanism, the GDPR risks abolishing the cooperation paths already in existence today, even under the less-developed provisions of Directive 95/46 in this regard, which is something that could ultimately harm DPA effectiveness.

2.1.2 Article 64 of the GDPR: Opinion of the Board

According to Article 64 of the GDPR,

1. The Board shall issue an opinion where a competent supervisory authority intends to adopt any of the measures below. To that end, the competent supervisory authority shall communicate the draft decision to the Board, when it: (a) aims to adopt a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4); (b) concerns a matter pursuant to Article 40(7) whether a draft code of conduct or an amendment or extension to a code of conduct complies with this Regulation; (c) aims to approve the criteria for accreditation of a body pursuant to Article 41(3) or a certification body pursuant to Article 43(3); (d) aims to determine standard data protection clauses referred to in point (d) of Article 46(2) and in Article 28(8); (e) aims to authorise contractual clauses referred to in point (a) of Article 46(3); or (f) aims to approve binding corporate rules within the meaning of Article 47.

2. Any supervisory authority, the Chair of the Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62.

3. In the cases referred to in paragraphs 1 and 2, the Board shall issue an opinion on the matter submitted to it provided that it has not already issued an opinion on the same matter. That opinion shall be adopted within eight weeks by simple majority of the members of the Board. That period may be extended by a further six weeks, taking into account the complexity of the subject matter. Regarding the draft decision referred to in paragraph 1 circulated to the members of the Board in accordance with paragraph 5, a member which has not objected within a reasonable period indicated by the Chair, shall be deemed to be in agreement with the draft decision.

4. Supervisory authorities and the Commission shall, without undue delay, communicate by electronic means to the Board, using a standardised format any relevant information, including as the case may be a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of other supervisory authorities concerned.

5. The Chair of the Board shall, without undue delay, inform by electronic means: (a) the members of the Board and the Commission of any relevant information which has been communicated to it using a standardised format. The secretariat of the Board shall, where necessary, provide translations of relevant information; and (b) the supervisory authority referred to, as the case may be, in paragraphs 1 and 2, and the Commission of the opinion and make it public.

6. The competent supervisory authority shall not adopt its draft decision referred to in paragraph 1 within the period referred to in paragraph 3.

7. The supervisory authority referred to in paragraph 1 shall take utmost account of the opinion of the Board and shall, within two weeks after receiving the opinion, communicate to the Chair of the Board by electronic means whether it will maintain or amend its draft decision and, if any, the amended draft decision, using a standardised format.

8. Where the supervisory authority concerned informs the Chair of the Board within the period referred to in paragraph 7 of this Article that it does not intend to follow the opinion of the Board, in whole or in part, providing the relevant grounds, Article 65(1) shall apply.

Accordingly, Recital 136 provides that:

In applying the consistency mechanism, the Board should, within a determined period of time, issue an opinion, if a majority of its members so decides or if so requested by any supervisory authority concerned or the Commission. The Board should also be empowered to adopt legally binding decisions where there are disputes between supervisory authorities. For that purpose, it should issue, in principle by a two-thirds majority of its members, legally binding decisions in clearly specified cases where there are conflicting views among supervisory authorities, in particular in the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned on the merits of the case, in particular whether there is an infringement of this Regulation.

In addition, Recital 138 provides that:

The application of such mechanism should be a condition for the lawfulness of a measure intended to produce legal effects by a supervisory authority in those cases where its application is mandatory. In other cases of cross-border relevance, the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned should be applied and mutual assistance and joint operations might be carried out between the supervisory authorities concerned on a bilateral or multilateral basis without triggering the consistency mechanism.

The Board is set in the text of the GDPR as the body in charge of the consistency mechanism. This is an obvious choice, given the fact that the Board is to be composed of the head of each DPA and the EDPS, as well as its award of formal legal status (legal personality) [10]. The Board is expected to issue an opinion on matters referred to it under the consistency mechanism, as set in Article 70.1(t); under certain conditions these may have legally binding effect (see also the analysis on Article 65 that follows). There are three apparent ways for the Board to examine a case under the consistency mechanism: it can be referred to it by a DPA, by the Commission or even at its own initiative (by authority of its Chair).

DPA referral of cases to the Board is expected to be the normal way of operation for the consistency mechanism. This is expected to take place in all cases when a DPA is faced with an important category or type of personal data processing: processing operations requiring a DPIA, a sector-specific code of conduct, certification issues, or personal data exports. There is only one case when a DPA is obliged to submit a case to the mechanism, as per the GDPR preamble, and that is when it intends to apply mandatory measures, evidently on an important data protection matter within its own jurisdiction. Until the Board has reached its final decision on it, the DPA concerned is not allowed to apply the relevant measure. However, the listing in paragraph 1 ought only to be read as indicative: under a combined reading with the GDPR preamble [11] and paragraph 2, where mention is made of cross-border or important data protection matters in general, a DPA should submit matters to the consistency mechanism whenever one of the cases listed in paragraph 1 occurs and, at any event, whenever it is faced with a cross-border or an important matter, according to its own judgement. In this context, the reference in paragraph 2 to cases where mutual assistance and joint operations are explicitly mentioned ought also to be read as indicative, or even as cases where the consistency mechanism may operate as a first-instance dispute resolution mechanism where complaints by one DPA against another may be treated.

Other than DPAs, the Commission and the Board itself are also empowered to submit a case to the consistency mechanism. The circumstances under which such a referral may be made are identical to those for DPAs: an important or a cross-border case. The same applies to non-compliance of a DPA with its mutual assistance or joint operations obligations, thus making the consistency mechanism not only the formal complaint mechanism for DPA cooperation but also the "disciplinary" path for the Board or the Commission, who may identify such a case and submit it to the mechanism, even despite the concerned DPA's unwillingness to do so.

With regard to the format of cases referred to the consistency mechanism, when done so by DPAs or the Commission, the GDPR requires that they communicate electronically all relevant information, including a summary, the draft decision, its justification as well as the views of other DPAs. The listing is indicative, so apparently the Board, while examining the case, may request further documentation to be submitted to it. Because no details are provided on the documentation required for submissions by the Chair of the Board to the consistency mechanism, the above requirements would need to extend and apply to these cases as well. It should be noted that DPAs are expected to transmit to the Board fully formed draft decisions, and not merely questions. The consistency mechanism is thus envisaged as a resolution and not a consulting mechanism.

Case referrals to the consistency mechanism will be addressed to the Chair of the Board. It is the Chair's duty, once he or she has received a petition, to inform electronically the members of the Board and the Commission of such an event and to forward them all relevant documentation. If any translations are required, these will be undertaken by its secretariat (which will be provided by the EDPS).

[10] See Article 68 of the GDPR.

[11] Par. 135.

Decision-making by the Board under the consistency mechanism depends on the type of case brought to its attention. In the event of an important data protection matter referred to it, the Board is expected to first examine whether it has already issued an opinion on the same matter and, if not, it will have up to fourteen weeks altogether to reach a decision. Decisions may be reached by simple majority of its members. If a DPA submits to it a draft decision it intends to take, acceptance by the Board is to be established tacitly: unless its members expressly object within a reasonable deadline set by the Chair, acceptance shall be deemed reached. Finally, when disputes arise between DPAs, a two-thirds majority will be needed (such cases falling under the consistency mechanism only partially, when "infringements of the GDPR" are concerned, for example by non-compliance with mutual assistance or joint operations obligations) [12]. In this case, Article 65, whose analysis follows, provides further clarifications.

Decisions of the Board are binding only in cases of DPA disputes. In other cases an opinion under Article 70.1(t) is formed. The Chair of the Board is empowered to transmit the decision to the parties (DPAs) concerned. These parties then have two weeks to reply to the Chair whether they will adhere to the Board's decision or not. Effectively, the DPA concerned may decide not to follow the Board's decision; the GDPR only requires it to take "utmost" account of it. In the event of a DPA's refusal to follow the consistency mechanism's opinion, Article 64(8) refers the matter onward, and Article 65 on dispute resolution by the Board applies.

Taking into account the above description of the operation of the consistency mechanism, certain concerns may be raised. First, that the consistency mechanism is introduced in the text of the GDPR as a court-like mechanism: fully documented cases are brought to its attention, a suspension period until it reaches its decision is provided for, decision-making majorities are introduced and appeal-like means are also to be found in the GDPR. Case law effect is granted to its decisions (in the sense that once it has decided on a particular matter it cannot go back to it). In this context, if the mechanism is indeed to be operated as a court system, then it is likely that more details will be needed for it to function in an adequate manner. To this end, provisions on document submission, participation of the parties affected (non-DPAs), appeal processes, and the format and publicity of decisions could strengthen its role further.

A second concern may be derived from the mechanism description above: because the consistency mechanism is ultimately a resolution and not a consulting mechanism, the latter is missing from the GDPR. However, its contribution to the work of DPAs is substantial. Important data protection matters first require deliberation among the DPAs concerned before reaching a decision, and it is possible that even the fourteen-week period granted at most within the consistency mechanism may not suffice to this end.

Finally, the GDPR also expects the consistency mechanism to operate as a dispute resolution mechanism among DPAs. Although a two-thirds majority is required, which would under normal circumstances amount to consensus, the fact remains that this role could develop into a function creep problem for the consistency mechanism. The mechanism is devised in order to ensure uniform application of the GDPR provisions in the EU. Although this is indeed a decision-making function, it is not a dispute resolution one. If the same mechanism is to address disputes among DPAs, who would otherwise be expected to reach amicable solutions on important data protection matters, it would risk damaging its public (DPA) perception and blurring its role boundaries.

[12] Other cases referred to in the preamble, par. 136, falling under the one-stop-shop mechanism.

2.1.3 Article 65 of the GDPR: Dispute resolution by the Board

According to Article 65 of the GDPR,

1. In order to ensure the correct and consistent application of this Regulation in individual cases, the Board shall adopt a binding decision in the following cases:

(a) where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of this Regulation;

(b) where there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment;

(c) where a competent supervisory authority does not request the opinion of the Board in the cases referred to in Article 64(1), or does not follow the opinion of the Board issued under Article 64. In that case, any supervisory authority concerned or the Commission may communicate the matter to the Board.

2. The decision referred to in paragraph 1 shall be adopted within one month from the referral of the subject-matter by a two-thirds majority of the members of the Board. That period may be extended by a further month on account of the complexity of the subject-matter. The decision referred to in paragraph 1 shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them.

3. Where the Board has been unable to adopt a decision within the periods referred to in paragraph 2, it shall adopt its decision within two weeks following the expiration of the second month referred to in paragraph 2 by a simple majority of the members of the Board. Where the members of the Board are split, the decision shall be adopted by the vote of its Chair.

4. The supervisory authorities concerned shall not adopt a decision on the subject matter submitted to the Board under paragraph 1 during the periods referred to in paragraphs 2 and 3.

5. The Chair of the Board shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It shall inform the Commission thereof. The decision shall be published on the website of the Board without delay after the supervisory authority has notified the final decision referred to in paragraph 6.

6. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest by one month after the Board has notified its decision. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged, shall inform the Board of the date when its final decision is notified respectively to the controller or the processor and to the data subject. The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph will be published on the website of the Board in accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in paragraph 1 of this Article.

A consistency mechanism would be ineffective without a dispute resolution mechanism. If the Board, in the context of its work within the consistency mechanism, were restricted to only producing opinions on important data protection matters or interpretations of the GDPR's provisions, its scope of work would be incomplete. Disputes may arise at any stage in the data protection application process. In view of the GDPR's direct effect, DPAs need a forum within reach, to which they can address concerns and complaints. In this case, the Board's decisions need to be binding, so as to resolve disputes in a decisive and effective manner. However, whether the same (consistency) mechanism needed to be used for dispute resolution purposes, or whether another one would preferably have been established in order to avoid the possibility of function creep, is an issue addressed in the preceding analysis (on Article 64).

The one-stop-shop mechanism is an anticipated source of such disputes. This is perhaps understandable, given the difficult distinctions that need to be made within its context. The fact that these need to be made in a consensus environment does not necessarily mean that disagreement may not occur. In view of the importance of cases treated within it, it was imperative that some sort of administrative dispute resolution procedure be introduced in the GDPR, so as to avoid first-instance court intervention. This role has been undertaken by the consistency mechanism, which, in this case, also produces binding decisions for the parties concerned. Once again its role as a resolution, and not a consulting, mechanism is highlighted in this sense.

Article 65 perhaps makes a philosophical opening: the "correct" application of the Regulation is to be warranted through the consistency mechanism. While it is understandable that the Board, under the provisions of this Article, is the body authorised to interpret the GDPR, one ought not to forget that this is done at a first-instance, administrative level. In fact, the only bodies authorised to make the "correct" interpretation of the GDPR are the courts, before which, after all, decisions of the Board may also be brought in the event the parties concerned are not content with the solutions provided.

While the one-stop-shop mechanism is an obvious source of friction, a fact after all explicitly acknowledged in paragraph 1 of this Article, it is by no means the only way for the Board to become effective as a dispute resolution mechanism. This will also be the case when a DPA does not refer an important data protection matter (according to the listing of Article 64 above) to the Board, or when a DPA does not conform to a Board opinion already issued. In this sense, it could be argued that the consistency mechanism's opinions acquire a de facto binding effect, because DPAs that are unwilling to conform to the Board's opinion under Article 64 may be referred back to it, this time in order for a binding decision to be issued.

The Board as a dispute resolution mechanism is only open to DPAs. In other words, only DPAs, or the Commission, may be the disputing parties before the Board. Other parties affected by the Board's decision (data subjects, controllers) may not appear before it, nor is there any way introduced for their views to be heard (for instance, through written submissions).

A dispute resolution mechanism unavoidably undertakes functions similar to a court, and the GDPR provides guidance in this regard. In particular, the Board has preset time periods in which to reach its decisions; this adds to the legal certainty of the process. It is also the basis for the urgency procedure, described in Article 66, whose analysis follows. In addition, submission of a case to the Board means that the parties (DPAs) concerned are not allowed to adopt the decision in question or take any measures that would prejudice the effectiveness of the Board's decision. Finally, the GDPR awards the role of informing and communicating with the disputing parties to the Chair of the Board.

Paragraph 6 provides the necessary provisions to warrant the binding effect of a Board's decision under this Article in practice. In essence, a DPA is expressly obliged to apply the Board's decision, and indeed within strict deadlines. This fact, the application of a Board's dispute resolution decision, needs to be explicitly mentioned in the DPA decision itself. The same DPA also needs to inform the Board in this regard. In addition, the Board's decisions are to be published online. In this way a comprehensive mechanism is set up in order to force DPAs to conform to the Board's decision. The GDPR's description in this regard is comprehensive and the DPA concerned is left with no means to circumvent it, or, in the same sense, to appeal.

Concerns with regard to this Article 65 again refer to the role of the Board as a dispute resolution mechanism. While an obvious policy option within the GDPR context, the fact that the same body resolves disputes and at the same time consults or constitutes a place for cooperation for the same actors (DPAs) may lead to cases of function creep. Particularly with regard to Article 65, because a dispute resolution mechanism unavoidably presents court-like characteristics, it is perhaps advisable to provide additional safeguards in this regard. For example, the fact that only DPAs may apparently appear before it may give rise to infringement of the rights of data subjects or controllers whose cases are being examined by the Board. This same Article could also provide further guidance as to whether sessions of the Board in its dispute resolution function are public or not, whether minutes are kept and published, etc.

In the same context, the right to appeal needs to be addressed. While it may perhaps be claimed that DPAs may appeal any Board decisions that are binding upon them to the Court, the way to court redress may not be equally obvious to the parties actually affected, meaning data subjects and controllers. These may ultimately need to appeal the DPA's decision issued on the basis of the Board decision, as set in paragraph 6, but this is neither clear in the GDPR text nor straightforward for the parties concerned, especially if they reside in different parts of the EU (effectively, not in the lead DPA's territory).

2.1.4 Article 66 of the GDPR: Urgency procedure

According to Article 66 of the GDPR,

1. In exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months. The supervisory authority shall, without delay, communicate those measures and the reasons for adopting them to the other supervisory authorities concerned, to the Board and to the Commission.

2. Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it may request an urgent opinion or an urgent binding decision from the Board, giving reasons for requesting such opinion or decision.

3. Any supervisory authority may request an urgent opinion or an urgent binding decision, as the case may be, from the Board where a competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act, in order to protect the rights and freedoms of data subjects, giving reasons for requesting such opinion or decision, including for the urgent need to act.

4. By derogation from Article 64(3) and Article 65(2), an urgent opinion or an urgent binding decision referred to in paragraphs 2 and 3 of this Article shall be adopted within two weeks by simple majority of the members of the Board.

Accordingly, Recital 137 provides that:

There may be an urgent need to act in order to protect the rights and freedoms of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded. A supervisory authority should therefore be able to adopt duly justified provisional measures on its territory with a specified period of validity which should not exceed three months.

In line with the court-like character of the consistency mechanism, an urgency procedure is provided for in this Article 66. This is an indispensable component of any decision-making mechanism: because urgent cases may occur that require a quick decision in order to address a pressing problem, derogations need to be introduced so as to make this possible. This is the need that Article 66 aims to address. It can be invoked by a DPA whenever there is an "urgent need to act in order to protect the rights and freedoms of data subjects". When this occurs is a judgement reserved to the DPA in question. The GDPR does not exclude any type of emergency. However, the preamble does provide some guidance in explicitly stressing the case when "the enforcement of a right of a data subject could be considerably impeded". It appears consequently that whenever data subjects' rights are endangered a justifiable emergency for the purposes of this Article 66 occurs. On the other hand, this does not exclude controllers' emergencies as well: provided that it is justified, an emergency may well refer to their own rights and freedoms.

At any event, regardless of whether data subjects' or data controllers' rights are at immediate risk, the GDPR requires that the DPA justify its decision to invoke this Article 66. This needs to be done in written form and to be communicated, together with the relevant measures undertaken by the DPA, to all the parties concerned: other DPAs that are affected by them, the Board and the Commission. The GDPR, nevertheless, does not provide for a possibility to question this decision.

The lack of an appeal procedure for parties affected by it is particularly relevant when the DPA unilaterally undertakes concrete measures so as to address the emergency by derogation from the consistency mechanism (or, as appropriate, the one-stop-shop mechanism). Indeed, the GDPR allows two possibilities to a DPA facing an emergency: it can either undertake concrete measures to address it, justifying them to the other parties concerned, or it can request an urgent opinion or binding decision respectively from the Board (see the analysis on Articles 64 and 65 above). In the event that the DPA adopts measures, these are expressly provisional and can have a duration of no longer than three months. This period may be more than enough to cover the emergency, given that the Board is obliged to adopt an urgent opinion or decision within two weeks of submission of the request. No room for extension or, for the same purposes, for a request for further information is permitted in the GDPR. The only shortcut provided to the Board in this case is the fact that a simple majority of its members (rather than the two-thirds majority otherwise required for binding decisions) is enough.

The other possibility for the urgency procedure within the consistency mechanism to be raised by a DPA refers to the case when another DPA has failed to act. However, in this case the GDPR requirements are stricter. In essence, only when a fellow DPA has failed to act and thus endangers the rights and freedoms of data subjects is another DPA allowed to ask for an opinion or a binding decision, as the case may be, from the Board. Data controllers' rights do not seem to be valued in the same manner for the purposes of paragraph 3 of this Article 66. The GDPR does not require that the applying DPA also formulate the actual measure to be undertaken by the neglecting DPA. Although this may be the case in the context of its application to the Board, it is not a formal requirement for the relevant submission. The applying DPA need only state the emergency and then ask for an opinion or a binding decision accordingly. Evidently, it is not possible for the applying DPA to impose measures within the foreign jurisdiction of the neglecting DPA; it is less evident, however, why the GDPR has not provided this option to the Board, if indeed it assesses the situation as urgent, prior to its reaching its opinion or decision.

Because this Article 66 does not state anything to the contrary, the general provisions on the character of a Board's decision under the consistency mechanism apparently apply. In practice, this means that a binding decision develops a binding character as per the provisions of Article 65, while an opinion develops the character afforded to it in Article 64. Particularly with regard to the latter, a dissenting DPA will have to follow the procedure described in paragraph 8 of Article 64. However, in view of the curtailed periods referred to in this Article 66, apparently the Board and the DPA concerned will have to act accordingly.

Concerns regarding Article 66 stem from the description of the process above. The first refers to the

lack of the possibility to appeal. A DPA may undertake emergency measures for cross-border cases

(indeed, applicable only within its own jurisdiction) for as long as three months without other DPAs,

the Commission or the Board being able to object. Presumably the parties directly affected by these

measures could object, following national rules against binding DPA decisions, but this means that

they are left alone (no way for other DPAs, the Commission or the Board to intervene) in this process.

Given the gravity of the cases falling under the urgency procedure category, the consequences of this

unilateral dealing for a three month period may be grave.

The fact that a DPA is effectively “left alone” for a substantial period of time while invoking

emergency measures under the urgency procedure of this Article 66 is further established in its

paragraph 3, when another DPA may apply to the Board against inaction of the DPA concerned.

Although in this case the time for reaction is significantly shorter (the Board needs to reach an opinion

or a binding decision within two weeks) one ought also to take into consideration that until a “foreign”

DPA becomes aware of the emergency in another jurisdiction and until a reasonable period of time

has passed, when the local DPA is in vain expected to take measures to deal with it, a significant

amount of time will have passed. This adds up to a reaction time not in accordance with an

emergency. During all that time supposedly the rights and freedoms of individuals are being

infringed. It is for these purposes that a better structure of the urgency mechanism needs to have been

incorporated in the text of the GDPR.


2.1.5 Other consistency mechanisms

The GDPR is unique, in the sense that it regulates through a Regulation a daily, routine practice that

affects in a number of ways everyday life across the EU.13 Other fields may also benefit from the use

of Regulations, rather than Directives, with regard to their regulatory framework, however they

usually refer to well-specified, concentrated fields of law or activities (for example consumer law,

competition law, financial law) rather than an activity as wide as personal data processing that today

could cover anything within the employment, recreation, security or even, under certain

circumstances, household areas. From this point of view, a consistency mechanism intended to

support such a wide ranging, open-ended field of law could not possibly be compared to consistency

mechanisms operating under specialised, closed fields of law.

However, as identified in deliverable 2.1 of this project,14 useful lessons may be learned from other

fields of law that, although of a more restricted scope, profit from years of implementation in

practice. In this context, in the EU consumer protection law, co-ordinated enforcement activities (so-

called “sweeps”) have been organised since 2007 among member States, based on Article 7 of the

CPC Regulation.15 In each “sweep” action, national authorities check hundreds of sites relating to a

particular sector or product in order to check whether the necessary consumer rights are being adhered

to. The sectors proposed for the “sweep” are selected by Member States with the Commission based

on a list of proposed themes that combines evidence on current consumer issues available to national

authorities and the Commission. Such “sweeps” are apparently the preferred way in the field, so as to

cover cross-border cases. Therefore, their usefulness is strongly supported by all participating parties.

This can be used as evidence that, within a field regulated by a Regulation, there is indeed a strong

need for cross-border cooperation and coordination among Member States.

On the other hand, in the private international law field,16 the need for cross-border cooperation

among national authorities is covered by mutual trust. In the absence of a formal cooperation

mechanism, “the EU private international law (PIL) is based on ‘the presumption of the equal value,

competence and standing of the legal and judicial systems of the individual Member States and of the

judgments of their courts’”. This may serve as further evidence of the importance of the installation of

a consistency mechanism in a field as far reaching as data protection, as well as on the need for it to

succeed.

2.1.6 Conclusions

The consistency mechanism is a necessary and essential component of the GDPR. Given its direct

effect, the need for a system to warrant uniform application across all Member States is obvious. Only

in this way will legal certainty with regard to data protection regulations in the EU be provided to data

subjects and controllers alike. The GDPR approach to such a system is reasonable: an administrative

mechanism is installed, headed by the Board – essentially the DPAs themselves as represented in it.

Provisions on procedure, duration of the process and effect of the relevant decisions are indeed to be

13 See De Hert P/Papakonstantinou V, The new General Data Protection Regulation: Still a sound system for the protection of individuals? Computer Law & Security Review, 2016.

14 Phaedra II, Cooperation among data privacy supervisory authorities by analogy: lessons from parallel European mechanisms, April 2016.

15 Ibid, pp.59ff.

16 Ibid, pp.41ff.


found in its text. The event of an emergency is also expressly taken care of. From this point of view,

the consistency mechanism in the GDPR seems a robust system to address application difficulties

across the EU.

Foreseeable difficulties only refer to the double role of the Board and the depth of process coverage

that the above provisions provide. With regard to the former, the GDPR awards to the Board the

double role of an adjudicator and a consulting mechanism. This could lead to cases of function creep,

when the same body may be called to decide upon cases it has consulted. This double role was not

present in the Article 29 Working Party, the equivalent mechanism established under Directive 95/46,

because it only had a consulting role. A decision-making role is qualitatively different; the Board may

have to struggle so as to accommodate its new powers under the GDPR.

