Category Archives: Ireland

One-stop shop starts to get interesting

The disagreement between the EU supervisory authorities over an Irish DPC draft decision could mark the start of a line of cases which the EDPB will need to resolve – and maybe resolve to the consternation of the DPC, and Big Tech.

As the UK hurtles backwards, blindfolded and with both arms tied behind its back, towards the precipice that is the end of the Brexit implementation period (31 December), and with no sign that the government is particularly pushing for an adequacy decision for the UK, it hardly seems worth it (the ICO is, for instance, already no longer a member) to analyse the implications of the news that the European Data Protection Board (EDPB) is being required to take its first binding decision pursuant to Article 65 of GDPR.

But I’m going to.

The Article 65 process has been triggered because an unspecified number of other supervisory authorities have raised objections (as they are entitled to) to the draft decision of the Irish Data Protection Commissioner (DPC) – the lead supervisory authority – in its investigation of whether Twitter (more correctly “Twitter International Company”) complied with its personal data breach obligations under Article 33 of GDPR, in relation to a notification it made to the DPC in November 2018. In line with Articles 56 and 60, the DPC submitted its draft decision in May of this year. As this was a case involving cross-border processing, the DPC was required to cooperate with the other supervisory authorities concerned. One assumes, given the controller involved, that this meant the supervisory authorities of all member states. One also assumes that most complaints involving Big Tech (many of whom tend to base their European operations in Ireland, thus making the DPC the default lead supervisory authority) will similarly engage the supervisory authorities of all member states. The DPC already has many such complaint investigations, and, courtesy of civil society groups like “NOYB”, it is likely to continue to get many more.

Article 65 provides that where another supervisory authority “has raised a relevant and reasoned objection” to a draft decision of the lead supervisory authority, and the latter then doesn’t agree, then the EDPB must step in to consider the objection. The EDPB then has one month (two if the subject matter is complex) to reach a two-thirds majority decision, or, failing that, within a further two weeks, to reach a simple majority decision. The decision is binding on all the supervisory authorities.

And here’s where it gets interesting.

Because it must mean that, in circumstances where the EDPB agrees with an objection, then the lead supervisory authority will be bound to accept a decision it probably still does not agree with, and determine the substantive matter accordingly. In the context of the DPC, and its jurisdiction over the European processing of the world’s largest technology companies, this sounds like it might be a lot of fun. There are many supervisory authorities on the EDPB who take a substantially harder line than the DPC – if they end up being part of a simple majority which results in a “robust” binding decision, fur might well fly.

The controller being investigated appears to be able to challenge the EDPB’s decision by way of judicial review under Article 263 of the Treaty on the Functioning of the European Union. There is no direct route of appeal under the GDPR. But presumably an aggrieved controller may also potentially challenge the lead supervisory authority’s decision (which, remember, the latter might essentially disagree with) through the domestic courts, perhaps to the point where a referral to the CJEU could then also be made.

No doubt some of this may become clearer over the next few months. And, though it pains me to say it, and though it would be a development fraught with complexity and political shenanigans, maybe the UK will start to look like a more attractive place for Big Tech to base its European operations.

[This piece was updated on 24.08.20 to correct/clarify a point about the availability of judicial review of the EDPB].

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Filed under adequacy, Data Protection, EDPB, Europe, Ireland

Schrems II – this time it’s serious

As soon as judgment came out, my Mishcon de Reya colleague Adam Rose and I recorded our initial reactions to the CJEU’s decision in Schrems II. Here’s the link to the recording. Excuse my lockdown locks.

Some takeaways

  • The EU-US Privacy Shield arrangement for transferring personal data to the US is declared invalid.
  • Parties using Standard Contractual Clauses to transfer personal data from the EEA to countries outside must not do so if, in their assessment, the recipient country doesn’t provide an adequate level of protection. There must now be serious questions as to whether any transfers to the US can be valid.
  • The Binding Corporate Rules regime used by some of the world’s biggest international groups must now also be open to challenge.
  • Data Protection Authorities (such as the ICO) must intervene to stop transfers under SCCs which are made to countries without an adequate level of protection.
  • Post-Brexit UK may be seen as an attractive place for US companies to base operations, but there may well be further legal challenges to such arrangements.

Filed under adequacy, Data Protection, Directive 95/46/EC, Europe, facebook, GDPR, Information Commissioner, Ireland, national security, privacy shield, surveillance