Buildup of disputes among EU data regulators risks logjam at EDPB
02 June 2022 06:00 by Sam Clark
Being able to agree to disagree is the key to any good relationship. Luckily for EU data protection authorities, a mechanism codified in law allows them to do just that.
That mechanism is provided for by Article 65 of the General Data Protection Regulation and managed by the umbrella group of EU watchdogs, the European Data Protection Board. It is used when national regulators can’t agree on enforcement measures in cross-border cases or when they can’t agree who the lead authority should be.
Until recently, it had been used only twice: in Irish enforcement cases against Twitter in 2020 and Meta Platforms' WhatsApp in 2021. Four out of around 2,000 cross-border cases processed in the four years since the GDPR came into force is not bad going.
But the number has been doubled by two Article 65 cases that emerged last month — a French case against hotel operator Accor, the largest hospitality company in Europe, and an Irish case against search giant Google.
In addition, the Irish Data Protection Commission has said two other investigations, into Meta's Facebook and Instagram, are also likely to go to Article 65. The latter is expected to begin the process very soon, the watchdog's chief, Helen Dixon, has said.
And, while not yet confirmed, the Irish enforcer appears also to have two further cases, against WhatsApp and Instagram, as likely contenders to go through the dispute resolution mechanism. These cases, brought after a complaint by Noyb in May 2018, concern the "legal basis" for processing data. Organizations must only process data if they can show they use one of six legal bases set out by the GDPR to do so.
Noyb revealed late last month that these Instagram and WhatsApp cases were close to conclusion, having been sent to the EDPB for the usual process of consideration by other regulators. They are nearly identical “sister” complaints to the Facebook case that Dixon said in February is also likely to go to Article 65.
By this count, it is feasible that at least six cases could go through the Article 65 procedure in 2022, compared to only one in 2020 and one in 2021.
It is not necessarily a bad thing, and was in some respects inevitable, that more cases have now needed dispute resolution. The GDPR is a large and complex law, with significant wiggle room for interpretation in places.
The most complicated enforcement examples — which by their nature are the ones most likely to create inter-regulator disputes — are likely to be against large companies with sophisticated legal teams, meaning the whole process can take years. Four years after the GDPR came into force, that juncture is now being reached increasingly regularly.
The problem, however, may lie in the workload that this puts on the EDPB. Though the umbrella group is accorded various procedural powers by the GDPR, the board is not large, and the cases that reach Article 65 are complex and contentious.
The default deadline given to the EDPB to decide such cases is one month, but it has the option of extending this to two months. In both completed Article 65 cases, it chose to extend its deadline due to their complexity.
EDPB chairwoman Andrea Jelinek told MLex recently that deciding Article 65 cases is the “most stressful” work for the body’s staff and its constituent regulators. With as many as six more coming down the line this year, a snarl-up seems inevitable.
This places extra significance on the board’s recent announcement of its intention to “streamline” the Article 65 process. Jelinek told MLex that this will involve regulators working together to clarify issues in the relevant case before the mechanism formally kicks in. This may serve two purposes: avoiding Article 65 altogether, and making the dispute resolution process easier if it is unavoidable.
The plans to streamline Article 65 formed part of a wider agreement to cooperate and work to fixed deadlines on cases of “strategic importance” — a significant step that signals a need to get EU data regulators singing from the same hymn sheet after years of increasingly bitter disagreements and criticism from the sidelines.
Marie-Laure Denis, head of French privacy regulator CNIL, told MLex that she thinks the recent cooperation pact will make enforcement more efficient. “We are very determined to speed up,” she said.
Generally, the system is working; just one in every 1,000 cross-border cases has so far gone through the Article 65 process. But given how challenging it is for the EDPB to resolve each dispute, only a slight increase may significantly stress the system.
A move towards more centralized enforcement of the GDPR may or may not be the solution to this problem, and it is unlikely to happen any time soon, but an upcoming conference, attended by regulators and hosted by the European Data Protection Supervisor — a connected but distinct organization to the board — is expected to be the venue for serious consideration of a change in that direction.
And in big enforcement cases, the final decision is invariably appealed. Although the EDPB doesn’t technically issue the final enforcement notice, WhatsApp appears to think that it played a significant enough role that it should be challenged, so it has applied to the EU General Court to annul the board's decision.
With more cases going through Article 65, it's reasonable to expect an increasing number of challenges to Jelinek’s decisions — and an emerging body of case law on some of the most complex interpretations of data protection law.
With additional reporting by Matthew Newman.