In the same context, if the GDPR aimed at establishing an adjudication mechanism through the

consistency mechanism, it may need to go into more detail on its operation. Although the description

provided in the above provisions covers the basics of such a system, there are issues that are left

unregulated, such as attendance to hearings, the right to intervene by the parties affected (data subjects

and controllers, not only DPAs), appeals, etc. Naturally, by-laws for the Board may complement the

GDPR provisions and provide for further guidance. It therefore remains to be seen how the Board will

apply its newly acquired decision-making powers in relation to the consistency mechanism in

practice.

2.2 The “one-stop-shop” mechanism in the GDPR: Article 60, on the Cooperation between

the lead supervisory authority and the other supervisory authorities concerned

The one-stop-shop mechanism in the GDPR, a name not formally adopted in its text but only to be

found in its Preamble (as introduced in Recital 127 and re-appearing only in Recital 128) is set in its

Article 60:

1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in

accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and

the supervisory authorities concerned shall exchange all relevant information with each other.

2. The lead supervisory authority may request at any time other supervisory authorities concerned to

provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article

62, in particular for carrying out investigations or for monitoring the implementation of a measure

concerning a controller or processor established in another Member State.

3. The lead supervisory authority shall, without delay, communicate the relevant information on the

matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to

the other supervisory authorities concerned for their opinion and take due account of their views.

4. Where any of the other supervisory authorities concerned within a period of four weeks after

having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and

reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the

relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned,

submit the matter to the consistency mechanism referred to in Article 63.

5. Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it

shall submit to the other supervisory authorities concerned a revised draft decision for their opinion.


That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period

of two weeks.

6. Where none of the other supervisory authorities concerned has objected to the draft decision

submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the

lead supervisory authority and the supervisory authorities concerned shall be deemed to be in

agreement with that draft decision and shall be bound by it.

7. The lead supervisory authority shall adopt and notify the decision to the main establishment or

single establishment of the controller or processor, as the case may be and inform the other

supervisory authorities concerned and the Board of the decision in question, including a summary of

the relevant facts and grounds. The supervisory authority with which a complaint has been lodged

shall inform the complainant on the decision.

8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory

authority with which the complaint was lodged shall adopt the decision and notify it to the

complainant and shall inform the controller thereof.

9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or

reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be

adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision

for the part concerning actions in relation to the controller, shall notify it to the main establishment or

single establishment of the controller or processor on the territory of its Member State and shall

inform the complainant thereof, while the supervisory authority of the complainant shall adopt the

decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that

complainant and shall inform the controller or processor thereof.

10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and

9, the controller or processor shall take the necessary measures to ensure compliance with the decision

as regards processing activities in the context of all its establishments in the Union. The controller or

processor shall notify the measures taken for complying with the decision to the lead supervisory

authority, which shall inform the other supervisory authorities concerned.

11. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider

that there is an urgent need to act in order to protect the interests of data subjects, the urgency

procedure referred to in Article 66 shall apply.

12. The lead supervisory authority and the other supervisory authorities concerned shall supply the

information required under this Article to each other by electronic means, using a standardised format.

In addition, Recitals 125, 126, 128, 130 and 131 also apply:

(125) The lead authority should be competent to adopt binding decisions regarding measures applying

the powers conferred on it in accordance with this Regulation. In its capacity as lead authority, the

supervisory authority should closely involve and coordinate the supervisory authorities concerned in

the decision-making process. Where the decision is to reject the complaint by the data subject in

whole or in part, that decision should be adopted by the supervisory authority with which the

complaint has been lodged.

(126) The decision should be agreed jointly by the lead supervisory authority and the supervisory

authorities concerned and should be directed towards the main or single establishment of the


controller or processor and be binding on the controller and processor. The controller or processor

should take the necessary measures to ensure compliance with this Regulation and the implementation

of the decision notified by the lead supervisory authority to the main establishment of the controller or

processor as regards the processing activities in the Union.

(128) The rules on the lead supervisory authority and the one-stop-shop mechanism should not apply

where the processing is carried out by public authorities or private bodies in the public interest. In

such cases the only supervisory authority competent to exercise the powers conferred to it in

accordance with this Regulation should be the supervisory authority of the Member State where the

public authority or private body is established.

(130) Where the supervisory authority with which the complaint has been lodged is not the lead

supervisory authority, the lead supervisory authority should closely cooperate with the supervisory

authority with which the complaint has been lodged in accordance with the provisions on cooperation

and consistency laid down in this Regulation. In such cases, the lead supervisory authority should,

when taking measures intended to produce legal effects, including the imposition of administrative

fines, take utmost account of the view of the supervisory authority with which the complaint has been

lodged and which should remain competent to carry out any investigation on the territory of its own

Member State in liaison with the competent supervisory authority.

The one-stop-shop mechanism constitutes one of the most significant novelties, and at the same time

an important milestone, in the text of the GDPR. The introduction of a single mechanism to treat

cross-border data protection incidents is an indispensable component not only in view of the direct

application of the GDPR but also with regard to any modern legislative approach to current personal

data processing circumstances. At the same time, its success, because of its high profile, is a milestone

for the success of the GDPR itself. Depending on the efficiency of treatment of these, usually highly

visible, cases that will fall within its scope, the whole of the GDPR may or may not acquire the trust

of its addressees, meaning both data subjects and controllers.

2.2.1 Rationale

The rationale of the one-stop-shop mechanism is evident: within a global personal data processing

environment, that transcends effortlessly Member State borders, a locally based data protection

legislation, restricted through application of a legal, jurisdictional approach, would be hopelessly left

behind technological developments. In essence, it would ultimately be unable to assist individuals

effectively. One of the most highlighted shortcomings of Directive 95/46 was exactly that, its inability

to efficiently handle cross-border data protection incidents.17 Therefore, a new mechanism had to be

devised, in order to treat similar cases. The one-stop-shop mechanism came as the reply to these

requirements.

17 See European Commission, A comprehensive approach, ibid.


2.2.2 Basic components: the notions of a “lead DPA”, the actors in the one-stop-shop

mechanism, and the “main establishment” of the controller

The one-stop-shop mechanism essentially constitutes an administrative mechanism for the treatment

of cross-border data protection incidents. Its premises lie in the designation of a single DPA as the

“lead DPA”, meaning the DPA in charge of addressing the relevant incidents. The crucial question,

which DPA is to be designated as the “lead DPA” in cross-border cases, is answered in Article 56 of the

GDPR:

1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single

establishment of the controller or processor shall be competent to act as lead supervisory authority for

the cross-border processing carried out by that controller or processor in accordance with the

procedure provided in Article 60.

2. By derogation from paragraph 1, each supervisory authority shall be competent to handle a

complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates

only to an establishment in its Member State or substantially affects data subjects only in its Member

State.

3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead

supervisory authority without delay on that matter. Within a period of three weeks after being

informed the lead supervisory authority shall decide whether or not it will handle the case in

accordance with the procedure provided in Article 60, taking into account whether or not there is an

establishment of the controller or processor in the Member State of which the supervisory authority

informed it.

4. Where the lead supervisory authority decides to handle the case, the procedure provided in Article

60 shall apply. The supervisory authority which informed the lead supervisory authority may submit

to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take

utmost account of that draft when preparing the draft decision referred to in Article 60(3).

5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which

informed the lead supervisory authority shall handle it according to Articles 61 and 62.

6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border

processing carried out by that controller or processor.

Consequently, as per paragraph 1, the basic rule underlying the one-stop-shop mechanism is that the

“lead DPA” would be that DPA where the main establishment of the controller concerned is found. In

this context it is important to elaborate upon the law-making approach adopted in the GDPR: Article

56 is not found within the Section of the GDPR where the one-stop-shop mechanism is discussed.

Rather than that, it is placed within the provisions on the “competence, tasks, and powers” of DPAs.

Accordingly, a “lead DPA” is designated not only in the case of controllers or processors with some

presence in more than one Member State but also in the case of a single establishment, where

however the processing undertaken by that actor spreads across national borders.

Further guidance is provided in Recitals 124, 127 and 131 of the GDPR:

(124) Where the processing of personal data takes place in the context of the activities of an

establishment of a controller or a processor in the Union and the controller or processor is established

in more than one Member State, or where processing taking place in the context of the activities of a

single establishment of a controller or processor in the Union substantially affects or is likely to


substantially affect data subjects in more than one Member State, the supervisory authority for the

main establishment of the controller or processor or for the single establishment of the controller or

processor should act as lead authority. It should cooperate with the other authorities concerned,

because the controller or processor has an establishment on the territory of their Member State,

because data subjects residing on their territory are substantially affected, or because a complaint has

been lodged with them. Also where a data subject not residing in that Member State has lodged a

complaint, the supervisory authority with which such complaint has been lodged should also be a

supervisory authority concerned. Within its tasks to issue guidelines on any question covering the

application of this Regulation, the Board should be able to issue guidelines in particular on the criteria

to be taken into account in order to ascertain whether the processing in question substantially affects

data subjects in more than one Member State and on what constitutes a relevant and reasoned

objection.

(127) Each supervisory authority not acting as the lead supervisory authority should be competent to

handle local cases where the controller or processor is established in more than one Member State, but

the subject matter of the specific processing concerns only processing carried out in a single Member

State and involves only data subjects in that single Member State, for example, where the subject

matter concerns the processing of employees' personal data in the specific employment context of a

Member State. In such cases, the supervisory authority should inform the lead supervisory authority

without delay about the matter. After being informed, the lead supervisory authority should decide,

whether it will handle the case pursuant to the provision on cooperation between the lead supervisory

authority and other supervisory authorities concerned (‘one-stop-shop mechanism’), or whether the

supervisory authority which informed it should handle the case at local level. When deciding whether

it will handle the case, the lead supervisory authority should take into account whether there is an

establishment of the controller or processor in the Member State of the supervisory authority which

informed it in order to ensure effective enforcement of a decision vis-à-vis the controller or processor.

Where the lead supervisory authority decides to handle the case, the supervisory authority which

informed it should have the possibility to submit a draft for a decision, of which the lead supervisory

authority should take utmost account when preparing its draft decision in that one-stop-shop

mechanism.

(131) Where another supervisory authority should act as a lead supervisory authority for the

processing activities of the controller or processor but the concrete subject matter of a complaint or

the possible infringement concerns only processing activities of the controller or processor in the

Member State where the complaint has been lodged or the possible infringement detected and the

matter does not substantially affect or is not likely to substantially affect data subjects in other

Member States, the supervisory authority receiving a complaint or detecting or being informed

otherwise of situations that entail possible infringements of this Regulation should seek an amicable

settlement with the controller and, if this proves unsuccessful, exercise its full range of powers. This

should include: specific processing carried out in the territory of the Member State of the supervisory

authority or with regard to data subjects on the territory of that Member State; processing that is

carried out in the context of an offer of goods or services specifically aimed at data subjects in the

territory of the Member State of the supervisory authority; or processing that has to be assessed taking

into account relevant legal obligations under Member State law.

In addition, with regard to controller and processor relationships the GDPR clarifies, in its Recital 36,

that


[...] In cases involving both the controller and the processor, the competent lead supervisory authority

should remain the supervisory authority of the Member State where the controller has its main

establishment, but the supervisory authority of the processor should be considered to be a supervisory

authority concerned and that supervisory authority should participate in the cooperation procedure

provided for by this Regulation. In any case, the supervisory authorities of the Member State or

Member States where the processor has one or more establishments should not be considered to be

supervisory authorities concerned where the draft decision concerns only the controller. Where the

processing is carried out by a group of undertakings, the main establishment of the controlling

undertaking should be considered to be the main establishment of the group of undertakings, except

where the purposes and means of processing are determined by another undertaking.

The decision as to which DPA is the Lead DPA is not expected to be an easy matter. In principle,

the following process is prescribed in the GDPR: All DPAs having various degrees of relevance with

a particular data protection case form the group of “concerned DPAs”. All of them need to cooperate

among themselves. While a formal process for accomplishing this is not provided for in the GDPR, it

could be envisaged that multiple exchanges will take place so as to establish (a) the exact number of

the DPAs concerned, (b) which one is the lead DPA among them. A special role is awarded by the

GDPR to the “initiating DPA”.

Given the above, in order to achieve uniform naming for the actors involved in the one-stop-

shop mechanism (an omission in the text of the GDPR that could have achieved linguistic

efficiency in its text) the following roles and names to DPAs participating in it at any given

moment could be allocated:

- the “Initiating DPA”, meaning the one opening the investigation or receiving the complaint (the “supervisory authority which informed the lead supervisory authority” in the text of the GDPR),

- the “DPAs Concerned”, meaning the group of DPAs affected at various degrees by a cross-border data protection case, and

- the Lead DPA, as per the GDPR text (Article 56).

The Initiating DPA either receives a complaint or initiates an investigation in the normal course of

exercising its duties. The criteria indicating that the one-stop-shop mechanism needs to be invoked for

a particular data protection case are provided for (indicatively) in Recital 124: (a) the controller or

processor has an establishment on the territory of their Member State, (b) data subjects residing on

their territory are substantially affected, or (c) a cross-border complaint has been lodged with them.

Immediately when such instances are established by that DPA, it needs to initiate the one-stop-shop

mechanism, thus automatically becoming the Initiating DPA. However, a wide discretionary power is

apparently left to the Initiating DPA: an exhaustive analysis of each case to establish whether cross-

border elements are found in it is taken for granted; efficient means of communication with other

DPAs as well. In addition, effective means need to be introduced so as to accurately formulate the

group of DPAs Concerned – in other words, in order not to omit any one of them.

Once the group of the DPAs Concerned is formed, and in order to decide which DPA is the Lead

DPA among them, the basic factor remains the main establishment of the controller. The Initiating

DPA holds a significant role at this stage: namely, it can designate a Lead DPA, other than itself, on

its own, and inform such other DPA of its decision.


However, paragraph 2 of Article 56 grants the Initiating DPA the chance to overcome such

designation, and act as the sole competent DPA in those cases that “substantially affect data subjects

only in its Member State” even if another DPA is evidently the Lead DPA for the controller or

processor concerned. This is an important derogation within the one-stop-shop mechanism, that,

if exercised extensively by Member State DPAs, could undermine its effectiveness – and,

ultimately, the success of the whole GDPR. An assessment therefore needs to be performed by each

DPA in the event of a complaint or an identification of a possible Regulation infringement, whether

the main establishment of the controller is in another Member State and, if yes, whether or not data

subjects mostly affected by it reside in its own Member State or not. This could be done prior to a

DPA becoming the Initiating DPA, meaning prior to initiating the one-stop-shop mechanism. If the

assessment proves positive, then the one-stop-shop mechanism apparently need not be invoked

at all – a shortcoming within the GDPR, because the Lead DPA ought to be informed of all

matters affecting a controller or processor essentially found within its jurisdiction. In the same

context, whether these cases, the ones that present cross-border relevance but may be retained for

treatment by a DPA other than that of the controller’s main establishment, are to be communicated to other DPAs

as well, so as to provide them with the chance to dispute this decision, is equally left unregulated in

the GDPR. At any event, Recital 131 provides further, detailed guidance in these cases: in short, the

DPA invoking this Article 56.2 “should seek an amicable settlement with the controller” and only if

this proves unsuccessful, “exercise its full range of powers”. However, these powers necessarily are of

a local character, as confirmed in the same Recital. It is therefore possible that the same controller

is penalised for its practices locally, in one Member State, while being left alone in the place of

its main establishment. The GDPR does not address this possibility – and it is evidently left to the

good practices of the DPAs not to overuse this opportunity, which could ultimately undermine the

whole notion of harmonisation brought by the GDPR.

Article 56 provides further “technical” guidance with regard to the process of cooperation among the group of DPAs Concerned while establishing which one among the DPAs concerned is the Lead DPA. To this end, paragraph 3 sets a deadline of three weeks for any DPA designated by the Initiating DPA as the Lead DPA on a particular case to accept this designation or not. Here a second level of examination is introduced, this time by the DPA that is (provisionally) designated as the Lead DPA by the Initiating DPA. The criteria to apply while making this decision are not detailed in the GDPR, and presumably include cross-checking whether the reasoning of the decision of the Initiating DPA to designate it as the Lead DPA is correct. Only Recital 127 provides some further guidance: “When deciding whether it will handle the case, the lead supervisory authority should take into account whether there is an establishment of the controller or processor in the Member State of the supervisory authority which informed it in order to ensure effective enforcement of a decision vis-à-vis the controller or processor”.

Of some relevance with regard to the criteria applicable for designation of the Lead DPA could be the approach already adopted and employed by EU DPAs in the context of BCRs, as analysed below (under 3.1).

In the same context, paragraph 4 explicitly sets that Article 60 (the one-stop-shop mechanism) will apply whenever a DPA accepts its role as the Lead DPA on a particular case. In doing so, it needs to take into the “utmost” account the decision drafted and forwarded to it by the Initiating DPA. In the same context, if the DPA refuses the Initiating DPA’s designation, then the Initiating DPA may handle the case, however taking into consideration the GDPR’s provisions on mutual assistance and joint DPA operations (Articles 61 and 62 respectively). Finally, paragraph 6 of the same article clarifies what is most important in the one-stop-shop mechanism for data subjects and data controllers, meaning the fact that the Lead DPA, once formally designated, will act as the sole interface (“interlocutor”) towards them with regard to the case under examination.

Finally, as seen above under 2.1, all disputes among DPAs as to the designation of a particular DPA as the Lead DPA are to be resolved by the Board, under the consistency mechanism.

The other basic component of the one-stop-shop mechanism refers to the notion of the “main establishment” of the controller or processor. As seen above, the notion of the Lead DPA, while important in its own merit, is of a dynamic nature: whatever the interpretation given to the notion of the “main establishment”, through the letter of the GDPR or subsequent case law or by any other means (for example, guidelines issued by the Board, as advised in Recital 124), that will correspond to the designated Lead DPA.

For the time being, guidance as to the notion of the “main establishment” is merely provided in Article 2 of the GDPR:

(16) ‘main establishment’ means:

(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

While it is outside the scope of this analysis to elaborate in detail upon the notion of the “main establishment” in the GDPR, here a few points will be raised particularly with regard to the one-stop-shop mechanism requirements. In this context it should be noted that the GDPR, as regards a controller, places the essence of the distinction between a main establishment and other possible establishments onto the place where “the decisions on the purposes and means of the processing of personal data are taken”. This is further complemented by the “power to have such decisions implemented”. This place is to be understood as the place of the controller’s “central administration”. Consequently, all of the above criteria, meaning (a) decision on the purposes, and (b) decision on the means of the processing, as well as (c) the power to have these decisions implemented, need to be established by the Initiating DPA in order to designate the place of the central administration of a controller, which will in turn coincide with the Lead DPA for the one-stop-shop mechanism purposes.

The GDPR does not clarify whether the check on the place of the central administration for a controller is to be done automatically, for all controllers and in all cases, by a DPA initiating an examination within its jurisdiction, or whether this check needs to be done only after a particular controller raises this issue. For the purposes of the one-stop-shop mechanism, where cross-border cases are placed in the centre of examination, it would be advisable for any DPA to examine by definition the place of central administration of any controller that draws its attention. After all, this policy option is in line with the globalised contemporary processing environment.


A final note that is important to make at this point, but which will not be elaborated any further because it borders on the paramount issue of extraterritoriality in the GDPR, refers to the assumption of the GDPR that a controller (or, for the same purposes, a processor) has a place of central administration “in the Union”. As far as the one-stop-shop mechanism is concerned, this is a necessary assumption in order for it to become operational: only EU DPAs are actors in it. However, given the contemporary globalised processing environment, this may not always be the case.

As far as the processor is concerned, the GDPR again stresses the importance of the “place of its central administration in the Union”. In this case, because from a law-making perspective it follows the definition of the “central administration” with regard to controllers, it may be assumed that the same requirements (meaning, the three-step verification process described above) are applicable in the case of processors as well. However, in this case the GDPR makes express mention of the possibility that the processor may not have its central administration in the Union: in that case the Initiating DPA needs to establish, first, whether the processor is “subject to specific obligations under this Regulation” and, second, where “the main processing activities take place”. The result of this assessment is expected to reveal the Lead DPA.

2.2.3 How is the one-stop-shop mechanism expected to operate?

Once the roles are allocated between the DPAs Concerned, Article 60 applies. This is the epicentre of the one-stop-shop mechanism. Its operation, as expected to take place as per the GDPR description, could be described as follows: presumably the Lead DPA will have accepted its role and will have assumed its duties as such – otherwise Article 56 paragraph 5 would apply. In the same context, it is assumed that the case in question does not pertain to processing carried out by “public authorities or private bodies in the public interest”, in which cases the local DPA is expressly the only competent DPA and the one-stop-shop mechanism does not apply (according to Recital 128). However, the GDPR does not clarify what happens in cases where controllers are both private and public bodies.

Once the Lead DPA assumes its role, it may investigate the case under examination. The Lead DPA may utilise all means provided in the GDPR in order to reach its decision. Given the cross-border character of the cases falling under the one-stop-shop mechanism, the GDPR affords it the investigation powers that it would normally have had, were this a data protection case within its jurisdiction. To this end, paragraph 2 allows the Lead DPA to ask either for mutual assistance (under Article 61) or to request that joint operations are undertaken within the DPAs Concerned (according to Article 62). Having reached a conclusion, once the investigation process is concluded, the Lead DPA needs to draft its decision on the matter at hand. In doing so, it needs to take “into the utmost account” the decision drafted by the Initiating DPA, as forwarded to it together with its appointment as Lead DPA (as per Article 56.4). Before being finalised, a consultation process needs to be opened by the Lead DPA, in which all DPAs Concerned may take part. To this end, the Lead DPA is expected to transmit its draft decision, together with all relevant information, to them for comments. Any comments other DPAs may have need to reach the Lead DPA, so that it can “take due account” of them. The GDPR qualitatively differentiates at this point between the views of the Initiating DPA and the DPAs Concerned, placing more emphasis upon the draft decision (and, consequently, views) of the former.

The GDPR offers, as per paragraph 4, four weeks to the DPAs Concerned to express their views – particularly any objections they may have to the draft decision prepared by the Lead DPA. If a DPA agrees with the draft decision of the Lead DPA (or, for the same purposes, any re-submitted and amended draft decision it forwards them) its tacit acceptance may be inferred from the fact that it has let this deadline pass without any submission on the matter (as per paragraph 6). In the event of a dispute, the GDPR provides expressly for the procedure to be followed: objections need to be justified and reasoned. After receiving any such objections before expiration of the above deadline, the Lead DPA is invited to consider its way ahead. If it decides not to follow these objections, then it can refer the matter to the consistency mechanism (see above, under 2.1). If, on the other hand, it decides that it will follow the objections, it needs to prepare a new draft decision in accordance with them and re-circulate it to the DPAs Concerned for comments (as per paragraph 5). This time the DPAs Concerned have only two weeks in which to respond. While the GDPR does not clarify what will happen if any one among the DPAs Concerned has an objection to this new draft decision, it is to be assumed that the matter will be brought immediately to the consistency mechanism, rather than the Lead DPA risking another round of objections among the DPAs Concerned.

The preferred way for the GDPR in which all of the above are to take place is through consensus of the DPAs Concerned. This is expressly instructed in paragraph 1. In the same context, the DPAs Concerned are expected to exchange “all relevant information with each other”, meaning that any and all requests need to be addressed. This is likely to particularly burden the Lead DPA, which will presumably be the recipient of the majority of relevant requests, and which as a result will need to allocate the relevant resources to this task.

All of the above exchanges are to take place “by electronic means, using a standardised format” (as per paragraph 12). Apparently, a new electronic platform, allowing these exchanges to be executed within a secure and comprehensive environment, needs to be developed by May 2018, when the GDPR, and consequently the one-stop-shop mechanism, will come into effect.

The Lead DPA may reach one of the following types of decision with regard to a complaint:

(a) Accept the complaint;
(b) Reject the complaint;
(c) Partially accept and partially reject the complaint.

Accordingly, in the event of an investigation the Lead DPA may decide to take action or not to take action with regard to the processing concerned. At any event, however, the decisions of the Lead DPA will have binding character (as per Recital 125).

Once a final decision has been formulated by the Lead DPA according to the procedure described above, the parties concerned, meaning the controller or the complainant, need to be notified about it (as per paragraph 7). The GDPR distinguishes between the two: in the event of a controller, the Lead DPA is to make the relevant announcement. In the event, however, of a complainant, the Initiating DPA will inform him or her of the outcome. Accordingly, paragraph 8 clarifies that, in the event of a rejection or dismissal of a complaint, the Initiating DPA will inform both the complainant and the controller. Evidently, the other DPAs Concerned also need to be informed of the final decision; this is expressly the task of the Lead DPA, which also needs to inform the Board. The requirement in the GDPR that the Lead DPA also includes “a summary of the relevant facts and grounds” probably refers only to the Board, because all other parties (the DPAs Concerned and the controller) are already well aware of the case in detail.

The GDPR also takes care of the event that a “split” decision is reached by the Lead DPA, meaning that it partially accepts and partially rejects a complaint. In this case, as per paragraph 9, the Lead DPA will inform the controller and take relevant action (being after all the competent authority because that controller’s central administration resides within its jurisdiction) while the Initiating DPA will inform the complainant of the rejection of part of his or her complaint.

