A. The Interdependence of NSAs: The Cooperation Mechanism

Independent NSAs, the mainstay of EU data protection enforcement since the 1995 Directive, remain the primary actors responsible for oversight and enforcement under the GDPR.Footnote ¹⁷ Like the Directive, the GDPR stresses that the independence of NSAs is an ‘essential component’ of the protection of individuals in the context of personal data processing.Footnote ¹⁸ Yet such independence has been enriched by interdependence through the main institutional innovation of the GDPR, the ‘one-stop-shop’ (OSS) mechanism.Footnote ¹⁹ This procedure applies in cases of cross-border processingFootnote ²⁰ and entails an obligation on the NSAs to engage in horizontal cooperation. This mechanism is thus an exception to the general competence of each NSA to conduct its tasks and exercise oversight, investigative and sanctioning powers on the territory of its Member State.Footnote ²¹

Article 60 GDPR regulates the terms of the cooperation among NSAs under the OSS. The linchpin in this system is the idea of a ‘lead supervisory authority’ (LSA). The LSA is the supervisory authority of the place of main establishment for data protection purposes of the controller or processor,Footnote ²² which will be tasked with the supervision of GDPR cross-border processing. The LSA must work with other NSAs (designated ‘supervisory authority concerned’ or SAC) which have a stake in the outcome of the proceedings. An NSA may become a SAC for the purposes of the OSS when, in the context of cross-border processing: the data controller or processor also has an establishment in the NSA's jurisdiction; because data subjects who reside in the NSA's jurisdiction are likely to be substantially affected by the processing; or because the complaint being investigated was initially lodged with them.Footnote ²³

Therefore, in situations of cross-border personal data processing, the competent authority will be the LSA, but that authority does not act alone in handling complaints and the relevant investigation. To the contrary, there is a duty imposed on the LSA to endeavour to reach consensus with SACs and to exchange all relevant information with one another.Footnote ²⁴ In leading the proceedings, the LSA should ‘without delay’ communicate relevant information to SACs and submit the draft decision to them to obtain their opinions.Footnote ²⁵ The LSA is then obliged to take ‘due account’ of their views.Footnote ²⁶ The Court considered the operation of this cooperation mechanism in Facebook Belgium.Footnote ²⁷ It was asked whether, under the GDPR, an NSA can continue legal proceedings before a domestic court even though it is not the LSA. In its judgment, discussed further below, the Court confirmed that the cooperation mechanism was underpinned by the general principle of sincere and effective cooperation and emphasised the obligation of NSAs to cooperate to reach a single decision, binding on all authorities.Footnote ²⁸ As a result, concurrent judicial proceedings before the courts in the territory of SACs should be discouraged.

As an interim conclusion, it can be observed that the OSS has a twofold rationale: first, to limit opportunities for fragmentation by creating a single point of contact for data controllers and processors for data protection oversight and enforcement in transnational contexts; and, second, to enhance cooperation among NSAs. Yet where this cooperation fails to reach consensus because the LSA does not wish to implement a ‘relevant and reasoned’ objection to its draft decision by a SAC, the adoption of the draft decision is temporarily blocked and the GDPR's consistency mechanism is engaged.Footnote ²⁹

B. Dispute Resolution through the Consistency Mechanism

There are two elements to the consistency mechanism: the power to issue opinions; and the power to engage in dispute resolution. Article 64(1) GDPR identifies certain circumstances in which the opinion of an EU body—the European Data Protection Board (EDPB)—must be sought, while Article 64(2) provides that an opinion can be requested by any NSA, the Chair of the EDPB or the Commission on any matter of general application or producing effects in more than one Member State. The latter covers some failures in cooperation, with Article 64(2) GDPR explicitly noting that this includes instances where a competent supervisory authority does not comply with its mutual assistance or joint operations obligations. This opinion, if followed, should suffice to ensure consistency.

