Since 2012, the European Commission has taken numerous steps in order to shape the EU’s digital future. One of these steps included the adoption of the General Data Protection Regulation (GDPR) which entered into force in May 2018. The GDPR aims to protect, in particular, the right of natural persons to the protection of personal data. At the end of 2020, the Commission went a step further and published its proposal for the Digital Services Act (DSA). As part of the EU’s Digital Strategy, it contains provisions to update the e-commerce legal framework.
Infringements of both the GDPR and the DSA do not stop at the Member States’ borders. An incident at Twitter, for instance, led to a situation where Twitter users had their Tweets, dating back to 2014, publicly accessible without their knowledge. This breach of the GDPR affected at least 88.726 EU and EEA Twitter users all across the continent. For this reason, it is essential that national authorities of different Member States cooperate in order to adequately enforce such breaches. Cooperation is fundamental here because it enhances the enforcement capacity and quality (van der Heijden 2016) – e.g., when investigating and sanctioning infringements that take place in multiple Member States, authorities can benefit from sharing resources and knowledge, which also speeds up the enforcement process. Keeping enforcement mainly the responsibility of national authorities also respects the Member States’ desire to keep these competences at national level and it offers functional benefits since national authorities often have better access to information at national level (Hofmann 2008; Coen and Thatcher 2008; Eberlein and Grande 2005; Börzel and Heard-Lauréote 2009). Therefore, both the GDPR and the DSA provide that national authorities of different Member States cooperate, under the coordination of an EU body. Nevertheless, the GDPR experience proved that enforcement of cross-border infringements is not an easy task and the complexity of such structures could even lead to under-enforcement.
This blogpost aims to shed light on the complex enforcement procedures and speculates as to whether the Commission has learnt any lessons from the enforcement challenges that materialize under the GDPR. In order to assess the potential of the DSA enforcement structure, we discuss the horizontal (national authorities cooperating) and vertical (national authorities cooperating with an EU body) enforcement procedures of both systems, and the challenges that arise under the GDPR system.
Horizontal cooperation between national authorities in enforcement networks
The GDPR provides a one-stop-shop mechanism, meaning that cross-border enforcement under the GDPR is organized by the lead supervisory authority – the authority of the Member State where the data controller or processor has its main establishment. This mechanism, however, places a large burden on certain Member States – e.g., Ireland and Luxembourg – as a result of how large data processing companies locate their headquarters. This may lead to a situation where some supervisory authorities face huge backlogs since they do not have the capacity to deal with all cases. The lead authority shall cooperate with authorities of other Member States – e.g., because data subjects in those other Member States are also affected by the breach. For this purpose, the lead and concerned authorities shall endeavor to reach consensus during the investigation and decision-making phase, for instance, on the scope of the investigation or the final decision taken (GDPR, Article 60(4)). Although this seems promising, consensual decision-making could slow down the enforcement procedure enormously. Furthermore, the authorities shall exchange information, provide mutual assistance or carry out joint investigations (GDPR, Articles 61-62). However, national supervisory authorities are not willing to make use of these tools and, thus, until the end of 2020 only one joint operation was carried out. It remains to be seen whether the Support Pool of Experts of the EU Data Protection Board will be a useful alternative in the near future.
Under the DSA system, cross-border enforcement is organized by the Digital Services Coordinator of establishment – the Digital Services Coordinator of the Member State where a digital services provider locates its main establishment or its representative. This authority serves as a single contact point for national and EU authorities. However, it may assign tasks to another authority in its Member State, meaning that multiple authorities in one Member State could be responsible for the organization of cross-border enforcement (DSA, Article 38(2)). Cooperation itself is not so much ‘proceduralized’ as it is under the GDPR. The DSA provides that the Digital Services Coordinator receiving the complaint should involve competent authorities and Digital Services Coordinators of other Member States if the matter requires cross-border cooperation, which could include the exchange of information and organization of joint investigations (on a permanent or temporary basis and may range from organizing data gathering exercises to inspections of premises) (DSA, recital 76). The DSA explicitly provides that the initiation of such cross-border enforcement actions may also be requested by a Digital Services Coordinator from another Member State or the Board for Digital Services. This is an important instrument for Digital Services Coordinators and the Board to push for enforcement actions to be taken (DSA, Article 45(1)).
Centralized nodes to networked enforcement under the GDPR and DSA
Enforcing Union law in cases of cross-border violations involving authorities of various Member States proves to be complex for several reasons. Therefore, more and more often we see hybrid enforcement models which involve both EU and national bodies. A networked enforcement model with centralized elements allows sufficient room at national level to enforce EU goals, while centralized bodies coordinate these enforcement practices and could push national authorities to act in a way that contributes to adequate enforcement practices (Boin, Busuioc and Groenleer 2014).