Compliance by the controller concerned with the decision resulting from the one-stop-shop mechanism may be obvious, because it ultimately constitutes a decision of that controller’s competent DPA, but it is nevertheless expressly stated in the text of the GDPR as well (in paragraph 9 and also Recital 126).

Finally, the GDPR provides for an expedited operation of the one-stop-shop in “exceptional circumstances” (in paragraph 11). In this case the Initiating DPA may invoke the urgency procedure referred to in Article 66 (see above, under 2.1).

2.2.4 Challenges and concerns

An assessment of the one-stop-shop mechanism is most likely premature, given that a number of issues pertaining to it are awaiting further clarification, both when the first cases are indeed handled by it and through the Board’s guidelines. Consequently, the following points only constitute a list of challenges the mechanism will have to tackle:

Successful designation of the Lead DPA. Successful designation of the Lead DPA is not expected to constitute an easy matter to resolve. While the basic concept of the main establishment of the controller or the processor provides useful guidance, and is complemented by further guidance in the Recitals of the GDPR, practical application of these rules may be tested, particularly within the contemporary globalised personal data protection environment. Should numerous disputes on this matter arise among DPAs, regardless of the effectiveness or not of the consistency mechanism while addressing them, the level of public trust in the GDPR system may be placed at risk;

In the same context, Article 56.2 may constitute an important undermining factor within the GDPR system, if DPAs exasperated by the practices of the Lead DPA decide to take action independently, making use of its provisions (the treatment of certain internet social networks or search engines coming to mind as a precedent in this regard);

Task allocation within the group of DPAs Concerned. While designation of the Lead DPA is important, participation of all DPAs Concerned is equally significant, so as to warrant comprehensiveness, transparency and, ultimately, an effective application of the Lead DPA’s decision. The GDPR distinguishes between the input of the Initiating DPA and the DPAs Concerned; however, all inputs need to be taken into account by the Lead DPA. The Lead DPA should also inform and engage the group of DPAs Concerned as much as possible. Although much of this is left to practice and to the actual implementation of the relevant provisions, the importance of the active participation of all DPAs Concerned in the one-stop-shop mechanism cannot be stressed enough: its effective, and convincing, application essentially depends on it. To this end, the Board’s guidelines (see immediately below) ought to cover this matter extensively, placing concrete obligations in this direction upon the Lead DPA;

A number of operational details are missing; the Board needs to intervene and provide guidelines that will complement the one-stop-shop mechanism system within the general principles set in the GDPR. While doing this, the following directives could prove of relevance:

o Ensuring DPA participation and inclusion by placing concrete obligations upon the Lead DPA;
o Ensuring DPA timely response to Lead DPA requests;
o Clearly articulating all stages of the one-stop-shop process;
o Providing operational instructions as regards the electronic platform to be developed;
o Addressing practical issues (for example, translations, costs, etc.).

In the same context, the electronic platform required for exchanges among DPAs within the one-stop-shop mechanism, as per the requirement of Article 60.12, needs to be developed – and to be continuously operated and maintained to the highest technological standards;

The one-stop-shop mechanism is essentially an intra-EU administrative mechanism to address cross-border issues. Its limitations are therefore easily observed through its description: it cannot handle international, non-EU cases, and it is not a judicial mechanism, meaning that persistent disputes will ultimately need to be brought in front of courts. In addition, it is a mechanism assuming a clear and straightforward distinction between processing undertaken in the public and the private sector. Given these limitations, a reasonable amount of time will probably be needed for the mechanism to address all its inherent difficulties and fully develop its potential – in the meantime, the treatment of cross-border cases may not present the legal certainty that the GDPR aims at.

As stated above, the success of the mechanism constitutes a milestone for the success of the GDPR itself. Because much of personal data processing undertaken today is of a cross-border nature, and this is particularly relevant to high profile cases that attract the public’s attention, an efficient operation of the mechanism when addressing them will warrant public trust in the new GDPR itself. If this is not the case, if the one-stop-shop mechanism fails to address cross-border issues in a competent manner, then its addressees (data subjects and controllers) will have lost faith in a substantial part of the rationale behind the introduction of a Regulation to replace Directive 95/46.

2.3 Consultation mechanisms and distribution of powers

An indispensable role in the GDPR system is to be held by the European Data Protection Board. The Board is not merely intended to be the replacement of the Article 29 Data Protection Working Party. Although this substitution is also necessitated by the new EU data protection structure, the GDPR grants to the Board a much wider role than that held by the Article 29 Working Party. As already seen in the preceding Chapters, the Board is to become an administrative dispute resolution (in other words, decision-making) mechanism upon which the consistency as well as the one-stop-shop mechanism are based. Its role is therefore central in the EU data protection edifice, and the way it decides to exercise its newly acquired powers (if it is considered to be the successor of the Article 29 Working Party) will constitute a basic metric for the success of the GDPR itself.

A necessary clarification at this point refers to the fact that decision-making is understood in this analysis as a process leading to a decision of (some) binding character (in the sense that it is binding upon its addressees, meaning the DPAs concerned). While decision-making is also involved in the drafting of the Board’s opinions and recommendations or guidelines of non-binding, voluntary character, the consultation mechanism with DPAs in this case, or the lack (or deficiency) thereof, ultimately affects EU data protection in a less resolute manner. This is because binding Board decisions may affect directly individuals and controllers, when adopted at Member State level by the DPAs concerned, while non-binding Board decisions do not have, at least directly, such a potential. However, the issue of the “soft” binding power of the Board opinions will indeed be discussed in the analysis that follows.

The GDPR introduces the Board in Section 3 of its Chapter VII on “Cooperation and Consistency”. It is placed immediately after the provisions on the one-stop-shop and the consistency mechanism. Because of the central role it holds in both of them, this is considered a wise law-making choice.

The analysis that follows aims at examining the mechanisms for DPA consultation regarding envisaged decisions and the decision-making process within the Board, as introduced in the final text of the GDPR. It will continue applying the methodology employed above, in the sense of an article by article commentary. In this case, however, given its specific aim and the number of GDPR provisions pertaining to the Board, a selection will be made, targeted to the subject-matter under discussion.

2.3.1 Decision-making by the European Data Protection Board in the text of the GDPR

The aim of the analysis is to examine the DPAs’ potential for consultation with the Board while the latter is engaged in decision-making processes. As such, it is first imperative to highlight the decision-making powers afforded to the Board in the final text of the GDPR. Admittedly, the Board, exactly like its predecessor, the Article 29 Working Party, essentially constitutes an advisory mechanism, as evidenced by the majority of the items listed in Article 70 (see immediately below). However, there are cases where the Board is afforded decision-making power, perhaps most importantly with regard to the consistency mechanism as outlined above (under 2.1). At any event, identification of the decision-making powers of the Board under the GDPR is neither a straightforward nor a final task, in the sense that the listing in Article 70 is expressly indicative and the Board has yet to assume its role and issue its by-laws.

In addition, the wording of the GDPR does not provide much assistance in this regard, because it employs the same terminology, “opinions”, for all opinions issued by the Board, regardless of the binding character of some of them (at least to their addressees, Member State DPAs). In practice, only through inference and combined reading of certain GDPR provisions, particularly those included in its Article 65, may the binding character of Board opinions be derived. A clear distinction between these “opinions” and others, that are indeed of a voluntary, consulting status and do not develop any binding character whatsoever, would have assisted the reading of the GDPR.

Consequently, only through examination of the GDPR provisions, and particularly its Article 65, may the following be highlighted in this regard:

Decision-making powers of the Board within the consistency mechanism.

This may probably prove the most important decision-making power afforded to the Board under the GDPR. As discussed above, under 2.1, the Board is to act as the administrative dispute resolution body within the consistency mechanism (see its Articles 65 and 70.1(t)). Any DPA disputes pertaining to it are to be brought in front of the Board. The Board’s decision is binding upon the disputing DPAs.


Decision-making powers of the Board within the one-stop-shop mechanism.

As also outlined above, under 2.2, designation of the Lead DPA within the context of the one-stop-shop mechanism is not expected to be a straightforward task. Nor is it expected to be an undisputed one. Here again, the administrative body empowered to decide, in a binding way for competing DPAs, is the Board (see Article 65).

Other decision-making powers of the Board

Article 70 of the GDPR lists, indicatively, the tasks of the Board:

1.The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on

its own initiative or, where relevant, at the request of the Commission, in particular:

(a) monitor and ensure the correct application of this Regulation in the cases provided for in Articles

64 and 65 without prejudice to the tasks of national supervisory authorities;

(b) advise the Commission on any issue related to the protection of personal data in the Union,

including on any proposed amendment of this Regulation;

(c) advise the Commission on the format and procedures for the exchange of information between

controllers, processors and supervisory authorities for binding corporate rules;

(d) issue guidelines, recommendations, and best practices on procedures for erasing links, copies or

replications of personal data from publicly available communication services as referred to in Article

17(2);

(e) examine, on its own initiative, on request of one of its members or on request of the Commission,

any question covering the application of this Regulation and issue guidelines, recommendations and

best practices in order to encourage consistent application of this Regulation;

(f) issue guidelines, recommendations and best practices in accordance with point (e) of this

paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant

to Article 22(2);

(g) issue guidelines, recommendations and best practices in accordance with point (e) of this

paragraph for establishing the personal data breaches and determining the undue delay referred to in

Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is

required to notify the personal data breach;

(h) issue guidelines, recommendations and best practices in accordance with point (e) of this

paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to

the rights and freedoms of the natural persons referred to in Article 34(1).

(i) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph

for the purpose of further specifying the criteria and requirements for personal data transfers based on

binding corporate rules adhered to by controllers and binding corporate rules adhered to by processors

and on further necessary requirements to ensure the protection of personal data of the data subjects

concerned referred to in Article 47;

Page 36: European and national legal challenges when …...The recent Regulation 679/2016 (the “General Data Protection Regulation” or the “GDPR”) makes cooperation among DPAs mandatory

36

(j) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph

for the purpose of further specifying the criteria and requirements for the personal data transfers on

the basis of Article 49(1);

(k) draw up guidelines for supervisory authorities concerning the application of measures referred to

in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83;

(l) review the practical application of the guidelines, recommendations and best practices referred to

in points (e) and (f);

(m) issue guidelines, recommendations and best practices in accordance with point (e) of this

paragraph for establishing common procedures for reporting by natural persons of infringements of

this Regulation pursuant to Article 54(2);

(n) encourage the drawing-up of codes of conduct and the establishment of data protection

certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42;

(o) carry out the accreditation of certification bodies and its periodic review pursuant to Article 43 and

maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited

controllers or processors established in third countries pursuant to Article 42(7);

(p) specify the requirements referred to in Article 43(3) with a view to the accreditation of

certification bodies under Article 42;

(q) provide the Commission with an opinion on the certification requirements referred to in Article

43(8);

(r) provide the Commission with an opinion on the icons referred to in Article 12(7);

(s) provide the Commission with an opinion for the assessment of the adequacy of the level of

protection in a third country or international organisation, including for the assessment whether a third

country, a territory or one or more specified sectors within that third country, or an international

organisation no longer ensures an adequate level of protection. To that end, the Commission shall

provide the Board with all necessary documentation, including correspondence with the government

of the third country, with regard to that third country, territory or specified sector, or with the

international organisation;

(t) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism

referred to in Article 64(1), on matters submitted pursuant to Article 64(2) and to issue binding

decisions pursuant to Article 65, including in cases referred to in Article 66;

(u) promote the cooperation and the effective bilateral and multilateral exchange of information and

best practices between the supervisory authorities;

(v) promote common training programmes and facilitate personnel exchanges between the

supervisory authorities and, where appropriate, with the supervisory authorities of third countries or

with international organisations;

(w) promote the exchange of knowledge and documentation on data protection legislation and

practice with data protection supervisory authorities worldwide.

(x) issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and


(y) maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

2. Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.

3. The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 and make them public.

4. The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.

As is easily observable in the above listing, the tasks of the Board almost exclusively pertain to issuing “guidelines”, “recommendations” and “best practices”. Therefore, its role as a mostly advisory body cannot be challenged. However, decision-making powers, other than the important ones outlined above (pertaining to the consistency and the one-stop-shop mechanisms), may perhaps be identified in the above listing.

This, for example, is particularly the case with regard to the accreditation of certification bodies. As per paragraphs (o) and (p), the Board is empowered to carry out the accreditation of certification bodies as per the criteria it has established on its own, and also to perform a periodic review and maintain a relevant public register.

In the same context, of some interest, although definitely not of a decision-making nature, is the power of the Board to maintain an electronic register “of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism”, according to paragraph (y).

“Soft” decision-making powers of the Board

While, as stated above, decision-making by the Board is understood in this analysis as pertaining to decisions developing some type of binding character for their addressees (the DPAs concerned), an unquestionable “soft” decision-making power is to be expected in all Board decisions, recommendations or guidelines – at least towards Member State DPAs. This is an inevitable development on account of the Board’s composition: it is to be composed of the head of each DPA as well as the EDPS (Article 68.3). In addition, the Board is expected to decide on all matters by simple majority of its members (see Article 72.1). Consequently, if one takes into consideration that heads of DPAs are essentially the ones, even if by majority, making decisions within the Board, even if these decisions are of an otherwise voluntary nature, it is to be expected that upon their return to their respective DPAs they will indeed follow these decisions in practice.

Therefore, despite the focus of this analysis on binding decisions to be issued by the Board, because of their potential to ultimately affect the rights and obligations of data subjects and controllers, the issue of DPA participation and consultation in all Board procedures ought not to be underestimated.


2.3.2 Mechanisms for DPA consultation with the European Data Protection Board

DPA consultation in the cases listed above, under 2.3.1, is expressly provided for in the text of the GDPR. As established in the analysis above, under 2.1 and 2.2 respectively, the DPAs participating in any way in the consistency or the one-stop-shop mechanisms have clearly identified roles in the respective articles of the GDPR. In the same context, consultation with regard to certification is warranted through the fact that the criteria are issued by the Board, and therefore by the DPAs constituting it, as well as through the accreditation of certification bodies, which will presumably be made through the normal decision-making processes of the Board (by simple majority of its DPA members).

On the other hand, the operation of the actual dispute resolution mechanism, while occupying a whole article of the GDPR (its Article 65), may need to be further expanded in the Board’s by-laws, particularly with regard to DPA consultation. Such consultation may be the result of disputing DPAs’ representations in front of the Board or interventions by other DPAs Concerned. The GDPR, while introducing the process and the relevant deadlines for the Board to reach a decision, does not describe in detail how the DPAs involved may take part. The Board does indeed need to reach “reasoned” decisions, but clearer instructions as to DPA consultation probably need to be established in relevant by-laws or guidelines to be issued by the Board.

At this point, DPA consultation needs perhaps to be distinguished from DPA participation. Although the GDPR fails to make such a distinction, in certain cases, particularly when the Board issues binding decisions, it may have been useful. Binding decisions of the Board within the consistency or the one-stop-shop mechanisms directly affect only the disputing DPAs or the Initiating and the Lead DPA; however, they are also (a) binding for all DPAs Concerned, and (b) binding for all other DPAs. While point (a) is evident, and indeed the DPAs Concerned are afforded the right to express their views and thus even become a disputing DPA, point (b) probably needs some further clarification. Because the Board in its capacity as a dispute resolution mechanism is expected to operate in a court-like manner, its decisions and findings therein will most likely constitute “case law” for its own aims and purposes. In other words, the assumptions, methodology and interpretations to be found in any binding decisions of the Board will most likely be binding, by way of “case law”, for future disputes as well. Therefore, in this way they will, indirectly, affect all other DPAs.

Therein lies the problem of non-participation of a DPA in these cases, unless the DPA is among the DPAs Concerned. The GDPR does not expressly clarify whether, in the relevant discussions within the Board, all other DPAs, even if not a DPA Concerned, may intervene or not. However, given the ultimately binding character of the decision in question for them as well, they need to be provided with the opportunity to intervene as well – something that is ultimately not against the spirit of the GDPR. This could perhaps be clarified in the relevant by-laws.

Finally, with regard to DPA consultation in all other Board decision-issuing, regardless of whether it develops binding character or not (as per the “soft” law distinction discussed above), this is to be taken for granted taking into consideration the composition of the Board. Essentially, in all these matters, DPAs, by simple majority, will reach decisions on all EU data protection matters that will ultimately be applied by the same DPAs. However, even in this case the process could benefit from established, institutional means of DPA consultation (that could perhaps be made public, particularly dissenting DPA opinions); the relevant electronic platform to be developed could provide a useful means to this purpose.


2.3.3 The institutional setting for consistency: Roles and distribution of powers between the European Data Protection Board and the Commission

While the consultation and participation mechanisms between the DPAs and the Board are an indispensable element of the latter’s operation, the role of the Commission also needs to be examined, as an equally important institutional setting for warranting consistency. In view of the fact that the GDPR has not yet come into effect, nor are the Board’s by-laws available yet, the provisions of the GDPR with regard to the role of the Commission in this regard will constitute the only terms of reference for the respective analysis.

An overview of the relevant provisions (those relating to the consistency and one-stop-shop mechanisms as well as those listing, indicatively, the tasks of the Board) reveals that the role of the Commission is that of an active, yet silent, participant.

The Commission holds an active role in the work of the Board as well as in the operation of the above mechanisms, because the GDPR repeatedly grants it the right to initiate the relevant procedures. For example, Article 64 provides that “any supervisory authority, the Chair of the Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the Board” (paragraph 2). Or, Article 65 grants it the right to “communicate the matter to the Board”, whenever “a competent supervisory authority does not request the opinion of the Board in the cases referred to in Article 64(1), or does not follow the opinion of the Board issued under Article 64” (in point (c)). Also, the Board is to inform the Commission of its decisions within the dispute resolution mechanism (Article 65.5). Perhaps more importantly, in the sense that this is a “blanket” authorisation, Article 70 commences by stating that “the Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular [...]”. Consequently, the Commission may initiate any procedure in front of the Board.[18]

However, at the same time the role granted to the Commission is, perhaps, a silent one, in the sense that relatively little attention is given in the text of the GDPR to the details of its participation in the process initiated by it. Apart from the fact that it has no voting rights in the Board whatsoever, in practice the Commission is empowered to initiate a process under certain circumstances and is also to be informed of the outcome of any dispute resolution process, but the exact content, and context, of its intervention once these processes are under way is not provided for in the text of the GDPR. In the same context, there is no specific guidance as to the Commission’s possible participation in a process in front of the Board which has not been initiated by it. Is it to be assumed that the Commission will not take part in the relevant workings, and only be informed of the Board’s final decision? Or, for example, does it have the right to intervene if it is informed of a case of particular interest to it? The latter could also be supported, in view of the fact that, as per Article 68.5, “the Chair of the Board shall communicate to the Commission the activities of the Board”. Therefore, all of the matters regarding Commission participation, particularly in the consistency and one-stop-shop mechanisms, need to be defined in the guidelines and by-laws to be issued by the Board.

[18] Some reservation needs to be made with regard to the interpretation of the “where relevant” provision in practice, which, however, is not expected to be applied in a way that will significantly restrict the power afforded to the Commission expressly, and repeatedly, in the text of the Regulation.


Viewed from a different perspective, it is among the duties of the Board to advise the Commission with regard to EU data protection matters (see also Recital 139). This may be done either on its own initiative or at the request of the Commission (see Article 70). In addition, “where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter” (paragraph 2). Also, “the Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission [...] and make them public”. The GDPR therefore describes a two-way process, whereby the Board may advise the Commission and the Commission may ask for the advice of the Board. The Board will make the content of such consultation public, thus offering transparency to this process.

The general, overarching aim of all GDPR actors is to warrant consistency and efficient application of its provisions throughout the EU. With this in mind, the interplay among the bodies directly involved in this process (DPAs, the Board, the Commission and the EDPS) is crucial in ensuring consistency. The GDPR grants the Commission an important role, albeit of a singular status: it is an active participant in all work of the Board and is also permitted to initiate processes before it; however, it has no voting right. A careful balancing of each body’s duties and obligations therefore needs to take place, so as to benefit the most from the introduction of an impartial actor in the field (impartial because it is neither a DPA nor does it have particular Member State connections itself), without risking a “turf war” among competing bodies that would ultimately damage the GDPR’s application and personal data protection in the EU.

2.4 Procedural differences and other issues

The aim of this analysis is to consider how differences in national procedures might impede consistency. This will be done in particular with regard to the way DPAs handle complaints. Although the legal regime under which such an assessment will be performed remains that of Directive 95/46, which will only be replaced in May 2018 by the GDPR, we believe that useful lessons may be learnt from current DPA practices across the EU in this regard.

2.4.1 EU DPAs’ complaint-handling processes

The EU data protection legal edifice currently in effect is based on Directive 95/46. According to its Article 28,

1. Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive. These authorities shall act with complete independence in exercising the functions entrusted to them.

2. Each Member State shall provide that the supervisory authorities are consulted when drawing up administrative measures or regulations relating to the protection of individuals' rights and freedoms with regard to the processing of personal data.

3. Each authority shall in particular be endowed with:


- investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties,

- effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions,

- the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities.

Decisions by the supervisory authority which give rise to complaints may be appealed against through the courts.

4. Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.

Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply. The person shall at any rate be informed that a check has taken place.

5. Each supervisory authority shall draw up a report on its activities at regular intervals. The report shall be made public.

6. Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State. The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.

7. Member States shall provide that the members and staff of the supervisory authority, even after their employment has ended, are to be subject to a duty of professional secrecy with regard to confidential information to which they have access.

Accordingly, Recital 63 states that

Whereas such authorities must have the necessary means to perform their duties, including powers of investigation and intervention, particularly in cases of complaints from individuals, and powers to engage in legal proceedings; whereas such authorities must help to ensure transparency of processing in the Member States within whose jurisdiction they fall;

Evidently, of relevance to the purposes of this analysis is paragraph 4 of Article 28. In essence, it grants to Member State DPAs the power to hear complaints by any person against infringements of his or her right to data protection. DPAs’ authorisation is set in a wide manner: not only are infringements of the Directive’s provisions to be investigated by them, but also the lawfulness of any derogations (exemptions and restrictions) introduced by Member States that limit the scope of certain of its rights for purposes, among others, of national or public security or defence. Consequently, DPAs are not viewed in Directive 95/46 as merely administrative bodies for addressing individual complaints but also as judicial bodies assessing the lawfulness of legislative measures that affect the right to data protection.


In the same context, the person who lodged the complaint needs to be informed of the outcome of the relevant DPA investigation. In cases other than those pertaining to the above exemptions (national security, defence, etc., as listed in Article 13) the complainant may not be informed of the details of the investigation, while, a contrario, in all other cases this needs to be done. Accordingly, DPAs need to be granted under their respective national law powers of investigation and intervention as well as the power to engage in legal proceedings, so as to effectively carry out their tasks.

While the above constitute a brief description of the requirements and specifications found in the text of Directive 95/46 regarding the power of DPAs to receive and examine complaints by individuals,[19] the exact way national laws across the EU have implemented them is not straightforward.[20] A number of important reasons have led to unavoidable differences among EU Member States in this regard:

- Complaint handling processes need to be compatible with the respective Member State judicial system. Being essentially placed within the public law edifice, the relevant provisions need to be streamlined with existing legal provisions and systems of individual redress;

- The DPAs essentially constituting state (administrative) agencies, their powers and authorities also need to be compatible with the respective legal and administrative system. In certain EU Member States there is a constitutional provision on independent state agencies, while in others such a possibility does not exist. Accordingly, state agencies may or may not have the power to impose fines or carry out a full-length investigation (see the point immediately below);

- The legal framework of reference itself (meaning, national Data Protection Acts) may differ among different Member States. This is a well-identified difficulty, which the GDPR aims to address;

- Complaints themselves may be of a cross-border character, meaning that DPA cooperation needs to take place under the current legal framework, where, however, similar processes are not established;

- The notions of “investigation” and “intervention” may have different meanings in different Member States. For example, should they also include the power to physically intervene and seize processing means? Perform digital forensics? Conduct on-site visits? And, if yes, under what procedural conditions?

- The notion of “complaint” may also have different meanings across the EU. While in certain Member States it could refer to a formal submission of a complaint, written by a legal advisor in a legal manner, alleging specific infringements and asking for specific measures, in other Member States it may only relate to an informal notification to a DPA so as to further inquire into a specific personal data processing.

- Finally, the means of redress are not uniform across the EU. While in some Member States DPAs have the power to impose fines on controllers but not to pay this money to the complainants, elsewhere this may well be the case.

[19] On this issue see also European Union Agency for Fundamental Rights, Data Protection in the European Union: the role of National Data Protection Authorities, p.25, where a helpful comparative table is also included.

[20] See also the analysis below, on DPA enforcement measures, under 4.

