Tag Archives: Europe

One-stop shop starts to get interesting

The disagreement between the EU supervisory authorities over an Irish DPC draft decision could mark the start of a line of cases which the EDPB will need to resolve –  and maybe resolve to the consternation of the DPC, and Big Tech

As the UK hurtles backwards, blindfolded and with both arms tied behind its back, towards the precipice that is the end of the Brexit implementation period (31 December), and with no sign that the government is particularly pushing for an adequacy decision for the UK, it hardly seems worth it (the ICO is, for instance, already no longer a member) to analyse the implications of the news that the European Data Protection Board (EDPB) is being required to take its first binding decision pursuant to Article 65 of GDPR.

But I’m going to.

The Article 65 process has been triggered because an unspecified number of other supervisory authorities have raised objections (as they are entitled to) to the draft decision of the Irish Data Protection Commissioner (DPC) – the lead supervisory authority – in its investigation of of whether Twitter (more correctly “Twitter International Company”) complied with its personal data breach obligations under Article 33 of GDPR, in relation to a notification it made to the DPC in November 2018. In line with Articles 56 and 60, the DPC submitted its draft decision in May of this year. As this was a case involving cross-border processing, the DPC was required to cooperate with the other supervisory authorities concerned. One assumes, given the controller involved, that this meant the supervisory authorities of all member states. One also assumes that most complaints involving Big Tech (many of whom tend to base their European operations in Ireland, thus making the DPC the default lead supervisory authority) will similarly engage the supervisory authorities of all member states. The DPC already has many such complaint investigations, and, courtesy of civil society groups like “NOYB“, it is likely to continue to get many more.

Article 65 provides that where another supervisory authority “has raised a relevant and reasoned objection” to a draft decision of the lead supervisory authority, and the latter then doesn’t agree, then the EDPB must step in to consider the objection. The EDPB then has one month (two if the subject matter is complex) to reach a two-thirds majority decision, or, failing that, within a further two weeks, to reach a simple majority decision. The decision is binding on all the supervisory authorities.

And here’s where it gets interesting.

Because it must mean that, in circumstances where the EDPB agrees with an objection, then the lead supervisory authority will be bound to accept a decision it probably still does not agree with, and determine the substantive matter accordingly. In the context of the DPC, and its jurisdiction over the European processing of the world’s largest technology companies, this sounds like it might be a lot of fun. There are many supervisory authorities on the EDPB who take a substantially harder line than the DPC – if they end up being part of a simple majority which results in a “robust” binding decision, fur might well fly.

The controller being investigated appears to be able to challenge the EDPB’s decision by way of judicial review under Article 263 of the Treaty of the Functioning of the European Union. There is no direct route of appeal under the GDPR. But presumably an aggrieved controller may also potentially challenge the lead supervisory authority’s decision (which, remember, the latter might essentially disagree with) through the domestic courts, perhaps to the point where a referral to the CJEU could then also be made.

No doubt some of this may become clearer over the next few months. And, though it pains me to say it, and though it would be a development fraught with complexity and political shenanigans, maybe the UK will start to look like a more attractive place for Big Tech to base its European operations.

[This piece was updated on 24.08.20 to correct/clarify a point about the availability of judicial review of the EDPB].

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under adequacy, Data Protection, EDPB, Europe, Ireland

Ofqual and the International Baccalaureate – more woes?

UPDATE: 23.08.20 One week on from this original post below, and it is clear (and unsurprising, when one reads the details) that many IB students are still deeply unhappy about the process, and now, with the u-turn on the A-Level awards, are arguably feeling even further aggrieved that their results are still tied to the outcome of what they see as a flawed an unfair algorithmic process. Also one week on, there seems to have been no word from the ICO about the decision of the Norwegian DPA, and what it means for UK IB students. END UPDATE.

UPDATE: 17.08.20 It appears that the IBO has responded to concerns (and possibly to the Norwegian DPA’s investigation, by reviewing the results, and making an adjustment to awarded results, with the emphasis that “no student will receive a lower grade than what was received previously”) END UPDATE.

In a piece for the Mishcon de Reya website last week, I noted, in the context of the recent A-Level awards fiasco, that the Norwegian Data Protection Authority had sent the International Baccalaureate Association (IBO) an advance notification that it was going to order the latter to rectify grades it had awarded based on “so-called ‘school context’ and ‘historical data'”. The IBO has until 21 August to “contradict” the Norwegian DPA’s draft decision.

What I had not fully appreciated were two things:

  1. The effect of the Norwegian DPA’s draft decision, should it be formalised, may be that all IBO grades based on such data would have to be re-done, not just those of Norwegian children.
  2. In a move now saturated with irony, the IBO’s grading process is, apparently, already being scrutinised by…erm…Ofqual, to whom the IBO’s awarding model was submitted , both prior to its actual use and to the issue of results.

The second point raises the rather remarkable possibility that Ofqual was a controller, in GDPR terms, for the International Baccalaureate model, as well as for the English A-Levels. This will only add to its already significant woes.

The first point turns on this: the IBO is based in Switzerland. Although Norway is not in the EU, it is in the European Economic Area (EEA), and by a joint agreement of July 2018 GDPR was incorporated into the EEA Agreement. To the extent that the IBO is offering (which it clearly is) goods or services to data subjects in the  European Union, it is subject to GDPR’s extra-territorial provisions at Article 3(2). So, although in theory, the Norwegian DPA’s decision would only apply in respect of the processing of personal data in respect of Norwegian data subjects, in practice it is very difficult to see how the IBO could comply with an order only applying to Norwegians, when the effect of the order would be that IB candidates across everywhere would have had their data impermissibly processed in the same way. If it decided not to redo all awards, and just Norwegian ones, then presumably supervisory authorities across Europe, including the Information Commissioner in the UK, would need to investigate.

[This post was edited to reflect the blindingly obvious point that Norway is not in the EU, but is in the EEA. I’m embarrassed to admit that I’m only human]

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under accuracy, EDPB, Europe, GDPR, Information Commissioner