The GDPR’s cooperation and consistency mechanism will now be put to a test at the European Data Protection Board (EDPB) which is already dealing with more than 20 cross-border cases. Willem Debeuckelaere, Vice-Chair, EDPB, said at PL&B’s conference in Cambridge today that the DPAs will try to reach the goal of consistent application of the GDPR by issuing opinions and by dispute resolution.
The Board has decided to re-adopt all of the Article 29 Working Party’s guidelines. “Most of the old opinions should be revised as they were adopted under the Directive, but we are a little reluctant to do so as the new e-privacy regulation is on its way and may affect that work, “ Debeuckelaere said.
The Board will issue binding decisions on cases brought to it but it can also proactively examine issues. While the Board can take decisions by a two-thirds majority, a procedure needs to be found for situations when a national authority prefers not to accept EDPB’s decision.
“We have had complaints made to the Belgian, German and French authorities. Max Schrems is testing the system,” Debeuckelaere said. Noyb.eu has filed four complaints over ‘forced consent’ against Google, Instagram, WhatsApp and Facebook. Debeuckelaere said that the DPAs are using their new communications system to exchange information in an efficient manner.
The group has now published its rules of procedure. At tomorrow’s meeting, the Board will discuss the Facebook/Cambridge Analytica investigation, and the One Stop Shop.
Florence Raynal of France’s Data Protection Authority, the CNIL, which held the presidency of the Article 29 Group, said that national consistency is now of importance. In France, the GDPR adaptation law was adopted on 1 June. “A decree will hopefully be published at the end of July. Also, there will be an ordinance in six months’ time to make the text more readable,” she said.
She predicted that around one third of the cases in France will concern cross-border issues.
“At international level, the Board is working on guidelines on the territorial scope of the GDPR. There are a lot of expectations regarding this paper. We need to continue our collaboration with non-EU countries to make sure we have strong cooperation on enforcement issues at international level. We need to develop bridges and relationships outside of Europe.”
Head of Iceland’s Data Protection Authority, Helga Þórisdóttir, said that steps have been taken to incorporate the GDPR into the EEA agreement (European Economic Area, to which Iceland belongs). A decision is expected on 6 July.
To follow the conference, see our Twitter hashtag #PLBAC and read articles in the July issues of PL&B UK and International Reports.