In view of the above brief listing of insurmountable (at least, under the current legal framework) difficulties when it comes to complaint handling by DPAs across the EU, it comes as no surprise that substantial differences appear to be in place with regard to DPAs’ relevant practices. The following list is indicative of areas where such differences may occur:

- The nature of complaints that may be brought to the attention of a DPA. Individual “complaints” may be described in national law in many ways and formats, ranging from simple, unofficial notifications to DPAs to legally-written formal complaints that are placed within a judicial or formal dispute resolution system and lead to concrete measures;

- The legal powers afforded to a DPA. Legal powers under Member State law afforded to DPAs may range from “soft” intervention and referral of more important cases to courts to full and formal adjudication and enforcement powers;

- The discretionary power of a DPA to respond. While DPAs generally have the discretionary power to select which complaints they will respond to and which do not merit further examination, the methodology behind such selection may not be the same across the EU;

- The investigation and intervention powers afforded to a DPA. While part of the legal powers discussed above, it is important to distinguish between the possibilities afforded to any specific DPA to engage in a particular case. In this context, the conditions under which an investigation may be conducted as well as its scope may vary significantly among EU DPAs;

- The procedure of examination in front of a DPA may vary substantially. Examination of complaints may range from a mere classification and archiving of the complaint for further future action to a court-like procedure, in which complainants and defendants together with their legal counsel make full representations of their case to the competent DPA;

- Time limits and deadlines. In certain DPAs specific or general (administrative law) deadlines may apply, within which individual complaints need to be addressed in one way or another. This may not be the case in other EU DPAs;

- Enforcement powers. While this stage of complaint-handling by DPAs also falls within the legal powers afforded to them, as listed above, it is important to distinguish it because of its wide implications for controllers and data subjects alike. Certain DPAs have the power to enforce fines, while others do not. Equally, certain DPAs may request other measures to be applied by controllers on the basis of their findings, such as data destruction, while other DPAs are not afforded this option. Finally, an important distinction refers to whether, through the complaint-handling process by a DPA, money can be paid directly to the complainant if an infringement of his or her rights has indeed been established, or not;

- Appeal processes. A complaint-handling process may or may not end through the issuing of the relevant decision of the DPA. Differences among Member State laws also refer to whether these decisions may be challenged in front of courts or whether a second level of examination, within the same DPA, is prescribed in national law.

Nevertheless, the question of how individuals are affected by these differences is not easy to answer. Cross-border cases evidently placed aside (because they are obviously affected by any different treatment of the same case among multiple DPAs that may be called upon to examine it), at local, national level the different complaint-handling processes among EU DPAs may not have a practical effect on the individuals concerned. For example, an individual residing in Belgium and filing a complaint with the Belgian DPA, within whose exclusive competence the handling of this complaint falls, is not directly affected by the fact that, for example, in Italy a different procedure would have been followed. Ultimately, this is a matter of warranting adequate legal protection to individuals; whether this is achieved exclusively at DPA level or some involvement of national courts is also needed is irrelevant to the individuals concerned, as long as the protection afforded to them is at the end of the day efficient (meaning, measures are imposed on the infringing controller and/or the individual is compensated for the relevant infringement of his or her rights). Consequently, it could be argued that from the data subjects’ point of view, when remaining exclusively at national level, different complaint-handling processes among EU DPAs are not of great concern.

However, harmonisation among such practices is indeed important. Cross-border cases are increasing in volume. Even at local level, cross-EU legal certainty is warranted through possibly standardised complaint-handling methods. This is evident from a controller’s point of view, as controllers may feel compelled to engage in forum-shopping in order to address national differences. Individuals too will profit from a possibly standardised approach to their complaint-handling by DPAs across the EU, not only because of its increased legal certainty and level of awareness (a single process for all the EU), but also due to the indirect result of the process acquiring more experience and in-depth knowledge, since it will draw from the, by then comparable, practices of all EU Member States.

At any event, the GDPR aims at addressing the above differences, and thus warranting consistency, once it comes into effect. As a first, obvious, step, it will provide a common legal framework for DPAs to apply. In addition, cross-border cases will fall under the one-stop-shop and consistency mechanisms discussed above (under 2.2 and 2.1, respectively). However, at the same time it is not entirely clear, nor self-evident, that the GDPR will successfully resolve national differences when it comes to complaint handling by DPAs. Despite its direct effect, the fact remains that national provisions and national adjudication legal systems continue to apply; the new data protection provisions will somehow need to be aligned with them. Member States may decide to make the most of the space for national law flexibility afforded to them by the GDPR in this regard.

In view of the above, consistency in DPA complaint-handling, particularly with regard to exclusively “local” cases that do not transcend national borders, constitutes a target to be attained, rather than an issue already resolved merely through the introduction of the GDPR. Member State law is expected to differ while implementing the relevant provisions and it will require the attention of all actors involved (DPAs, the EDPS, the Commission) to align differentiated national approaches to this matter. A “standardised” complaint-handling procedure across the EU is an important harmonisation metric to be achieved by the GDPR. However, while striving to achieve this cause, the following issues[21] also need to be taken into account:

- While consistency is a shared aim among DPAs, flexibility is also an important concern among them. DPAs wish to retain a level of flexibility while handling local complaints, in accordance with local law, practices and public expectations;

- Overregulation is a concern among DPAs. The GDPR system ought to achieve consistency in complaint-handling without overregulating in the field, through going into great detail on local processes and procedures;

- DPA autonomy needs to be respected;

- Financial aspects, and limitations of human resources, also need to be taken into account;

- The connection of this system with the one-stop-shop and the consistency mechanisms needs to be clearly established.

[21] As derived also through interviews with DPAs held under Deliverable D1.1 of this project.


2.4.2 The data subjects’ perspective: is there a “right to consistency”?

While consistency is an important aim of the GDPR that, as discussed above, needs to be pursued by all actors involved in its application (DPAs, the Board, the Commission), it is doubtful whether at the same time it creates a corresponding legal right for individuals. A legal right, in the sense of a judicially pursuable right that creates concrete obligations for its addressees, is hard to envisage in the context of consistency. Consistent application of the GDPR provisions across the EU is listed expressly as one of its aims; however, the same wording does not grant individuals a right in this regard. On the other hand, in all cases where the GDPR affords rights to data subjects (see its Chapter III), this is done in an explicit manner, together with operational instructions as to their exercise. This is not the case with consistency. Inference of such an important right just from the GDPR’s Preamble, where relevant mention is made, would probably appear exaggerated.

Even from a practical point of view, it is hard to imagine the standard against which such a new right afforded to individuals would need to be measured, in order to establish possible infringements or to allocate obligations. A number of reasons, among which the express room for national law flexibility afforded in the text of the GDPR, enable different levels of application among Member States. In other words, lack of consistency may well be lawful under the GDPR. An individual’s indiscriminate claim for consistent application of the same provisions across the EU could run up against these exact provisions. Even if this is not the case, courts that would conceivably assess claims of infringement of this right would first have to assess which one of the different Member State implementations is the correct one according to the GDPR – therefore opening up new issues on lawfulness. It is for the above reasons that we consider an interpretation of the GDPR provisions as awarding a “right to consistency” to data subjects as both impractical and ultimately unbeneficial to the level of data protection afforded within the EU.

2.5 Conclusion: Enhancing consistency

In view of the importance of consistency under the new GDPR edifice, ways to enhance it ought to be explored. These ways need not coincide with the adequate and efficient application of the relevant provisions themselves, which after all constitutes a basic and self-evident first step for warranting consistency. Other than that, new ways that would supplement and strengthen the consistency mechanism need to be devised by all the actors concerned (DPAs, the Board, the Commission). In this regard, the following list is aimed at providing relevant guidance:

- Knowledge exchange among DPAs. Exchange of knowledge, in the form of case-specifics, legal theories applied, balancing of rights etc., is imperative in order to warrant the same level of understanding and interpretation of the GDPR provisions among DPAs, which in turn constitutes a fundamental basis for the consistency mechanism.

- Know-how exchange among DPAs. Know-how differs from knowledge in that it pertains to practical information. As such it may not refer to the reasoning behind the decision of a DPA but rather to the way a complaint or a case has been treated, especially towards the parties concerned (data subjects and controllers).

- Established ways of communication among DPAs. The above information needs to be exchanged among DPAs on a common, preferably electronic, accessible, searchable and secure platform.


- Training of DPAs. Continuous training of DPA personnel involved in case-handling is an important step in achieving consistency, ultimately aimed at the individuals in charge of effectuating it.

- DPA access to academic and related material. In order for DPAs to reach informed, up-to-date and scientifically valid decisions within the consistency mechanism, they need to be provided with full access to all supporting material available.

- Dissemination activities aimed at data subjects. Data subjects, who are ultimately the users of the consistency mechanism, need to be made aware of its existence and its potential contribution in cases of identified infringements of their rights.

- Publication and openness. The consistency mechanism should strive to achieve the maximum possible level of openness and transparency, given that it may function as a dispute resolution mechanism and thus affect the rights and obligations of individuals and controllers. In this regard, any documentation pertaining to a case that is publishable needs to be accessible to the public, preferably by being placed online.

- Continuous re-assessment and re-evaluation. The consistency mechanism is a new introduction through the text of the GDPR, aimed at addressing a critical aspect of contemporary personal data processing. It is therefore expected to constitute a learning experience for all bodies and individuals involved in its operation. This is why a mechanism for continuous re-evaluation and re-assessment will assist its continuous improvement, through incorporating lessons learned and best practices into its workings.


3 Learning from “mutual recognition” experience: the case of the BCR

Under the EU data protection legal framework in effect today, meaning the one based on Directive 95/46, Binding Corporate Rules (BCRs) constitute a relevant example with regard to cooperation and mutual recognition processes among EU DPAs. Indeed, this paradigm is relevant within the GDPR environment soon to come into effect in more than one respect. In particular, apart from constituting a working example of DPA cooperation and mutual recognition, it also involves identification of the Lead DPA, a central component, as seen above (under 2.2.2), of the one-stop-shop mechanism. It is in this regard that BCRs will be analysed in this Chapter. Although they are by now of limited legal effect, in the sense that the GDPR will come into effect in May 2018 while the Privacy Shield that recently became effective[22] may affect them as well, because they relate to such an important issue as international data transfers they constitute a useful example of the possible ways of DPA cooperation, the advantages of its existence, as well as the difficulties arising from the lack of generalisation.

3.1 The BCR legal basis and procedure

According to Article 26 of Directive 95/46,

1. By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2) may take place on condition that:

(a) the data subject has given his consent unambiguously to the proposed transfer; or

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request; or

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or

(d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or

[22] See the relevant press release, European Commission launches EU-U.S. Privacy Shield: stronger protection for transatlantic data flows, Brussels, 12 July 2016, available at http://europa.eu/rapid/press-release_IP-16-2461_en.htm


(e) the transfer is necessary in order to protect the vital interests of the data subject; or

(f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.

2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.

3. The Member State shall inform the Commission and the other Member States of the authorizations it grants pursuant to paragraph 2. If a Member State or the Commission objects on justified grounds involving the protection of the privacy and fundamental rights and freedoms of individuals, the Commission shall take appropriate measures in accordance with the procedure laid down in Article 31 (2). Member States shall take the necessary measures to comply with the Commission's decision.

4. Where the Commission decides, in accordance with the procedure referred to in Article 31 (2), that certain standard contractual clauses offer sufficient safeguards as required by paragraph 2, Member States shall take the necessary measures to comply with the Commission's decision.

According to the Commission, BCRs are “internal rules (such as a Code of Conduct) adopted by multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection”.[23] Their legal basis is to be found in paragraph 2 of the above Article 26. This has been further elaborated in Working Paper 74 by the Article 29 Data Protection Working Party.[24] In particular, with regard to their raison d’être, the Working Party noted that (emphasis placed by the authors):

Data Protection Authorities receive requests for authorisations for the transfer of personal data to third countries within the meaning of Article 26 (2) of the Directive. Traditionally most of these requests have required contractual solutions which national authorities have considered in the light of the principles outlined in WP 12, other documents issued by this group and particularly the Commission decisions on standard contractual clauses.

[…]

In so far as a unilateral undertaking is able to deploy real and ensured legal effects, in particular as regards the effective protection of data subjects after the transfer and as regards the possible intervention of national supervisory authorities or other authorities, as further clarified under chapters 3 and 5 below, there should not be any reason to exclude such a possibility: Article 26 (2) of Directive 95/46/EC offers the Member States a broad margin of manoeuvre in this regard.

[…]

Binding corporate rules should not be considered as the only or the best tool but for carrying out international transfers but only as an additional one where the use of existing instruments (i.e. Commission decisions on standard contractual clauses or the Safe Harbor Principles where applicable) seem to be particularly problematic. This working document may not be used as forcing or even simply as inciting the Member States to use a given tool in responding to the requests of multinational companies. National supervisory authorities or any other competent bodies are entirely free to analyse and answer the proposals submitted to them in the way that fits best with their national laws and the given elements of the submission.

[23] Information from http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/index_en.htm

[24] Working Document: Transfers of personal data to third countries: Applying Article 26 (2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers, WP74, 3 June 2003.

Subsequently, the DPA cooperation procedure is outlined in Working Paper 107.[25] Because of its length, the shortened version provided on the Commission website[26] is reproduced here:

First step: the company shall designate the lead authority, i.e. the authority which will be handling the EU co-operation procedure amongst the other European DPAs.

Second step: the company drafts the BCR which meet the requirements set up in the working papers adopted by the Article 29 Working Party. This draft is submitted to the lead authority which reviews it and provides comments to the company to ensure that the document matches the requirements set out in paper WP 153.

Third step: the lead authority starts the EU cooperation procedure by circulating the BCR to the relevant DPA i.e. of those countries from where entities of the group transfer personal data to entities located in countries which do not ensure an adequate level of protection.

Fourth step: the EU co-operation procedure is closed after the countries under mutual recognition have acknowledged of receipt of the BCR and those which are not under mutual recognition have considered that the BCR complies with the requirements set out in WP29 (within one month).

Fifth step: once the BCR have been considered as final by all DPA, the company shall request authorisation of transfers on the basis of the adopted BCR by each national DPA.

[25] Working Document, Setting Forth a Co-Operation Procedure for Issuing Common Opinions on Adequate Safeguards Resulting From “Binding Corporate Rules”, WP107, 14 April 2005.

[26] Information available at http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/procedure/index_en.htm

An important step in the BCR process is therefore the identification of the Lead DPA. This, as seen above (under 2.2.2), may constitute a useful precedent and provide relevant guidance to the consistency mechanism. The criteria through which a controller designates a Lead DPA (in the same way as an Initiating DPA, as per the analysis above) are listed in WP107 as follows (emphasis placed by the authors):

2. An applicant corporate group should justify the selection of the lead authority on the basis of relevant criteria such as:

a. the location of the group’s European headquarters;

b. the location of the company within the group with delegated data protection responsibilities;

c. the location of the company which is best placed (in terms of management function, administrative burden etc.) to deal with the application and to enforce the binding corporate rules in the group;

d. the place where most decisions in terms of the purposes and the means of the processing are taken; and

e. the member states within the EU from which most transfers outside the EEA will take place.

2.1. Priority will be given to factor described under 2 (a) above.

2.2. These are not formal criteria. The data protection authority to which the application is sent will exercise its discretion in deciding whether it is in fact the most appropriate data protection authority and, in any event, the data protection authorities among themselves may decide to allocate the application to a data protection authority other than the one to which the corporate group applied.

Once the BCR process has begun at the initiative of a controller, who also has to decide on the Lead DPA, the actual DPA cooperation process takes place. According again to WP 107 (emphasis placed by the authors),

4. Once a decision on the lead authority has been made, the latter will start the discussions with the applicant. The result of these discussions should be a “consolidated draft” which will be distributed among all DPAs concerned for comments. In normal circumstances, the period for comments on the consolidated draft will not exceed one month.

5. The lead authority will transmit these comments on the “consolidated draft” to the applicant and may resume discussions, if necessary. If the lead authority is of the view that the applicant is in a position to address satisfactorily all comments received, it will invite the applicant to send a “final draft” on which the lead authority will invite confirmation from the DPAs that they are satisfied as to the adequacy of the safeguards proposed.

6. Such confirmation will be regarded by all the participant authorities and the organisation concerned as an agreement to provide the necessary permit or authorisation at national level (if required). However, additional requirements that may exist in each country such as notification or administrative formalities may also have to be complied with.

7. The Chairman of the Article 29 Working Party will be informed of this decision and will share this information with other EU/EAA DPAs immediately via CIRCA.

8. Translations: as a general rule and without prejudicing to other translations where necessary or required by law, first and consolidated drafts should be provided both in the language of the leading authority and in English. The final draft must be translated into the languages of those DPAs concerned.

The Lead DPA is, consequently, in charge of the relevant process; it is its duty to identify the DPAs concerned, circulate the first BCR draft, receive DPA comments and transmit them back to the applicant, re-submit a “final draft” for confirmation by DPAs, and be prepared to re-initiate the same process, if needed, until confirmation by all DPAs concerned “that they are satisfied as to the adequacy of the safeguards proposed” has been received.

DPA confirmation on the final version of BCRs, as forwarded to them by the Lead DPA, does not have a formal legal status, nor is it binding upon its addressees (the DPAs concerned). It only constitutes an “agreement to provide the necessary permit or authorisation” by the same DPA at national level, which is usually indeed required. Therefore, the mutual recognition mechanism in the case of BCRs is based on an informal understanding between DPAs, informal in the sense that it has no concrete legal status (keeping in mind that the Working Party’s opinions are not binding and WP 107 is, indeed, merely a “working document”): if one of them has confirmed the adequacy of the BCRs forwarded to it by the Lead DPA, it will not change its mind at a later stage, when the same controller submits the same BCRs to it for approval, and will indeed issue the relevant permit. In the same context, no other mechanisms are introduced with regard to appeals or a dispute resolution mechanism. From this point of view, the BCR cooperation mechanism, as in effect today, constitutes an informal cooperation mechanism among DPAs, aimed at facilitating multinational controllers’ personal data processing and based, essentially, on the participating DPAs’ good will.

3.2 The BCR advantages

Within a globalised personal data processing environment the advantages of BCRs are easily identifiable. The Commission, after all, provides a relevant list in this context:[27]

BCR make it possible to:

- be in compliance with the principles set out by with article 25 and 26 of the European Directive 95/46 for all flows of data within the group which are covered by the scope of the BCR,

- harmonise practices relating to the protection of personal data within a group,

- prevent the risks resulting from data transfers to third countries,

- avoid the need for a contract for each single transfer,

- communicate externally on the company's data protection policy,

- have an internal guide for employees with regard to the personal data management,

- make data protection integral to the way the company carries out its business.

[27] European Commission, What are the advantages of BCR?, information available at http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/index_en.htm

Indeed the list is comprehensive with regard to the BCR advantages. BCR are specifically addressed at multinational controllers or processors that would otherwise need to file for multiple permits in EU Member States, according to requirements posed by Directive 95/46 and its transposing national legislations.[28] Such a process could prove counter-productive, in view of the fact that it ultimately refers to the same region (the EU) applying essentially the same rules (those of Directive 95/46). BCR therefore develop a twofold function: on the part of their addressees (processors and controllers), they streamline and simplify processes; on the part of DPAs and the right to data protection, they constitute a de facto consistency and one-stop-shop mechanism: identification of a Lead DPA to handle the matter centrally and adherence to the relevant outcome by all DPAs concerned constitute basic parts of the respective GDPR mechanisms discussed above (under Chapter 2). Evidently, the advantages of such mechanisms within the contemporary personal data processing environment have been well identified by EU DPAs over the past decade, and practical, case-specific solutions, such as the one pertaining to BCR, were introduced to address them. The GDPR, in a way, institutionalises these approaches, validating at the same time their significance for personal data protection.

3.3 The difficulties arising from BCRs’ lack of generalisation

Since their introduction, as streamlined and particularised in the Article 29 Working Party’s documents described above (under 3.1) and in the Commission’s corresponding webpages filled with practical instructions and guidance, the BCR became over the years one of the basic alternatives for international data transfers. They therefore attracted significant attention in legal theory.[29] With regard to difficulties identified, the issues of practical difficulty and cost in drafting have been repeatedly highlighted. Apparently, the preparation of a series of BCR drafts in cooperation with the Lead DPA and their revision until all DPAs concerned are satisfied with them, so as to become final, is a lengthy, not straightforward and costly procedure. Perhaps expectedly so, however, given that the personal data processing of multinationals is involved, which may span several EU and non-EU countries.

However, the implementation per se of BCR is not the aim of this analysis. Rather, this analysis focuses on the lessons learned through them in view of DPA cooperation and mutual recognition under the new GDPR processes (one-stop-shop and consistency mechanisms) that will become effective in the near future. From this point of view, a number of issues may be highlighted with regard to BCR that we consider also of relevance to these forthcoming mechanisms:

[28] In particular, “BCR are a solution for multinational companies which export personal data from the European Economic Area to other group entities located in third countries which do not ensure an adequate level of protection”, ibid.

[29] See, for instance, Bender D/Ponemon L, Binding Corporate Rules for Cross-border Data Transfer, Rutgers Journal of Law & Urban Policy, Vol 3:2, 2006; Wugmeister M/Retzer K/Rich S, Global Solution for Cross-Border Data Transfers: Making the Case for Corporate Privacy Rules, 38 Geo. J. Int'l L. 449 (2006-2007); Kulesza J, Walled Gardens of Privacy or Binding Corporate Rules: A Critical Look at International Protection of Online Privacy, 34 UALR L. Rev. 747 (2011-2012); Moerel L, Binding corporate rules: Fixing the regulatory patchwork of data protection, doctoral thesis, Tilburg Institute for Law, Technology, and Society (TILT), 2011.

- Not all EU DPAs participate in this “mutual recognition” mechanism. As clarified on the Commission website, “at the moment twenty-one countries are part of the mutual recognition procedure”.[30] In view of the BCR mechanism’s self-evident practical importance as well as the many years it has been in effect, it could be assumed that the lack of uniformity on behalf of certain EU DPAs is intentional. Therefore, if this finding is to serve as a relevant example for the future, the reasons that have led to this difficulty need to be addressed in a convincing manner for all EU DPAs;

- Only eighty-five companies have “closed” the BCR procedure. This is perhaps a surprising finding, given BCRs’ clear advantages for all multinational processors or controllers whose personal data processing spans several EU and non-EU countries. Here again it could be assumed that the practical disadvantages of BCRs (practical, because they are not visible from a lege lata perspective) are such that they probably outweigh their advantages, leaving them relevant only for a handful of companies willing to provide the resources and effort needed. Equally, if one wished to extrapolate to the GDPR environment, attention needs to be given so that the one-stop-shop mechanism becomes reachable by the majority of controllers and processors in the EU and not only by a minority who can afford it;

- Cost and time restraints need to be taken into account. This constitutes perhaps an obvious observation, which has however probably “condemned” BCR to very few applicants over the past decade, and it is relevant to the GDPR environment particularly because the GDPR pays special attention to the “specific needs of micro, small and medium enterprises”;[31]

- Flexibility is important. In view of the above limitations (non-uniform EU participation and limited appeal to its addressees, two findings that could well be feeding each other), it is conceivable that the vast majority of international data transfers make use of the other alternatives provided for in Directive 95/46. This is an important finding, which may come as a surprise to EU DPAs’ aspirations when they introduced BCR back in 2003 with the intention for them to cover multinational cross-border personal data processing (see above, under 3.1). However, reality has proven otherwise, and controllers and processors apparently found other legal paths (model clauses, the “safe harbour” arrangement) more desirable. This is why under the GDPR it is not advisable to adopt a “patronizing” approach, trying to promote any one of its mechanisms over the others, but rather to provide for a multitude of legal instruments and then leave their addressees to decide which one suits their specific needs better.

[30] Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Estonia, France, Germany, Iceland, Ireland, Italy, Latvia, Liechtenstein, Luxembourg, Malta, the Netherlands, Norway, Slovakia, Slovenia, Spain, and the United Kingdom (information available at http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/mutual_recognition/index_en.htm).

[31] See, for example, its Recitals 13, 98 and 132.


4 Proposed mutual assistance, co-ordination and co-operation regarding enforcement measures

The analysis of challenges that apply in practice with regard to the proposed mutual assistance, co-ordination and co-operation enforcement measures under the GDPR needs to take into account the diversity of existing DPA enforcement powers and the differences between DPAs in the powers at their disposal, as well as current national limitations on sharing information. The analysis that follows is divided into three chapters that address these issues and the diversity of approaches respectively.

4.1 Mapping DPAs’ enforcement powers

The issue of mapping DPAs’ enforcement powers has been addressed under this project’s Deliverable 1.[32] The relevant text, which in part justifies why a detailed mapping exercise is considered impractical, particularly at this period in time, is therefore copied below:

One activity of the PHAEDRA II project is the mapping of the enforcement powers of DPAs. We asked DPAs if they felt this would be a useful exercise, and if they could make use of a centralised database of the foundation legislation granting DPAs their authority and powers, or if a mapping exercise would need to summarise powers and capacities more succinctly.

Several DPAs expressed their support for the activity. This was based upon the advantages of knowing the capacities of other DPAs when it came to joint investigations and other forms of co-operation, such as sharing information. Knowing what others were capable of, without having to ask direct questions was seen as potentially aiding planning activities, particularly in their initial early stages. It was also seen as potentially useful when a complaint from a data subject has to be channeled through another country. DPAs acknowledged the often significant differences between their capacities and their enforcement powers under the current framework. Differences raised included access to police files, sanctions and the ability to levy fines (of differing amounts). Having powers visible was seen as a relatively important goal.

