Role of the Supervisory Authorities, Commission and EDPS
Jan Dhont, Alston & Bird LLP, October 24, 2016
Follow us: @AlstonPrivacy www.AlstonPrivacy.com
Overview
- Introduction
- New roles of the Supervisory Authorities, EDPB, Commission and EDPS
- Lead SAs, cross-border processing and main establishment
- Remedies, Liability and Penalties
Concern #1: Harmonization
Harmonization
- A “single set of rules”
- GDPR has direct effect
- More granular provisions
- Cooperation and consistency procedures
- Role of the EDPB and Commission
Diversification
- GDPR provides for national implementation at many instances
- Cultural and linguistic variation
- Divergent SA positions/court rulings may have more authority than before (adverse effects)
Concern #2: Effective Enforcement
GDPR’s Trinity of Effective Data Protection
- Accountability
- Enhanced Data Protection Rights
- Increased Enforcement and Sanctions
Supervisory Authorities
Policy-making/Education
- Promote public awareness
- Provide information to individuals concerning rights
- International cooperation on legislative and administrative measures
- Monitor relevant developments (technologies and commercial practices)
- Contribute to EDPB activities
- Specific tasks re DPIAs, certifications of data protection seals and marks, etc.
Authorizations/Administrative
- Periodic review of certifications
- Approve BCRs
- Prior consultations
- Records of measures in light of complaint handling
Enforcement
- Complaint handling
- Cooperate with other SAs and provide mutual assistance
- Conduct investigations (also further to requests from other SAs or public authorities)
General
- Member states must organize SAs and adopt legislation ensuring effective functioning and new role (Art. 54)
- Sufficient financial and human resources
- More enforcement/judicial role than administrative
Supervisory Authorities | Extended Powers (Art. 58)
Investigative
• Order companies to provide information
• Auditing
• Obtain access to all information necessary for performance of tasks
• Obtain access to premises, including equipment/means
Corrective
• Issue warnings
• Issue reprimands (infringements)
• Order compliance with data protection rights
• Order to bring processing in compliance (in a specified manner/time period)
• Order to communicate data breach to individuals
• Order ban on processing/suspension of data flows
• Withdraw certifications
• Impose administrative fines
Advisory/Authorization
• Advise in context of prior consultation and authorize processing
• Issue opinions to local authorities
• Issue opinions concerning codes of conduct and their approval
• Accreditation of certification bodies
• Issue certifications and approve certification criteria
• Adopt standard model clauses
• Approve BCRs
European Data Protection Board
Tasks
- Guidelines and recommendations similar to WP 29 today
- Encourage drawing-up of codes of conduct/certifications/data protection seals
- Adequacy assessments
- Promote cooperation between SAs, training, exchange of knowledge
- Issue opinions and binding decisions in context of the consistency mechanism
- Maintain register of opinions and decisions taken in context of consistency mechanism
EDPB
- Replaces the Article 29 Working Party
- Composed of the heads of the SAs and the EDPS, or their representatives
- Will have legal personality
- Decisions by simple majority (default) (Art. 72)
The Commission and the EDPS
EU Commission
- Adequacy decisions and model clauses
- Participates in EDPB meetings without voting rights
- May request referral of an SA decision to the EDPB if it has EU-wide impact (Art. 64(2))
- Technical protocols on exchange of information in the context of BCR applications and the SAs’ duty of mutual assistance (Art. 47(3) and Art. 61(9))
- Delegated and implementing acts (e.g. icons for notices, approval of codes of conduct, criteria for certification mechanism)
EDPS
- Participates in EDPB meetings, but with voting rights only for issues relating to EU institutions
- Hosts secretariat of EDPB (important change!)
- Revision of Regulation 45/2001 on its way; expected end 2017
Judiciary
National courts likely to become more involved:
- Judicial review of SA decisions
- GDPR underscores right to effective judicial remedy
ECJ
- Annulment of EDPB decisions
- Preliminary rulings
Discussion
- Companies will primarily be engaged with Supervisory Authorities
- Substantial national variation of law – local guidance SAs remains important
- Supervisory Authorities have different cultural background and may push own policy
- Exact roll-out of tasks not yet clear since national laws need to be adopted (e.g. Germany, France)
- EDPB will play a more direct role for companies: it can take binding decisions in specific cases
- Impact of national case-law: a more important source of law than before
- Divergent effect of national case law over the mid to long term
What SA is Competent? | Preliminary
- Original Proposal: “single set of rules” and “one-stop-shop”
- Questions:
  - To what extent do we still have a one-stop-shop?
  - What value in structuring governance in light of the location of the Lead SA?
Supervisory Authorities | Competences
Local SA competent for
- Exclusively local matters (Art. 55 (1)) BUT local SA must notify Lead SA
- Processing for compliance with national law or for national public interest remains exclusively for the local SA (Art. 55 (2))
Lead SA competent for
- “Cross-border processing” (“One-Stop-Shop”)(Art. 56)
- Lead Authority is SA of “main establishment” or “single establishment”
- Lead must cooperate with “SAs concerned” (Art. 60(1)) and relevant SAs have right to be involved in joint operations
Key Concepts | Cross-Border Processing
Processing by a controller or processor that has effects in more than one Member state, because the processing either:
- Benefits or concerns (“takes place in the context of the activities of”) multiple establishments of a controller/processor which is established in more than one Member state; or
- Takes place in only one establishment of a controller/processor but substantially affects data subjects in more than one Member state.
