One of the major purposes of the Regulation is to ensure a consistent application of data protection law throughout the EU, not only to provide a high level of data protection but also to guarantee legal certainty for businesses when handling personal data. This has presented legislators with one of their biggest challenges: how to maintain the existing network of independent national DPAs, whilst ensuring that they promote a consistent interpretation of the Regulation and minimising the number of different DPAs which a controller has to deal with. It remains to be seen whether they have devised a workable solution.
Status and powers of the DPAs
Under the Regulation, each Member State is required to establish one or more independent DPAs responsible for monitoring compliance, and to ensure they are adequately resourced. If a Member State establishes more than one DPA, it must designate one DPA to represent the other DPAs in the European Data Protection Board and has to implement proceedings to ensure that all DPAs comply with the cooperation and consistency mechanism created by the Regulation.
DPAs are provided with a broad range of enforcement powers, including:
- to notify data controllers or data processors of an alleged breach of data protection law
- to order data controllers and data processors to provide or to allow access to any information relevant for the performance of its duties
- to carry out investigations in the form of on-site audits
- to order controllers or processors to bring processing operations into compliance with the Regulation
- to order the rectification, erasure or destruction of personal data
- to impose a temporary or definitive ban on processing
- to impose administrative fines.
The cooperation and consistency mechanism and One Stop Shop
A key innovation of the Regulation is that where a controller is established in more than one Member State, the DPA of the country of the main establishment of the controller will be competent to regulate all its data processing activities throughout the EU. This provides an attractive solution for businesses, but could potentially make it difficult for individuals to pursue complaints. However, the final draft of the Regulation makes clear that individuals are entitled to lodge complaints with the DPA of their home Member State, even if this is not the data controller’s lead authority.
The One Stop Shop applies:
- to data controllers or data processors with establishments in several Member States or
- where the processing of personal data takes place in the context of the activities of a single establishment and is likely to substantially affect data subjects in more than one Member State.
In these cases, generally only one lead DPA can bring enforcement actions against the data controller, namely the DPA in the country of the main establishment of the controller. The lead DPA co-ordinates input from the DPAs of the other affected Member States in order to reach a consensus regarding the enforcement measures. Any local DPA which has informed the lead DPA about an infringement is competent to provide a draft suggestion for enforcement actions to the lead DPA. If the involved DPAs are not able to reach a consensus, a new body, the European Data Protection Board, will decide by simple majority.
This new body will have responsibility for approving measures by DPAs which are intended to have legal effects, such as adopting a code of conduct, authorizing contractual clauses for data transfers abroad or approving BCRs. This is intended to promote a consistent approach to enforcement by the different DPAs.
However, there are exceptions to the One Stop Shop and the consistency mechanism. Each local DPA is still competent to deal with complaints or possible infringements of the Regulation, if the issue relates only to an establishment in its Member State or substantially affects data subjects only in its Member State. In these cases, the local DPA has to notify the lead DPA which then has three weeks to decide whether or not to deal with the infringement. If the lead DPA decides not to handle the case, the local DPA becomes competent for enforcement actions, but has to observe the rules regarding mutual assistance and joint operations of the DPAs.
There is another exception to the consistency mechanism by way of an urgency procedure where the competent DPA considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects. In such cases the competent DPA may adopt provisional measures with a specified period of validity. DPAs may also conduct joint operations, including joint investigations and joint enforcement actions.
Stronger judicial remedies and heavier sanctions
The Regulation provides individuals with judicial remedies against:
- Decisions of a DPA which concern them
- A DPA, obliging it to act on a complaint
- Data controllers and data processors who breach their rights by failing to comply with the Regulation.
These rights can be exercised by consumer bodies on behalf of data subjects. It will be interesting to see to what extent such organisations bring a different focus to enforcement of rights.
Individuals will also have a right to compensation from both data controllers and data processors for material and immaterial damage suffered as a result of processing carried out in breach of the Regulation. Where more than one data controller and data processor are involved in the processing, the Regulation provides that they will be jointly and severally liable unless they can prove that they were not responsible for the event that caused the damage.
A significant change is that sanctions will now apply not only to data controllers, but also to data processors that have breached their data protection obligations. There is also a significant increase in the potential severity of sanctions, acknowledging the fact that current fines are insignificant for certain organisations. Sanctions include:
- Fines up to €20 million, or in case of an undertaking, up to 4% of annual worldwide turnover for other compliance failures with respect to infringements of the rights of the data subjects and the general principles for data processing, e.g. failure to respond to data subject access requests in line with the Regulation or any inadmissible data processing.
- Fines up to €20 million, or in case of an undertaking, up to 4% of annual worldwide turnover for failures to comply with orders of the competent DPA.
The level of sanctions will be fixed having regard to factors such as the nature, gravity and duration of the breach and whether this was intentional or negligent, history of previous breaches, the data protection compliance structure that was in place and the level of co-operation with the DPAs to try and remedy the breach.
Likely practical impact
The One Stop Shop mechanism has the potential to be a substantial improvement on the fragmented regulatory activities under the Data Protection Directive, as it may enable businesses which operate across the EU to deal with only one DPA. However, it remains to be seen how this will work in practice. Due to the various exceptions, data controllers and data processors may still have to deal with several local DPAs, which may interpret the Regulation in different ways.
What to do
- Organisations operating in a number of Member States will benefit from a strategic analysis of the distribution of their data processing activities to assess whether there is a clear country of main establishment, and if not whether it would be beneficial to have one.
- Develop a workable DPA cooperation strategy and procedure.
- Organisations which traditionally act as data processors should conduct a risk assessment of their operations which takes into account the changes in liability.
- Develop guidelines for information requests and inspections by a DPA and train your staff on what to do during an inspection.
- Implement a data protection specific compliance management system to avoid violations of the Regulation which may result in fines of millions of Euros.
- Closely monitor the enforcement actions and announcements of the competent DPA.
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”