DPAs generally did not think that a straightforward gathering of foundational legislation would be sufficient or particularly useful, given that such legislation could exist across and make reference to multiple acts, and a reader would have to be able to parse these potentially complex legal documents in order to understand the particular powers of a fellow DPA. Therefore a mapping exercise would need to extract competencies from the foundational legislation, and make the former available in a more structured, easily understood, comparable form - some form of "country fact sheet". Other information on this could include international contact points for key issues. Mapping the enforcement powers of the EDPB was also raised in this context.

[32] Phaedra II: Authorities' views on the impact of the data protection framework reform on their co-operation in the EU, July 2015, Chapter 5.3.


Some DPAs did not see any added value from the creation of such a map or database. In this case they either felt familiar with the enforcement powers of their peers, or did not believe additional information would alter their decision making. Several DPAs informed us that they felt that this activity had been performed previously and that the results of these exercises should be available. The Article 29 Working Party, the European Commission and other parties may have performed mapping exercises. DPAs felt that they had certainly answered similar questions in the past.

A fundamental issue raised by DPAs in this context was the extent to which this exercise would be conducted before the passing of the GDPR, or afterwards. As a Regulation, some DPAs felt that the GDPR would harmonise the enforcement powers of DPAs. They therefore saw little value in conducting a mapping exercise that would be accurate for only a small number of months, until the Regulation is passed. A mapping exercise conducted afterwards would, theoretically, reveal little difference between the enforcement powers of European DPAs. A more nuanced approach for the mapping exercise was therefore seen as necessary by some DPAs – the mapping exercise would not focus upon core enforcement powers under the GDPR, but instead upon the way that the enforcement powers in the GDPR interacted with additional and existing legislation at the Member State level (for example administrative law, audit laws, laws on minor offenses, etc.). One DPA raised the challenge that a mapping of DPA enforcement powers might, to be meaningful, also have to map DPA enforcement strategies (for example, the balance between education, consultancy and enforcement, and the willingness to use particular powers) and that this would be a political issue for DPAs. However, in the post-GDPR context, a global mapping exercise was still seen as useful.

The above constitute the DPAs' approach on the matter and, as explained, partially explain our corresponding finding that a detailed mapping exercise of EU DPAs' enforcement powers is, at this point in time at least, impractical. The following explanatory reasons are intended to complement the above – and at the same time provide some feedback on the necessary considerations of such an exercise:

As also identified by DPAs, a mere gathering of foundational information on the enforcement powers of DPAs and its subsequent insertion into a table would not be sufficient or particularly useful. In order to understand them so as to provide practical guidance, a reader would indeed have to be able to navigate complex legal documents in order to understand the particular powers of a DPA. Consequently, in order for the exercise to become useful it first and foremost needs to be preceded by a comparative law analysis of civil law, administrative law and also potentially criminal law among Member States;

The term “enforcement” itself may be perceived differently in different Member States, so the same preparatory exercise would have to closely define it, taking account of various local legal system parameters, such as the law on investigations/criminal procedure, the legal status of DPAs, what enforcement measures actually include for each Member State, the existence of any appeal processes, etc.;

Even identifying and paralleling the legal provisions does not provide an accurate picture of DPA enforcement in a specific Member State, because practices also matter and these cannot be evidenced. For example, shortcomings in a DPA’s founding documents with regard to its investigatory powers may be resolved in practice through its seamless cooperation with the state agencies needed to assist it in this regard. Consequently, while in theory, by cross-examining the legal provisions in effect, a shortcoming, in the sense of a lack of relevant powers, may appear, this may well not be the case in practice;

In the same regard, experience is an important factor in enforcement that also may not be evidenced. A DPA may in theory possess all the legal tools for enforcement, but unless it has long experience in applying them, it will not be aware of the practical issues that may lie ahead of it: for example, case law arising from an appeal launched by a dissatisfied controller or data subject against an enforcement decision by a DPA may, if the court decides against that DPA, substantially affect its enforcement powers;

The purposes, and inherent limitations, of the mapping exercise need to be clear to its recipients. A comparative mapping exercise on enforcement risks being used for purposes other than to inform and educate other Member State DPAs;

In the same context, the notion of enforcement needs to be clearly distinguished from the notion of efficiency in applying data protection provisions by any DPA;

Finally, and perhaps most importantly for the purposes of this analysis, the GDPR is expected to soon reshape the field in all Member States. Because it comes into effect in May 2018, immediately developing its direct effect over all of the EU, practically all Member States are in the process of amending their national legislation in order not only to accommodate its requirements but also to issue all the secondary legislation needed. This process unavoidably affects the legal status of DPAs in more than one way, enforcement after all constituting a substantial (if not the most important) part of DPAs' powers and competences. A mapping exercise carried out today would unavoidably have to reflect the law in effect in each Member State, which is practically the one that transposed Directive 95/46 into Member State national law. In this regard, it would almost certainly be outdated by the time it was concluded.

In view of the above, we believe that a high-level approach would perhaps provide more relevant results today, which could also be taken into consideration by Member States while drafting their amended data protection legal frameworks. By keeping all other variables (Member State legal systems, the legal status of DPAs within each one of them, the interplay of the relevant provisions with the judicial system in place) outside the limits of this analysis, and by examining only the provisions of the Member State data protection acts as well as the perceptions of DPAs themselves, as evidenced in interviews under Deliverable 1 of this project,33 the following may be concluded:

Important differences among the enforcement powers of Member State DPAs are to be found in their founding legal texts, meaning Member State data protection acts. While certain DPAs are equipped with powers resembling those of a judicial authority (investigation of all controllers and the power to impose fines on anybody), others may be faced with limitations in this regard (for example, not being able to levy fines on state agencies). While these differences may be attributed to legal or other reasons, they most likely will need to be eradicated by the time the new GDPR (particularly its one-stop-shop mechanism) comes into effect. A common minimum set of enforcement powers could be useful in this regard;

Evidently, important differences exist among Member States’ legal systems, which in turn substantially affect the enforcement powers of their DPAs. In view, however, of the analysis above, this factor of complexity is difficult to address, if only to map. A level of flexibility for DPAs to deal themselves with their national legal systems, which they evidently know better than anyone else, probably needs to be afforded to them, focusing therefore on the result of enforcement and not on the national law details behind it;

33 Ibid.

Finally, important differences exist with regard to the approach each DPA adopts on its enforcement powers. As evidenced in this project’s Deliverable 1, approaches range widely from strict and judicial-like application of the law in effect to user-friendly and guidance-oriented approaches that only resort to resolute measures against controllers if no other alternative exists. Here again a level of flexibility is advised, because ultimately DPAs reflect local cultures and practices upon local controllers, without however endangering the overall data protection level;

An important question refers to how, and whether, these identified differences will be justified under the GDPR. In particular, the one-stop-shop mechanism is based on the idea of mutual trust among DPAs. In essence, each EU DPA ought to trust that all of its colleagues, who may be appointed as the Lead DPA in any case also affecting its own jurisdiction, will achieve an end-result on that specific case (meaning, against a specific controller) comparable to what it would have achieved itself, if it were the only DPA handling the case. If differences remain, and this leads to dissatisfied DPAs believing that fellow DPAs did not pursue a case adequately because of a local lack of enforcement powers, then this will undermine the mechanism, and ultimately the GDPR itself;

The consistency mechanism may be too high level to address differences in enforcement among EU DPAs. As seen above (under 2.1), this mechanism is designed to be called upon only in important cases and cross-border processing. Unless, therefore, a particular difference develops into an important issue for EU data protection overall, this mechanism will most likely not be used to eradicate differences in enforcement across the EU. Another formal mechanism to deal with them is not foreseen, other perhaps than ad hoc intervention of the Board or the Commission. It is therefore important for EU DPAs to try and align their enforcement powers with fellow DPAs under the new regulatory framework of the GDPR during the law-making process within their respective Member States.


4.2 Sharing information (including confidential information)

Effective cooperation among DPAs depends, inter alia, on the ability to exchange case-related information. This exchange of information not only constitutes a common practice among DPAs but is also necessary to fulfil their functions. Moreover, cooperation is now situated at the heart of the institutional system created by the GDPR, which is well aware of the serious challenges that globalised data flows present to ensuring privacy and data protection compliance. These increased transborder data flows must be backed by increased cross-border information sharing and enforcement cooperation between supervisory authorities both inside the EU and internationally. This development is at the forefront of the GDPR, and cooperation among national data protection authorities on issues with a wider European impact is a key element of the new approach. As the WP29 affirms, the new governance model established by the Regulation is built on three pillars: a greater role for the national DPAs, enhanced co-operation between authorities and consistency at EDPB level.34 The three priorities rest on the premise of a common and well-designed system for the exchange of information.

As explained below, the GDPR determines that EU DPAs shall cooperate with each other in regard to some of the most important data protection enforcement powers, that is, the provision of information and mutual support regarding authorisations and consultations, inspections and investigations. So far, exchanges of information have been taking place in the context of activities of a very different nature, and DPAs have reported the wide variety of types of information that they share, including plans and intentions, case law, decisions, experiences and best practices, informal thinking, opinions, and requests for opinions.35 Nonetheless, within the framework of their supervision activities, Member States attached vital importance to the activities of investigation, monitoring and enforcement of EU data protection law.

Indeed, within the European Union, the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (or the Data Protection Directive) refers to the exchange of information in general terms in its Article 28(6): “The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information”. So does the GDPR in the list of what are considered to be the main and generic tasks of each supervisory authority in Article 57(1). In the broader European framework, the Convention 108 of the Council of Europe – now pending modernisation – also promotes cooperation in Article 13, which stipulates the obligation of mutual assistance between signatories.36

34 Article 29 Data Protection Working Party, Statement on the 2016 action plan for the implementation of the General Data Protection Regulation (GDPR), 2 February 2016.

35 Barnard-Wills, David and David Wright, Deliverable D1: Authorities’ views on the impact of the data protection framework reform on their co-operation in the EU, London-Brussels-Warsaw-Castellón, July 2015, p. 16.

36 Article 13 of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data determines that, in order to implement the Convention, the Parties agree to render each other mutual assistance and places the obligation to share all factual information, that is non-personal data, in relation to a case. The Consolidated text of the modernisation proposals of Convention 108 finalised by the CAHDATA in June 2016/Article 12.bis (paragraph 7bis) of the Draft modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data in September 2016 nuances this limitation and stipulates that the information shared shall not include personal data undergoing processing unless such data are essential for co-operation, or where the data subject concerned has given explicit, specific, free and informed consent to its provision.

Coming back to Europe and according to Article 57(1) of the GDPR,

1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation.

Together with this general provision, many other articles in the GDPR refer to sharing information from one DPA to another or to the EDPB, as it is a precondition for the effective implementation of the new cooperation mechanisms laid down in Chapter VII of the GDPR. Their implementation will require the exchange of information between DPAs, and this will certainly require swift, flexible and secure procedures.

Most of the mentioned articles incorporate detailed procedures that specify deadlines, means and conditions for the transmission of information. All of them refer to the exchange of relevant information for the purposes of cooperation between the lead supervisory authority and the other supervisory authorities concerned (Article 60), of providing mutual assistance (Article 61), and of implementing the consistency mechanism (Section 2, Articles 63 and following). This raises a major concern, as the provisions contain no explicit clause on the exchange of confidential or otherwise protected information. Yet national laws often protect such information as confidential, restricted or secret. These laws usually impose on their authorities the obligation of professional secrecy, which may in turn limit the DPAs’ powers to share such information with DPAs in other Member States.

In this chapter, a brief statement of the provisions generally governing the exchange of information is presented in Section 2, followed by an analysis of the notion of relevant information and a reference to the specific cooperation mechanisms requiring the exchange of information (Sections 3 and 4). The effective exchange of information is in potential conflict with the confidentiality obligations that may prevent DPAs from releasing restricted information to each other. This question is developed in Section 5.

In the current and future state of play, some questions arise concerning the way Member State legislation empowers DPAs regarding the exchange of information, the current safeguards applied by Member States when information is exchanged, the types of information set out in Member States’ national law and the procedures for requesting such information. This part of the chapter will show that the absence of procedures framing information requests in national laws does not preclude information exchange among DPAs, including confidential information. These issues will be treated in Section 6 of this study, which ends with practical examples of tools used to exchange information. The principle of confidentiality in the GDPR will be analysed in Section 7, and Section 8 provides a final assessment of the GDPR provisions regarding the exchange of information.


4.2.1 Regulations governing the exchange of information under the GDPR

As mentioned above, the Data Protection Directive does not directly address the issue of the exchange of information, nor does it regulate what constitutes confidential or otherwise protected information or the conditions under which it can be shared. In practice, there is a variety of provisions in the legislation of DPAs and privacy enforcement authorities that enhance, constrain or qualify the sharing of information with other DPAs.37 Indeed, the exchange of information among EU DPAs in relation to investigations is very common. Many DPAs understand that they are authorised to do so in accordance with the already mentioned provisions of the Data Protection Directive or Convention 108 (Estonia, Finland, Netherlands). Other DPAs limit the information transferred taking into account the results of the performed inspection (Bulgaria), to the extent that it is required in order to comply with the provisions of national data protection legislation (Denmark), within their scope of power (Slovakia), or as limited by the principle of confidentiality (United Kingdom).

Concerning the exchange of information, the new Regulation requires DPAs to share “relevant” information with each other in several articles, but the most relevant ones are devoted to the regulation of the new cooperation and mutual assistance mechanisms.

Concerning the cooperation between the lead supervisory authority and the other supervisory authorities concerned, Article 60(1) of the GDPR provides:

1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

Moreover, concerning mutual assistance, Article 61(1) of the GDPR reads as follows:

1. Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations.

2. Each supervisory authority shall take all appropriate measures required to reply to a request of another supervisory authority without undue delay and no later than one month after receiving the request. Such measures may include, in particular, the transmission of relevant information on the conduct of an investigation.

3. Requests for assistance shall contain all the necessary information, including the purpose of and reasons for the request. Information exchanged shall be used only for the purpose for which it was requested.

4. The requested supervisory authority shall not refuse to comply with the request unless:

(a) it is not competent for the subject-matter of the request or for the measures it is requested to execute; or

(b) compliance with the request would infringe this Regulation or Union or Member State law to which the supervisory authority receiving the request is subject.

5. The requested supervisory authority shall inform the requesting supervisory authority of the results or, as the case may be, of the progress of the measures taken in order to respond to the request. The requested supervisory authority shall provide reasons for any refusal to comply with a request pursuant to paragraph 4.

6. Requested supervisory authorities shall, as a rule, supply the information requested by other supervisory authorities by electronic means, using a standardised format.

7. Requested supervisory authorities shall not charge a fee for any action taken by them pursuant to a request for mutual assistance. Supervisory authorities may agree on rules to indemnify each other for specific expenditure arising from the provision of mutual assistance in exceptional circumstances.

8. Where a supervisory authority does not provide the information referred to in paragraph 5 of this Article within one month of receiving the request of another supervisory authority, the requesting supervisory authority may adopt a provisional measure on the territory of its Member State in accordance with Article 55(1). In that case, the urgent need to act under Article 66(1) shall be presumed to be met and require an urgent binding decision from the Board pursuant to Article 66(2).

9. The Commission may, by means of implementing acts, specify the format and procedures for mutual assistance referred to in this Article and the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board, in particular the standardised format referred to in paragraph 6 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

37 Wright D, Enforcing privacy. Regulatory, Legal and Technological Approaches, in Wright D/De Hert P (editors), Springer, 2016, pp. 28ff.

The GDPR aims to encourage and facilitate the exchange of information not only within the EU but also with third countries, a provision not found in the Data Protection Directive. Indeed, Article 45(1) specifies that

1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

Furthermore, Article 50(4) specifies that

In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:

(a) develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;

(b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

(c) engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;

(d) promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.

Accordingly, Recital 116 provides that:

When personal data moves across borders outside the Union it may put at increased risk the ability of natural persons to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, there is a need to promote closer cooperation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts. For the purposes of developing international cooperation mechanisms to facilitate and provide international mutual assistance for the enforcement of legislation for the protection of personal data, the Commission and the supervisory authorities should exchange information and cooperate in activities related to the exercise of their powers with competent authorities in third countries, based on reciprocity and in accordance with this Regulation.

And Recital 133 sets that:

The supervisory authorities should assist each other in performing their tasks and provide mutual assistance, so as to ensure the consistent application and enforcement of this Regulation in the internal market. A supervisory authority requesting mutual assistance may adopt a provisional measure if it receives no response to a request for mutual assistance within one month of the receipt of that request by the other supervisory authority.

These exchanges of information fall outside the scope of this analysis. The scope of the study will be limited to the 28 EU Member States, countries that will have to abide by the new Regulation from May 2018. Concerning information-sharing and, more generally, cooperation between a DPA of an EU Member State and a DPA of a third country, ad hoc agreements are signed between DPAs, which appear under a plethora of titles: Memorandum of Understanding, Cooperation Agreement, Collaboration Declaration, Declaration on Further Collaboration, Declaration on Joint Co-operation, Memorandum of Multilateral Cooperation, among others.38

4.2.2 The notion of “relevant information”

The boost given by Chapter VII of the GDPR affects the exchange of information in two different aspects: its nature and its definition. The exchange becomes mandatory, and its definition rests on the term “relevant information”.

Sharing relevant information is specifically mentioned in Articles 60 (1, 3), 61 (1, 2) and 64 (4, 5):

Article 60

1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.

Article 61

1. Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations.

2. Each supervisory authority shall take all appropriate measures required to reply to a request of another supervisory authority without undue delay and no later than one month after receiving the request. Such measures may include, in particular, the transmission of relevant information on the conduct of an investigation.

Article 64

4. Supervisory authorities and the Commission shall, without undue delay, communicate by electronic means to the Board, using a standardised format any relevant information, including as the case may be a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of other supervisory authorities concerned.

5. The Chair of the Board shall, without undue delay, inform by electronic means:

(a) the members of the Board and the Commission of any relevant information which has been communicated to it using a standardised format. The secretariat of the Board shall, where necessary, provide translations of relevant information;

38 Information on the aforementioned agreements is available in previous studies of PHAEDRA. Specifically, Part 3 of Deliverable 2.1, A compass towards best elements for cooperation between data protection authorities, includes the full text of the agreements between DPAs that are available online and a brief analysis of agreements between DPAs that are not available online but that were shared with the PHAEDRA consortium. More detailed research on BCR is provided in this study (see Chapter 3, pp. 24-27).

Relevance can be defined as the quality or state of being closely connected or appropriate. In this regard, the indications given by some of the consulted DPAs in previous studies of PHAEDRA are particularly pertinent. Indeed, DPAs considered relevant information the information necessary to respond to or to resolve a specific case. The relevance was assessed through contextual criteria.39

Ultimately, the requesting authority determines whether the information received is sufficient, as set out by Article 61 (3) of the GDPR: “Requests for assistance shall contain all the necessary information, including the purpose of and reasons for the request. Information exchanged shall be used only for the purpose for which it was requested.”

Furthermore, it is understood that the term “relevant information” allows a certain flexibility to encompass all conceivable elements of the information. Indeed, the legislator has chosen this general term instead of an exhaustive list -which by nature is limited- with the aim of not leaving behind any actual or future elements of what could be considered “relevant information”. In the present case, the choice of the term “relevant” is well suited to addressing this problematic issue.

The uncertainty remaining in the GDPR about the limits of the exchange of information leaves three main doubts open: (1) the need for a homogeneous interpretation of the confidentiality clause throughout Europe, so that it cannot be wielded against the request of another supervisory authority, (2) the implementation of a mechanism allowing DPAs to trust the exchange of reserved information, and (3) the creation of a secure, well-designed and appropriate system for information exchange. These doubts were already expressed by the DPAs during the ordinary legislative procedure but were not cleared up in the final text.40

Another note concerning the interpretation of information must not be disregarded. The request for sharing information may include materials which contain information considered as confidential (or restricted, reserved, secret) but also information related to personal data, as defined in Article 4 of the GDPR. Cooperation on enforcement activities among EU DPAs may include providing non-confidential or confidential information, which may or may not contain personal data.

Where the information exchanged contains personal data, the exchange is limited by compliance with the generally agreed data protection principles, to the extent necessary for effective data protection enforcement. This implies, on the one hand, respect for the right to information concerning the purpose of the exchange, the possible storage or processing of the data by the receiving authority (as well as the identity of the latter), the categories of data affected, and the possibility to exercise the rights of access and rectification. On the other hand, it implies the limitation of the rights of access, rectification, cancellation and opposition where this is necessary for the effectiveness of the enforcement action or where they would interfere with other domestic law obligations. Finally, it implies the guarantee of a secure treatment of sensitive data as well as the consent of the data subject.

39 For the most part, DPAs suggested that they currently share information as necessary and as required for a particular case, in relation to the context of that case. There was therefore not a standard set of information that was exchanged. Relevancy was determined through contextual criteria, ranging from "all pieces of information that are useful in assessing the issue at hand" to "all relevant information need(ed) to take the appropriate procedural and material measures in order to solve a case" and "the information which we consider as necessary for adoption of a decision". Relevancy was determined by the informing DPA, with the possibility of negotiation and discussion if the receiving DPA felt there was some information missing (Barnard-Wills, David and David Wright, Deliverable D1: Authorities’ views on the impact of the data protection framework reform on their co-operation in the EU, London-Brussels-Warsaw-Castellón, July 2015, p. 14).

40 Barnard-Wills D/Wright D, Deliverable D1: Authorities’ views on the impact of the data protection framework reform on their co-operation in the EU, London-Brussels-Warsaw-Castellón, July 2015, p. 14.

4.2.3 A variety of procedures for sharing information

As this chapter will show, cooperation among DPAs has been taking place for a long time. This cooperation has been characterized as irregular, heterogeneous and often based on geographical proximity and trust. In fact, among the findings of the first report delivered by PHAEDRA II, many DPAs affirmed that the exchange of information through "unstructured" methods was not problematic and that cooperation between authorities could work.41

The Data Protection Directive does not include a specific procedure framing information requests from one EU DPA to another, nor a general provision obliging Member States to develop national procedures on this matter. The legislation of the Member States remains silent regarding specific procedures that could frame the multiple exchanges among DPAs. Nevertheless, DPAs do exchange information, mainly through existing frameworks where they exchange informally. These informal exchanges take place in different fora and through various means. Indeed, DPAs participate, to a greater or lesser extent, in different conferences and seminars organized worldwide, where they have the opportunity to share good practices or new policies, present new projects or formalize bilateral agreements.

Among the existing EU frameworks, the most relevant platform where EU DPAs are able to exchange information is the Article 29 Data Protection Working Party (WP29).42 During its plenary sessions or during the meetings of its different groups (including the “cooperation” sub-group, in charge of discussing cooperation issues), representatives of the EU DPAs are able to exchange information about particular files or issues of interest. Sometimes, within the framework of the WP29, task forces are created voluntarily by several DPAs to work together on a specific case.43 Additionally, the WP29 may bring together interested DPAs to create a working group to cooperate on a certain case.44

41 Even more, the conclusion was that “clever and well-designed systems for information exchange would likely not harm DPA co-operation, but if their absence was not the key barrier or challenge, then they would have little positive impact”, Barnard-Wills D/Wright D, ibid, p. 16.

42 The WP29 is composed of representatives from the different EU DPAs, the European Data Protection Supervisor and the European Commission. It is the most important European platform for cooperation among EU DPAs and its main role is advisory and the promotion of uniform application of EU data protection law. The WP29 meets about 5 times a year in Brussels.

43 This was the case for the drafting of Opinion 04/2013 on the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems prepared by Expert Group 2 of the Commission’s Smart Grid Task Force.

44 For instance, following a Facebook statement regarding the amendment of its privacy policy, a working group was set up in March 2015 in the framework of the WP29, composed of five DPAs that decided to investigate the matter (France, Belgium, the Netherlands, Spain and Hamburg),

The European Conference of Data Protection Authorities (or Spring Conference) is also used by EU DPAs to share information. Indeed, this Conference is composed of DPAs from EU Member States and from the Council of Europe, which meet every year in spring to discuss issues of common interest and to exchange information and experiences on different topics. The EDPS is also represented and contributes to the discussions. The conference usually ends with the adoption of documents.

EU DPAs also exchange information at the meetings of the Council of Europe Consultative Committee on the protection of personal data45 (the T-PD, which stands for traité de protection des données). This Committee acts as a forum for exchanges on privacy challenges and developments. Chapter V of the Council of Europe Convention 108 on the protection of personal data established the Committee.

