The European Data Protection Board (EDPB) recently published new Guidelines (09/2020) on the meaning and interpretation of a “relevant and reasoned objection” under Article 60(3) of the GDPR.
The Guidelines relate to the cooperation and consistency provisions set out in Chapter VII of the GDPR, under which a lead supervisory authority (LSA) has a duty to cooperate with other concerned supervisory authorities (CSAs) in order to reach a consensus on cases with a cross-border component: the so-called one-stop-shop (OSS) mechanism.
Under Article 60(3), the LSA is required to submit a draft decision to the CSAs, who may then, within a specific timeframe, raise a “relevant and reasoned objection” under Article 60(4), described under Article 4(24) as:
“an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union”.
The LSA may then decide whether to follow the objection or reject it and submit the matter to the EDPB. In the Guidelines, the EDPB aims to establish a common understanding of the terms “relevant and reasoned” and of what this type of objection should address.
Relevant & Reasoned
The concept of “relevant and reasoned objection” is based on the assumption that the LSA’s obligation to exchange all relevant information has been complied with, allowing the CSA(s) to have a thorough understanding of the issues and therefore submit a well-reasoned objection. The EDPB also notes that the requirements of “relevant” and “reasoned” are cumulative, meaning that both conditions must be met.
An objection will be “relevant” where it has a direct connection to the substance of the draft decision and, if followed, will essentially lead to a different conclusion. Therefore, an objection raised under Article 60(4) should not be used to address vague or abstract concerns or minor disagreements on wording.
An objection will be “reasoned” where it is coherent, clear, precise and detailed in explaining the reasons for the objection and clearly indicates which parts of the decision are at issue. Ideally, the objection should be provided in one single submission and, as good practice, include a new wording proposal for the LSA’s consideration.
Substance of the Objection
As set out in the Article 4(24) GDPR definition, a relevant and reasoned objection will address whether there is an infringement of the GDPR and/or whether the envisaged action in relation to the controller or the processor complies with the GDPR. Additionally, the CSA’s objection should demonstrate the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, if applicable, the free flow of personal data within the EU.
Existence of infringement of the GDPR
The substance of an objection will amount to a disagreement between the CSA and the LSA as to whether there is an infringement of the GDPR, and as to which infringement(s) specifically. An objection as to whether there is an infringement of the GDPR may include a disagreement as to the conclusions to be drawn from the findings of the investigation. However, the EDPB notes that such disagreement is less likely to happen where the LSA has cooperated appropriately with the CSAs and exchanged all information prior to issuing the draft decision.
The objection may also concern procedural issues where the LSA allegedly disregarded procedural requirements imposed by the GDPR, and this affects the conclusion reached in the draft decision. However, the Article 60(4) GDPR objection should not be used to challenge the competence of an LSA. Instead, this issue should be addressed pursuant to Article 65(1)(b) GDPR and may be raised at any stage.
Envisaged action infringes GDPR
An objection on the basis that the action envisaged in relation to the controller/processor does not comply with the GDPR will mean that the CSA essentially disagrees with the corrective measure, or lack thereof, proposed by the LSA. The Guidelines provide some useful examples where a CSA might object to the LSA’s proposed action. For instance, the CSA may believe that due to the number of data subjects impacted by a controller’s data breach, the draft decision has not gone far enough in its reprimand of the offending controller and that a fine should be issued.
Significance of the risks posed by the draft decision
The CSA has an obligation to demonstrate that the risks posed by the draft decision are significant. In addition, the demonstration of this risk cannot merely be implied from the CSA’s arguments but must be explicitly stated and explained. The EDPB emphasises that while a relevant and reasoned objection must always demonstrate the significance of the risks posed by the draft decision to the fundamental rights and freedoms of data subjects, the demonstration of the risks posed to the free flow of personal data within the EU is only requested “where applicable”.
Risks to the fundamental rights and freedoms of data subjects
When considering the risks posed to the fundamental rights and freedoms of data subjects, the CSA must have regard to the draft decision as a whole and evaluate the risks based on, inter alia, appropriateness, necessity and proportionality of the measures envisaged in relation to the relevant infringement. The assessment of the risks may take into account both the data subjects whose personal data was processed and those who may be affected in the future. The Guidelines provide a practical example illustrating how a CSA might object that the absence of a formal reprimand for a violation of a fundamental principle of the GDPR sets a dangerous precedent and creates a risk for the future processing of individuals’ personal data.
Risks to the free flow of personal data
Where the objection refers to particular risks to the free flow of personal data, the CSA will need to state in its objection why it is deemed to be “applicable”. The need to avoid restricting or prohibiting the free movement of personal data for reasons connected with the protection of natural persons with regard to the processing of personal data is explicitly set out in Article 1(3) GDPR.
The EDPB notes that risks to the free flow of personal data within the EU may arise if unjustifiably different decisions are issued by SAs in situations that are identical or similar (in terms of sector or type of processing). A lack of uniformity would endanger the EU level playing field, create contradictory situations within the EU and encourage “forum shopping”. However, the EDPB does note that account should be taken of national specificities permitted by the GDPR with regard to processing in certain sectors such as health-care and journalism.