CIPL responds to the EDPB Guidelines 09/2020 on relevant and reasoned objections under the GDPR
On November 23, 2020, the Center for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the consultation of the European Data Protection Board (“EDPB”) on draft guidelines on relevant and reasoned objections in accordance with the coherence mechanisms of the General Data Protection Regulation (“GDPR”) (the “Guidelines”). The consultation on the guidelines took place a few weeks before the first binding decision by the EDPB in the context of the dispute settlement mechanism under Article 65 GDPR.
The purpose of the guidelines is to provide (1) guidance to supervisory authorities (“SAs”); (2) a shared understanding of the concept of a “relevant and reasoned objection” (“RRO”); and (3) guidance on what to consider when assessing whether an objection clearly demonstrates the importance of the risks a draft decision poses to the fundamental rights and freedoms of data subjects or the free flow of data within the EU.
In its response, CIPL welcomes the EDPB’s commitment to transparency in publishing the draft guidelines and in helping organizations gain insight into the practical aspects of the decision-making process that the SAs and the EDPB follow. CIPL underscores the value of the GDPR’s cooperation and consistency mechanism, the one-stop shop (“OSS”), in ensuring effective, consistent, transparent and proportionate regulation. CIPL supports the EDPB’s goal of achieving flexible, timely and responsive supervision. CIPL believes that the guidelines will help streamline and clarify the decision-making process through the OSS, thus supporting sound decision-making in regulatory action on cross-border processing issues. CIPL also welcomes the position of the guidelines that a dispute over the identity of the lead supervisory authority (“LSA”) cannot lead to an RRO.
In addition, CIPL suggests that the guidelines clarify a number of points and highlight a number of concerns:
- The guidelines do not adequately address the LSA’s obligation to prepare a properly structured draft decision for examination by the supervisory authorities concerned (“CSAs”), against which they can assess whether RROs are appropriate.
- The guidelines should make it clear that an RRO can only be raised against an LSA draft decision itself, excluding the investigation process and the exchange of information prior to the draft decision.
- An RRO needs to relate to the decision itself and not to the related process, unless failure to follow due process has completely undermined the validity of the draft decision.
- The guidelines should emphasize that filing an RRO should never be a routine or regular matter in order to avoid shortening the timeframe for effective decision-making and using significant resources of the EDPB.
- The guidelines should serve as a reminder that the threshold for submitting an RRO is high, i.e., in serious cases where there are real risks to data subjects or the free flow of data caused by the draft decision. An RRO should not be submitted simply because a CSA would have made a different decision.
- The guidelines should clarify that an RRO must be limited to the parameters of the draft decision to be considered. It should not cover other complaints received or matters that the CSA believes should also have been investigated.
- The guidelines should emphasize the independence of the LSA under national administrative law. Controllers and processors who are subject to enforcement proceedings after reviewing an RRO may request the discovery and disclosure of relevant materials for appeal.
- The guidelines should recognize that in almost all cases of cross-border processing an enforcement or criminal decision will have a potential impact on the free flow of data. Hence, it is likely that this should be considered in all cases.
- The guidelines should stipulate that the risks to the rights and freedoms of the individual and to the free flow of data must be weighted equally.
- The guidelines could focus more on the fact that investigation, reaching a draft decision and enforcement are matters that are subject to the laws and procedures of the Member States and that must be duly weighted and respected.
Download a copy of CIPL’s full response.