One of the major purposes of the Regulation is to ensure a consistent application of data protection law throughout the EU, not only to provide a high level of data protection but also to guarantee legal certainty for businesses when handling personal data. This has presented legislators with one of their biggest challenges: how to maintain the existing network of independent national DPAs, whilst ensuring that they promote a consistent interpretation of the Regulation and minimising the number of different DPAs which a controller has to deal with. It remains to be seen whether they have devised a workable solution.
Status and powers of the DPAs
Under the Regulation, each Member State is required to establish one or more independent DPAs responsible for monitoring compliance, and to ensure they are adequately resourced. If a Member State establishes more than one DPA, it must designate one DPA to represent the other DPAs in the European Data Protection Board and has to implement proceedings to ensure that all DPAs comply with the cooperation and consistency mechanism created by the Regulation. DPAs are provided with a broad range of enforcement powers, including:
- to notify data controllers or data processors of an alleged breach of data protection law
- to order data controllers and data processors to provide or to allow access to any information relevant for the performance of its duties
- to carry out investigations in the form of on-site audits
- to order the rectification, erasure or destruction of personal data
- to impose a temporary or definitive ban on processing
- to impose administrative fines.
The cooperation and consistency mechanism and One Stop Shop
A key innovation of the Regulation is that where a controller is established in more than one Member State, the DPA of the country of the main establishment of the controller will be competent to regulate all its data processing activities throughout the EU. This provides an attractive solution for business, but could potentially make it difficult for individuals to pursue complaints. Some DPAs also raised concerns that it could lead to forum shopping. The three drafts in circulation provide different solutions to the issue and it is likely that this will be one of the most hotly debated provisions during the trialogue stage.
In the Council draft this model applies:
- to data controllers with establishments in several Member States
- where the processing of personal data takes place in the context of the activities of a single establishment and is likely to substantially affect data subjects in more than one Member State.
In these cases, only one lead DPA can bring enforcement actions against the data controller, namely the DPA in the country of the main establishment of the controller. The DPAs of the other affected Member States have to coordinate with the lead DPA to reach a consensus regarding the enforcement measures. If the involved DPAs are not able to reach a consensus, the European Data Protection Board will decide by simple majority. A new European Data Protection Board will be established, with responsibility for approving measures by DPAs which are intended to have legal effects, such as adopting a code of conduct, authorizing contractual clauses for data transfers abroad or approving BCRs. This is intended to promote a consistent approach to enforcement by the different DPAs.
There is an exception to the consistency mechanism by way of an urgency procedure where the competent DPA considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects. In such cases it may adopt provisional measures with a specified period of validity
DPAs may also conduct joint operations, including joint investigations and joint enforcement actions.
Stronger judicial remedies and heavier sanctions
- The Regulation provides individuals with judicial remedies against:
- Decisions of a DPA which concern them
- A DPA, obliging it to act on a complaint
- Data controllers and data processors who breach their rights by failing to comply with the Regulation.
These rights can be exercised by consumer bodies on behalf of data subjects. It will be interesting to see to what extent such organisations bring a different focus to enforcement of rights.
Individuals will also have a right to compensation from both data controllers and data processors for damage suffered as a result of processing carried out in breach of the Regulation (discussions are on-going as to whether this should include non-pecuniary damages). Where more than one data controller and data processor is involved in the processing the Regulation provides that they will be jointly and severally liable unless they can prove that they were not responsible for the event that caused the damage.
A significant change is that sanctions will now apply not only to data controllers, but also to data processors that have breached their data protection obligations. There is also a significant increase in the potential severity of sanctions, acknowledging the fact that current fines are insignificant for certain organisations. Sanctions currently being considered include:
- a written warning in case of first and non-intentional breaches to individuals and organisations with less than 250 employees whose main business is not the processing of personal data
- Fines of up to €250,000 or up to 0.5% of the organisation’s annual worldwide turnover for failure to deal properly with individual’s rights
- Fines of up to €500,000 or up to 1% of annual worldwide turnover for failure to respond to subject access requests in line with the Regulation
- Fines up to €1 million or up to 2% of annual worldwide turnover for other compliance failures such as failure to comply with the requirements regarding profiling, failure to notify data breaches, transferring data internationally without adequate safeguards or failure to appoint a data protection officer.
The level of sanctions will be fixed having regard to factors such as the nature, gravity and duration of the breach and whether this was intentional or negligent, history of previous breaches, the data protection compliance structure that was in place and the level of co-operation with the DPAs to try and remedy the breach.
Likely practical impact
The One Stop Shop mechanism has the potential to be a substantial improvement on the fragmented regulatory activities under the Data Protection Directive, as it may enable businesses which operate across the EU to deal with only one DPA. However, its ultimate form and viability is still unclear, and there remains a risk that the trialogue process will result in an unwieldy mechanism that leaves us with the same or even greater uncertainty as to which regulator is the competent one.
What to do now
- Organisations operating in a number of Member States will benefit from a strategic analysis of the distribution of their data processing activities to assess whether there is a clear country of main establishment, and if not whether it would be beneficial to have one.
- Develop a workable DPA cooperation strategy and procedure.
- Organisations which traditionally act as data processors should to conduct a risk
- assessment of their operations which takes into account the changes in liability.
- Develop guidelines for information requests and inspections by a DPA and train your staff on what to do during an inspection.
- Closely monitor the enforcement actions and announcements of your competent DPA.
This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.” To access the full guide, click here.