However, the GDPR also envisages circumstances where dispute resolution among NSAs is necessary. In these cases, the EDPB issues binding decisions as opposed to opinions. The EDPB skips straight to binding decisions where the LSA does not follow or rejects the reasoned and relevant objection of a SAC.Footnote ³⁰ Binding decisions are also delivered where there is disagreement over the designation of the LSA and where the EDPB's Article 64 GDPR opinion is not followed.Footnote ³¹ This binding decision is addressed to the LSA and all SACs, and thus supersedes any conflicting decisions of NSAs.Footnote ³² The LSA and/or the NSA of the State where the complaint was lodged must then adopt a final decision based on the binding decision of the EDPB. Therefore, the EDPB's decision may be seen as a sort of ‘preliminary act’ to the binding decision adopted by the NSA. Such preliminary findings can be a feature of composite administrative decision making where:

The final decision is adopted based on the following division of labour: the LSA notifies the controller or processor of the decision and the NSA of the State in which the initial complaint was lodged must notify the complainant. Nevertheless, where the complaint is rejected wholly or partially, the NSA of the complainant notifies both the controller or processor and the complainant of this dismissal or partial dismissal.Footnote ³⁴ The presence of a ‘chain’ of EU and national acts is another feature of composite administrative decision-making.Footnote ³⁵

A. Procedural Ambiguities and Divergences in the Cooperation Procedure

The cooperation mechanism is initiated at the national level and entails the application of national procedural rules jointly with (minimal) procedural rules foreseen by the GDPR. At present, there is a lack of clarity regarding the definition of key procedural concepts relevant for the cooperation mechanism under Article 60 GDPR. Such ambiguities are well-documented.Footnote ³⁷ It can be confidently asserted that, as EU law concepts, the procedural notions included in Article 60 GDPR should be subject to the autonomous interpretation provided by EU institutions, especially the Court of Justice.Footnote ³⁸

The EDPB's adoption of Guidelines on the functioning of Article 60 GDPR seeks to promote such an autonomous understanding of the concepts and rules included in the cooperation mechanism.Footnote ³⁹ The Guidelines start from the premise that a ‘common understanding of the terms and basic concepts is a prerequisite for the cooperation procedure to run as smoothly as possible’.Footnote ⁴⁰ They emphasise that the endeavour to reach consensus required by the cooperation procedure is a legal objective which ‘sets the direction for cooperative acting in such a way that SAs [ie supervisory authorities] do their utmost and make a ‘‘serious determined effort’’ in order to achieve consensus’.Footnote ⁴¹ It is clear that the EDPB envisages that an ethos and an obligation of sincere cooperation should permeate the interpretation and application of Article 60 GDPR. The EDPB Guidelines also specify the meaning of key procedural concepts found in the GDPR. It reads notions such as ‘without delay’, where it would be inappropriate to specify a single universally applicable time period, in light of the legislature's intent to increase ‘the speed in the information flow connected with the draft decision’.Footnote ⁴² Moreover, the LSA ‘has to act proactively and, as quickly as possible, appropriately to the case’.Footnote ⁴³ While not precisely defining the term ‘draft decision’, the EDPB considers that it should be ‘subject to the development of common minimum standards to enable all involved SAs to participate adequately in the decision-making process’. It therefore identified the minimum components of a ‘draft decision’.Footnote ⁴⁴

It is evident that these Guidelines facilitate alignment of the understanding of GDPR terms while not entirely eliminating scope for divergence. They go some way towards providing the elements of a common administrative procedure, requested by both the Commission and prominent consumer organisation BEUC.Footnote ⁴⁵ Yet, as Guidelines, they are non-binding. Therefore, as will be discussed below, if these Guidelines are not followed, it will fall to the Commission or the Court to rectify this failure, with procedural harmonisation via legislation acting as a final fall-back solution.

In any event, not all elements of the cooperation procedure lend themselves to an autonomous EU law interpretation. National procedural rules have a pivotal role to play in the cooperation mechanism. Yet disparities between national procedural rules have become a source of friction and delay.Footnote ⁴⁶ Take, for instance, rules on standing for representative bodies: the GDPR allows data subjects to mandate a non-profit organisation to lodge complaints and initiate legal actions on their behalf.Footnote ⁴⁷ Nevertheless, divergences between the nature and the extent of the information required to verify the representation and standing of such organisations by, on the one hand, the NSA where a complaint is lodged, and, on the other hand, the LSA have emerged.Footnote ⁴⁸ Such divergences have knock-on implications for the triggering of the cooperation procedure: the barriers encountered at the national level to submitting complaints may impede the initiation of the cooperation mechanism at the transnational level via the OSS. The ultimate result is a high risk of under-enforcement of the GDPR and ultimately of ineffectiveness of the cooperation mechanism. Moreover, standing is but one example of a wider problem: as we discuss below, procedural divergences and gaps lead to issues of procedural fairness for complainants in the OSS.

