Rosemary Jay offers an expert's perspective on the challenges facing the implementation of a ‘One Stop Shop’ under the General Data Protection Regulation
In January 2012 the European Commission published its proposals for a new data protection regime in the European Union. The current Data Protection Directive (95/46/EC) would be replaced by a directive covering the criminal justice sector and a regulation covering all other processing of personal data. The proposed regulation, referred to as the General Data Protection Regulation (GDPR), would mark a radical change to data protection law in Europe. One of the most widely heralded, but at the same time controversial, aspects of the GDPR has been the proposal for a 'One Stop Shop' (OSS) for enforcement of the Regulation for multi-jurisdictional businesses operating in the EU. The proposal for a OSS has raised numerous issues of debate concerning the role of the supervisory authority, the power of a regulatory authority to take enforcement action which will impact outside the jurisdiction in which he/she has competence, the relationship between the OSS and the consistency mechanism, the enforcement of the rights of data subjects and the proximity of remedies to individuals, in particular concerns that the regulator will be too remote from the affected individuals. This article deals with one possible approach to the OSS which has not yet been canvassed and which, it is suggested, could resolve some of the current difficulties.
Changing the perspective
The legal landscape around the OSS is complex and the discussions reflect that complexity. However, it is notable that those complex discussions have focused, and continue to focus, on the role and powers of regulators on the one hand and the position and rights of individual data subjects on the other. In this debate the data controllers who will be subject to the OSS appear as almost shadowy figures, without input and largely without choice; appearing only as passive recipients of the strictures of supervisory authorities or the complaints of data subjects. In practice however, it will be those data controllers, whether retailers, manufacturers, employers, IT companies or any other business, who will have the primary responsibility for making the law work, delivering individual rights, building compliant businesses and communicating with data subjects. It is a truism that the best outcomes are delivered where organisations are committed, engaged and have an active role in building and delivering compliant solutions. As the current texts stand there are few, if any, incentives to engage organisations in this manner.
No doubt there are assumptions that data controllers will engage with regulators to make the OSS work. Such assumptions are perfectly reasonable but the solution would be greatly strengthened if data controllers were to become active participants in delivering the OSS solution.
In this article I set out a simple proposal that the OSS should be designed so that it works with data controllers, engages them actively and thereby encourages the delivery of effective compliance. The proposal is at an early stage of development and no doubt more work would be required if it were to be considered but it is hoped that it offers a useful point for discussion.
At the time of writing (late October 2014) the Commission and the Parliament text are settled. The Council continues to work on its text. It has made papers publicly available in the course of its work. It is clear from those published papers that the Council has carried out significant work on the role of the supervisory authorities but the OSS remains an issue of debate.
The three current texts have different provisions on the OSS, including those dealing with the determination of the roles and powers of supervisory authorities. Nevertheless the texts have the following in common:
· The application of the OSS appears to be automatic. In other words, if a data controller has multiple establishments in the EU the OSS will apply irrespective of whether the data controller seeks to be subject to a OSS and irrespective of the impact of a OSS on data subjects or the resource implications for the supervisory authority.
· Under the OSS a supervisory authority will be able to impose orders on a data controller at its main establishment even if that main establishment cannot exercise control over other establishments in the EU.
· Data controllers are under no specific obligation to facilitate the operation of the OSS. The obligations of a data controller (or processor) subject to a OSS are exactly the same as those of any other data controller.
· There are no incentives for data controllers to take an active role in the working or development of the OSS.
· The OSS appears to be irreversible and unchangeable. There is no power to alter the nature or terms of the OSS irrespective of changes in the context or wider environment.
These are issues of legitimate concern. They risk placing significant impediments in the path of the effective operation of the OSS. It should also be remarked that the system as proposed has a degree of rigidity that may make it difficult to take advantage of learning, development and modification of the concept. Yet this remains a new, untried approach to pan-European regulation. We will not have got it all right first time round. There will be mistakes and no doubt room for improvement in the future.
A OSS has the potential to offer a real benefit to data controllers. That benefit will not be appreciated if a OSS is imposed or operated in a manner that creates difficulties for the data controller when seeking to deliver compliance. The simple alternative would be to offer the OSS as an option to data controllers and regulators; as an inducement to those organisations which are prepared to take additional steps to engage with regulators in making it work. At the simplest level, a data controller should not be entitled to take the benefit of a OSS without offering appropriate assurances that it is committed to working in partnership with the relevant supervisory authorities.
