Role of the Supervisory Authorities, Commission and EDPS Jan Dhont, Alston & Bird LLP October 24, 2016





Follow us: @AlstonPrivacy www.AlstonPrivacy.com

Overview

- Introduction

- New roles of the Supervisory Authorities, EDPB, Commission and EDPS

- Lead SAs, cross-border processing and main establishment

- Remedies, Liability and Penalties


Concern #1: Harmonization

Harmonization

- A “single set of rules”
- GDPR has direct effect
- More granular provisions
- Cooperation and consistency procedures
- Role of the EDPB and Commission

Diversification

- GDPR provides for national implementation at many instances
- Cultural and linguistic variation
- Divergent SA positions/court rulings may have more authority than before (adverse effects)


Concern #2: Effective Enforcement

GDPR’s Trinity of Effective Data Protection

- Accountability
- Enhanced Data Protection Rights
- Increased Enforcement and Sanctions


Supervisory Authorities

Policy-making/Education

- Promote public awareness
- Provide information to individuals concerning rights
- International cooperation on legislative and administrative measures
- Monitor relevant developments (technologies and commercial practices)
- Contribute to EDPB activities
- Specific tasks re DPIAs, certifications of data protection seals and marks, etc.

Authorizations/Administrative

- Periodic review of certifications
- Approve BCRs
- Prior consultations
- Records of measures in light of complaint handling

Enforcement

- Complaint handling
- Cooperate with other SAs and provide mutual assistance
- Conduct investigations (also further to requests from other SAs or public authorities)

- Member states must organize SAs and adopt legislation ensuring effective functioning and new role (Art. 54)
- Sufficient financial and human resources
- More enforcement/judicial role than administrative


Supervisory Authorities. Extended Powers (Art. 58).

Investigative

• Order companies to provide information
• Auditing
• Obtain access to all information necessary for performance of tasks
• Obtain access to premises, including equipment/means

Corrective

• Issue warnings
• Issue reprimands (infringements)
• Order compliance with data protection rights
• Order to bring processing in compliance (in a specified manner/time period)
• Order to communicate data breach to individuals
• Order ban on processing/suspension of data flows
• Withdraw certifications
• Impose administrative fines

Advisory/Authorization

• Advise in context of prior consultation and authorize processing
• Issue opinions to local authorities
• Issue opinions concerning codes of conduct and their approval
• Accreditation of certification bodies
• Issue certifications and approve certification criteria
• Adopt standard model clauses
• Approve BCRs


European Data Protection Board

Tasks

- Guidelines and recommendations similar to WP 29 today
- Encourage drawing-up of codes of conduct/certifications/data protection seals
- Adequacy assessments
- Promote cooperation between SAs, training, exchange of knowledge
- Issue opinions and binding decisions in context of the consistency mechanism
- Maintain register of opinions and decisions taken in context of consistency mechanism

EDPB

- Replaces the Article 29 Working Party
- Heads of the SAs, the EDPS or their representatives
- Will have legal personality
- Decisions by simple majority (default) (Art. 72)


The Commission and the EDPS

EU Commission

- Adequacy decisions and model clauses
- Participates in EDPB meetings without voting rights
- Request referral of an SA decision to the EDPB if EU-wide impact (Art. 64(2))
- Technical protocols on exchange of information in the context of BCR applications and SAs’ duty of mutual assistance – Art. 47(3) and Art. 61(9)
- Delegated and implementing acts (e.g. icons for notices, approval of codes of conduct, criteria for certification mechanism)

EDPS

- Participates in EDPB meetings but only has voting rights for issues relating to EU institutions
- Hosts secretariat of EDPB (important change!)
- Revision of Regulation 45/2001 on its way – expected end 2017


Judiciary

National courts likely to become more involved:

- Judicial review of SA decisions
- GDPR underscores right to effective judicial remedy

ECJ

- Annulment of EDPB decisions
- Preliminary rulings


Discussion

- Companies will primarily be engaged with Supervisory Authorities

- Substantial national variation of law – local guidance SAs remains important

- Supervisory Authorities have different cultural background and may push own policy

- Exact roll-out of tasks not yet clear since national laws need to be adopted (e.g. Germany, France)

- EDPB will play more direct role for companies –can take binding decisions in specific cases

- Impact of national case-law: more important source of law than before

- Divergent effect of national case law over mid-long term


What SA is competent? Preliminary

- Original Proposal: “single set of rules” and “one-stop-shop”

- Questions:

  - To what extent do we still have a one-stop-shop?

  - What value in structuring governance in light of location of Lead SA?


Supervisory Authorities | Competences

Local SA competent for

- Exclusively local matters (Art. 55 (1)) BUT local SA must notify Lead SA

- Processing for compliance with national law or for national public interest remains exclusively for the local SA (Art. 55 (2))

Lead SA competent for

- “Cross-border processing” (“One-Stop-Shop”)(Art. 56)

- Lead Authority is SA of “main establishment” or “single establishment”

- Lead must cooperate with “SAs concerned” (Art. 60(1)) and relevant SAs have right to be involved in joint operations


Key Concepts | Cross-Border Processing

Processing by controller or processor that has effects in more than one Member state, because the processing either:

- Benefits or concerns (“takes place in the context of the activities of”) multiple establishments of a controller/processor which is established in more than one Member state; or

- Takes place in only one establishment of a controller/processor but substantially affects data subjects in more than one Member state.


