Privacy Talk with Isabelle Vereecken, Head of the Secretariat of the European Data Protection Board: What is the strategic enforcement approach in Europe?

Kohei Kurihara
Published in Privacy Talk, Sep 14, 2022

“This interview recorded on 20th July 2022 is talking about future data protection and cooperation”

Kohei is having a great time discussing future data protection and cooperation.

This interview outline:

  • How is the EDPB guideline prepared by working-group?
  • What was discussed at the Vienna Meeting among data protection authorities?
  • What is the strategic enforcement approach in Europe?
  • Why did the EDPB make a binding decision against WhatsApp case?

  • How is the EDPB guideline prepared by working-group?

Isabelle: In practice, the guidelines are first prepared in the EDPB expert-sub groups. The EDPB has different sub-groups dealing with different subject matters.

For instance, we have one subgroup working on international transfers, another one working on questions of law enforcement (police matters), another one working on GDPR accountability tools, such as certification and code of conduct.

The work is prepared in subgroups. This is where the technical discussions for the preparation of the documents are taking place. And then afterwards it reaches the level of the plenary meeting, where the decisions are made by the heads of the different authorities.

This is a collaborative work where the members are taking part. One actor is taking the lead in the drafting. For instance, the EDPB Secretariat works a lot on all consistency actions. So the binding decisions and the Art 64 GDPR opinions such as on BCR or certification etc.

This is because binding decisions and consistency opinions are addressed to data protection authorities and we are an independent party because we cannot be one of them that is proposing a decision. We can also provide consistency because we see all the draft decisions which are coming to us.

So for the consistency actions, the Secretariat has a main role in the drafting. For the guidelines, it’s a bit more shared. Sometimes the Secretariat is taking the leadership, like for the recommendation on supplementary measures, but most of the time, it is the staff members of national data protection authorities who are leading the drafting of the document.

At the beginning of the process, there is a mandate given, for instance for a new guidance, and the different national data protection authorities can decide to contribute.

One will take the leadership in the drafting and the other ones will comment on the draft prepared. Sometimes we have drafting teams preparing together in a small group a first draft and then after it goes for discussion in a subgroup meeting and then after that going to the plenary level.

In a subgroup you can have easily 50 people taking part in the subgroup discussions. And in the plenary meeting, it’s more a formal meeting where there are the heads of authorities taking the final decisions on the documents.

To give you an idea of the size of the workload of the EDPB last year, we organized 400 meetings. So, if you count the number of working days, it means that every day there is at least one meeting, normally even several EDPB meetings taking place at the same time in parallel.

So there is an intensive collaboration to do this work for having guidance and documents published by the Board.

Kohei: Wow. EDPB works so many things not just only for the binding but also like the collaboration that’s been a very significant process to organize the data protection lead. So I’d like to move on to the next questions.

It’s about very interesting topics for me, ’cause I was lucky to visit the EDPS conference. A lot of the member states are talking about the Vienna discussion.

So could you tell us about Vienna holding what’s happened, and what’s the decision, what we’ll be expecting to change through the EDPB perspective?

  • What was discussed at the Vienna Meeting among data protection authorities?

Isabelle: With pleasure Kohei. The chair decided to invite all the members outside the context of a plenary meeting because in the plenary we have many documents, about different topics, to adopt at the same time.

The idea was really to focus on the question on the enforcement of the GDPR and to see what are the challenges and what we can do to support and to promote enforcement of the GDPR.

So all the heads of the national authorities have been invited by the chair in Vienna in April during two days to discuss this enforcement cooperation and to see how it can be further enhanced.

It was really a great momentum for the authorities and they agreed on a series of measures. I will focus on the three main outcomes that were made to improve enforcement cooperation.

The first one is the closer cooperation on cases of strategic importance. The authorities decided this also on the basis of the experience of the One Stop Shop and on the basis of the discussions that we also had in the framework of the adoption of the guidelines on the One Stop Shop. This relates to article 60 of the GDPR.

We realized that it was necessary sometimes to go even beyond what is described there in the GDPR. The cooperation of the authorities when a draft decision is already there, it is in practice a bit late.

So it is needed to have an earlier exchange between the authorities and a more comprehensive exchange between the authorities from the very beginning of the enforcement investigation action.

The authorities in Vienna agreed that they will select some cases of strategic importance for which they will decide on an action plan for which a small group of authorities will work with a concrete timeline to ensure the progress of the investigation and to report on that.