A OSS will not be suitable for all data controllers, even if they operate on a pan-European basis. For example, a business may operate through local subsidiaries which have a great deal of autonomy in how they operate, or subsidiaries may have vastly different activities which engage different forms of processing. Such businesses may be able to engage effectively with data subjects and national regulators without the need for a lead supervisory authority. It would be counter-productive to insist that such data controllers should have to deal with a lead supervisory authority (however the specific powers are allocated between lead and other supervisory authorities).
The proposal this article makes is a simple one. A OSS should be adopted as a partnership with a business. It should be a formal arrangement backed up with statutory structure. In the simplest form the process could be envisaged as follows:
· Any data controller which wishes to have the benefit of a OSS would make an application to its preferred lead regulator setting out the data processing for which it wishes to establish the OSS, the location of its other establishments in the EU which carry out the same data processing, and the basis on which it considers that the lead regulator is the appropriate one.
· The proposed lead regulator would review the application and consult with the regulators for the other relevant places of establishment in the EU, using the consistency mechanism if appropriate.
· In the event that the preferred lead authority refused to accept the application it would notify the data controller and propose an alternative authority, if one was willing to take on the role. If the data controller wished to proceed with the alternative authority it could do so but would not be compelled to do so.
· Once the lead authority accepted the position as lead, the data controller would be required to submit an application for recognition as the lead establishment for the purposes of the OSS. Such an application could include:
· assurances on how the data controller would be able to take effective measures to safeguard the position of individuals so that they could exercise their rights in other jurisdictions (eg so that local offices could deal with complaints in the local language, cooperate with the local supervisory authority over local investigations and deliver local solutions);
· how the data controller would establish reporting lines to and liaison with the lead authority (eg an agreement to compile a record of all the complaints received in the EU and a regular report on such complaints to the lead authority);
· assurances that the data controller has put in place firm arrangements to exercise real control of all the relevant processing carried out in its establishments and would be able to deliver compliance in respect of all such processing;
· how the data controller would guarantee to deliver compliance in all its establishments throughout the EU with any order served by the lead authority.
· Overall, in order to apply for recognition, the lead establishment would have to show evidence that it could deal with compliance for all its branches or other establishments and operate effective oversight of all of its processing in the EU and could guarantee to deliver compliance with any order imposed by the lead regulator (as long as the order does not contravene local law). In other words, the main establishment would have to show that it really holds control over all the relevant processing.
· Recognition could be given for processing of a particular nature (eg all HR data processing in the EU).
· Once the arrangements have been agreed, the proposal would be set out in a formal and binding undertaking from the data controller which would remain in force for a set period of time. In return for that undertaking, the OSS arrangement would be recognised by all the affected supervisory authorities.
· Once recognition applied the supervisory authority of the lead establishment would have the main competence for supervision of the recognised processing.
· Supervisory authorities of other jurisdictions would be restricted in the roles and enforcement and supervisory actions which they could take in respect of the particular processing in respect of the data controller's establishments in their jurisdictions. The restrictions would be designed so as to ensure that proximity for the data subjects was delivered - in other words individual complaints would be handled locally.
· The lead authority would deal with those matters which have a cross-border aspect, including the grant of prior authorisation or dealing with prior consultation for new processing, providing guidance or advice to the business, taking notification of security breaches and determining whether notice should be provided to data subjects and enforcement of measures having a cross border operation. It would also operate as a central point of knowledge and liaison with the business.
· The lead supervisory authority would be able to seek the cooperation of the other relevant supervisory authorities for example in conducting local investigations or carrying out routine audit of facilities.
· The business would report to the lead authority and carry the burden of collating and reporting information (eg on its complaints). The lead supervisory authority would be responsible for reporting on its supervisory activities in respect of the data controller and making all the relevant information available to the other relevant supervisory authorities.
· If the lead supervisory authority issued an order or enforcement action against the data controller which required it to carry out certain actions in its other establishments or some of them:
· if the order was lawful under local law a failure by the local establishment to comply would result in sanctions against the main establishment (which might include withdrawal of the recognition of the OSS);
· if the order was not lawful under local law of the local establishment (eg the local law had a derogation which did not apply in other places), the lead supervisory authority would not be empowered to impose any penalties or action as a result of that non-compliance.
· At the end of the three-year (or other) period the arrangement would be reviewed and could be renewed or re-negotiated.