A by-product of this terminological ambiguity (what constitutes a ‘draft decision’) and national procedural divergences is that it is difficult to compare the performance of NSAs. As Advocate General Bobek suggested in Facebook Belgium, any assessment of the effectiveness of GDPR enforcement would need to be ‘evidenced by facts and robust arguments’ rather than speculation and assumptions.Footnote ⁴⁹ Yet the absence of reliable comparator data renders this task more difficult.Footnote ⁵⁰

B. The Lack of Equality between NSAs

The LSA should function as a primus inter pares.Footnote ⁵¹ The GDPR supports this assertion. First, during the legislative process, there was a concern that the Commission's original proposal granted an outsized role to the LSA at the expense of the independence of other NSAs.Footnote ⁵² To address these concerns, the notion of a ‘supervisory authority concerned’ (SAC) was formalisedFootnote ⁵³ and the mechanisms for cooperation between the LSA and other concerned authorities were set out in Article 60 GDPR. Secondly, as the Court emphasised in Facebook Belgium, there is a legal obligation on the LSA to work with SACs to endeavour to reach consensus and to exchange all relevant information with one another.Footnote ⁵⁴

Thirdly, even if in principle the LSA is competent to deal with proceedings with a transnational dimension, there are exceptions to this rule. In Facebook Belgium the Court emphasised that where a LSA does not comply with a request for mutual assistance, a SAC may adopt a provisional measure on the territory of its own State and request the input of the EDPB if a final measure is urgently needed.Footnote ⁵⁵ In this way, the Court reminded NSAs of their own obligations to take the reins to secure enforcement of the GDPR. Moreover, any NSA can request that any matter of general application or that produces transnational effects be examined by the EDPB.Footnote ⁵⁶ In such circumstances, the SAC must be able to take measures necessary to ensure compliance with the EDPB's findings.

Fourthly, the LSA is given no special recognition in the voting procedure for binding EDPB decisions. Such decisions are adopted by a two-thirds majority of EDPB members and thus it is possible that the LSA's perspective is overridden in this context. In theory, therefore, although it is the competence of the LSA to coordinate the proceedings, the LSA and SACs remain on an equal footing throughout the cooperation procedure. Yet in reality, there is a discernible lack of equality between NSAs: the LSA can play an outsized role in administrative proceedings while the input of other concerned authorities is minimised.

To begin with, it should be recalled that the administrative enforcement of the GDPR involves the following five steps: (1) delimiting the scope of investigation and potential infringement based on an initial assessment of the facts; (2) establishing the facts; (3) establishing whether these facts amount to a violation of the Regulation or other data protection rules; (4) determining the corrective measures to be applied, including possible sanctions; and (5) ensuring that the corrective measures are enforced.Footnote ⁵⁷ Early experience suggests that the LSA plays a decisive role in steps (1), (4) and (5) in these procedures and therefore can exercise a disproportionate influence on GDPR enforcement, to the exclusion of its peer regulators. How this comes about can be considered by taking the example of an investigation by the Irish NSA concerning Twitter which culminated in a binding decision of the EDPB pursuant to Article 65 GDPR.Footnote ⁵⁸

First, the role played by the LSA in scoping the initial inquiry can shape the entire proceeding in a decisive way. The Irish NSA initiated an investigation of Twitter's data protection compliance, informing Twitter that its inquiry concerned the GDPR's data breach notification requirements.Footnote ⁵⁹ Several SACs objected to the scope of the draft decision, which had been determined by the LSA alone at the outset of the process. They considered that Twitter engaged in further infringements of provisions such as the principles of integrity and confidentiality as well as accountability, amongst others.Footnote ⁶⁰ However, the Irish NSA considered that it was within its discretion to limit the scope of the inquiryFootnote ⁶¹ and, given the original scope of the inquiry, the EDPB did not have sufficient material to establish the existence of these further infringements.Footnote ⁶² Although the GDPR does not explicitly grant SACs procedural rights until after a draft decision is submitted by a LSA, the exclusion of peer regulators from determining what violations will be investigated is incompatible with the general principle of loyal cooperation and throws cold water on the idea that the LSA is a primus inter pares.