At the plenary of the 12 of July, just recently a few days ago, the EDPB made further work on that Vienna agreement, and we have adopted the criteria for making the selection of the strategic case, and also the process to follow.

And they also already decided on the first cases that will be considered as being strategic. Further cases will be decided in September and October, but they already identified three of them.

The second big decision taken in Vienna was to align the national enforcement strategies. Most of the authorities, at the beginning of the year, are deciding on their national enforcement strategy for the next year.

  • What is the strategic enforcement approach in Europe?

The idea is to work more at the EU level and to develop an EU enforcement strategy. In fact, we already have this experience of, I don’t know who heard about this, the coordinated enforcement framework.

That is already an action that we made, where we decided once a year on a selected topic of enforcement that we will make together at the board level, for instance to conduct a joint investigation or sweep activities.

So the first action relates to the use of cloud computing in the public sector for which 20 authorities are working together. We realized that the impact of EU wide investigation on enforcement is much higher than when each DPA, authorities, are working separately, individually.

The authorities can then develop these annual enforcement priorities at European level. The last block of decisions in Vienna, the last important one is to try to remedy the obstacle created by the difference of the national procedural laws.

In the GDPR, you will find the general rules for cooperation but in practice, every authority at national level, as they are administrative authorities, is subject to their own national administrative law. We realized that those legislations are not always harmonized because it’s a national matter.

We realized that we can try to improve the harmonization on those questions to foster the cooperation of the GDPR. So the idea is to make a proposal to the European Commission in October to invite them to make a legislative initiative to create more harmonization in this area of legislation.

Kohei: Thank you I think in a Vienna conversation will be accelerating of the new enforcement things, I’ve been feeling it’s in visiting into the conference, there was a very amazed.

A lot of experts are talking, discussing many things for the future. So that could be the expectation from my insight. So the next question is about your topics.

I was lucky to be a part of your speaking session then you accorded the one good use case about the WhatsApp privacy policy decision. Could you tell us about the details of this decision?

  • Why did the EDPB make a binding decision against WhatsApp case?

Isabelle: Yes, so this is one of our binding decisions. So I think you talk about the article 65 binding decision on WhatsApp that we adopted last summer. So in practice, it’s an example where the EDPB had to intervene to settle a dispute between the authorities on an enforcement action.

So the lead supervisory authority for WhatsApp is the Irish one, the DPC and they launched an investigation on the respect of transparency duties by WhatsApp in its privacy policies, and they proposed a draft decision to the different authorities and several of them raised objections and considered that there was a need to make some changes in this draft decision.

And despite the cooperation, they didn’t manage to reach an agreement. So at the EDPB, we intervened. In practice, it was the Secretariat that was leading the work.

We first assessed the objections that were raised by the authorities, to check if they were reasoned and relevant because they need to be motivated and to meet a certain threshold imposed by the GDPR to enable the to be competent to assess the matter.

And then after, we went into the merit, so to the content of the decision. So in practice, what were the consequences of that? The EDPB requested the Irish LSA to modify its draft decision as the EDPB considered that there were additional breaches of GDPR, that more articles were breached than the ones that were identified by Irish LSA.

There was an additional breach of Article 5 GDPR, and also some articles relating to transparency, and we also discussed the method for the calculation of the fine.

In the draft decision prepared by the Irish, they took the gravest infringement and only fined that one, while the EDPB clarified that all the infringements should be taken into consideration when calculating the amount of the fine.

So we asked the Irish authority to change its decision and also to increase the level of the fine on the basis of the new method of calculation and following the additional infringements found.

In the draft decision, WhatsApp was supposed to receive a fine of 50 million of euros and following our decision, the DPC decided to impose 225 million of euros on WhatsApp.

WhatsApp is making an appeal against the decision in front of the Irish court, but also in front of the European general court.

We are working on this right now and the written part of the procedure will be soon closed. It is a very interesting activity because it is the first time we have litigation at the board level and we are quite confident for the future.

Kohei: That’s I think it’s very challenging and you are competing, not just to compete, just in challenging the gains to be any infringement of the consumer.

So that’s going to be a very interesting action on the European level, this should be very significant to the other regions as well, because those kinds of the big tech businesses, not just one single country, so why do we need to be in business over the world?

To be continued..

Thank you for reading and please contact me if you want to join the interview together.

Privacy Talk is the global community with diversified experts, and contact me on LinkedIn below if we can work together!