Other platforms46 where EU DPAs are able to exchange information are the Meetings of the Central Eastern European Data Protection Authorities (CEEDPA)47 and the Conference of Balkan Data Protection Authorities.48

A special cooperation has been set up by the Nordic DPAs, composed of the DPAs of Denmark, Sweden, Finland, Norway and Iceland. Joint Nordic Inspections are usually performed once per year, and the Nordic DPAs provide assistance to each other a few times a year. These inspections have proved to be “successful and have led to good results and practices”.49

Among the existing international frameworks, the most relevant platforms where EU DPAs are able to exchange information are the International Conference of Data Protection and Privacy Commissioners (ICDPPC) and the Global Privacy Enforcement Network (GPEN). The purposes of the ICDPPC are, inter alia, to promote and enhance personal data protection internationally, to draft and adopt joint resolutions and to encourage and facilitate cooperation and the exchange of information.50 The GPEN aims at facilitating cross-border cooperation in the enforcement of privacy laws. The Network enables privacy regulators worldwide to work and cooperate as they address risks to the personal information of their citizens. 17 out of the 28 EU DPAs are members of the GPEN.

Finally, at a sectoral and thematic level,51 four mechanisms exist where a small number of EU DPAs are able to exchange information.

Regionally, EU DPAs are part of larger networks: the Ibero-American Data Protection Network and the Association of Francophone Data Protection Authorities.52

45 More detailed information available here: Barnard-Wills D/Wright D, Workstream 1 report: Co-operation and Co-ordination between Data Protection Authorities, London-Brussels-Warsaw-Castellón, July, pp. 87ff.

46 Ibid, pp. 91ff.

47 EU DPAs participating in these meetings: Poland, Czech Republic, Slovenia, Estonia, Hungary and Bulgaria.

48 EU DPAs participating in these conferences: Czech Republic, Hungary and Slovenia.

49 Quote from the Finnish Data Protection Ombudsman, available at http://www.tietosuoja.fi/en/index/ajankohtaista/nordicdataprotectionauthorities8217meetinginhelsinki.html

50 Text available at https://privacyconference2013.org/web/pageFiles/kcfinder/files/RULES_AND_PROCEDURES2.pdf

51 Following the classification of Wright D, in Enforcing privacy, ibid, pp. 38-39.

Thematically, EU DPAs exchange information in the area of telecommunications, through the International Working Group on Data Protection in Telecommunications,53 and in the area of spam, through the International Cybersecurity Enforcement Network (the so-called LAP, London Action Plan). The London Action Plan seeks to promote international spam enforcement cooperation and to address spam-related issues (online fraud and deception, phishing, dissemination of viruses…). Both private sector representatives and government and public agencies are represented. DPAs from Ireland, Spain and the UK are part of this network. Moreover, other EU Member States (Belgium, Finland, Hungary, Latvia, the Netherlands, Portugal and Sweden) are represented through other governmental bodies, mainly consumer agencies.54

Faced with this plethora of mechanisms for the exchange of information among DPAs, the Regulation gives further insight on practical cooperation and addresses some important details concerning the way in which mutual assistance and cooperation are going to be implemented in practice. The specification of procedural steps is positively assessed, as proper implementation of the exchange of information has to be based on predefined, clear and common rules. Thus, some aspects related to information exchange procedures are found in the GDPR, especially as regards the obligation to respond and the deadlines that apply, with a clear distinction depending on the mechanism that is being implemented.

The cooperation mechanism provided in Article 60 (cooperation between the lead supervisory authority and the other supervisory authorities concerned) shows an effort from the legislator to specify key practical issues of the cooperation. For instance, it provides specific deadlines in paragraphs 4 and 5,55 and imposes the obligation to “notify” the decision at stake in paragraphs 7-10. However, paragraph 3 remains very vague when it establishes the obligation to “communicate the relevant information”. Indeed, it specifies neither the nature of the “relevant information” nor the timing of the communication (“without delay”). The time of submission of the draft decision referred to in the last sentence of paragraph 3 is also not stipulated.56

In the second mechanism, set out in Article 61 under the title of “mutual assistance”, the legislator has given both specific and general instructions. For instance, it provides in its first paragraph details on what mutual assistance should cover (“requests to carry out prior authorisations and consultations, inspections and investigations”). It also specifies the deadlines to be respected in Article 61(2)57 or 61(8)58, imposes the use of electronic means and a standardised format (paragraph 6) and prohibits requested supervisory authorities from charging a fee for any action taken by them pursuant to a request for mutual assistance (paragraph 7). Nevertheless, the Regulation lacks any precision when it comes to defining “relevant information” (paragraph 1), “all appropriate measures” to be taken (paragraph 2) or “all the necessary information” (paragraph 3).

52 A comprehensive analysis of this mechanism is available here: Barnard-Wills D/Wright D, Workstream 1 report: ibid, pp. 128ff.

53 Ibid, p. 90.

54 http://londonactionplan.org/member-organizations/

55 Article 60(4). “Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall (…) submit the matter to the consistency mechanism (…)”. (5) “Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.”

56 Article 60(3), “The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.”

57 Article 61(2), “Each supervisory authority shall take all appropriate measures required to reply to a request of another supervisory authority without undue delay and no later than one month after receiving the request.”

The consistency mechanism (Articles 63 to 67) imposes new obligations. Apart from the obligation to use electronic means and a standardised format (paragraph 4 of Article 64), Article 64(5a) requires the secretariat of the Board to provide translations when necessary. Moreover, Article 65(5) compels the Board to publish on its website the decisions taken in the context of dispute resolution. In this mechanism the legislator has made a clear effort of definition, leaving less uncertainty59 compared to the other two mechanisms. Indeed, deadlines are known,60 limits to the “without undue delay” expression are set out,61 “relevant information” is defined62 and the majorities needed to adopt decisions are outlined.63

Even if the GDPR’s provisions deserve a very positive opinion, as they will encourage and guarantee a free flow of information among the concerned DPAs and the EDPS, a comprehensive regulation on how the exchange of information will be ensured should also include other important issues, inter alia: use of language, amount and nature of the information requested, as well as technical means, formats and procedures for information sharing and budget for supervisory activities. In day-to-day practice these questions are vital to ensure effective cooperation among DPAs. In this sense, the GDPR appoints the European Commission as the entity in charge of regulating these details through implementing acts.

Indeed, Article 61(9) of the GDPR refers to the mutual assistance mechanism and provides that

9. The Commission may, by means of implementing acts, specify the format and procedures for mutual assistance referred to in this Article and the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board, in particular the standardised format referred to in paragraph 6 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

Concerning the consistency mechanism, Article 67 of the GDPR reads as follows:

1. The Commission may adopt implementing acts of general scope in order to specify the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board, in particular the standardised format referred to in Article 64.

2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

58 Article 61(8), “Where a supervisory authority does not provide the information (…) within one month of receiving the request of another supervisory authority, the requesting supervisory authority may adopt a provisional measure on the territory of its Member State in accordance with Article 55(1).”

59 Mainly, in the use of the expression “without undue delay”, see Articles 64(4) and (5) or 66(1).

60 Articles 64 (3, 7, 8), 65 (2, 3), 66 (1, 4).

61 Article 65 (6).

62 Article 64 (4). “Supervisory authorities and the Commission shall (…) communicate (…) any relevant information, including as the case may be a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of other supervisory authorities concerned.”

63 Articles 64 (3), 65 (2,3), 66 (4).

Accordingly, Recital 168 provides that:

The examination procedure should be used for the adoption of implementing acts on standard contractual clauses between controllers and processors and between processors; codes of conduct; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country, a territory or a specified sector within that third country, or an international organisation; standard protection clauses; formats and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules; mutual assistance; and arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board.

The European Commission is also the body empowered to specify details in the context of the procedures for exchanges of information with third countries. Indeed, Article 47(3) of the GDPR provides that

3. The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

The decision to appoint the EC did not come without criticism during the elaboration and discussion of the Regulation, as some Member States feared that this would impinge upon the independence of the supervisory authorities. Moreover, the EDPB was seen by some Member States as the best body to provide further detail on these issues (formats, procedures…). But, in the final wording of the GDPR, the EDPB occupies a secondary position as a mere advisor in these issues, as set out by Article 70(1):

(c) advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules;

(u) promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities;

(w) promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organisations;


4.2.4 The question of confidential information. Legal setting among Member States concerning the exchange of information and the obligation of confidentiality

To fully understand the progress that the new Regulation will bring to the exchange of information and the challenges it faces, it is relevant to concisely present how the exchanges have developed so far. The conditions and limitations imposed by national laws on this activity have been decisive in shaping its practice. The analysis of Member States' legislation on this point leads to a threefold classification: some Member States provide for legal provisions explicitly referring to “information sharing” and thus empowering DPAs concerning the exchange of information; others provide for legal provisions mentioning protected (secret, confidential…) information versus other information that can be freely shared; and finally, in other Member States there is an absence of legal provisions referring to types of information or information sharing, but a distinction is nevertheless made and information is exchanged in practice. Alongside this threefold classification, it is of paramount importance to analyse the existing legal provisions on confidentiality for the DPAs and their staff.

Legal provisions explicitly making reference to “information sharing” and thus empowering DPAs concerning exchange of information

Among the 28 EU Member States, few incorporate explicit references to “information sharing” in their national legislation. Indeed, the authors identified the following six Member States under this category: Bulgaria, Germany, Luxembourg, Lithuania, Malta, and the United Kingdom.64

The Bulgarian Law for Protection of Personal Data of 2002 does not explicitly make reference to information sharing. Nevertheless, the “Legal Affairs, Training and International Cooperation Directorate” established by Article 25 of the Rules on the activity of the Commission for Personal Data Protection and its administration65 has the responsibility, amongst other things, of “[...] 10. support[ing] the Commission in its contacts and cooperation with the national and international institutions on personal data protection matters as well as by the exchange of information in connection with exercising of obligations under international contract to which the Republic of Bulgaria is party”.

The German Federal Data Protection Act of 2003 provides in its Section 38 (1, third and fourth sentences) that “[t]he supervisory authority may process and use data it has recorded for supervisory purposes only; [...] In particular, the supervisory authority may transfer data to other supervisory authorities for supervisory purposes. On request, it shall provide supplementary assistance (administrative assistance) to the supervisory authorities of other Member States of the European Union”.

64 Most of the information gathered in this section has been extracted from De Hert P/Boulet G, Deliverable 2.1 – “A Compass towards best elements for cooperation between data protection authorities”, Brussels, February 2014 (updated May 2014).

65 The first Rules of the Commission on the Protection of Personal Data Protection were promulgated in 2002, with the act entering into force on 31.01.2003. At the time, the so-called Special Administration was divided into three different Directorates (Legal, Technical, and Information), but it was the responsibility of the Common administration, Directorate "Financial and international activity", to coordinate actions with international institutions, and contractual obligations fell within the scope of the Legal Directorate. A merger of responsibilities into a single entity was performed in 2008 and today this obligation is solely within the scope of the Special Administration's responsibilities. This particular provision, Article 25 (10), first appeared in the revised version of the Rules which was promulgated on 10.02.2012.

It is important to note that the Section referred to above concerns the supervisory authorities of the German Bundesländer, but is equally applicable to the Federal Commissioner for Data Protection and Freedom of Information, as regards cooperation and information sharing with other EU DPAs, on the basis of Section 26 (4) sentence 2 of the Federal Data Protection Act. Indeed, Section 26(4) of the Federal Data Protection Act provides that “[t]he Federal Commissioner shall work to cooperate with the public bodies responsible for monitoring compliance with data protection provisions in the Länder and with the supervisory authorities under Section 38. Section 38 (1) third and fourth sentences shall apply accordingly”.

The Luxembourgish Coordinated Text of the Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data, modified by the Law of 31 July 2006, the Law of 22 December 2006 and the Law of 27 July 2007, stipulates in its Article 32§3(9) that the Luxembourgish Data Protection Authority “will co-operate with its counterparts which are supervisory authorities set up in other Member States of the European Union to the extent required for them to perform their duties, notably by exchanging any appropriate information”. This provision has been present since the first version of the Law of 2002.

The Lithuanian Law on legal protection of personal data of 21 January 2003 with amendments of 13 April 2004 provides in Article 41(7) that “[t]he State Data Protection Inspectorate shall be empowered: [...] to exchange information with personal data supervisory authorities in other countries and with international organisations to the extent necessary for the discharge of their duties”. This provision has been present since the first version of the Law of 2003.

The Maltese Chapter 440 Data Protection Act of 2001 provides in Article 40(me) that the Data Protection Commissioner “shall have the following functions: [...] to collaborate with supervisory authorities of other countries to the extent necessary for the performance of his duties, in particular by exchanging all useful information, in accordance with any convention to which Malta is a party or any other international obligation of Malta”.

Section 54(3) of the United Kingdom Data Protection Act 1998 on “international cooperation” reads as follows: “The [Secretary of State] may by order make provision as to co-operation by the Commissioner with the European Commission and with supervisory authorities in other EEA States in connection with the performance of their respective duties and, in particular, as to (a) the exchange of information with supervisory authorities in other EEA States or with the European Commission”. This provision has been present since the first version of the Law of 1998.

Legal provisions mentioning protected (secret, confidential…) information versus other information that can be freely shared

Likewise, few Member States incorporate explicit references to “protected information” in their national legislations. The authors identified the following seven Member States under this category: Bulgaria, Greece, Latvia, Netherlands, Poland, Spain and Sweden.

The Bulgarian law distinguishes between business secret and confidential classified information. Indeed, concerning confidential information a “differentiation should be made to whether this information is classified as business secret or as confidential under the Classified Information Protection Act (CIPA). If the data are classified as business secrets, then there is no obstacle for the exchange of information between interested data protection authorities or privacy commissioners. If the data are classified as confidential under the CIPA, then special certification is required for access and use of data. The procedure for granting access is applied by another national body, the State Commission on Information Security. Exemptions are made in cases where an international treaty exists to which the Republic of Bulgaria is party or on the basis of reciprocity and to the citizens of other countries, who perform tasks assigned to them by the state concerned or by an international organization, provided that the person has been cleared for access to classified information by the relevant competent information security body or international organization”.66

The Hellenic DPA, in the case of explicit provisions in laws other than the privacy law prohibiting the sharing of confidential information, will not share that confidential information. Indeed, during the drafting of Deliverable 2.1 the Hellenic DPA was contacted and informed that “[i]n principle, the Hellenic DPA would be able to share information (including confidential information) with other DPAs, unless this is prohibited by provisions included in laws other than the privacy law. Therefore, such cases, which require such an exchange of information, are always examined ad hoc, taking into consideration the principle of proportionality and other specific laws”.67

The Latvian Personal Data Protection Law provides in Section 4 that “The protection of personal data which have been declared to be official secret matters shall be regulated by the Law on Official Secrets”.

The Dutch DPA was also contacted during the drafting of the Deliverable 2.1 and clarified that “if the assistance provided for in Article 61(6) Wbp leads to the exchange of confidential information, Article 2:5 of the Dutch Administrative Law (Awb) applies. Pursuant to this provision, a[n] administrative body shall not disclose confidential information, unless (1) such is required by a [...] statutory obligation or (2) disclosure is necessary for the performance of its duties. If the sharing of confidential information with other DPA’s in the EU is necessary for the purpose of enforcement action, the conditions of the second exception will be met and disclosure will be permitted under Article 2:5 Awb”.68

The Polish DPA was contacted during the drafting of the Deliverable 2.1 and stated that “Polish legislation envisages restrictions in making the confidential information available to other DPAs or privacy commissioners based on the provisions of the Law on protection of classified information, or due to other secrets protected by Law, to which the Inspector General has access”.69

The Spanish Organic Law 15/1999 of 13 December on the Protection of Personal Data provides in its Article 2(2-b) that “The system of protection of personal data laid down by this Organic Law shall not apply to: (…) b) Files subject to the legislation on the protection of classified materials.” The Spanish DPA will not be authorised to share information considered secret pursuant to Law 9/1968 of 5 April on Official Secrets and its implementing rules. Nevertheless, in other cases “it would be able to share information, including confidential information”.70

66 De Hert P/Boulet G, ibid, p. 26.

67 Ibid, p. 69.

68 Ibid, p. 85.

69 Ibid, p. 89.

The Swedish DPA would not be able to fully share information, including confidential information, as “there could be restrictions according to the Swedish law on public access and secrecy”[71].

Absence of legal provisions making reference to types of information or information-sharing but nevertheless making a distinction and exchanging information in practice

Even if some Member States do not foresee legal provisions making reference to types of information or information sharing, they do nevertheless distinguish and exchange information in practice. The authors identified eleven Member States in this category: Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Germany, Ireland, Italy, Portugal and Hungary.

The Austrian Data Protection Act 2000 does not distinguish between normal and confidential information. The Austrian DPA was contacted to find out more about its practice in dealing with confidential information[72]. In its response, the Austrian DPA mentioned that it rarely dealt with confidential information. In practice, when the Austrian DPA is confronted with a request for assistance from another DPA, it assesses whether it is competent to share the requested information. In case of doubt, the Austrian DPA may ask for further clarifications. Moreover, the Austrian DPA is able to share any relevant information with requesting EU DPAs as long as the requesting DPA can demonstrate that it needs the information for exercising its duties.

The Belgian Law of 8 December 1992 on the protection of privacy in relation to the processing of personal data (the Privacy Act) does not have any provisions distinguishing between normal and confidential information. Nevertheless, the Belgian Privacy Commission was contacted during the drafting of the Deliverable 2.1[73] and referred to the provisions on professional secrecy in Article 28.7 of Directive 95/46/EC.

The Cypriot Processing of Personal Data (Protection of individuals) Law 138 (I) 2001 does not distinguish between normal and confidential information. Nevertheless, in practice, sharing information, including confidential information, is possible, although the Cypriot DPA would ask PCs and DPAs to treat the information as confidential “if the particulars of the case impose, for effective enforcement action, the need to share confidential information with other CoE / EU Privacy Commissioners and DPAs”[74].

The Czech Republic Act 101 of April 4, 2000 on the Protection of Personal Data and on Amendment to Some Acts does not include any specific provisions distinguishing between normal and confidential information. Nevertheless, the Czech DPA was contacted during the drafting of the Deliverable 2.1 and indicated “[s]haring information would be possible even in case of confidential information (which however should be conveyed in a special manner such as sealed envelope, secured line, etc.)”[75].

[70] Ibid, p.104.

[71] Ibid, p.105.

[72] Date of the email: 31 July 2016.

[73] De Hert P/Boulet G, ibid, p. 21.

[74] Ibid, p.34.

The Danish Act No. 429 of 31 May 2000 on Processing of Personal Data does not distinguish between normal and confidential information. Nevertheless, the Danish DPA was contacted during the drafting of the Deliverable 2.1 and replied that “it thinks that it would be possible to share information, including confidential information, to the extent necessary, but depending on the specific situation”[76].

The Estonian DPA was contacted during the drafting of the Deliverable 2.1 and affirmed that “there are no restrictions to share information, including confidential information”[77].

The German Federal Data Protection Act promulgated on 14 January 2003 does not differentiate between normal and confidential information. Nevertheless, the German DPA was contacted during the drafting of the Deliverable 2.1 and affirmed that sharing information would be possible, including confidential information, “in the context of administrative assistance to other EU supervisory authorities and in line with our federal legislation”[78].

The Irish DPA was contacted during the drafting of the Deliverable 2.1 and replied that it “would be able to share information, including confidential information”[79].

The Italian DPA was contacted during the drafting of the Deliverable 2.1 and replied that it “considers that a source of concern, among others, has to do with the confidentiality of the information shared in coordinated actions (in terms of disclosure of confidential information or materials received from another DPA/organization, etc.). Under Article 156(8) of the DP Consolidated Code [Personal Data Protection Code, Legislative Decree no. 196 of 30 June 2003] staff and members from the DPA are required to keep confidential any data that is to remain confidential. This means that any classified information received from another entity might not be disclosed. However, this does not prevent (has not prevented) exchanges of documents and information (especially those submitted by complainants) with other DPAs in respect of cross-border cases whenever this was deemed necessary to pursue the relevant inquiries [...] In this context, a request from another DPA is considered as a qualified request, thus allowing the [...] Italian DPA to carry out several activities, whilst a similar request from the [...] Italian DPA needs a specific legal basis”[80].

The Portuguese DPA was contacted during the drafting of the Deliverable 2.1 and stated that “the decisions made by the DPA have a public nature. The inspection reports may remain confidential, but it depends on the content. So, it would be a case-by-case analysis”[81].

The Hungarian Act CXII of 2011 on the Right of Informational Self-determination and Freedom of Information (Privacy Act) does not distinguish between normal and confidential information. Nevertheless, Section 72(1)[82] is understood to “imply that confidential information (qualified data) falling outside the scope of the respective data protection case may not be subject to sharing”[83].

[75] Ibid, p.37.

[76] Ibid, p.44.

[77] Ibid, p.48.

[78] Ibid, p.67.

[79] Ibid, p.74.

[80] Ibid, p.77.

[81] Ibid, p.92.

Legal provisions creating an obligation of confidentiality for the DPAs and their staff

A majority of Member States foresee in their legislation provisions creating an obligation of confidentiality for their DPAs and their staff. Indeed, the authors identified seventeen Member States in this category, namely Bulgaria, Croatia, Cyprus, Finland, France, Greece, Ireland, Italy, Lithuania, Luxembourg, Malta, the Netherlands, Portugal, Romania, Slovakia, Slovenia and the United Kingdom.

Article 13§1 of the Bulgarian Law for protection of the personal data provides that “the chairman and the members of the commission and the employees of its administration shall be obliged not to make public and not to use for their or somebody’s else benefit the information representing a secret protected by law for the administrators of personal data which has become known to them in fulfil[l]ment of their activity, till the elapse of the period [...] [o]f its protection”.

Article 35 of the Croatian Act on Personal Data Protection provides that “[t]he Agency director, deputy director and employees of the Agency’s professional service shall consider all personal and other confidential data they come across while performing their duties professionally confidential or as another relevant type of secret, all in accordance with the act establishing data confidentiality. The obligation referred to in Paragraph 1 of this Article continues to apply after the Agency director and deputy director cease to perform their duties or upon their termination of employment in the Agency’s professional service”.

Article 36 of the Act on Personal Data Protection provides that “[a] fine of HRK 20,000.00 to 40,000.00 shall be charged for the following violations: [...] if the Agency director, deputy director and employees of the Agency’s professional service disclose confidential data they came across while performing their duties (Article 35)”.

The Cypriot Commissioner for Personal Data Protection is subject to a duty of confidentiality as provided by Article 21(1) of the Processing of Personal Data (Protection of individuals) Law 138 (I) 2001.

The Finnish Act on the Openness of Government Activities (621/1999) contains in its Sections 24, 29 and 30 provisions on the right of access to official documents in the public domain, officials' duty of non-disclosure, document secrecy and any other restrictions of access that are necessary for the protection of public or private interests. Moreover, the Finnish DPA was contacted during the drafting of the Deliverable 2.1 and affirmed that “it would not be able to share all information, including confidential information”[84].

[82] Section 72(1) reads as follows: “In its proceedings the Authority shall be entitled to process - to the extent and for the duration required - those personal data, and classified information protected by law and secrets obtained in the course of professional activities, which are related to the given proceedings, or which are to be processed with a view to concluding the procedure effectively”.

[83] De Hert P/Boulet G, ibid, p.71.

[84] Ibid, p.58.


Article 20 of the French Act n°78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties provides that “Members and officers of the Commission are bound by a duty of confidentiality in respect of the facts, acts and information of which they have knowledge by virtue of their functions, according to the conditions provided for in Article 413-10 of the Criminal Code and, subject to what shall be necessary for the preparation of the annual report, in Article 226-3 of the same Code.”

Article 10 of the Hellenic Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data provides that “The processing of personal data shall be confidential. It shall be carried out solely and exclusively by persons acting under the authority of the Controller or the Processor and upon his/her instructions”.

Section 9(10) of the Irish Data Protection Act of 1998 provides that “A person who holds or held the office of Commissioner or who is or was a member of the staff of the Commissioner shall not disclose to a person other than the Commissioner or such a member any information that is obtained by him or her in his capacity as Commissioner or as such a member that could reasonably be regarded as confidential without the consent of the person to whom it relates.” This provision was inserted through an amendment to the Act in 2003[85].

Section 156(8) of the Italian Personal Data Protection Code, Legislative Decree no. 196 of 30 June 2003 reads as follows: “Staff and consultants working for the Office of the Garante shall be subject to secrecy rules as regards the information they may come to know in discharging their duties, where such information is to remain confidential”.

Article 24(5) of the Lithuanian Law on Legal Protection of Personal Data provides that: “The employees of the data controller, the data processor and their representatives who are processing personal data must keep confidentiality of personal data if these personal data are not intended for public disclosure. This obligation shall continue after leaving the public service, transfer to another position or upon termination of employment or contractual relations.”

Article 24 of the Luxembourgish Law of 2 August 2002 on the protection of individuals with regard to the processing of personal data provides: “(1) Members of the Commission Nationale and any other person who carries out duties at the Commission Nationale or on its behalf, as well [as] the official in charge of data protection, are subject to the compliance with professional secrecy obligations as provided under Article 458 of the Code Pénal [Criminal Code] even after their duties have ceased. (2) Officials in charge of data protection when carrying out these functions may not plead the professional secrecy to which they are subject to the Commission Nationale. (3) Certified service providers may not plead the professional secrecy to which they are subject in accordance with Article 19 of the Law of 14 August 2000 relating to electronic commerce to the Commission Nationale.”

