[DRAFT] Converting the European Data Protection Board into a European Data Protection Agency: red pill or blue pill?

By Giorgia, Lisa-Marie, Shivani, and Emilia

You take the blue pill—the story ends, you wake up in your bed and data protection enforcement stays the same. You take the red pill—we make a new agency, and I show you what it could look like.

(Lana Wachowski and Lilly Wachowski, The Matrix, 1999)

In ‘The Matrix’, when the reality of Thomas Anderson begins to fall apart, he is presented with a choice: to take the blue pill which allows him to continue living in contended ignorance, or to take the red pill to learn about reality and express his full potential by becoming his alter ego Neo. It is a risky option which yields challenges, yet ultimately beneficial consequences. Similarly, whilst leaving the status-quo of the enforcement system of the General Data Protection Regulation (‘GDPR’) provides a comforting yet ineffective blue pill, taking the red pill and converting the European Data Protection Board (‘EDPB’) into a European Data Protection Agency (‘EDPA’) could disrupt yet enhance enforcement of data protection law in the European Union (‘EU’).

In today’s digital economy, companies process a significant amount of personal data. Individuals can benefit from this, for instance by receiving more targeted and relevant information. However, there are also inherent risks to data protection, a fundamental right of every EU citizen. For example, in cases of a data breach, individuals can be harmed by identity theft or fraud (Bergkamp, Hunton, and Williams, 2002). The GDPR, therefore, imposes certain limitations on personal data processing. These are enforced through a hybrid system composed of the EDPB and national supervisory authorities (‘SAs’). The SAs investigate and enforce companies’ compliance with the GDPR in their respective Member States, while the EDPB functions as an advisory and appellant body in cases of disputes between SAs, but has no investigative or corrective powers itself. However, the GDPR’s enforcement, particularly in cross-border cases, has been criticized for being too complex, slow, and ineffective, leading to its underenforcement. For this reason, the Commission Vice President Věra Jourová announced that the GDPR enforcement system might be reformed, moving towards a more centralized enforcement. This blog post investigates whether converting the existing EDPB into a EDPA modeled after the Single Supervisory Mechanism (‘SSM’) could solve the current enforcement deficits.

Blue pill: The Gordian knot of the current GDPR cross-border enforcement

In situations where companies control and process personal data across several Member States, the one-stop-shop mechanism applies: the SA in the Member State of the companies’ main establishment takes the lead but must cooperate with SAs of other affected Member States through information exchanges, in order to reach consensus in the investigation and sanctioning. However, this cooperation mechanism exhibits major deficits, in particular in cases where companies, such as Google, Facebook, and Twitter, process data from individuals across the EU.

There are two major drawbacks to the current system:

  1. The one-stop-shop mechanism places an unproportionate burden on SAs of Member States where many big companies are located (e.g., Ireland) which, combined with a lack of resources and possible political unwillingness to investigate violations sufficiently, leads to enforcement bottlenecks;
  2. The EDPB and concerned SAs are highly dependent on the lead SA to investigate sufficiently and share its information. If this is not done in goodwill, then the EDPB does not possess enough evidence to decide disputes between SAs (see Decision 01/2020, paras 132-133).

Together, these deficits contribute to the underenforcement of the GDPR (Mustert and Bledoeg, 2021). Could the transformation of the EDPB, empowered with direct enforcement powers, be the bold step necessary to solve this Gordian knot?

Red pill: Creating an EDPA modeled after the SSM?

EU agencies play a crucial role in the shared administration of the EU by executing information-gathering, regulatory, and direct enforcement tasks (Scholten, Strauss, and Brenninkmeijer, 2021). There are pros and cons of a centralized agency that enjoys investigative and legally-binding enforcement powers overruling national authorities (Scholten and Ottow, 2014). Most importantly, a centralized EDPA could increase harmonization and reduce the risks of enforcement bottlenecks, ensuring a cohesive observance of the GDPR throughout the EU. However, optimal results will still only be achieved when national SAs are incentivized to cooperate with a centralized EDPA. This could be achieved if the EDPA is modeled following the role that the European Central Bank (‘ECB’) undertakes in the SSM.

The Regulations governing the SSM ensure the soundness of the European banking system. This mechanism confers specific tasks on the ECB regarding policies on the prudential supervision of banks and credit institutions. It functions through a centralized system of enforcement between the ECB and SAs, with the former being ultimately responsible for the effective functioning of the SSM. Although the ECB and SAs enjoy similar powers, the ECB is exclusively competent for supervising and investigating significant banks, whilst SAs are entrusted with the monitoring and investigation of less-significant banks. The significant status is decided by the ECB based on banks’ sizes, their economic importance, their cross-border activities, and whether they have requested direct public support. The ECB must cooperate through a system of shared enforcement which permits the ECB to take over institutions overseen by SAs at any time (Karagianni and Scholten, 2018).

The solution of an EDPA and SSM model of enforcement

In light of the considerations on centralizing the GDPR enforcement, the EDPB could be transformed into the EDPA by firstly adopting a regulation on the basis of the fundamental right to data protection, and secondly by endowing it with similar supervisory and investigative powers as the ECB has within the SSM. The legal basis allows for ensuring GDPR compliance of companies harvesting personal data of EU citizens, while the SSM-like powers allow to share the task of overseeing the personal data processing companies with the SAs and supervise the overall system. Otherwise, allocating the entire supervision to the EDPA might prove detrimental, especially when comparing the large number of companies controlling and processing personal data in the EU with the few significant banks supervised by the ECB. While the criteria of significance in the data-processing field cannot be directly transposed from what is used to determine significant banks, new considerations in terms of the quantity and quality of data a company processes will prove pivotal to determining which entities are supervised by the EDPA.

Author: Student posts

This blog post is written by Master students at Utrecht University.

Leave a Reply

Your email address will not be published.