Role of the Supervisory Authorities, Commission and EDPS Jan Dhont, Alston & Bird LLP October 24, 2016

2 Overview
- Introduction
- New roles of the Supervisory Authorities, EDPB, Commission and EDPS
- Lead SAs, cross-border processing and main establishment
- Remedies, liability and penalties

3 Concern #1: Harmonization
Harmonization
- A single set of rules
- GDPR has direct effect
- More granular provisions
- Cooperation and consistency procedures
- Role of the EDPB and Commission
Diversification
- GDPR provides for national implementation in many instances
- Cultural and linguistic variation
- Divergent SA positions/court rulings may have more authority than before (adverse effects)

4 Concern #2: Effective Enforcement
GDPR's Trinity of Effective Data Protection:
- Accountability
- Enhanced data protection rights
- Increased enforcement and sanctions

5 Supervisory Authorities
- Member States must organize SAs and adopt legislation ensuring effective functioning and new role (Art. 54)
- Sufficient financial and human resources
- More enforcement/judicial role than administrative
Policy-making/Education
- Promote public awareness
- Provide information to individuals concerning rights
- International cooperation on legislative and administrative measures
- Monitor relevant developments (technologies and commercial practices)
- Contribute to EDPB activities
- Specific tasks re DPIAs, certifications of data protection seals and marks, etc.
Authorizations/Administrative
- Periodic review of certifications
- Approve BCRs
- Prior consultations
- Records of measures in light of complaint handling
Enforcement
- Complaint handling
- Cooperate with other SAs and provide mutual assistance
- Conduct investigations (also further to requests from other SAs or public authorities)

6 Supervisory Authorities: Extended Powers (Art. 58)
Investigative
- Order companies to provide information
- Auditing
- Obtain access to all information necessary for performance of tasks
- Obtain access to premises, including equipment/means
Corrective
- Issue warnings
- Issue reprimands (infringements)
- Order compliance with data protection rights
- Order to bring processing into compliance (in a specified manner/time period)
- Order to communicate data breach to individuals
- Order ban on processing/suspension of data flows
- Withdraw certifications
- Impose administrative fines
Advisory/Authorization
- Advise in context of prior consultation and authorize processing
- Issue opinions to local authorities
- Issue opinions concerning codes of conduct and their approval
- Accreditation of certification bodies
- Issue certifications and approve certification criteria
- Adopt standard model clauses
- Approve BCRs

7 European Data Protection Board
EDPB
- Replaces the Article 29 Working Party
- Heads of the SAs, the EDPS or their representatives
- Will have legal personality
- Decisions by simple majority (default) (Art. 72)
Tasks
- Guidelines and recommendations similar to WP 29 today
- Encourage drawing-up of codes of conduct/certifications/data protection seals
- Adequacy assessments
- Promote cooperation between SAs, training, exchange of knowledge
- Issue opinions and binding decisions in context of the consistency mechanism
- Maintain register of opinions and decisions taken in context of the consistency mechanism

8 The Commission and the EDPS
EU Commission
- Adequacy decisions and model clauses
- Participates in EDPB meetings without voting rights
- Request referral of SA decision to EDPB if EU-wide impact (Art. 64(2))
- Technical protocols on exchange of information in the context of BCR applications and SAs' duty of mutual assistance (Art. 47(3) and Art. 61(9))
- Delegated and implementing acts (e.g. icons for notices, approval of codes of conduct, criteria for certification mechanism)
EDPS
- Participates in EDPB meetings, but only has voting rights for issues relating to EU institutions
- Hosts secretariat of EDPB (important change!)
- Revision of Regulation 45/2001 on its way, expected end 2017

9 Judiciary
National courts likely to become more involved:
- Judicial review of SA decisions
- GDPR underscores right to effective judicial remedy
ECJ:
- Annulment of EDPB decisions
- Preliminary rulings

10 Discussion
- Companies will primarily be engaged with Supervisory Authorities
- Substantial national variation of law; local guidance of SAs remains important
- Supervisory Authorities have different cultural backgrounds and may push their own policy
- Exact roll-out of tasks not yet clear since national laws need to be adopted (e.g. Germany, France)
- EDPB will play a more direct role for companies: it can take binding decisions in specific cases
- Impact of national case-law:
  - More important source of law than before
  - Divergent effect of national case law over the mid-long term

11 What SA is competent? Preliminary
- Original proposal: single set of rules and one-stop-shop
- Questions:
  - To what extent do we still have a one-stop-shop?
  - What value in structuring governance in light of the location of the Lead SA?

12 Supervisory Authorities: Competences
Local SA competent for
- Exclusively local matters (Art. 55(1)), BUT local SA must notify Lead SA
- Processing for compliance with national law or for national public interest remains exclusively for the local SA (Art. 55(2))
Lead SA competent for
- Cross-border processing ("One-Stop-Shop") (Art. 56)
- Lead Authority is SA of main establishment or single establishment
- Lead must cooperate with SAs concerned (Art. 60(1)) and relevant SAs have right to be involved in joint operations

13 Key Concepts: Cross-Border Processing
Processing by a controller or processor that has effects in more than one Member State, because the processing either:
- Benefits or concerns ("takes place in the context of the activities of") multiple establishments of a controller/processor which is established in more than one Member State; or
- Takes place in only one establishment of a controller/processor but substantially affects data subjects in more than one Member State.