Under both instruments, coordination of national enforcement practices is the responsibility of an EU Board: in the case of the GDPR, the EU Data Protection Board (composed of heads of the national supervisory authorities), and for the DSA, the EU Board for Digital Services (composed of high-level officials of the Digital Services Coordinators). The Commission has a large role in the latter Board as Chair and as being responsible for providing analytical and administrative support.
Despite a promising statement in the DSA, that the EU Board for Digital Services aims to achieve a common EU perspective on the consistent application of the DSA (DSA, recital 89), it merely has an advisory role since it shall support the coordination of joint investigations – e.g., by providing roadmaps or timelines for joint activities – and shall issue opinions, requests and recommendations addressed to national authorities and Digital Services Coordinators (DSA, Article 49(1)). However, this guidance is not legally binding. The EU Data Protection Board may also adopt opinions, guidelines and recommendations addressed to national supervisory authorities – of which opinions could end up being finally binding decisions when the national supervisory authorities do not follow them (GDPR, Article 65(1)(c)). Thus, the EU Data Protection Board’s influence could be very large in practice. This is also true because the Data Protection Board may adopt finally binding decisions addressed to national supervisory authorities – e.g., when disputes arise between the national supervisory authorities (GDPR, Article 65(1)(a)). However, this mechanism faces some serious drawbacks since the EDPB is highly dependent on the willingness of national supervisory authorities to share the required information – if a lead supervisory authority fails to investigate the matter sufficiently, the Board will not have all required factual elements to decide the case (EDPB Decision 01/2020) – and its decisions are broadly formulated, leaving much room for national supervisory authorities when implementing the Board’s decision.
Under the DSA, it is not the EU Board for Digital Services that has strong enforcement competences, but the Commission itself – e.g., it may solve disagreements between Digital Services Coordinators on enforcement measures taken (although the DSA does not provide that they should reach consensus) and, if needed, it may request the Digital Services Coordinator to take different measures to ensure compliance with the DSA (DSA, Article 45(6)(7)). It is unclear what happens if the follow-up action by the Digital Services Coordinator is still insufficient. Only in case of enforcement actions related to Very Large Online Platforms, the Commission may intervene via binding decisions in accordance with the ‘enhanced supervision system’ (DSA, Article 50). This, in short, entails that the Commission has very broad investigative or decision-making powers to enforce certain DSA provisions with regard to these platforms. In these cases the Digital Services Coordinator of establishment is relieved of the power to intervene.
Potential of the DSA enforcement mechanism
In the DSA, the Commission proposed to organize a hybrid enforcement model involving horizontal cooperation between national authorities under the coordination of centralized bodies in a slightly different manner than the GDPR system. Whether this system is the answer to the enforcement challenges that occur when violations of harmonized Union law cross borders remains to be seen.
First, although to a certain extent proceduralized, cooperation under the GDPR proved to be complex and cumbersome and the role of the Data Protection Board is too soft in practice. It is questionable whether the loose forms of cooperation proposed in the DSA – with no possibility to request mutual assistance or joint decision-making – will lead to consistent and coherent enforcement practices. Although the DSA, for instance, provides for joint investigations, a lot of cooperation is assumed to be organized via informal ways. On the one hand, informal, non-hierarchical forms of cooperation lead to more interaction between authorities which enhances learning and builds trust among the network participants (Polak and Versluis 2016), which is essential for cooperation to be effective. On the other hand, informal procedures make it impossible to guarantee a prompt response to violations of the DSA, especially with so many actors involved (Digital Services Coordinators, other competent authorities, the EU Board for Digital Services and the Commission). The importance of formalization is also acknowledged by the European Data Protection Supervisor, who advocates for more explicit references to the competent authorities that should be involved in cooperation procedures and identification of the circumstances in which cooperation should take place.
Seeing this overly complex enforcement framework, coordination via a centralized body seems to be even more important in case of the DSA. However, no consistency procedure is foreseen regarding the conduct of digital services providers which do not classify as a Very Large Online Platform (Cole, Etteldorf and Ullrich 2021). The EU Board for Digital Services only has an advisory role, and in case of disagreement on the enforcement measures, the Commission can merely request the Digital Services Coordinator to reassess the matter. The case is different for Very Large Online Platforms. Here the Commission’s competences ensure an adequate response when the DSA is infringed, which prevents these platforms from going unsupervised by national authorities. It remains to be seen, however, if the Commission is the right body for this duty: isn’t the Commission’s role too large – strong steering role as Chair of the EU Board for Digital Services; providing analytical support to the same Board; and being responsible for supervision of Very Large Online Platforms – and wouldn’t the Commission be too political?
- The DSA Enforcement Framework, Lessons Learned from the GDPR? - July 31, 2021