Clarity needed on EU system for cross-border privacy probes, regulators say

16 May 2017. By Vesela Gladicheva.

National regulators aren't clear on how new EU-wide data-protection rules will work in practice when they cooperate on cross-border investigations, the Irish and Belgian privacy watchdogs have said.

In addition, parts of the anticipated cooperation mechanism could also need to be revised within a few years to keep regulators' approaches aligned, said Willem Debeuckelaere, who heads Belgium's Privacy Commission.

Companies operating in multiple EU states are also eager to see more details about how regulators will work together to resolve breaches of the EU's General Data Protection Regulation, or GDPR, which will come into force in May 2018.

Ireland's data protection commissioner, Helen Dixon, warned at a conference* in Berlin yesterday that "thousands and thousands of cases" of companies operating across EU borders will be subject to joint probes by national privacy regulators.

Under the GDPR, regulators will team up when data-privacy violations are traced back to international companies providing services in more than one EU country.

Under a "one-stop-shop mechanism," the regulator in the country where the company has its European head office will have a leading role in investigations.

But Dixon warned that how exactly watchdogs would work together on probes was still far from clear — suggesting some authorities might choose to diverge from the EU-wide cooperation mechanism.

"There does seem to be a strong commitment from the data-protection authorities to make this work," she said. "But the proof will be the pudding. It remains to be seen how it will work in practice."

Dixon voiced particular concern at the complexity of the one-stop-shop mechanism and the potentially high number of cross-border violations that could end up going before a European Data Protection Board composed of national regulators.

Fragile system

Debeuckelaere described the GDPR's provisions on cooperation between regulators as a "great fragility" of the law, because they could see national watchdogs adopting different enforcement stances on the same case.

Speaking at a separate conference** in Brussels last week, he called a unanimous application of the rules "a very difficult point to reach." He said he was skeptical about whether the cooperation mechanism would work.

National regulators all aim to work in parallel under the GDPR by commonly drafting implementing guidelines for companies, Debeuckelaere explained.

"But I'm afraid that when we come to real cases . . . this unity that is now working will disappear," he said. "The devil is . . . in the application [of the rules] against your own companies in your own country."

Debeuckelaere said that in a few years' time, regulators will face a need to review cooperation provisions to keep the law being applied consistently across EU member states.

"We now have the consistency mechanism," he said. "But if it will lead to real consistency, I don't know."

* "7th European Data Protection Days," Berlin, May 15-16, 2017
** "Annual Conference on European Data Protection Law 2017," Academy of European Law, Brussels, May 11, 2017

Privacy report