Privacy & Information Security Law Blog

On November 23, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Data Protection Board (“EDPB”) consultation on draft guidelines on relevant and reasoned objections under the General Data Protection Regulation (“GDPR”) cooperation and consistency mechanisms (the “Guidelines). The consultation on the Guidelines took place a few weeks before the EDPB issued its first binding decision under the Article 65 GDPR dispute resolution mechanism.

The purpose of the Guidelines is to provide (1) guidance to Supervisory Authorities (“SAs”); (2) a common understanding of the concept of a “relevant and reasoned objection” (“RRO”); and (3) guidance on what should be considered when assessing whether an objection clearly demonstrates the significance of the risks a draft decision poses to the fundamental rights and freedoms of data subjects or free flow of data within the EU.

In its response, CIPL welcomes the EDPB’s commitment to transparency in publishing draft Guidelines, helping organizations gain insight into the practicalities of the decision-making process followed by the SAs and the EDPB. CIPL underlines the value of the GDPR cooperation and consistency mechanism―the One Stop Shop (“OSS”)―to deliver effective, consistent, transparent and proportionate regulation. CIPL supports the aim of the EDPB to achieve flexible, timely and responsive oversight. CIPL considers the Guidelines to help streamline and clarify the process of decision-making through the OSS, thereby supporting robust decision-making in regulatory action on matters of cross-border processing. CIPL also welcomes the Guidelines’ position that a dispute as to the identity of the Lead Supervisory Authority (“LSA”) cannot give rise to an RRO.

In addition, CIPL suggests that the Guidelines clarify a number of points and highlights a number of concerns:

• The Guidelines do not sufficiently address the obligation of the LSA to produce a properly structured draft decision for the consideration of Concerned Supervisory Authorities (CSAs) that would allow them to assess whether RROs are appropriate.
• The Guidelines should make clear that an RRO can only be made to an LSA draft decision itself, to the exclusion of the investigative process and exchange of information prior to the draft decision.
• An RRO must relate to the decision itself and not the associated procedure, unless the failure to follow proper procedures has wholly undermined the validity of the draft decision.
• The Guidelines should recall more prominently that the lodging of an RRO should never be a routine or regular matter, in order to avoid derailing the timeframe for effective decision-making and engaging significant resources of the EDPB.
• The Guidelines should recall that the threshold for lodging an RRO is a high one, i.e., in serious cases, where there are real risks to data subjects or the free flow of data occasioned by the draft decision. An RRO should not be lodged simply because a CSA would have come to a different decision.
• The Guidelines should clarify that an RRO must be confined to the parameters of the draft decision being considered. It should not cover other complaints received or matters that the CSA believes also should have been investigated.
• The Guidelines should stress the independence of the LSA under national administrative law. Controllers and processors subject to enforcement proceedings following the consideration of an RRO may seek discovery and disclosure of relevant materials in order to bring appeals.
• The Guidelines should acknowledge that in nearly every case of cross-border processing, an enforcement or penalty decision will have a potential impact on the free flow of data. Hence, it is likely that it should be considered in all cases.
• The Guidelines should provide that the risks to individual rights and freedoms and to the free flow of data must be given equal weight.
• The Guidelines could focus more on the fact that investigation, reaching a draft decision and enforcement are matters governed by Member State laws and procedural rules, which must be accorded due weight and respect.

Download a copy of CIPL’s full response.