The Proposed General Data Protection Regulation: The Consistency Mechanism Explained
The main innovations of the proposed General Data Protection Regulation relate to the institutional system it creates rather than to the substance of data protection law. The consistency mechanism is at the heart of this system.
The current situation – fragmentation and incoherence
Under the current Data Protection Directive 95/46/EC, a company operating in more than one EU country will have to deal with several Data Protection Authorities (‘DPAs’), up to one per Member State, with very different powers. This leads to uncertainty for business and to situations where different rules can apply in each Member State for the same operation. There is no system to reconcile different DPA decisions apart from a non-binding discussion in the so-called Art 29 Committee, which brings together EU DPAs.
The flaws of the present system were illustrated in the Google Street View case. The actions of a single company affected individuals in several Member States in the same way. Yet they prompted uncoordinated and divergent responses from DPAs.
The proposal – simplicity and consistency
The proposed Regulation establishes a new system of supervision for businesses or organisations processing personal data in more than one EU Member State or with a pan-EU impact, based on two elements:
- First, only one DPA is responsible for taking legally binding decisions against a company (‘one stop shop’). That DPA is determined by the company's “main establishment” in the Union;
- Second, the proposed Regulation provides for mandatory cooperation between DPAs, and sets up a consistency mechanism at EU level to ensure coherent application of the rules, which combines an advisory role for the European Data Protection Board (the ‘Board’) and a role for the Commission.
The three basic principles of the consistency mechanism
- DPAs take decisions on individual cases without an EU-wide impact;
- Where there is an EU-wide impact, the Board is engaged and issues an opinion;
- The Commission acts as a backstop to ensure the consistency mechanism is effective. This is good for citizens and for business.
The consistency mechanism process
- In cases where there is no EU-wide impact, individual decisions are taken by national DPAs. This is the core of DPA independence;
- Where there is an EU-wide impact, the matter is referred to the Board. The Board issues an opinion (non-binding) which must be taken into account by the national DPA. The onus is on DPAs to agree a position together;
- After the Board has issued its opinion, and where this is necessary in order to ensure the consistent application of the Regulation, the Commission may adopt a (non-binding) opinion. The DPA has to take the Commission’s opinion into account before adopting its measure. The Commission’s initial intervention is non-binding;
- Only if the Commission or the Board have “serious doubts as to whether the measure would ensure the correct application of the Regulation” may the Commission require the DPA to suspend the draft measure for a maximum of 12 months. This can only be done in two specific circumstances:
  - In order to reconcile diverging positions between a DPA and the Board;
  - To adopt an implementing measure, in particular where the proper functioning of the internal market is at issue.
The consistency mechanism establishes a graduated procedure that preserves the role of national DPAs, ensures cooperation between DPAs within the Board and gives the Commission a role as a backstop.
The importance of the Commission as a backstop
- The role provided for the Commission is the key supranational element of the proposal. Without a role for the Commission, the Board will be an intergovernmental club;
- A consistency mechanism without the Commission would be bad for citizens. The Commission acts as a necessary backstop to the Board ensuring that the Board acts decisively and protects the right to data protection enshrined in the Charter of Fundamental Rights. The threat of action by the Commission ensures that DPAs do not shy away from difficult cases;
- A consistency mechanism without the Commission would be bad for business. The Commission is the guardian of the internal market and is responsible for the proper implementation of EU law. The Regulation will not be properly applied based on knowledge of data protection laws alone. The internal market must be brought about and the consistency mechanism, with the Commission as backstop, is the only way to do this;
- Allowing the Board to take binding decisions, an alternative which has been proposed, would be illegal. Under the Treaties, only the Commission can take decisions that are binding on the Member States;
- The alternative would be the creation of a data protection super-agency. This would entail enormous costs.
The role of the Commission does not interfere with the independence of DPAs who remain competent to tackle individual cases. The proposed Regulation strengthens DPAs by making sure they act in concert. The Commission’s role is to ensure coherence and build the single market. During this mandate, the Commission has fought hard with several Member States over the independence of national data protection authorities.