A well-developed precedent in the data protection area for the use of a formal structure to deliver compliance is the use of Binding Corporate Rules (BCRs). BCRs have been developed to provide practical and deliverable compliance in co-operation with data controllers. A OSS recognition would not require the same level of detail as a BCR application but would utilize the same concept of using a binding legal commitment from the data controller to work with the regulators within a statutory scheme.
There are, no doubt, many other precedents in other areas of regulation across the EU. We can mention here one from the UK which has some similarities and from which some lessons could perhaps be drawn.
In 2009 the UK launched a Primary Authority initiative for businesses which are subject to the jurisdiction of multiple provincial enforcement authorities in areas such as health and safety. Under the initiative, businesses are able to form a statutory partnership with a lead authority. The lead authority issues guidance on compliance which is binding on other authorities and must be applied by other authorities. The system is voluntary. By 1 October 2014 over 1,900 businesses had entered partnerships with nearly 140 authorities. The initiative is now being extended to franchisees and trade associations. The initiative is also supported by a strong system of communication between authorities. The interactive Primary Authority Register not only gives access to details on every registered partnership but also allows the communication of key information from the lead authority to others, for example to assist with inspection.
These precedents point to a number of issues which would be key to achieving success in building a OSS. They are partnerships between the regulator and the regulated. They are supported by strong information and communication mechanisms. They are based on a mixture of statutory backing and contractual commitment. They are not rigid but are open to development. The OSS is new. It will not be possible to create a fully-functioning scheme by legislation alone. It will have to be built and will be built best by the involvement of all of those concerned.
Proximity to data subject
Any proposal for a OSS arrangement must deliver proximate solutions to data subjects. It will be essential that individual data subjects can refer their complaints to the supervisory authority in their jurisdiction and take action for compensation or individual orders in their own courts. This is not incompatible with the benefit of a OSS and can be applied under the proposal outlined above.
Consultation and co-operation between supervisory authorities
Any OSS arrangement must provide for proper consultation and co-operation between supervisory authorities. This would not be incompatible with an effective OSS. Crucially all the relevant authorities would be involved from the outset in the application. It could be envisaged that all those concerned would be consulted about the recognition undertaking. Arrangements might include setting up a small committee drawn from those supervisory authorities with an involvement to advise and support the lead authority in its role. The benefit to the data controller of the OSS would be, primarily, the streamlining of communications with, and referrals to, the supervisory authority. The ability to make one application for prior approval or for consultation would be a great advantage. It would be the role of the lead authority to consult with other relevant authorities and possibly to set up appropriate structures to do so in each case. In the event of a real dispute between supervisory authorities, the European Data Protection Board (EDPB) could act as a mediator but it would be clear that the final decision on cross-border issues would lie with the lead supervisory authority.
The adoption of a OSS would put a strain on the lead authority. In the UK precedent of the Primary Authority initiative, businesses which wish to enter a Primary Authority arrangement are required to pay a fee which helps to pay for the additional burden that it imposes. This is not an unreasonable possibility and could be explored further. For example, it is possible that particular supervisory authorities will in the future develop different areas of technical expertise, and it may be appropriate to steer data controllers operating in specific fields to those supervisory authorities. The development and maintenance of such expertise can be expensive and it would be reasonable to expect business to share the costs.
One of the benefits of the proposal would be that the OSS could be gradually developed as data controllers move through the application process. Supervisory authorities would not be faced with an immediate burden of operating the OSS for all eligible data controllers on commencement of the Regulation. The process could be controlled.
Communication and Information Sharing
It appears that one of the critical contributions to success would be open and transparent communication between supervisory authorities. This would also support the wider agenda of openness and facilitate the sharing of information with data subjects.
Clearly this is a mere outline. To take these ideas forward, it would be necessary to raise the issues in debate and bring in the views of business and the other stakeholders.
If the proposal were to be taken forward it would not be a matter of great difficulty to integrate it into the current text and to ensure compatibility with the consistency mechanism.
The concept of a lead authority to deliver robust and effective regulation while at the same time offering certainty and clarity for business is a powerful one. It should help to serve the needs of data subjects while enabling the growth of a successful digital Europe. We have the opportunity to involve data controllers in building a future in which data protection rights have the respect they deserve.
Rosemary Jay is a Senior Attorney with Hunton & Williams. Rosemary is the author of Sweet & Maxwell's Data Protection Law & Practice, now in its fourth edition, a contributing editor to The White Book and an editor of the Encyclopedia of Data Protection and Privacy. She is a Fellow of the British Computer Society and writes and lectures widely on data protection matters.
The views expressed in this article are those of the author and do not represent the views of Hunton & Williams.