The Maltese Chapter 440 Data Protection Act of 2001 provides in Article 45 that “The Commissioner and any officer and employee of the Commissioner shall, before assuming their duties, take an oath of office contained in the First Schedule to carry out their duties with equity and impartiality and in accordance with the provisions of this Act and shall be subject to the provisions of the Official Secrets Act, and the Code of Ethics applicable to public officers. The oath of office shall be taken before the Attorney General”.

[85] Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 20, S.I. No. 207 of 2003.


Article 2:5 of the Dutch Administrative Law (Awb) reads as follows: “1. Anyone involved in the performance of the duties of an administrative authority who in the process gains access to information which he knows, or should reasonably infer, to be of a confidential nature, and who is not already subject to a duty of secrecy by virtue of his office or profession or any statutory regulation, shall not disclose such information unless he is by statutory regulation obliged to do so or disclosure is necessary in consequence of his duties. 2. Subsection 1 shall also apply to institutions, and persons belonging to them or working for them, involved by an administrative authority in the performance of its duties, and to institutions and persons belonging to them or working for them performing a duty assigned to them by or pursuant to an Act of Parliament.”

Article 17 of the Portuguese Act on the Protection of Personal Data reads as follows: “1 – Controllers and persons who obtain knowledge of the personal data processed in carrying out their functions shall be bound by professional secrecy, even after their functions have ended. 2 – Members of the CNPD shall be subject to the same obligation, even after their mandate has ended. 3 – The provision in the previous numbers shall not exclude the duty to supply the obligatory information according to the law, except when it is contained in filing systems organised for statistical purposes. 4 – Officers, agents or staff who act as consultants for the CNPD or its members shall be subject to the same obligation of professional secrecy.”

Article 21(4) of the Romanian Law no. 677/2001 on the person’s protection regarding the processing of personal data and the free circulation of these data reads as follows: “[t]he entire staff of the supervisory authority has the obligation of permanently keeping the professional secrecy, except for the cases set out by law, regarding the confidential or classified information they have access to in carrying out their duties, even after termination of their legal employment relations with the supervisory authority”.

An obligation to maintain secrecy arises from Section 18 of the Slovakian Act No. 122/2013 Coll. on Protection of Personal Data and on Changing and Amending of other acts, but it is not applicable in respect of the Office for Personal Data Protection of the Slovak Republic (§5): “(5) [...] the obligation to maintain secrecy imposed on controllers, processors and entitled persons pursuant to special regulations shall not apply in respect of the Office in the course of fulfil[l]ment of its tasks [...].”

The Slovenian Personal Data Protection Act (ZVOP-1), in its Article 58, provides for the protection of secrecy: “(1) The Supervisor shall be obliged to protect the secrecy of personal data he encounters in performing inspection supervision, and also after ceasing to perform the Supervisor’s service. (2) The obligation from the previous paragraph shall also apply to all civil servants at the National Supervisory Body. (…) (4) Functionaries, employees and other individuals performing work or tasks at persons that process personal data shall be bound to protect the secrecy of personal data with which they become familiar in performing their functions, work and tasks. The duty to protect the secrecy of personal data shall also be binding on them after termination of their function, work or tasks, or the performance of contractual processing services.”

Section 59 of the United Kingdom Data Protection Act 1998, headed “Confidentiality of information”, provides that: “(1) No person who is or has been the Commissioner, a member of the Commissioner’s staff or an agent of the Commissioner shall disclose any information which— (a) has been obtained by, or furnished to, the Commissioner under or for the purposes of the information Acts, (b) relates to an identified or identifiable individual or business, and (c) is not at the time of the disclosure, and has not previously been, available to the public from other sources, unless the disclosure is made with lawful authority.” Subsection (2) of the same section mitigates this prohibition: “a disclosure of information is made with lawful authority if”, inter alia, “the disclosure is necessary in the public interest”. For instance, collaborating with other DPAs to investigate data protection offenders can be assumed to be in the public interest.

Member States’ legal provisions use different denominations when referring to protected information. For instance, Bulgaria considers personal information as confidential and as a type of secret. Finland uses the term “secret official documents”[86]. Greece considers the processing of personal data as confidential. Romanian officials must maintain professional secrecy regarding “the confidential or classified information”. Even if the denomination differs from one Member State to another, the adjective used does not indicate the degree of restriction.

4.2.5 Learning from practical examples of tools used to exchange information

The majority of DPAs have been contacted by PHAEDRA and have been asked to provide practical examples of how they have exchanged information (including confidential information) with other EU DPAs and to share other relevant information (how the information is conveyed, number of exchanges taking place every year, etc.). PHAEDRA has received a total of 15 responses.

The most frequently mentioned framework in which DPAs have exchanged information was the cooperation mechanism of the Schengen Information System II (SIS II), used to allow data subjects to exercise their access, rectification and deletion rights. The information is usually exchanged by email. One DPA stated that it exchanged information about 25 times a year; the others did not provide this information, as statistical information on this matter is not collected.

DPAs mentioned a wide variety of examples of cooperation involving the exchange of information:

A DPA explained that it received “several” cooperation requests within the period 2014-2016 from four EU DPAs in order to handle several complaints that the latter had received concerning a data controller established in its country. Moreover, within the same period, the DPA received inquiries from nine EU DPAs. The inquiries referred to the procedure used by that DPA for handling complaints and to data protection aspects in very different matters: processing of personal data by churches and other religious associations, video surveillance in law enforcement activities, processing of genetic data and retention of personal data in the banking sector. The information was exchanged through “regular channels”, namely “post, electronic post”, and no classified information was exchanged.

Another DPA explained that it is contacted on a regular basis by other DPAs concerning legal questions, in particular concerning the application of the Data Protection Directive. In most cases, the requesting DPA needs information about a specific case handled by that DPA or about how certain provisions are interpreted by that DPA. Besides, the DPA was contacted by two DPAs with a request for assistance in a specific case (one concerning a Schengen alert entered by the DPA’s country authorities; another concerning an alleged violation of data protection principles by a company registered in the DPA’s country). Moreover, the DPA was contacted by another DPA in order to get more information about the project of a company not registered in the DPA’s country but whose project would also be carried out on the DPA’s country territory. Information is exchanged about eight times a year, “mostly by email, sometimes by letter”, and no classified information has been exchanged in the period 2014-2016[87], as “confidential information was not part of any request”.

[86] An extended enumeration of documents considered secret is given in Section 24 of the Act on the Openness of Government Activities (621/1999), available at http://www.finlex.fi/en/laki/kaannokset/1999/en19990621.pdf.

A different DPA made reference to a “spam case” where information was exchanged. In the case, the data controller was established in another Member State and the DPA sent a complaint with evidence to the DPA of the place of establishment of the controller. In general, the information is exchanged by “any informal means” and security measures may be applied, such as encryption of the attachment to an email.

One of the DPAs considered that it “actively participates” in cooperation and exchange of information with DPAs, as information about case studies, legal files, data transfers and data abuse is exchanged on a daily basis. The DPA is also engaged in cooperation within the EU institutional framework, which necessitates information flows on matters such as BCRs, nomination of the leading authority and legal opinions on pressing authorities. The information exchanged is channelled in different ways, in most cases through email. Paper mail is used in cases dealing with SIS II access or when legal provisions require this mode of communication. Nevertheless, the DPA has not had any case of confidential information being conveyed in the last three years.

A DPA explained that even if there were no specifics for the treatment of confidential information in its national law, it is customary to treat exchanged information as confidential in the course of joint enforcement actions, if this is requested by one or more DPAs involved in the mentioned action. Nevertheless, the DPA had not been involved in any joint enforcement actions during the period 2014-2016.

A different DPA gave examples of cases where it exchanged information with another EU DPA. For instance, the DPA clarified that it might be necessary to exchange the personal data of a complainant and the supporting documents in order to investigate a specific complaint (e.g. in case of an access request). Moreover, certain information pertaining to data controllers such as business secrets, information covered by professional secrecy or the security measures of the data controllers cannot be shared due to legal restrictions. The most common scenario, as the DPA explained, is where the sending authority transmits a complaint to its DPA due to applicable law, including the personal data of the complainant and all relevant documents. The DPA then takes over the matter and corresponds directly with the complainant about the follow-up and the outcome of the complaint. A less common scenario is where the requesting authority informs the DPA of a possible data protection violation by a data controller established in the country of the DPA. In this case, there is usually no need to mention the concerned data subject’s personal information and the requesting authority receives feedback about the outcome of the investigation. Another example of information exchange occurs when a foreign DPA requests information about administrative formalities applicable to a given data controller established in the country of the DPA. This information may be shared in accordance with the country’s Data Protection Act. Moreover, when a company wishes to adopt BCRs as a means of data transfers to third countries, data protection authorities share information on BCRs and other documents submitted by the applicant, as part of the co-operation procedure pursuant to WP107. In the years 2014 to 2016, the DPA received approximately 15 cross border complaints per year from other EU DPAs. In most of these cases, the DPA was the receiving authority and no further information was requested by or exchanged with the sending authority after the case was accepted.

[87] When referring to the period 2014-2016 in this section, the reader should understand from January 2014 to June 2016.

The DPA also receives approximately 10 information requests per year from other DPAs. Most of the time, no information regarding a specific case is requested or exchanged. The DPA recalled that the public servants of its DPA are all subject to professional secrecy obligations as provided for by the country’s Data Protection Act. Therefore, if information must be exchanged with another DPA, it takes place on a case-by-case and strict need-to-know basis. Practice has shown that every DPA usually has its specific contact points (international relations officers, complaint handling officers), who are authorised to exchange information with their DPA counterparts and who are also bound by strict confidentiality rules. Finally, the DPA informed PHAEDRA that the information is usually conveyed via mail or e-mail and occasionally by telephone, and that it ensures the highest level of IT security when exchanging information by e-mail.

The Nordic DPAs have exchanged information in the framework of the Joint Nordic Inspections. The Scandinavian DPAs have several times carried out joint inspections or audits on topics of common interest. These inspections are usually carried out once per year. Executive assistance is both requested and provided a few times a year by Nordic DPAs. One Nordic DPA has assessed the possibility of exchanging secret or confidential information and has concluded that this kind of information can be disclosed to other DPAs in EU or EEA Member States in the context of Nordic Inspections. This information is conveyed by letter or through a classified message, which is sent via a certain web service.

The Baltic DPAs have exchanged information in the framework of joint supervisions, which are performed once a year. One Baltic DPA has exchanged requests for explanations and proceedings information (mostly spam cases) with other DPAs. For instance, in May 2016, the Baltic DPA (country X) received a “request to exercise powers” from a DPA (country Y) in order to initiate proceedings against a company of X nationality, which sent commercial e-mails to a Y citizen. As a result of this request, the DPA from country X initiated supervisory proceedings and issued a prescription. In this case the information exchange between DPAs did not require prior agreements and the information was sent through e-mails. The DPA from country X does not keep separate statistics or separate (internal) regulation about cases that are connected with other DPAs.

The way of conveying information sometimes depends on the legislative constraints of each Member State or on the specific practice of the DPA. For instance, if the information is considered as “confidential personal data”, the DPA concerned will use a “normal letter”, since public authorities in that specific country are only allowed to transmit data over the Internet if this is ensured by appropriate encryption of the data transmitted. If the information is not considered as “confidential personal data” the DPA will use “normal email”. Another DPA explained that a continuous assessment is performed in order to separate information that can be freely shared from information that could be confidential. In practice, only information of a general nature is provided to other DPAs. If the information that is going to be conveyed contains “secret information”, the DPA will decide to “adjust” the information in order to provide useful information “while not revealing secret information”.

4.2.6 The principle of confidentiality in the GDPR

The term confidentiality, as applied to data processing, is present in numerous passages throughout the GDPR. This obligation is imposed on the data processor (Article 28) and the Data Protection Officer (Article 38). The principle of confidentiality is also invoked as regards some discussions of the Board where deemed necessary (Article 76). Nevertheless, what affects this study is the obligation of confidentiality of staff working in the DPAs, reflected in Article 54(2) of the GDPR.

“The member or members and the staff of each supervisory authority shall, in accordance with Union or Member State law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers. During their term of office, that duty of professional secrecy shall in particular apply to reporting by natural persons of infringements of this Regulation”.

Effective enforcement in third countries is difficult not only because there is a lack of internationally accepted data protection standards but also because of the potential conflicts with the confidentiality obligations laid down in Article 28(7) of the Data Protection Directive and Article 15 of the Convention. In our view, the hopes placed in the GDPR to overcome the ambiguity contained in the Data Protection Directive have been dashed by its final version, because this ambiguity has not been overcome by the new Regulation. Indeed, even if its wording is more detailed, it introduces no substantial changes on this issue.

Indeed, Article 28 (7) of the Data Protection Directive reads as follows:

“Member States shall provide that the members and staff of the supervisory authority, even after their employment has ended, are to be subject to a duty of professional secrecy with regard to confidential information to which they have access.”

It can be understood that the new provision does not provide any relevant developments compared to its shorter version in the Data Protection Directive, as the explicit reference to the provisions of domestic laws may prevent the sharing of information even within the EU. Whilst recognising the progress made by the GDPR in providing for mandatory cooperation, further steps might be taken with a view to mitigating any obstacles. In this sense, some agreements provide an example which can be taken as a basic reference. The Global Cross Border Enforcement Cooperation Arrangement includes specific safeguards relating to the most sensitive issues regarding the sharing of information, including confidential information.

The Global Cross Border Enforcement Cooperation Arrangement adopted in Mauritius in 2014 by the 36th International Conference of Data Protection and Privacy Commissioners represents a major landmark in the efforts to advance effective privacy enforcement cooperation.88 Even if the Arrangement is not intended to create legally binding obligations (Clause 4), it is certainly a significant step towards fostering a more coordinated approach with the aim of addressing cross-border privacy issues.

This new tool for cross-border enforcement cooperation is of particular importance as it represents an addition to the existing MoUs signed with some international DPAs. Moreover, the Arrangement sets out on the EU scene ground rules for the sharing of confidential information related to enforcement work, as well as explanations of how information supplied will be processed by the addressee.

88 The proponents of the Mauritius Agreement brought to a culmination the work of the previous International Conferences of Data Protection and Privacy Commissioners, namely the work of the International Enforcement Cooperation Working Group established at the 33rd Conference in Mexico City in 2011.

The agreement sets forth the participants’ commitment with regard to international cross-border privacy enforcement cooperation, particularly on reciprocity, confidentiality, data protection and coordination (Clauses 5 to 8). Regarding confidentiality, the Preamble of the Arrangement clearly stipulates that “to effectively respond to data protection and privacy violations that affect multiple jurisdictions a multi-lateral approach is required and therefore appropriate mechanisms to facilitate the information sharing of confidential enforcement related material, and coordination of enforcement amongst privacy enforcement authorities to tackle said violations is much needed.” More specifically, Clause 6 of the Arrangement implements the confidentiality principle. It rightly states how participants will treat confidential information shared by other participants. This will be done, mainly, by giving the same “qualification” to the information, by making arrangements to comply with the domestic legal requirements of the sending participant, by preventing further disclosures and asking for the consent of the participant who shared the information, by respecting the purpose limitation and by taking appropriate technical and organizational measures to keep the information secure. The Arrangement introduces a final clause allowing derogation from the rules listed above if the domestic law of any Participant requires it, provided that the Participant informs the sending Participant prior to the exchange of information. Clause 7 of the Arrangement outlines the rules guaranteeing the rights of the persons who may be affected when personal data is exchanged. The clause provides that “the exchange of such personal data should be limited to what is necessary for effective privacy and data protection enforcement” and that participants will “use their best efforts” to respect each other’s data protection safeguards. This respect must be ensured by complying with the requirements included in a final Schedule (principles of necessity, proportionality, purpose limitation, accuracy and being kept up to date, respect for data subjects’ rights of information and access, adoption of security measures, notification to and consent of the other participants on the disclosure of the shared information, redress mechanisms).

The Arrangement is valuable as it shows in more concrete ways measures for improving enforcement cooperation through information sharing. Indeed, in addition to the sections mentioned above, the Arrangement contains, among the mechanisms mentioned in Clause 3(iv), an encouragement to Participants to use “secure electronic information sharing platforms to exchange enforcement related information, particularly confidential information about on-going or potential enforcement activities” and, in Clause 11, instructions on the limits on the use of the shared materials. Evidence that is no longer required shall be returned at the request of the sending participant. If no request for return of the materials is made, the receiving participant may dispose of the materials using methods prescribed by the sender or, if no such methods have been prescribed, by other secure methods, as soon as practicable after the materials are no longer required.

These indications are highly valuable as they can easily be transferred to the strict framework on information sharing among European agencies. For instance, European DPAs could strive to further their efforts to develop a platform for the secure transmission of information, to guarantee a sufficient level of personal data protection for the subjects affected, or to establish precautions and limits for the authority receiving confidential information, to ensure respectful treatment of the issuer’s national laws.

4.2.7 An assessment of the GDPR provisions regarding the exchange of information

In previous research developed by PHAEDRA, a comprehensive comparative study analysed six areas of cooperation among European authorities (migration and border control, private international law, consumer protection, competition law, criminal justice and fundamental rights) with the purpose of examining their mechanisms of cooperation and drawing lessons, with the aim of increasing the efficiency of cooperation in EU data privacy law.89 The obstacles that the relevant authorities face in the area of cooperation are very similar to those posed by cooperation among DPAs. These are both of a legal nature (such as capacity, procedures, sharing information) and of a practical nature (resources, technical tools, sharing costs). On the basis of the similarity with these parallel cooperation mechanisms, the research finally offers recommendations to improve the efficiency of cooperation, which at the same time can be adapted to the needs of EU data protection law. These “lessons” are divided into existential and practical lessons for cooperation. The former include the necessity of mutual trust, a legal basis, respect for national and regional differences, acceptance of extraterritorial jurisdiction, broad geographical scope and gradual and periodically reviewed development. The latter are the minimum need for translation and interpretation of the exchanged information, the assumption of the costs of cooperation by stakeholders, the use of information and communication technologies, the fostering of preventive cooperation, the support of alternative dispute resolution methods such as electronic means, and the empowerment of supervisory authorities for urgent reaction to cross-border data privacy violations.

These lessons are especially interesting for the present analysis and may serve to assess the extent to which the GDPR complies with them in relation to the regulation of the exchange of information. Based on the analysis of the provisions of Chapter VII of the GDPR, some positive conclusions can be reached, as it meets several of the above-mentioned lessons.

Legal basis – unlike the little relevance given to cooperation in the Directive, the cooperation mechanisms have been determined on a legal and comprehensive basis. The Regulation is not only a binding legal tool; it also engages supervisory authorities in such cooperation, making it compulsory. Furthermore, the GDPR allows the introduction of exceptions when these are specifically provided for by national laws.

Use of ICTs – the GDPR clearly stipulates that the exchange of information must be completed by electronic means between supervisory authorities and between supervisory authorities and the Board, and in a standardised format (Articles 60, 61, 64 and 67 of the GDPR). Article 67 of the GDPR appoints the EC to develop implementing acts of general scope in order to specify the arrangements for the exchange of information by electronic means between supervisory authorities and between supervisory authorities and the Board, in particular the standardised format referred to in Article 64. Obviously, the decision on the communication infrastructure which will support the exchange of information, and on the rules under which it will work, is very difficult and complex and has to be taken at a later stage. A secure, well-designed and efficient system should be established to allow the flow of information between supervisory authorities. The detailed explanation of the functioning of the SIS II, VIS, Eurodac and CIS databases illustrates the multiple principles that the platform should guarantee and comply with. Questions related to the definition of terms, the purpose of the exchange of information, the designation of the accessing authorities and the conditions for access, the implementation of data protection and data security rules, the guarantee of data protection principles, the implementation of effective supervision and the definition of responsibilities are the most relevant ones.

Translation and interpretation – the GDPR does not mention the thorny issue of multilingualism, which brings other issues after a request for an exchange of information: the time and money to be spent on multiple translations. Some cooperation systems do not have problems with multilingualism as they process information in alphanumeric format.90 That is the case for SIS II, VIS and Eurodac. But, generally speaking, providing translation is necessary and this raises the issue of costs. These concerns are managed in many different ways (prior agreement between the authorities, as in consumer law; assumption of the costs by the authority in criminal justice cooperation; use of certification in private international law, etc.), but on most occasions the common practice in parallel systems of cooperation is that translation is provided by the Member State that introduces a request for notification. The GDPR has taken this direction and Article 61(7) sets out that “Requested supervisory authorities shall not charge a fee for any action taken by them pursuant to a request for mutual assistance. Supervisory authorities may agree on rules to indemnify each other for specific expenditure arising from the provision of mutual assistance in exceptional circumstances.” This broad expression obviously goes beyond translation costs and includes other costs, for instance the physical sending of a certain document or the travel costs of DPAs’ staff if this were deemed necessary. The great differences among DPAs concerning human resources and budget allow us to conclude that the impact of this provision will differ greatly among the supervisory authorities, and will negatively affect the smallest DPAs.

89 Galetta A/Kloza D/De Hert P, ibid, April 2016.

Concerning the costs of running the databases, sharing costs between the EU budget and the Member State is the general rule, respectively covering the costs of the central unit of the system and of the national unit in each Member State. Therefore, the same conclusion that was just presented can be applied in this area: the differences in human and financial resources among DPAs would negatively affect the smallest DPAs.

Trust – any cooperation system must be based on the mutual trust of its participants. This study has shown that trust is precisely one of the grounds used to assess the collaboration that DPAs have been developing so far. The generalisation of this mutual trust among all DPAs is necessary and is a first step towards successful information sharing. Having said that, the GDPR lays down detailed provisions on the mechanisms of cooperation, at least in the basic procedural elements, and determines assertive obligations for the supervisory authorities in terms of deadlines and responsibilities. Although the necessity to rely on the counterpart authorities remains, the compulsory nature of the obligation to share information as designed by the GDPR may help to build mutual confidence.

Gradual development – the need for gradual development and a continuous process of revision and improvement of all mechanisms and cooperative components, including the exchange of information, shall be planned for the whole range of cooperation mechanisms under the GDPR. Among them, the specific characteristics of the procedure for the exchange of information, from the use of a platform to the strengthening of mutual trust among DPAs, must be progressively defined, developed and improved.

Though the treatment of the principle of confidentiality does not seem to be clearly defined in the Regulation, the improvement of cooperation among DPAs under the GDPR presents good prospects for the future as it is developed among countries that share a common culture and similar legal backgrounds. Nevertheless, this starting point should not lead us naively to expect that cooperation, and more specifically information exchange, will be carried out smoothly and without hindrances. In this respect, the regulation set out by the GDPR is realistic and sensitive to fundamental national rules and principles. This flexibility could be the first step towards a workable and efficient framework of collaboration.

90 Galetta A/Kloza D/De Hert P, ibid, p.33.


4.3 Mutual assistance, co-ordination and co-operation regarding enforcement measures

The legal framework of the GDPR enhances and in certain circumstances obliges EU DPAs to provide each other with mutual assistance and to co-ordinate or jointly undertake certain enforcement measures. This section of the report aims to do the following:

Provide an account of mutual assistance and joint operations as set out in the GDPR, including the key issues raised by this.

Explore the potential of a common approach to mutual assistance, co-ordination and joint operations.

Provide some initial best practice guidelines.91

The relevant sections are as follows.

Mutual Assistance

Article 57, "Tasks", requires that the supervisory authorities shall:

(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;

The key details on mutual assistance in the GDPR can be found in Article 61, "Mutual assistance":

Article 61

Mutual assistance

1. Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations.

2. Each supervisory authority shall take all appropriate measures required to reply to a request of another supervisory authority without undue delay and no later than one month after receiving the request. Such measures may include, in particular, the transmission of relevant information on the conduct of an investigation.

91 As part of this activity, the PHAEDRA consortium has sought the views of DPAs on the particular and practical questions that arise with respect to implementation of these provisions. In particular, this activity has included interviews with senior representatives of EU DPAs (as reported upon in PHAEDRA II D1, http://www.phaedra-project.eu/wp-content/uploads/PHAEDRA2_D1_20150720.pdf), roundtable events with DPAs and other stakeholders held in Brussels, January 2016 and Budapest, May 2016, the PHAEDRA II workshop conducted at the 37th International Conference of Data Protection and Privacy Commissioners in Amsterdam, October 2015, as well as ongoing contact with individual authorities.

3. Requests for assistance shall contain all the necessary information, including the purpose of and reasons for the request. Information exchanged shall be used only for the purpose for which it was requested.

4. The requested supervisory authority shall not refuse to comply with the request unless:

(a) it is not competent for the subject-matter of the request or for the measures it is requested to execute; or

(b) compliance with the request would infringe this Regulation or Union or Member State law to which the supervisory authority receiving the request is subject.

5. The requested supervisory authority shall inform the requesting supervisory authority of the results or, as the case may be, of the progress of the measures taken in order to respond to the request. The requested supervisory authority shall provide reasons for any refusal to comply with a request pursuant to paragraph 4.