Secondly, as the consistency mechanism does not cover the determination of corrective measures and fines—a task left to the LSA, the SACs have a limited role in defining the nature of corrective measures and sanctions, even though GDPR infringements may affect data subjects on their territory. During the legislative process, the Council considered this exclusion necessary to ensure that the workload of the EDPB remained reasonable and because NSAs are entitled to take account of many factors in exercising their corrective powers, including some which may be particular to that Member State.Footnote ⁶³ In the Twitter proceedings, the German NSA had suggested a fine in the range of 7.3 to 22 million Euro. The Irish NSA ultimately imposed a fine of only 450,000 Euro on Twitter. The EDPB was seemingly unable to specify even the range in which the fine should fall.Footnote ⁶⁴ The EDPB was more assertive in the subsequent WhatsApp decision, where the fine imposed increased fourfold following its intervention.Footnote ⁶⁵ This is significant as the GDPR enforcement apparatus risks becoming devoid of purpose if the imposition of fines and corrective measures does not take into account the opinions of NSAs protecting the rights of those directly affected by the consistency mechanism decision.

Thirdly, it is notable that where there is disagreement between the LSA and SACs on a draft decision, SACs must meet a demanding threshold—that of reasoned and relevant objection—for their objection to count.Footnote ⁶⁶ According to the EDPB Guidelines, a SAC's reasoned objection must show why the LSA's draft decision would pose significant risks for the rights and freedoms of data subjects and/or the free flow of data.Footnote ⁶⁷ Therefore, simple disagreement on the merits of the case is insufficient; rather, the difference must have a real impact.Footnote ⁶⁸ This may seem an appropriate limitation on the role of SACs: one might wonder why they should intervene where the draft decision poses no significant risks to rights and freedoms. Yet its impact, it is suggested, must be considered in the aggregate: the requirement to prove a ‘significant risk’ is demanding and the SAC needs to show this in each individual case.Footnote ⁶⁹ This becomes an onerous task for SACs and, de facto, creates a presumption in favour of the draft decision of the LSA while ultimately minimising the role of SACs.

What is clear is that, from its initial role in defining the scope and the direction of the investigation through to its determination of corrective measures, the LSA plays a preponderant role in proceedings. Meanwhile, the odds remain stacked against the perspectives of SACs which need to evidence their reasoned and relevant objections to LSA decision-making. This reality militates against the claim that the LSA acts as a first amongst equals. One might wonder, however, why equality between NSAs remains important. This equality matters for several reasons.

Equality between NSAs is desirable because it is necessary to flatten national interests in the context of these transnational administrative proceedings and to encourage NSAs to act as agents of EU law. Albeit composed of representatives of the NSAs and the European Data Protection Supervisor, the EDPB is an EU body. The member of the NSAs on the EDPB should ‘act in the sole interest of the Union rather than act as vessels for a variety of national interests’.Footnote ⁷⁰ Indeed, the cooperation and consistency mechanisms were designed to Europeanise EU decision-making on data protection, moving it away from disparate national interpretations and making oversight and enforcement in transnational contexts a collegial endeavour.Footnote ⁷¹ The price of this Europeanisation was that the level of protection offered in some Member States might be lower and that the pace of enforcement by active authorities might be slowed down.Footnote ⁷² The quid pro quo for this erosion of national interests was consistency. The bargain struck might be thought of as follows: all Member States lost their individual stake, yet stood to gain from more effective enforcement.

However, to date, this bargain has not materialised: not all national interests have been flattened to the same extent as the LSA continues to play an oversized role in these mechanisms, but nor has there been more effective enforcement of EU data protection law. The role of SACs in the cooperation mechanism is deliberately designed to ensure maximum proximity between complainants and those investigating complaints.Footnote ⁷³ Yet these entities encounter significant limitations in their potential influence in the cooperation mechanism. It is suggested that while there is no explicit principle of equality between NSAs, this lack of equality undermines the legitimacy of the framework.

A further by-product of the lack of equality between NSAs is that, failing the emergence of a truly cooperative culture between NSAs, resort to the consistency mechanism may well shift from being the exception to being the rule. This procedure places an extraordinary burden on all NSAs. Docksey has highlighted the challenges in the handling of reasoned objections in the Twitter case, where ‘the LSA was obliged to respond to them in detail and finally the matter had to be addressed by the Board’.Footnote ⁷⁴ Moreover, given that the LSA may need to reconcile potentially conflicting objections of SACs, the prospect of the consistency mechanism being invoked is heightened. Therefore, what could be a single decisional process in situations where cooperation functions effectively risks becoming a protracted multi-jurisdictional and multi-tiered process.Footnote ⁷⁵ Such a scenario seems destined to favour organisations with deep-pockets and experience of complex multi-jurisdictional litigation.

In sum, the consequences of the absence of equality among NSAs are stark: such lack of equality delegitimises the legislative choice to neuter the more stringent NSAs in favour of a more Europeanised approach to enforcement; it has placed significant resource burdens on NSAs; and, ultimately, has impeded NSAs from becoming agents of European rather than national law. These implications are further exacerbated by gaps in the procedural fairness guarantees found in the cooperation and consistency mechanisms.