Cross-Border Processing Quiz | Yes/No?

- Data controller in Belgium retaining a third party processor in France?

- Same, but processor is owned by controller?

- Company group of entities in 6 EU countries, acting as a controller, retaining a third party cloud provider in Belgium?

- Same, but provider is outside the EU?

- US online service provider with a representative office in the EU?


Cross-Border Processing | Discussion

- Does NOT necessarily require the transfer of personal data (though in practice will mostly involve a transfer)

- Presence in more than one Member state does NOT automatically mean “cross-border” processing

- NO cross-border processing in case of extra-territorial application!

- Problem: in practice, typically no plurality of establishments but of controllers/processors (potentially defunct definition)

- What is sure: lots of potential grey zone – WP29 is working on guidance


Key Concepts | Main Establishment

Main Establishment. As regards:

- A controller: the place of its central administration in the EU, unless decisions on purposes and means are taken in another establishment of the controller in the EU AND the latter has power to have such decisions implemented.

- A processor: the place of its central administration in the EU, or, if the processor has no central administration, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place.

Examples/Cases

- In case of processor internal to the group (e.g., shared data center), location of HQ will arguably be determining

- Only US HQs and no EU HQs?

- What in case of vertical organization of business (e.g., 3 business lines with business HQs in more than one Member state)?


Cooperation Procedure

COOPERATION (Art. 60) / CONSISTENCY (Art. 63 eff.)

1. Lead SA must cooperate with other SAs to reach consensus: exchange information, provide mutual assistance (Art. 63), joint operations (Art. 62). Local Supervisory Authorities concerned provide information.

2. Lead SA submits draft decision to the SAs concerned “without delay”.

3. SAs concerned may raise a “reasoned objection” within 4 weeks. Then either:

   - Lead SA follows the “reasoned objection”:

   4. Lead SA must submit a revised draft decision before the local SAs concerned, within 2 weeks; if no further objections, SAs are bound and the Lead SA will notify the controller/processor, the SAs and the EDPB.

   - Lead SA does NOT follow the objection, or Lead SA decides the objection is not “relevant and reasoned”:

   5. Dispute settlement under the “Consistency Mechanism” before the EDPB.

Notes:

1. A decision may be split in different decisions.
2. Controller/Processor must take measures to ensure compliance with the decision THROUGHOUT the Union and notify the Lead SA of implementation measures.


Consistency Procedure

Opinion of EDPB (Art. 64)

Opinion must be obtained in certain cases

- Obligatory in specific cases (e.g. BCRs, model contracts, accreditation of certification body, etc.)

- Any matter that has multijurisdictional effects, upon request of an SA, the EDPB Chair or the Commission

- Lack of mutual assistance between SAs

Timing

- Opinion to be provided within 8 weeks (extendable by another 6 weeks)

- Supervisory authority must not take a decision until the Opinion has been obtained

- Supervisory authority “shall take into account” the Opinion within 2 weeks and notify its position to the EDPB

Dispute Resolution by EDPB (Art. 65)

Binding Decision

- In case an SA has raised a “relevant and reasoned objection” to a draft decision or the LSA rejected an objection of an SA

- Issues concerning competency

- SA does not request an EDPB Opinion where required or does not follow the EDPB Opinion

Timing

- Decision must be adopted by the EDPB within one month (extendable by another month) [2/3 majority vote]

- If no outcome, extendable by another 2 weeks [simple majority vote]

- SA and Commission will be notified of the decision

- SA must “adopt its final decision on the basis of the [EDPB] decision”


Supervisory Authorities | One-Stop-Shop

Possible “political use” of the procedure by the Lead SA – Lead may take up a matter with a view to bringing it to the EDPB (Art. 60(4) jo. 63)?

There is value in organizing corporate governance to interact with a pragmatic Lead SA

- Jurisdiction of the Lead SA will in practice often be the country with the most important/significant processing for the company group

- Lead SA will be the sole interlocutor for “cross-border processing” and be in the driver’s seat

- Lead SA has authority to reject the decision of a local SA and instead handle the matter itself in accordance with the cooperation procedure


Remedies | Liability | Penalties


Remedies

Complaint with SA (Art. 77)

- Every data subject

- In particular, in (i) Member state of habitual residence, (ii) place of work, or (iii) place of alleged infringement

- SA required to inform complainant on progress and outcome AND available judicial remedies

Effective remedy against an SA (Art. 78)

- Every data subject or legal person

- Remedy against a legally binding decision of the SA concerning them

- In case of non-action of the SA or non-information of the data subject on progress within 3 months’ time

- Before the court of the Member state where the SA is established

- Full remedy (facts and law)