6. Requested supervisory authorities shall, as a rule, supply the information requested by other supervisory authorities by electronic means, using a standardised format.

7. Requested supervisory authorities shall not charge a fee for any action taken by them pursuant to a request for mutual assistance. Supervisory authorities may agree on rules to indemnify each other for specific expenditure arising from the provision of mutual assistance in exceptional circumstances.

8. Where a supervisory authority does not provide the information referred to in paragraph 5 of this Article within one month of receiving the request of another supervisory authority, the requesting supervisory authority may adopt a provisional measure on the territory of its Member State in accordance with Article 55(1). In that case, the urgent need to act under Article 66(1) shall be presumed to be met and require an urgent binding decision from the Board pursuant to Article 66(2).

9. The Commission may, by means of implementing acts, specify the format and procedures for mutual assistance referred to in this Article and the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board, in particular the standardised format referred to in paragraph 6 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

The Regulation codifies a number of procedures for mutual assistance on cross-border investigations; the resulting intensified cooperation between DPAs and common responsibility will have profound consequences on both policy and personal levels. Most fundamental is that it makes compliance with a request for assistance a requirement, with only limited grounds for refusal (the request would be illegal, or the requested authority lacks competence).

From this we gather the definition of mutual assistance: "Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations." This potentially opens up mutual assistance to include assistive use of any of the investigative, corrective, authorisation and advisory powers of a DPA, as set out under Article 58, which have (relatively) harmonised the powers of DPAs across the EU. The exercise of some of these powers at the request of another DPA will have more formal structures, due to the consistency mechanism and the requirements of the one-stop-shop approach. Given that DPAs should be able to exercise competence across their tasks under the Regulation, this also provides a framework for the forms mutual assistance might take.

Further elements of the Regulation provide more detail on the scope of mutual assistance, as well as the various governance arrangements that surround it.

Recital 123 essentially works to preserve the independence of DPAs and their ability to provide mutual assistance in the absence of other agreements on legal cooperation between Member States:

Recital 123: The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, the supervisory authorities should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation.

Recitals 125 through to 131 provide legal requirements for enforcement cooperation where this cooperation includes multiple DPAs and results in either a decision to use enforcement powers, or to reject a complaint. This is based primarily around the one-stop-shop approach for lead authorities and supervisory authorities concerned, and the distribution of fundamental responsibilities in a decision. For example, Recital 125:

The lead authority should be competent to adopt binding decisions regarding measures applying the powers conferred on it in accordance with this Regulation. In its capacity as lead authority, the supervisory authority should closely involve and coordinate the supervisory authorities concerned in the decision-making process. Where the decision is to reject the complaint by the data subject in whole or in part, that decision should be adopted by the supervisory authority with which the complaint has been lodged.

Recital 126:

The decision should be agreed jointly by the lead supervisory authority and the supervisory authorities concerned and should be directed towards the main or single establishment of the controller or processor and be binding on the controller and processor. The controller or processor should take the necessary measures to ensure compliance with this Regulation and the implementation of the decision notified by the lead supervisory authority to the main establishment of the controller or processor as regards the processing activities in the Union.

Recital 127:

Each supervisory authority not acting as the lead supervisory authority should be competent to handle local cases where the controller or processor is established in more than one Member State, but the subject matter of the specific processing concerns only processing carried out in a single Member State and involves only data subjects in that single Member State, for example, where the subject matter concerns the processing of employees' personal data in the specific employment context of a Member State. In such cases, the supervisory authority should inform the lead supervisory authority without delay about the matter. After being informed, the lead supervisory authority should decide, whether it will handle the case pursuant to the provision on cooperation between the lead supervisory authority and other supervisory authorities concerned (‘one-stop-shop mechanism’), or whether the supervisory authority which informed it should handle the case at local level. When deciding whether it will handle the case, the lead supervisory authority should take into account whether there is an establishment of the controller or processor in the Member State of the supervisory authority which informed it in order to ensure effective enforcement of a decision vis-à-vis the controller or processor. Where the lead supervisory authority decides to handle the case, the supervisory authority which informed it should have the possibility to submit a draft for a decision, of which the lead supervisory authority should take utmost account when preparing its draft decision in that one-stop-shop mechanism.

More specifically, Recital 133 links mutual assistance to the consistent application of the Regulation. It suggests that it is only through close cooperation by EU DPAs, working in harmony, that a consistent application is possible:

Recital 133: The supervisory authorities should assist each other in performing their tasks and provide mutual assistance, so as to ensure the consistent application and enforcement of this Regulation in the internal market. A supervisory authority requesting mutual assistance may adopt a provisional measure if it receives no response to a request for mutual assistance within one month of the receipt of that request by the other supervisory authority.

Recital 138 refers to the consistency mechanism, but also sets out how the consistency mechanism does not exhaust the requirement for mutual assistance. It appears that the expectation is that in many cases, mutual assistance will be provided between DPAs on a bilateral or multilateral basis, as arranged, set up and negotiated by the relevant DPAs involved. This arguably points towards a situation where cooperation between DPAs is much more routine than it was under Directive 95/46/EC, where joint investigations were relatively uncommon, and when conducted were often coordinated through the Article 29 Working Party:

The application of such mechanism should be a condition for the lawfulness of a measure intended to produce legal effects by a supervisory authority in those cases where its application is mandatory. In other cases of cross-border relevance, the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned should be applied and mutual assistance and joint operations might be carried out between the supervisory authorities concerned on a bilateral or multilateral basis without triggering the consistency mechanism.

The requirements for mutual assistance may change in the future, following any implementing acts adopted by the Commission in this area. Article 61(9) and Recital 168 bring mutual assistance (alongside the other areas open to implementing acts by the Commission) under the examination procedure of the comitology process.92

The examination procedure should be used for the adoption of implementing acts on standard contractual clauses between controllers and processors and between processors; codes of conduct; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country, a territory or a specified sector within that third country, or an international organisation; standard protection clauses; formats and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules; mutual assistance; and arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board.

92 http://ec.europa.eu/transparency/regcomitology/index.cfm?do=implementing.home Comitology applies when the Commission has been granted implementing powers by a particular EU legal act which has also provided for the Commission to be assisted by a committee. In practice, implementing measures, under which the Commission implements the fine details of the EU acts concerned (individual financing decisions, decisions to place certain products on the market, etc.) vary in terms of frequency (many need to be performed regularly, e.g. to quickly respond to changes in a specific market) and political/economic/financial importance.

Article 60, "Cooperation", sets out the mechanisms of cooperation; it provides lead supervisory authorities with the ability to request mutual assistance from concerned supervisory authorities pursuant to Article 61.

Finally, it should be noted that Article 50 of Directive (EU) 2016/680 also engages with mutual assistance between supervisory authorities under that Directive, many of which will also be supervisory authorities under the GDPR. The subsections of both Articles are identical apart from the differences due to one being a Regulation and the other a Directive, to be implemented by Member States.93 The two components of the data protection reform package are therefore aligned on mutual assistance.

Joint operations

Recital 134 and Article 62 of the GDPR set out the legal framework for joint operations between supervisory authorities.

Recital 134: Each supervisory authority should, where appropriate, participate in joint operations with other supervisory authorities. The requested supervisory authority should be obliged to respond to the request within a specified time period.

Article 62

Joint operations of supervisory authorities

1. The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved.

2. Where the controller or processor has establishments in several Member States or where a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in joint operations. The supervisory authority which is competent pursuant to Article 56(1) or (4) shall invite the supervisory authority of each of those Member States to take part in the joint operations and shall respond without delay to the request of a supervisory authority to participate.

3. A supervisory authority may, in accordance with Member State law, and with the seconding

supervisory authority's authorisation, confer powers, including investigative powers on the seconding

supervisory authority's members or staff involved in joint operations or, in so far as the law of the

Member State of the host supervisory authority permits, allow the seconding supervisory authority's

93

http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0089.01.ENG&toc=

OJ:L:2016:119:FULL

Page 91: European and national legal challenges when …...The recent Regulation 679/2016 (the “General Data Protection Regulation” or the “GDPR”) makes cooperation among DPAs mandatory

91

members or staff to exercise their investigative powers in accordance with the law of the

Member State of the seconding supervisory authority. Such investigative powers may be exercised

only under the guidance and in the presence of members or staff of the host supervisory authority. The

seconding supervisory authority's members or staff shall be subject to the Member State law of the

host supervisory authority.

4. Where, in accordance with paragraph 1, staff of a seconding supervisory authority operate in

another Member State, the Member State of the host supervisory authority shall assume responsibility

for their actions, including liability, for any damage caused by them during their operations, in

accordance with the law of the Member State in whose territory they are operating.

5. The Member State in whose territory the damage was caused shall make good such damage under

the conditions applicable to damage caused by its own staff. The Member State of the seconding

supervisory authority whose staff has caused damage to any person in the territory of another

Member State shall reimburse that other Member State in full any sums it has paid to the persons

entitled on their behalf.

6. Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of

paragraph 5, each Member State shall refrain, in the case provided for in paragraph 1, from requesting

reimbursement from another Member State in relation to damage referred to in paragraph 4.

7. Where a joint operation is intended and a supervisory authority does not, within one month,

comply with the obligation laid down in the second sentence of paragraph 2 of this Article, the other

supervisory authorities may adopt a provisional measure on the territory of its Member State in

accordance with Article 55. In that case, the urgent need to act under Article 66(1) shall be presumed

to be met and require an opinion or an urgent binding decision from the Board pursuant to Article

66(2).

This is a relatively straightforward article, the key novelty of which is the requirement to invite EU DPAs with an interest (based upon the nature of the data processing being investigated and in particular the countries in which the investigated party is established, and the potential impact of that processing) into a joint investigation.

There appears to follow from this a need for DPAs to consider the metrics they will use to determine what they consider as "a significant number of data subjects" and "substantially affected" (under Article 62(2)). This also forms part of the consistency mechanism. These determinations might be developed at the level of the individual DPA, based upon their existing processes for determining how to respond to complaints or when an investigation is appropriate, and in many cases EU DPAs will have an organisational sense of what these terms mean in practice. These determinations may of course be open to legal challenge. Alternatively, EU DPAs might be minded to adopt a collective decision on what these terms mean in practice as part of a common approach to mutual assistance.

Similarly, a developed understanding of how any given DPA intends to go about determining main and significant establishments in the process leading up to an investigation would be beneficial for collaboration, as this determines which DPAs have a right to participate in a joint operation and should be invited to do so. The second point may be complex in that in some contexts the locations of processing and the establishments of controllers might become clearer during the course of an investigation, and more DPAs may have to be invited. This suggests the need for regular review during the process of an investigation, essentially to determine if any other DPAs count as concerned parties. In practice, and on the basis of examples of previous collaboration, it is unlikely that any DPA that was aware of a joint investigation and wanted to participate would be blocked from doing so.

The conferral of powers under paragraph three is mostly, given the relative harmonisation of powers amongst EU DPAs, a conferral of the ability to operate within a particular Member State legal jurisdiction. Management of liability may become something of a concern, in that host supervisory authorities are liable for any damages caused by hosted staff or the operations of a DPA in another Member State, but this is balanced by the paragraph providing for reimbursement. This limits the potential liability primarily to reputation and public image. It does, however, suggest the need for seconded staff to be properly and professionally trained prior to their secondment, simply to reduce the risk of damaging trust between DPAs. Simply put, for this reason and others, it would not be appropriate for a DPA to respond to a request for mutual assistance by providing under-trained staff.

The potential for a general approach to mutual assistance

From the above legal framework, there appears to be no inherent legal requirement upon EU DPAs, the EDPB or even the Commission to generate a generalised approach to requests for mutual assistance and joint investigations, beyond meeting the requirements as set out above. However, there is clearly space around the Regulation for DPAs themselves to build more process or set out shared assumptions. This is not a necessary precursor to mutual assistance requests being made and joint operations being initiated, and a general approach may develop in an evolutionary manner, with some EU DPAs participating in its development, adopting it or finding their own approaches. This is a separate issue to the possibility of a common enforcement strategy, but does fall within the category of strategic planning and management identified by PHAEDRA II as an area of high benefit but high difficulty.[94]

PHAEDRA II D1[95] summarises the response from EU DPAs on the usefulness of a standardised approach to requests for assistance:

DPAs were asked their opinions on the desirability and feasibility of standardising the way that DPAs approached their European counterparts with requests for assistance. Several DPAs stated that such a standardised approach was a necessity. Others expressed that a standardised approach to the presentation of requests for assistance would be useful and that it could facilitate co-operation and co-ordination. A standardised approach might allow DPAs to make better informed decisions about the requests being presented to them, and allow for clearly setting the parameters of any joint or transferred investigation and for organising the division of work (based upon, for example, technical or investigative experience), as well as increasing the speed and efficiency of communication. The awareness that similar procedures were being followed was seen as useful. Others contextualised this form of operational co-operation against a background of global data protection issues that did not follow national borders, and the need to provide high quality and effective services to both data subjects and data controllers.

Any standardised approach to requests for assistance was seen as needing clear and simple rules, to be agreed collectively by EU DPAs, and finding a resolution to several practical issues, particularly in relation to language and translation. Such a system, we were told, should also retain some space for information that did not fit within the structure, but that nevertheless needed to be exchanged as part of a request. The approach must therefore have some capacity to respond to the particular nature of a case. Standardised templates for requests for assistance would have to be well developed, and if so, they would serve as a reminder to include appropriate information. Information that was identified as an appropriate part of such a structured approach included the subject of the complaint, the technical circumstances, any other data subjects affected by the breach, and involvement of an IT or manual system. However, some DPAs suggested that it was the attitude to co-operation that was most important, regardless of the approach or template used in practice.

One perspective was that the current system of bilateral requests, often formal written memos from one DPA to another, worked acceptably well for the relatively low volume of cross-border complaints received by DPAs. Some DPAs provided details of the Memoranda of Understanding (MoU) that they had established with particular peers, which provided some structure to their interaction and co-operation. One DPA expressed concern that a standardised approach might actively hinder and limit co-operation and communication that was already occurring in less formal ways.

It was suggested by one DPA that it could be useful to take the Google Spain judgement recommendations of the Article 29 Working Party as a reference model.[96] DPAs provided examples of systems in different fields that could be used as examples and inspiration for data protection. These included the field of asylum claims, the system for passing on fines for violations of traffic rules between different EU states, criminal law co-operation in the Council of Europe, and the well-established tradition of mutual legal assistance. These systems were not seen as perfect, but sufficiently functional to learn from.

[94] See Barnard-Wills, D/Papakonstantinou V, ibid, p.69 and p.74.
[95] Ibid.

The following table sets out the driving factors and potential barriers to a common approach to mutual assistance.

Factors pushing towards a common approach:

- As noted above, a shared approach would simplify and facilitate requests for assistance, and reduce overheads in this area. DPA staff involved in mutual assistance requests can become familiar with this approach rather than starting afresh with each request.
- International case volumes are widely expected to increase under the GDPR regime as compared to the Directive. The current method may be inappropriate for this new reality. Organisations tend to routinise and turn into formal processes the activities they conduct on a regular basis.
- Articles 61(6) and 61(9) suggest that some form of standardised format is necessary for information requested by other supervisory authorities, but this might be understood as supplying the information in commonly used electronic document format standards, which can be opened by the recipient.
- A mutual approach does not initially require full consensus agreement on all elements. It might be adopted starting from a sub-group of willing parties, and still provide efficiency benefits. This might provide sufficient incentive for other authorities to align themselves with what becomes a de facto standard approach. Even competing approaches are possible.

Factors militating against a common approach:

- DPAs have different strategic priorities and different internal processes, as well as operating in different national legal contexts. Finding a common approach that meets all of these needs may be impossible.
- Cases themselves are potentially highly divergent, and a common approach that could meet all the possible variations might itself be too complex to be widely adopted.
- A common approach to mutual assistance requests is perceived as unnecessary by some DPAs. This may not change over time, depending upon the actual experienced volume of mutual assistance requests.
- There appears to be no current legal requirement (pending implementing acts by the Commission) to further develop a common process for mutual assistance requests.

[96] These recommendations included common criteria to be used by data protection authorities when handling complaints. See Article 29 Data Protection Working Party, Guidelines on the implementation of the Court of Justice of the European Union judgment on the "Google Spain and inc V. Agencia Espanola de protection de datos (AEPD) and Mario Costeja Gonzalez" C-131/12, WP225, 26 November 2014, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp225_en.pdf

Best practice recommendations

It is apparent that the formal legal requirements do not exhaust the potential ways in which DPAs might provide mutual assistance or conduct joint operations. Based upon this legal framework, DPAs' perspectives,[97] parallel mechanisms,[98] the case-studies of existing cooperation between DPAs,[99] as well as general approaches to collaborative and multi-agency working, we present the following suggestive list of best practices to improve mutual assistance and joint investigations between data protection authorities in the EU.

1. As in other areas of cooperation, mutual assistance and joint operations should be based upon cooperation and the presumption of the equal value, competence and standing of each supervisory authority and of the legal system in its jurisdiction, and thus on the principle of mutual trust.[100] This includes recognising the independence and discretion of peers and having respect for each other's way of doing things.

2. When embarking on a joint initiative, first get comfortable: take time to establish trust and positive communication on a human level with occupational counterparts. Get used to the idea that you will be sharing information, but that some information will rightfully be withheld. We continue to support the recommendation made by PHAEDRA I that authorities should continue and increase the number of short term visits, staff exchanges and secondments and even joint training in order to foster connections prior to requests for assistance and joint operations.[101] Promoting such exchanges and training is an explicit task of the EDPB.

3. Strong initial planning. Budgets and plans, specifying person-hours and other resources, should be established and agreed by all participants. Set well defined goals, project directives and workload distribution. It is at this stage that initial decisions and plans for reporting and public communication should also be developed.[102]

4. Lots of communication. For example, in the WhatsApp case, after some initial discussions the two authorities kept in touch by standing teleconferences, with team leads in communication daily by telephone and encrypted email.

5. Recognise each other's strengths and weaknesses, and take account of this when allocating work (e.g. geographical location, pre-existing relationships, technical capacity). In the WhatsApp investigation the Canadian system allowed more contact with the data controllers under investigation, whilst the Dutch threat of punitive enforcement encouraged compliance with the investigation as a whole.

6. Leadership and senior-level support for mutual assistance and joint operations: spreading a message within organisations that commissioners are strongly committed to the project, and making sure that teams are told they would be supported in making it work. For joint operations, investigative teams need to be creative and adaptive, and this becomes easier with the support of senior management.[103] Based upon their experience, Nordic DPAs have recommended that joint project participants should report to a reference group composed of executives from each participating authority.[104]

7. Relationship management. Authorities should pay attention to the way in which their international relations are managed, particularly in terms of maintaining contacts and sharing expertise internally, and managing the potential loss of connections that can occur with staff changeover. Relationship management, and in particular continuity planning approaches, therefore offer strong potential value to DPAs.

8. Training for less senior staff on mutual assistance and joint operations. Senior level staff at EU DPAs are increasingly familiar with cross-border cooperation, particularly at the commissioner level. The new legal framework of the GDPR will very likely increase international cooperation. With respect to recommendation six above, much of this will occur at operational levels, not at the level of strategic leadership. DPAs therefore need to consider how best to provide their less senior staff with sufficient training, knowledge and international awareness to do this effectively.

9. Clarity and transparency about criteria and reasons for cooperation decisions, particularly when a decision has been made by a DPA to decline to provide mutual assistance in the manner requested by one of their peers. Being able to provide a clear rationale, including sharing the constraints, allows the requesting party to understand the decision, encourages trust between the two agencies, and informs future requests where the situations may be similar.

10. Determine if assistance is necessary or merely nice to have. Recognise that requests for assistance will create a potential resource drain upon the requested party, especially as, unless either of the two exceptions in Article 61(4) comes into play, the request cannot be refused, and supervisory authorities cannot charge a fee for any action taken. This decision will be driven by the needs of the particular case, complaint or investigation.

11. Conversely, be generous with invitations to participate in joint operations. Although there are costs in terms of time and the increasing difficulty of achieving consensus, taking a broad view of which DPAs are likely to constitute a concerned party avoids the risk of excluding a potential partner.

12. Consider strategic level agreements and memoranda of understanding amongst regular co-operators which include detail on how requests for assistance will be made and how they will be responded to, as well as the process to be used in developing joint operations. These agreements can fill in the gaps still present in the legal requirements and provide both parties with confidence in how mutual assistance and joint operations will occur in the future. They reduce the start-up cost of joint investigations, as some of the initial planning work will have been covered by the MoU.

13. Conduct regular review of cooperation processes during and after the period of specific cooperation. As well as shared project management, this includes understanding if additional authorities should be invited to participate. These reviews should be conducted collectively.

14. Transparency of process. Consider publishing (or making accessible to DPA colleagues) the steps of the process through which an investigation or operation is decided upon and planned, including explicitly identifying the stages in which other concerned supervisory authorities are identified and contacted, and the approach that will be used to make this determination.

15. Arrange internal processes for mutual assistance and for arranging joint operations so that decisions can be taken within the one-month window provided for by various aspects of the legislation.

16. Personnel processes to support mutual assistance and joint operations. If staff are to be seconded to another DPA for the duration of a joint investigation, or as a form of mutual assistance, and they will be hosted by that DPA, the success of this can be increased by putting the secondment agreement in writing, making it clear where management responsibility lies, putting in place processes for longer term management (sick pay, absences, disciplinary and performance issues), ensuring that the agreement provides for compliance with the host authority's instructions and policies, assigning mentors from the host and the sending agency, and establishing an agreement in advance on costs (e.g. transportation, accommodation).

[97] Barnard-Wills D/Wright D, ibid, 2015.
[98] Galetta A/Kloza D/De Hert P, ibid.
[99] Barnard-Wills D/Wright D, ibid.
[101] http://www.phaedra-project.eu/wp-content/uploads/Findings-and-recommendations-18-Jan-2015.pdf
[102] For a more detailed perspective on current best practices in joint communications, see chapter 4 of Barnard-Wills D/Papakonstantinou V, ibid.
[103] Recommendations two, three and five were provided by Wilbert Tomesen of the Dutch DPA at a joint round-table between the PHAEDRA II project and the cooperation sub-group of the Article 29 Working Party, held in Hungary in May 2016. For a summary of the round-table see http://www.phaedra-project.eu/phaedra-ii-second-round-table-event-at-the-spring-conference-of-european-dpas/
[104] Svahn Starrsjo K, Successful collaboration requires commitment, EDPS Newsletter, No.46, Brussels, December 2015, https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Newsletters/Newsletter_46_EN.pdf, p.6

5 General conclusions

In view of the diversity and multitude of the issues analysed in this report, general conclusions may not be easily drawn, and could even endanger the analysis upon which they are based by failing to refer to any set of its findings. Indeed, such issues as the consistency mechanism, the “one-stop-shop” mechanism, the European Data Protection Board, BCRs, DPA enforcement powers, and data sharing practices among DPAs are not easy to summarise, and it is therefore not easy to present adequate concluding remarks. Readers are therefore invited to go over each specific chapter that may be of interest to them, in order to find there the specific conclusions reached in each case through our research.

The aim of this workstream was to examine the practical implications of the GDPR, to identify aspects that remain unregulated and would benefit from a common approach by all DPAs, and to highlight specific areas where there is a need for more operational and legal guidelines. The analysis above attempted to apply this standard axis of analysis to all the different GDPR instances placed under its scrutiny: the consistency mechanism, the “one-stop-shop” mechanism, the European Data Protection Board, BCRs, DPA enforcement powers, and data sharing practices among DPAs. An article-by-article approach was considered necessary, in view of the fact that the GDPR is a relatively recent legal text of only a few months' life span, whose provisions would therefore benefit the most from as detailed a legal analysis as possible. While doing this, emphasis was placed on the “practical” aspects of our research: our constant aim was to provide practical assistance to DPAs, through identification of those points within the new GDPR that will probably need to be complemented by additional practical guidance to be issued, most likely, by the Board. In the same context, we also strived to provide the Board members that will undertake this task with certain guiding principles and considerations that will hopefully assist them in their work. As such, our recommendations are addressed to the professionals involved in these processes.

The GDPR is an ambitious legal text that has undertaken an unprecedented mission. The implementation of consistent data protection across the EU undoubtedly constitutes a worthy cause, which is nevertheless burdened by such seemingly insurmountable difficulties as differences in legal systems, differences in judicial systems and even differences in culture among Member States. Many of the issues analysed in this report constitute measurable metrics against which the GDPR's success (in terms of providing efficient protection to individuals and creating legal certainty for controllers and processors) will be judged. The DPAs are the competent authorities that will apply the GDPR's provisions within their respective jurisdictions and, in this regard, the recipients of the GDPR's obligation to co-operate and co-ordinate. Despite its length, the GDPR cannot provide complete details of how best to achieve such DPA cooperation and coordination. The mechanisms through which to do this are indeed introduced in its text, but are then described in generally broad terms. It is therefore the task of EU DPAs, or of the Board, to complement these rules with adequate guidelines and principles, and also to develop the relevant culture of cooperation among them, in order to succeed in achieving consistency and therefore the GDPR's main objective: the creation of a uniform regulatory environment on data protection across the EU.