European Data Protection Board

Cross-border cooperation and consistency procedures – State of play

Friday, 20 July, 2018

Brussels, 19 July – An important innovation of the General Data Protection Regulation (GDPR) is the new way in which the supervisory authorities of the Member States closely cooperate to ensure a consistent application as well as a consistent protection of individuals throughout the EU.

During its second plenary meeting on 4 and 5 July the EDPB discussed the consistency and the cooperation systems, sharing first experiences on the functioning of the One-Stop Shop mechanism, the performance of the Internal Market Information System (IMI), the challenges the authorities are facing and the type of questions received since 25 May. Most data protection authorities reported a substantial increase in complaints received. The first cross-border cases were initiated in IMI on 25 May. Currently, around 100 cross-border cases in IMI are under investigation.

The EDPB Chair Andrea Jelinek said: “Despite the sharp increase in the number of cases in the last month, the Members of the EDPB report that the workload is manageable for the moment, in large part thanks to a thorough preparation in the past two years by the Article 29 Data Protection Working Party. However, we should only expect the first results of the new procedures to deal with cross-border cases in a few months from now. To handle complaints, lead supervisory authorities will have to carry out investigations, observe procedural rules, and coordinate and share information with other supervisory authorities. The GDPR sets specific deadlines for each phase of the procedure. All of this takes time. During this time, complainants are entitled to be kept informed on the state of play of a case. The GDPR does not offer a quick fix in case of a complaint but we are confident the procedures detailing the way in which the authorities work together are robust and efficient.”

Background

In cross-border cases, supervisory authorities (SAs) have to cooperate in order to ensure a consistent application of the GDPR.

The Lead Supervisory Authority (LSA) has to cooperate with the other supervisory authorities in an endeavour to reach consensus.

In this case, the so-called consistency mechanism can be triggered. Under this mechanism the European Data Protection Board (EDPB) issues opinions or, in case of dispute between national data protection authorities, issues binding decisions to arbitrate.

In the cooperation phase, it is the Lead Supervisory Authority that acts as the main point of contact for the controller and processor and drafts a decision. The LSA needs to submit a draft decision to the SAs concerned. The SAs concerned can express relevant and reasoned objections to the draft decision; the LSA can decide to follow or not to follow the objection.

When none of the SAs concerned objects, they shall be deemed in agreement with the draft decision.

If the LSA intends to follow the objection, it shall submit a revised draft decision to the other SAs concerned.

If the LSA has rejected a reasonable or relevant objection, the case is referred to the Board (Art. 65 – Dispute resolution by the Board). The Board then issues a binding decision. The LSA shall adopt its final decision on the basis of the Board’s binding decision.

The Internal Market Information System (IMI) is the IT platform chosen to support the cooperation and consistency procedures under the GDPR.

The so-called consistency mechanism can also be triggered to ask the Board to issue an opinion, as regards a draft decision submitted by a supervisory authority or following a request concerning a matter of general application or producing effects in more than one Member State.