- Opinion/Decision of the EDPB must be provided to the Court

Effective judicial remedy against a controller or processor (Art. 79)

- Every data subject

- Contended violation of rights under the GDPR as a result of processing in non-compliance with the GDPR

- Court of the Member state of establishment of the controller/processor

- Alternatively, court of the Member state where the data subject has habitual residence (unless public authorities)

- EDPB decisions cannot be challenged before national courts

- Annulment action before the ECJ if individually and directly concerned (Art. 263 TFEU)


Judicial Remedies

- National court may (or must in case of Art. 267 TFEU) request ECJ for preliminary ruling

- Companies, individuals and SAs can bring annulment actions against EDPB decisions before the ECJ (Art. 263 TFEU):

  - An SA can bring an action within 2 months after notification

  - If decisions are of “direct and individual concern” to a controller/processor/data subject, within 2 months after publication on the SA’s website

- Companies and natural persons “directly and individually concerned” must challenge the EDPB decision before the ECJ (recital 143)!


Remedies | Discussion

- What if the controller or processor has no establishment in the EU? Can the representative be sued? Effect?

- Can companies challenge a “decision” which “concerns them” indirectly? (E.g., a decision having impact on industry-level?)

- Not-for-profit bodies and consumer organizations can be mandated to exercise procedural rights and the right to receive compensation (Art. 80)

- Member states can also empower consumer organizations to act independently (!) (Art. 81)


Liability Regimes

Civil Liability. Any person who suffered damage has the right to receive compensation from the controller or processor for damage suffered as a result of an infringement of the GDPR (Art. 82 GDPR).

- Strict liability regime.

- Controller or processor has the burden of proof to discharge.

- Joint and several liability. Processor may need to pay first!

- Compensating party may claim back “that part of the compensation corresponding to their part of responsibility for the damage”. Processor ultimately cannot be held liable for damage relating to controller obligations. Need for clear contract language.


Liability Regimes

Administrative Fines. Supervisory Authorities must ensure “effective, proportionate and dissuasive” application of administrative fines (Art. 83).

- In addition to, or instead of, corrective measures

- Criteria for fining and amount are set forth in the GDPR, for instance (recital 148):

  - sensitive data
  - measures taken to mitigate damage
  - degree of responsibility (!)
  - degree of cooperation
  - notification of SA (<> principle of non-self-incrimination)
  - privacy certifications
  - financial gain

- Total amount limited to the amount for the gravest infringement

- Effective judicial remedy and due process


Administrative Fines

“Other” violations: Children data processing / Processing not requiring identification / Data protection by design or default / joint controller obligations / appointment of representative / Processor obligations / Records of processing / Cooperation duty with SAs / Information Security / Breach notification to SA and to Data Subject / DPIAs / Prior Consultation / DPO obligations / Certification

Administrative fine up to 10 MM EUR, or “in the case of an undertaking”, up to 2 percent of “total worldwide annual turnover of the preceding financial year”, whichever is higher

“Core” violations: General processing principles / Lawfulness of processing (legal basis) / Consent conditions / Sensitive data processing / Data subjects’ rights / third country transfers / Chapter IX processing (freedom of expression, public access to official documents, national identification number, context of employment, derogations for scientific, historical research or statistical purposes) / non-compliance with an order or temporary or definitive limitation on processing or suspension of data flows / refusal to allow access to SA (measures preventing investigations by SAs)

Administrative fine up to 20 MM EUR, or “in the case of an undertaking”, up to 4 percent of “total worldwide annual turnover of the preceding financial year”, whichever is higher

- Undertaking is not restricted to a legal person

- Undertaking is “every entity engaged in an economic activity (offering of goods or services with intention to make profit), regardless of the legal status of the entity or the way it is financed”

- May infringements by an entity be attributed to other members of the company group (e.g. parent company)?


Liabilities

Criminal Penalties. Member states must lay down rules on other penalties to infringements of the GDPR, in particular, to infringements not sanctioned by [administrative fines]. They must be effective, proportionate and dissuasive.

- Criminal fines in addition to administrative fines

- Prison sentences/deprivation of profits obtained through infringement of the GDPR (Recital 149)

- Member states must notify the Commission of legislation implementing this requirement

- Ne bis in idem


Discussion

Enforcement risk:

- GDPR has teeth

- Symbolic actions/policy-making

- Supervisory Authorities are rooted in local tradition – will want to continue certain policy

- Consumer-awareness

- Stakes are higher than before for all parties


About Alston & Bird’s Privacy and Data Security Practice:

Cybersecurity Preparedness & Response Team

Alston & Bird’s Cybersecurity Preparedness & Response Team specializes in assisting clients in both preventing and responding to security incidents and data breaches, including all varieties of network intrusion and data loss events.

www.alstonsecurity.com

Privacy & Data Security Team

Our team helps clients at every step of the information life cycle, from developing and implementing corporate policies and procedures to representation on transactional matters, public policy and legislative issues, and litigation.

www.alston.com/privacy

Questions