14 Cross-Border Processing Quiz
Yes/No?
- Data controller in Belgium retaining a third-party processor in France?
- Same, but the processor is owned by the controller?
- Company group of entities in 6 EU countries, acting as a controller, retaining a third-party cloud provider in Belgium?
- Same, but the provider is outside the EU?
- US online service provider with a representative office in the EU?

15 Cross-Border Processing: Discussion
- Does NOT necessarily require the transfer of personal data (though in practice it will mostly involve a transfer)
- Presence in more than one Member State does NOT automatically mean cross-border processing
- NO cross-border processing in case of extra-territorial application!
- Problem: in practice, typically no plurality of establishments but of controllers/processors (potentially defunct definition)
- What is sure: lots of potential grey zone; WP29 is working on guidance

16 Key Concepts: Main Establishment
Main establishment, as regards:
- A controller: the place of its central administration in the EU, unless decisions on purposes and means are taken in another establishment of the controller in the EU AND the latter has the power to have such decisions implemented.
- A processor: the place of its central administration in the EU, or, if the processor has no central administration, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place.
Examples/Cases
- In case of a processor internal to the group (e.g., shared data center), the location of the HQ will arguably be determining
- Only US HQs and no EU HQs?
- What in case of vertical organization of the business (e.g., 3 business lines with business HQs in more than one Member State)?

17 Cooperation Procedure
COOPERATION (Art. 60)
Lead SA must cooperate with other SAs to reach consensus:
- Exchange information
- Provide mutual assistance (Art. 63)
- Joint operations (Art. 62)
Steps:
1. Lead SA provides information and submits the draft decision without delay to the local Supervisory Authorities concerned
2. Local Supervisory Authorities concerned may raise a reasoned objection, within 4 weeks
3. Lead SA follows the reasoned objection: Lead SA must submit a revised draft decision to the local SAs concerned, who have 2 weeks; if no further objections, SAs are bound
4. Lead SA does NOT follow the objection, or decides the objection is not relevant and reasoned: dispute settlement under the Consistency Mechanism before the EDPB (CONSISTENCY, Art. 63 et seq.)
5. Lead SA will notify the controller/processor, the SAs and the EDPB
Notes:
- A decision may be split into different decisions
- Controller/processor must take measures to ensure compliance with the decision THROUGHOUT the Union and notify the Lead SA of the implementation measures

18 Consistency Procedure
Opinion of EDPB (Art. 64)
Opinion must be obtained in certain cases:
- Obligatory in specific cases (e.g. BCRs, model contracts, accreditation of certification body, etc.)
- Any matter that has multijurisdictional effects, upon request of an SA, the EDPB Chair or the Commission
- Lack of mutual assistance between SAs
Timing:
- Opinion to be provided within 8 weeks (extendable by another 6 weeks)
- Supervisory authority must not take a decision until the Opinion has been obtained
- Supervisory authority shall take into account the Opinion within 2 weeks and notify its position to the EDPB
Dispute Resolution by EDPB (Art. 65)
Binding decision:
- In case an SA has raised a relevant and reasoned objection to a draft decision or the LSA rejected an objection of an SA
- Issues concerning competency
- SA does not request an EDPB Opinion where required or does not follow the EDPB Opinion
Timing:
- Decision must be adopted by the EDPB within one month (extendable by another month) [2/3 majority vote]
- If no outcome, extendable by another 2 weeks [simple majority vote]
- SA and Commission will be notified of the decision
- SA must adopt its final decision on the basis of the [EDPB] decision

19 Supervisory Authorities: One-Stop-Shop
- Possible political use of the procedure by the Lead SA: Lead may take up a matter with a view to bringing it to the EDPB (Art. 60(4) jo. 63)?
- There is value in organizing corporate governance to interact with a pragmatic Lead SA
- Jurisdiction of the Lead SA will in practice often be the country with the most important/significant processing for the company group
- Lead SA will be the sole interlocutor for cross-border processing and be in the driver's seat
- Lead SA has authority to reject the decision of a local SA and instead handle the matter itself in accordance with the cooperation procedure

20 Remedies, Liability and Penalties

21 Remedies
Complaint with SA (Art. 77)
- Every data subject
- In particular, in (i) Member State of habitual residence, (ii) place of work, or (iii) place of alleged infringement
- SA required to inform complainant on progress and outcome AND available judicial remedies
Effective remedy against an SA (Art. 78)
- Every data subject or legal person
- Remedy against a legally binding decision of the SA concerning them
- In case of non-action of the SA, or non-information of the data subject on progress within 3 months
- Before the court of the Member State where the SA is established
- Full remedy (facts and law)
- Opinion/decision of the EDPB must be provided to the court
Effective judicial remedy against a controller or processor (Art. 79)
- Every data subject
- Contended violation of rights under the GDPR as a result of processing in non-compliance with the GDPR
- Court of the Member State of establishment of the controller/processor
- Alternatively, court of the Member State where the data subject has habitual residence (unless public authorities)
- EDPB decisions cannot be challenged before national courts
- Annulment action before the ECJ if individually and directly concerned (Art. 263 TFEU)

