On 20 July 2015 the PHAEDRA II project consortium published its first deliverable: Authorities’ views on the impact of the data protection framework reform on their co-operation in the EU, authored by David Barnard-Wills and David Wright (Trilateral Research & Consulting LLP).
This report provides the findings from a series of interviews with senior representatives of EU data protection authorities (DPAs) in April-May 2015. Topics covered in the interviews include the main developments of the General Data Protection Regulation (GDPR), including the consistency mechanisms, one-stop shop and European Data Protection Board (EDPB), and their impact on cooperation between EU DPAs; challenges to co-operation and co-ordination between EU DPAs; cooperation and coordination regarding enforcement; and the perspectives of the DPAs on the activities envisaged within the PHAEDRA II project – a repository of key DPA decisions, investigating the feasibility of a common approach to complaint handling, mapping enforcement powers and technology watch activities.
Most DPAs anticipated a significant, strong impact from the passing of the GDPR in general, and particularly for co-operation between European DPAs. The stance of many DPAs towards the GDPR was optimistic, although this was often balanced with some caution, or a recognition of additional work that needed (and needs) to be done, and pending issues that would need to be resolved. All DPAs interviewed recognised the need for increased collaboration within the EU (which was seen by some as critical, given that a spirit or attitude of co-operation may be as important as specific legal provisions for co-operation). Several DPAs informed us that they anticipated the GDPR reforms to act as a driver for more frequent co-operation. A still pending issue is how the practical co-operation required by the GDPR, particularly through the consistency mechanism, one-stop-shop and the EDPB, will be resolved in practice. Further, the extent to which the GDPR will harmonise data protection in the EU is still debated.
Key challenges for DPAs include maintaining legitimacy, freedom of action and ability to determine their own strategies and methods, and ability to take what they see as appropriate measures, whilst maintaining co-ordination and consistency with their peers. There is a practical debate about the extent to which structure and formalisation can contribute to more effective co-operation and co-ordination between European DPAs. For a minority of DPAs, the creation of structured systems for information exchange, shared complaint handling strategies, templates, forms, alerting systems, etc. was likely to be necessary given the scale of co-operation under the GDPR. For another minority, such systems were seen as problematic, in that they either reduced the operational flexibility of DPAs and their ability to respond to the particular context of a particular case, or they believed that agreement on such structures would not be possible given the remaining diversity between DPAs, even under the GDPR. Language differences, and the way that these can be resolved in practice, were also a common topic of discussion. Tools – including communication, information exchange, alerting tools and systems for structuring requests – were seen as generally useful, but not the limiting factor for co-operation. The report provides an overview of the perspectives of EU DPAs at this stage in the data protection reform process, in particular of areas where further work is required, and identifies issues that will need to be debated in more detail.
Text based on the executive summary of the Deliverable D1.