The disagreement between the EU data protection supervisory authorities over an Irish Data Protection Commissioner draft decision relating to Twitter could be the first of many cases which the European Data Protection Board will need to resolve (and maybe resolve in a way that leads to further challenge).
Recent news reports suggest that the European Data Protection Board (EDPB) is being required to take its first binding decision pursuant to Article 65 of the General Data Protection Regulation (GDPR). The Article 65 process has been triggered because an unspecified number of other supervisory authorities have raised objections (as they are entitled to) to the draft decision of the Irish Data Protection Commissioner (DPC) – the lead supervisory authority – in its investigation of whether Twitter complied with its personal data breach obligations under Article 33 of GDPR, in relation to a notification it made to the DPC in November 2018. In line with Articles 56 and 60, the DPC submitted its draft decision to other EU supervisory authorities in May of this year. As this was a case involving cross-border processing, the DPC was required to cooperate with the other supervisory authorities concerned. Given that the complaint concerned Twitter, we assume the supervisory authorities of all member states were consulted. It also seems likely that most complaints involving Big Tech (many of whom tend to base their European operations in Ireland, thus making the DPC the default lead supervisory authority) will similarly engage the supervisory authorities of all member states. The DPC already has many such complaint investigations, and, courtesy of civil society groups like “NOYB”, it is likely to continue to get many more.
Article 65 provides that where another supervisory authority “has raised a relevant and reasoned objection” to a draft decision of the lead supervisory authority, and the latter does not agree, the EDPB must step in to consider the objection. The EDPB then has one month (two if the subject matter is complex) to reach a two-thirds majority decision, or, failing that, within a further two weeks, to reach a simple majority decision. The decision is binding on all the supervisory authorities.
This appears to mean that, in circumstances where the EDPB agrees with an objection, then the lead supervisory authority will be bound to accept a decision it probably still does not agree with, and determine the substantive matter accordingly. In the context of the DPC, and its jurisdiction over the European processing of many of the world’s largest technology companies, this could have an interesting outcome: there are many supervisory authorities on the EDPB who take a substantially harder line than the DPC – if they end up being part of a simple majority which results in a “robust” binding decision adverse to the technology companies, then further challenges may almost certainly result.
The controller being investigated appears to be able to challenge the EDPB’s decision by way of an action for annulment under Article 263 of the Treaty on the Functioning of the European Union. There is no direct route of appeal under the GDPR. But presumably an aggrieved controller may also challenge the lead supervisory authority’s decision (which, remember, the latter might essentially disagree with) through the domestic courts, perhaps to the point where a referral to the CJEU could then also be made.
It has taken seven years, and counting, for complaints raised with the DPC, about transfers of data by Facebook to the US, to wend their way through the CJEU process. There may be years of similar challenges to come.