Supervisory Authorities (SAs)
Supervisory authorities are independent organisations established by each member state. They are responsible for and tasked with monitoring the application of the GDPR, “in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union” (Article 51).
The authority within a country must contribute to the consistent application of the GDPR. This is achieved via coordination and through the European Data Protection Board.
Supervisory authorities are the first contact point for all companies. The supervisory authority of the country of main establishment is also the lead authority for the company. The ‘main establishment’ can be tricky to define, but it pertains to the country in which the major administrative decisions are made.
For example, if your company is based in Germany and you expand to France, your actions are governed by both authorities. However, in practice you only deal with one – the German authority. The authority itself is responsible for the rest of the communication with other authorities. Only the lead authority can take legally binding decisions against a company.
One-Stop Shop Mechanism
If your company does not have an EU establishment, then you will be obligated to deal with all the local supervisory authorities in the countries where you do business. That is why it may make more sense to open an EU establishment for this purpose.
The arrangement described above, where a company deals only with its lead authority, is the famed ‘one-stop shop’ regulatory mechanism that aims to reduce the administrative burden on companies. The supervisory authorities perform a wide range of tasks. They can investigate, give advice and issue fines. They also receive complaints from data subjects about companies.
You have a duty to contact the supervisory authority in case of breaches and other issues. The communication is two-way, between the company-appointed DPO and the supervisory authority.
Much of the regulatory coordination and action happens behind the scenes. It is not something companies must actively concern themselves with. We think this is one of the greatest achievements of the GDPR. The lead supervisory authority is responsible for the coordination of any investigations.
European Data Protection Board
The European Data Protection Board will be a new old agency. Let’s explain. The currently active Data Protection Directive, which was adopted in 1995, mandates in its Article 29 the creation of an advisory body.
The body is called the Article 29 Working Party, and it is made up of representatives of the national data protection authorities of every member state, the European Data Protection Supervisor (incumbent Supervisor: Giovanni Buttarelli) and the European Commission.
It is an advisory body that provides expert advice, ensures the consistent application of data protection principles throughout the EU and advises the European Commission on privacy-related legislation.
The GDPR will replace the Article 29 Working Party with the European Data Protection Board. The Working Party will transform into the EDPB, but with an enhanced set of responsibilities and powers. Namely, the EDPB will be an independent body of the EU, instead of having a merely advisory function.
The Article 29 WP has already included this transition in its Work Plan for 2016 – 2018, in which it outlines the major changes it will have to undertake. The EDPB will consist of several subgroups with dedicated tasks and responsibilities.
The EDPB will be made up of the heads of the supervisory authorities from each member state and the European Data Protection Supervisor. The European Commission will have only a non-voting seat. In case a country has more than one supervisory authority, they all need to cooperate on appointing a joint representative. The European Data Protection Supervisor will provide the secretariat for the EDPB.
The Top Coordinator
The EDPB also serves to coordinate the supervisory authorities. Since a company can conduct business in all EU countries, one supervisory authority will be appointed as a lead authority. However, in case of a dispute, or if there is an EU-wide impact of a decision by a supervisory authority, the EDPB can intervene to help, issuing opinions and legally binding decisions (requiring a supermajority). These decisions may be challenged in court, of course.
The coordination and the unification of rules in practice will take place via the consistency mechanism, as outlined in Article 63 of the GDPR. The consistency mechanism is not triggered if the decision by the SA does not have an EU-wide impact. This will probably incentivize forum shopping. The fines are huge and, despite the same legislative environment, cultural differences can play a part as well. Some authorities could be laxer when it comes to fines, for example.
The decisions of the EDPB will be public in most cases. Interested parties will have to be consulted before a decision is reached, where appropriate.
The European Commission
As outlined above, the European Commission will still form part of the EDPB. Its role is designated as a ‘backstop’; it is the supranational element that prevents the Board from being an intergovernmental club.
The Commission will ensure that the Board acts in the interests of the European citizens and protects their personal data. Furthermore, the Commission is the only body capable of making binding decisions, as the Board doing it itself would technically be illegal under the EU treaties.
A Watchful Observer
It is stressed that the Commission will not affect the independence of the SAs. However, it remains to be seen to what extent that will hold. It should technically not get involved in individual cases, especially those without EU-wide impact. Where the consistency mechanism is engaged, the Commission can issue opinions after the EDPB issues its opinion, if it deems it necessary. The Commission gets involved directly only if the opinion is not taken into account by the SAs in question.
If the Commission or the Board seriously doubt that the measure enacted by the supervisory authority would result in the correct application of the GDPR, the Commission may require that the SA suspend the measure for a year at most. This can be done only in two cases – to reconcile differing opinions of the SA and the Board or to adopt an implementing measure where there are issues with the proper functioning of the internal market.
The result of these provisions, and of the overall approach of ensuring coordination between the regulatory authorities, is that much of the regulatory action happens behind the scenes; it is not something companies must actively concern themselves with. We think this is one of the greatest achievements of the GDPR.
Companies will have only one authority to communicate with. In addition, they can rest assured that any decision they receive from that authority is valid within the whole EU. The burden of ensuring that the other authorities green-light the decision lies with the authority, not the company. This should greatly simplify companies’ compliance efforts.
It remains to be seen how well this coordination mechanism will work. Some authorities could be less stringent than others, and only time will tell how effective the coordination will be in practice. A few hiccups are expected until all the parties establish clear and effective avenues of communication and other guidelines. In any case, aside from meeting the requirements of the GDPR, the overall regulatory environment should be a friendly one.