Cross-Border Processing Quiz | Yes/No?
- Data controller in Belgium retaining a third party processor in France?
- Same, but the processor is owned by the controller?
- Company group of entities in 6 EU countries, acting as a controller, retaining a third party cloud provider in Belgium?
- Same, but the provider is outside the EU?
- US online service provider with a representative office in the EU?
Cross-Border Processing | Discussion
- Does NOT necessarily require the transfer of personal data (though in practice it will mostly involve a transfer)
- Presence in more than one Member state does NOT automatically mean “cross-border” processing
- NO cross-border processing in case of extra-territorial application!
- Problem: in practice, typically no plurality of establishments but of controllers/processors (potentially defunct definition)
- What is sure: lots of potential grey zone; WP29 is working on guidance
Key Concepts |Main-Establishment
Main Establishment. As regards:
- A controller: the place of its central administration in the EU, unless decisions on purposes and means are taken in another establishment of the controller in the EU AND the latter has the power to have such decisions implemented.
- A processor: the place of its central administration in the EU, or, if the processor has no central administration in the EU, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place.
Examples/Cases
- In case of processor internal to the group (e.g., shared data center), location of HQ will arguably be determining
- Only US HQs and no EU HQs?
- What in case of vertical organization of business (e.g., 3 business lines with business HQs in more than one Member state)?
Cooperation Procedure
Cooperation (Art. 60) and Consistency (Art. 63 et seq.)
Lead SA must cooperate with other SAs to reach consensus:
- Exchange information
- Provide mutual assistance (Art. 61)
- Joint operations (Art. 62)
Steps:
1. Lead SA provides information to the local SAs concerned and submits a draft decision “without delay”.
2. Local SAs concerned may raise a “reasoned objection”, within 4 weeks.
3. Either the Lead SA follows the “reasoned objection”, or the Lead SA does NOT follow the objection, or the Lead SA decides the objection is not “relevant and reasoned”.
4. If the Lead SA follows the objection: Lead SA must submit a revised draft decision to the local SAs concerned; they have 2 weeks to object; if no further objections, the SAs are bound and the Lead SA will notify the controller/processor, the SAs and the EDPB.
5. If the Lead SA does not follow the objection, or rejects it as not “relevant and reasoned”: dispute settlement under the “Consistency Mechanism” before the EDPB.
Notes:
1. A decision may be split into different decisions.
2. Controller/Processor must take measures to ensure compliance with the decision THROUGHOUT the Union and notify the Lead SA of the implementation measures.
Consistency Procedure
Opinion of EDPB (Art. 64)
Opinion must be obtained in certain cases
- Obligatory in specific cases (e.g. BCRs, model contracts, accreditation of certification body, etc.)
- Any matter that has multijurisdictional effects, upon request of an SA, the EDPB Chair or the Commission
- Lack of mutual assistance between SAs
Timing
- Opinion to be provided within 8 weeks (extendable by another 6 weeks)
- Supervisory authority must not take its decision until the Opinion has been obtained
- Supervisory authority “shall take into account” the Opinion within 2 weeks and notify its position to the EDPB
Dispute Resolution by EDPB (Art. 65)
Binding Decision
- In case an SA has raised a “relevant and reasoned objection” to a draft decision, or the Lead SA rejected an objection of an SA
- Issues concerning competence
- SA does not request an EDPB Opinion where required, or does not follow the EDPB Opinion
Timing
- Decision must be adopted by the EDPB within one month (extendable by another month) [2/3 majority vote]
- If no outcome, extendable by another 2 weeks [simple majority vote]
- SA and Commission will be notified of the decision
- SA must “adopt its final decision on the basis of the [EDPB] decision”
Supervisory Authorities | One-Stop-Shop
Possible “political use” of the procedure by the Lead SA: the Lead may take up a matter with a view to bringing it before the EDPB (Art. 60(4) in conjunction with Art. 63)?
