8 Min Read

When European data regulators disagree: EDPB steps in to resolve a dispute between French and Polish Data Protection Authorities

Read more

By Christopher Air

|

Published 30 August 2022

Overview

In a decision published on 17 August 2022, the European Data Protection Board (EDPB) issued a binding resolution, in relation to a dispute between the French and Polish Data Protection Authorities (DPAs) regarding the amount of a proposed fine against French-based ACCOR SA (“Accor”). This is only the third time the EDPB has had to step in to resolve a dispute between DPAs in as many years. The decision provides a useful opportunity for an overview of the EDPB’s role as a final adjudicator in the context of the EU GDPR’s “One Stop Shop” mechanism, which we examine in more detail below.

What is the “One Stop Shop”?

From the EU GDPR’s early days, its supporters have hailed the potential merits of the mechanism under Article 60, which is aimed at reducing the administrative burden on controllers carrying out cross-border data processing, and avoids them having to liaise with multiple DPAs. In short, this principle of the “One Stop Shop” allows multinational organisations to deal with a single lead supervisory authority (LSA) – which is the DPA of the Member State of the controller’s main establishment. At the same time, Concerned Supervisory Authorities (CSAs) act as the main point of contact for data subjects whose data is being processed by the controller in the territory of the relevant CSA’s Member State. The LSA is the authority in charge of leading the cooperation process with the CSAs.

To complement the One Stop Shop, the EU GDPR contains a so-called “consistency mechanism” in Articles 63 to 67. In short, this provides that in order to contribute to the consistent application of the EU GDPR, where the One Stop Shop is utilised by an organisation, the relevant LSA and CSAs shall cooperate with each other in an endeavour to reach consensus on any draft decisions affecting that controller.

Handling disagreement: The Article 65 dispute resolution

Under Article 60(4) EU GDPR, when a LSA issues a draft decision affecting a controller who is using the One Stop Shop mechanism, the LSA consults with all CSAs, who can express their relevant and reasoned objections to the draft decision within a period of four weeks. If none of the CSAs object within this timescale, the LSA may proceed to adopt the decision.

Conversely, if at least one of the CSAs disagrees with the draft decision, it may raise its relevant and reasoned objections, and throw the ball back into the LSA’s court. The LSA can either agree to the objection(s) and submit a revised draft decision to all the CSAs, or, alternatively, it can state that it does not intend to follow the objection(s). In the latter case, a dispute arises about a draft decision and the consistency mechanism is triggered. This means that the LSA is obliged to refer the case to the EDPB in accordance with Article 65(1)(a) EU GDPR.

Under Article 65(2) EU GDPR, the EDPB has one month (or two months, in complex matters) to reach a decision on the dispute, and must achieve a two-thirds majority of the members of the Board. Where such majority proves impossible, a decision can be made by way of simple majority within two weeks of the expiration of the second month of the initial referral, as per Article 65(3) EU GDPR. The EDPB’s decision is binding on all DPAs and shall resolve the disagreement between them. Following the EDPB’s binding decision, the LSA shall adopt its final ruling “without undue delay”, and in any event within one month (Article 65(6) GDPR).

The ACCOR decision

Timeline

August’s Article 65 binding decision concerned Accor, a global company operating in the hospitality sector. Between November 2018 and December 2019 the French DPA, the CNIL, acting as Accor’s LSA, received a total of eleven complaints against the company from CSAs (made on behalf of affected data subjects). The complaints concerned a failure to take into account the data subjects’ right to object to the receipt of marketing messages and/or difficulties encountered by them in exercising their right of access.

In response to these complaints, the CNIL published a first draft of an enforcement decision against Accor in December 2019. This was objected to by several LSAs and went through a number of amendments, until January 2022, when the CNIL issued a position explaining that it would not follow the objections raised by the remaining objecting CSA – Poland’s UODO. The matter was referred to the EDPB for a binding resolution on 22 February 2022.

The decision

UODO’s objections concerned the amount of the fine set by the CNIL in its draft decision, based on 3 separate grounds. Having discussed each of the three issues in dispute, the EDPB decided as follows:

Relevant financial year for the calculation of a controller’s annual turnover. The EDPB confirmed that, when assessing a controller’s global annual turnover to calculate the maximum possible fine under Article 83 EU GDPR, DPAs should take the financial year preceding the anticipated final (rather than draft) decision. In the case of the CNIL’s decision, this was the 2021 financial year.

Reduction of the amount of a fine. The EDPB criticised the CNIL for reducing Accor’s proposed fine, which was reduced to take into account a mitigating adjustment due to the company’s decreased revenue caused by the Covid-19 pandemic. The EDPB observed that reductions of turnover are reflected in the final annual turnover figure, forming the basis of a fine. Mitigating adjustments are therefore only appropriate where there is evidence that the controller is unable to pay the fine, which was not the case in this instance.

Dissuasiveness of a fine. The EDPB further found that the “negligible” fine of €100,000 (less than 0.02% of Accor’s reported 2020 global annual turnover) was not sufficiently dissuasive for the company in light of the “substantive infringements” of data subjects’ rights identified. Therefore, the Board invited the CNIL to re-calculate the monetary penalty.

The LSA has one month after the EDPB decision to communicate its final enforcement notice to the EDPB and the CSAs. Alternatively, the CNIL can appeal the EDPB’s binding decision to the Court of Justice of the European Union.

Comment

As previously discussed, many organisations make use of the One Stop Shop mechanism due to the cost and efficiency benefits of having to deal with a single EU privacy regulator. However, experience has shown that the cooperation mechanism doesn’t always run smoothly, especially where there are political considerations surrounding a LSA decision. The Accor case follows another landmark Article 65 intervention – the Irish DPA’s fine of WhatsApp, where the EDPB ordered an increase of the monetary penalty to be imposed on Facebook’s subsidiary for a number of “severe” breaches of the EU GDPR.

While the EDPB can grant the controller a right to be heard before it issues a binding decision, it decided not to do so on this occasion. Therefore, companies should make efforts to present strong submissions in response to an investigation by their LSA, as this is often their one and only chance to put their case forward.

Authors