22 Judicial Remedies
- National court may (or must, in case of Art. 267 TFEU) request the ECJ for a preliminary ruling
- Companies, individuals and SAs can bring annulment actions against EDPB decisions before the ECJ (Art. 263 TFEU):
  - SA can bring action within 2 months after notification
  - If decisions are of direct and individual concern to a controller/processor/data subject, within 2 months after publication on the website of the SA
- Companies and natural persons directly and individually concerned must challenge the EDPB decision before the ECJ (recital 143)!

23 Remedies: Discussion
- What if the controller or processor has no establishment in the EU? Can the representative be sued? Effect?
- Can companies challenge a decision which concerns them indirectly? (E.g., a decision having impact at industry level?)
- Not-for-profit bodies and consumer organizations can be mandated to exercise procedural rights and the right to receive compensation (Art. 80)
- Member States can also empower consumer organizations to act independently (!) (Art. 81)

24 Liability Regimes: Civil Liability
Any person who suffered damage has the right to receive compensation from the controller or processor for damage suffered as a result of an infringement of the GDPR (Art. 82 GDPR).
- Strict liability regime
- Controller or processor have the burden of proof to discharge
- Joint and several liability: the processor may need to pay first!
- Compensating party may claim back that part of the compensation corresponding to their part of responsibility for the damage
- Processor ultimately cannot be held liable for damage relating to controller obligations; need for clear contract language

25 Liability Regimes: Administrative Fines
Supervisory Authorities must ensure effective, proportionate and dissuasive application of administrative fines (Art. 83).
- In addition to, or instead of, corrective measures
- Criteria for fining and amount are set forth in the GDPR, for instance (recital 148):
  - sensitive data
  - measures taken to mitigate damage
  - degree of responsibility (!)
  - degree of cooperation
  - notification of the SA (<> principle of non-self-incrimination)
  - privacy certifications
  - financial gain
- Total amount limited to the amount for the gravest infringement
- Effective judicial remedy and due process

26 Administrative Fines
Core violations (administrative fine up to 20 MM EUR, or in the case of an undertaking, up to 4 percent of total worldwide annual turnover of the preceding financial year, whichever is higher):
- General processing principles
- Lawfulness of processing (legal basis)
- Consent conditions
- Sensitive data processing
- Data subjects' rights
- Third country transfers
- Chapter IX processing (freedom of expression, public access to official documents, national identification number, context of employment, derogations for scientific, historical research or statistical purposes)
- Non-compliance with an order or temporary or definitive limitation on processing or suspension of data flows
- Refusal to allow access to the SA (measures preventing investigations by SAs)
Other violations (administrative fine up to 10 MM EUR, or in the case of an undertaking, up to 2 percent of total worldwide annual turnover of the preceding financial year, whichever is higher):
- Children's data processing
- Processing not requiring identification
- Data protection by design or default
- Joint controller obligations
- Appointment of representative
- Processor obligations
- Records of processing
- Cooperation duty with SAs
- Information security
- Breach notification to the SA and to the data subject
- DPIAs
- Prior consultation
- DPO obligations
- Certification
Undertaking:
- Undertaking is not restricted to a legal person
- Undertaking is every entity engaged in an economic activity (offering of goods or services with the intention to make profit), regardless of the legal status of the entity or the way it is financed
- May infringements by an entity be attributed to other members of the company group (e.g. parent company)?

27 Liabilities: Criminal Penalties
Member States must lay down rules on other penalties for infringements of the GDPR, in particular for infringements not sanctioned by [administrative fines]. They must be effective, proportionate and dissuasive.
- Criminal fines in addition to administrative fines
- Prison sentences/deprivation of profits obtained through infringement of the GDPR (recital 149)
- Member States must notify the Commission of legislation implementing this requirement
- Ne bis in idem

28 Discussion
Enforcement risk:
- GDPR has teeth
- Symbolic actions/policy-making
- Supervisory Authorities are rooted in local tradition and will want to continue certain policies
- Consumer awareness
- Stakes are higher than before for all parties

29 Questions
About Alston & Bird's Privacy and Data Security Practice:
Privacy & Data Security Team: Our team helps clients at every step of the information life cycle, from developing and implementing corporate policies and procedures to representation on transactional matters, public policy and legislative issues, and litigation.
Cybersecurity Preparedness & Response Team: Alston & Bird's Cybersecurity Preparedness & Response Team specializes in assisting clients in both preventing and responding to security incidents and data breaches, including all varieties of network intrusion and data loss events.