It is not uncommon for organisations within the European Union to process personal data in more than one member state, or for citizens from multiple member states to be affected by the activities of one particular establishment of an organisation. Where this type of cross-border processing is taking place, the ‘one-stop-shop’ mechanism applies. In the event of a violation of the GDPR, it is sufficient for the organisation or the data subject to interact with one single supervisory authority (Article 56). But how does this actually work? Let’s explore the practical operation of this one-stop-shop mechanism by looking at two cases that came up in November 2020, concerning various organisations, including Google, Twitter and the Dutch Consumer Association.
Lead vs. concerned supervisory authorities
For every instance of cross-border data processing there will always be one lead supervisory authority. The supervisory authorities of the other countries where the cross-border processing is taking place are referred to as ‘supervisory authorities concerned’. Which supervisory authority qualifies as lead depends on the location of the main establishment or single establishment of the organisation. To illustrate this: the processing of personal data by Google is a cross-border operation, and the main establishment of Google Ireland Limited is in Ireland. This means that in this case the lead supervisory authority would be the Irish supervisory authority, the Data Protection Commission.
The lead supervisory authority then bears primary responsibility for the regulation of cross-border processing. Nevertheless, on November 30 2020, the Dutch Consumer Association filed a suit against the Personal Data Authority (AP) of The Netherlands for having failed to rule on a complaint lodged by that same Consumer Association against Google, claiming that the AP was ‘hiding behind’ the Irish supervisory authority. This raises the fundamental question of whether it is possible for the AP to rule on such an issue in the first place, given that it was clearly acting in the capacity of supervisory authority concerned. Whatever the court may decide, the case potentially carries some very interesting implications for the working of the ‘one-stop-shop’ mechanism.
The lead supervisory authority is obliged to cooperate with the other supervisory authority or authorities concerned in an endeavour to reach consensus (Article 60). In practical terms, what this means is that the lead supervisory authority and the supervisory authorities concerned are required to exchange all relevant information with each other and provide ‘mutual assistance’ (Article 61). If, for example, one of the supervisory authorities concerned does not agree with a draft decision proposed by the lead supervisory authority, a (relevant and reasoned) objection can be submitted.
In some cases, a dispute may arise between the lead supervisory authority and the supervisory authorities concerned, which can then be resolved by the European Data Protection Board (EDPB) issuing a binding decision. Dispute resolution by the EDPB is one of the so-called consistency mechanisms; another example is an opinion of the EDPB (Article 64). These mechanisms are intended to stimulate cooperation between supervisory authorities, which, in turn, contributes to consistent application of the GDPR throughout the European Union.
On November 9 2020, for the first time since the introduction of the GDPR, the EDPB took a binding decision following a dispute between the Irish supervisory authority, acting as lead supervisory authority, and other supervisory authorities concerned. The dispute arose after a data breach occurred at Twitter in 2019, which prompted the Irish supervisory authority to take a number of (draft) decisions. These draft decisions, once shared with the other supervisory authorities concerned, were met with a number of objections regarding the exact nature of the GDPR violation, Twitter’s role as (sole) controller and the amount of the proposed fine. The lead supervisory authority rejected these objections, finding them insufficiently relevant and reasoned, which consequently led to the initiation of a dispute resolution procedure carried out by the EDPB.
Based on the EDPB’s binding decision, the Irish supervisory authority will have to take a final decision with regard to the data breach at Twitter. Once Twitter has been notified of the final decision, the EDPB will publish its own binding decision on this web page. This blog will certainly be continued!