There is value in organizing corporate governance to interact with a pragmatic Lead SA
- Jurisdiction of the Lead SA will in practice often be the country with the most important/significant processing for the company group
- Lead SA will be the sole interlocutor for “cross-border processing” and be in the driver’s seat
- Lead SA has authority to reject the decision of a local SA and instead handle the matter itself in accordance with the cooperation procedure
Remedies
Complaint with SA (Art. 77)
- Every data subject
- In particular, in (i) Member state of habitual residence, (ii) place of work, or (iii) place of alleged infringement
- SA required to inform complainant on progress and outcome AND available judicial remedies
Effective remedy against an SA (Art. 78)
- Every data subject or legal person
- Remedy against a legally binding decision of the SA concerning them
- In case of non-action of the SA, or non-information of the data subject on progress within 3 months’ time
- Before the court of the Member state where the SA is established
- Full remedy (facts and law)
- Opinion/Decision of EDPB must be provided to the Court
Effective judicial remedy against a controller or processor (Art. 79)
- Every data subject
- Contended violation of rights under the GDPR as a result of processing in non-compliance with the GDPR
- Court of the Member state of establishment of the controller/processor
- Alternatively, court of the Member state where the data subject has habitual residence (unless public authorities)
- EDPB decisions cannot be challenged before national courts
- Annulment action before the ECJ if individually and directly concerned (Art. 263 TFEU)
Judicial Remedies
- National court may (or must, in the case of Art. 267 TFEU) request the ECJ for a preliminary ruling
- Companies, individuals and SAs can bring annulment actions against EDPB decisions before the ECJ (Art. 263 TFEU):
  - SA can bring action within 2 months after notification
  - If decisions are of “direct and individual concern” to a controller/processor/data subject, within 2 months after publication on the SA’s website
- Companies and natural persons “directly and individually concerned” must challenge the EDPB decision before the ECJ (recital 143)!
Remedies | Discussion
- What if the controller or processor has no establishment in the EU? Can the representative be sued? Effect?
- Can companies challenge a “decision” which “concerns them” indirectly? (E.g., a decision having impact on industry-level?)
- Not-for-profit bodies and consumer organizations can be mandated to exercise procedural rights and the right to receive compensation (Art. 80)
- Member states can also empower consumer organizations to act independently (!) (Art. 81)
Liability Regimes
Civil Liability. Any person who has suffered damage has the right to receive compensation from the controller or processor for damage suffered as a result of an infringement of the GDPR (Art. 82 GDPR).
- Strict liability regime.
- Controller or processor have the burden of proof to discharge.
- Joint and several liability. Processor may need to pay first!
- Compensating party may claim back “that part of the compensation corresponding to their part of responsibility for the damage”. Processor ultimately cannot be held liable for damage relating to controller obligations. Need for clear contract language.
Liability Regimes
Administrative Fines. Supervisory Authorities must ensure “effective, proportionate and dissuasive” application of administrative fines (Art. 83).
- In addition to, or instead of, corrective measures
- Criteria for fining and amount are set forth in the GDPR, for instance (recital 148):
  - sensitive data
  - measures taken to mitigate damage
  - degree of responsibility (!)
  - degree of cooperation
  - notification of the SA (vs. the principle of non-self-incrimination)
  - privacy certifications
  - financial gain
- Total amount is limited to the amount for the gravest infringement
- Effective judicial remedy and due process
Administrative Fines
“Other” violations: administrative fine up to 10 MM EUR, or “in the case of an undertaking”, up to 2 percent of “total worldwide annual turnover of the preceding financial year”, whichever is higher
- Children data processing
- Processing not requiring identification
- Data protection by design or default
- Joint controller obligations
- Appointment of representative
- Processor obligations
- Records of processing
- Cooperation duty with SAs
- Information security
- Breach notification to SA and to data subject
- DPIAs
- Prior consultation
- DPO obligations
- Certification
“Core” violations: administrative fine up to 20 MM EUR, or “in the case of an undertaking”, up to 4 percent of “total worldwide annual turnover of the preceding financial year”, whichever is higher
- General processing principles
- Lawfulness of processing (legal basis)
- Consent conditions
- Sensitive data processing
- Data subjects’ rights
- Third country transfers
- Chapter IX processing (freedom of expression, public access to official documents, national identification number, context of employment, derogations for scientific, historical research or statistical purposes)
- Non-compliance with an order or a temporary or definitive limitation on processing or suspension of data flows
- Refusal to allow access to the SA (measures preventing investigations by SAs)
Undertaking
- Undertaking is not restricted to a legal person
- Undertaking is “every entity engaged in an economic activity (offering of goods or services with intention to make profit), regardless of the legal status of the entity or the way it is financed”
- May infringements by an entity be attributed to other members of the company group (e.g. parent company)?
Liabilities
Criminal Penalties. Member states must lay down rules on other penalties applicable to infringements of the GDPR, in particular to infringements not sanctioned by administrative fines. They must be effective, proportionate and dissuasive.
- Criminal fines in addition to administrative fines
- Prison sentences/deprivation of profits obtained through infringement of the GDPR (Recital 149)
- Member states must notify the Commission of the legislation implementing this requirement
- Ne bis in idem
Discussion
Enforcement risk:
- GDPR has teeth
- Symbolic actions/policy-making
- Supervisory Authorities are rooted in local tradition and will want to continue certain policies
- Consumer awareness
- Stakes are higher than before for all parties
About Alston & Bird’s Privacy and Data Security Practice:
Cybersecurity Preparedness & Response Team
Alston & Bird’s Cybersecurity Preparedness & Response Team specializes in assisting clients in
both preventing and responding to security incidents and data breaches, including all varieties
of network intrusion and data loss events.
www.alstonsecurity.com
Privacy & Data Security Team
Our team helps clients at every step of the information life cycle, from developing and
implementing corporate policies and procedures to representation on transactional matters, public
policy and legislative issues, and litigation.
www.alston.com/privacy
Questions