C. Insufficient Procedural Fairness Guarantees

The diagonal composite administrative proceedings created by the GDPR raise the prospect of myriad procedural fairness challenges. Procedural fairness is essential in any legal system because it enhances the legitimacy of and trust towards public authorities while ensuring fair decision-making.Footnote ⁷⁶ It does so, among others, by favouring democratic participation in decision-making procedures and by guaranteeing the neutrality of public authorities towards the parties to a dispute.Footnote ⁷⁷ Procedural fairness ultimately contributes to judgments and settlements which favour compliance with the law.Footnote ⁷⁸ It is therefore not surprising that procedural fairness guarantees underpin the text of several constitutions and fundamental rights treaties, including the EU Charter of Fundamental Rights.Footnote ⁷⁹

The OSS and the consistency mechanism involve an intrinsic contradiction in terms of procedural fairness: while they sought to introduce stricter rules on cooperation among NSAs with the objective of facilitating effective decision-making under the GDPR, they also feature significant gaps in terms of procedural rights. For instance, a crucial aspect of procedural fairness is that decisions should be issued in a reasonable time.Footnote ⁸⁰ Considerations of timeliness are built into the OSS mechanism. For instance, Article 65(1) GDPR provides that where a LSA does not request or follow the opinion of the EDPB, SACs or the Commission may communicate the matter to the Board, thus immediately triggering the consistency mechanism. Yet although the OSS mechanism was designed to enhance efficiency by arriving at a single supervisory decision through a quicker administrative procedure, the reality of its operation has been described differently: ‘serious cross-border cases involving all DPAs hang in the mill of a bureaucratic procedure for years and absorb the strength and the poor resources of the authorities’.Footnote ⁸¹ This type of paralysis is not unique to data protection law and is an inherent risk in European procedures involving Member States’ representatives.Footnote ⁸² The EDPB rules of procedure have been amended to expedite the initiation of the consistency mechanism by allowing the EDPB Chair to initiate the dispute resolutions procedure.Footnote ⁸³ Other issues, such as the sometimes-lengthy wait before a LSA is designated, could similarly be more quickly resolved.Footnote ⁸⁴

A further aspect of procedural fairness is that no one should be tried or punished twice for the same offence, a principle enshrined in Article 50 of the EU Charter.Footnote ⁸⁵ This provision is central to ensuring due process guarantees under the GDPR considering the possibility of overlapping fines and proceedings of a criminal nature within the EU territory. As established in Facebook Belgium, the general rule is that data protection proceedings will be managed by the LSA, the competence of SACs being the exception.Footnote ⁸⁶ Yet where SACs trigger the urgency procedures foreseen, the risk of parallel data protection proceedings across the Member States becomes more tangible.

An exhaustive identification and treatment of the potential procedural fairness issues of composite data protection proceedings is beyond the scope of this article. Instead, it focusses on the most immediate challenges that the OSS and the consistency mechanism engender. First, these proceedings entail the de facto exclusion of data subjects from the cooperation and consistency procedure. Secondly, the interaction between these composite proceedings and Articles 78 and 79 GDPR sits uncomfortably with the EU Charter right to an effective remedy. In practice, the role of the individual in these procedures seems to be lost behind the curtain of administrative cooperation. These concerns will be addressed in turn.

D. NSAs’ Discretion Impedes Effective Transnational Enforcement: Rule of Law Challenges

One of the founding values of the EU is the rule of law.Footnote ¹²⁰ The rule of law has clearly acquired normative content in the EU through recent legislative measuresFootnote ¹²¹ and the jurisprudence of the ECJ.Footnote ¹²² An expression of this is the principle of judicial independence, which guarantees that EU law should be applied effectively.Footnote ¹²³ In EU law, the rule of law also requires respect for the principles of legality,Footnote ¹²⁴ implying a transparent, accountable, democratic and pluralistic law-making process, legal certainty,Footnote ¹²⁵ and prohibition of arbitrariness of the executive powers.Footnote ¹²⁶ These principles reflect the consolidated formal theories on the rule of law.Footnote ¹²⁷

Applying the formal rule of law conception—which focuses on the equal application of the law—to the OSS and consistency mechanisms, it follows that the NSAs should strive, collectively and individually, to enforce the GDPR in an equal manner in the context of transnational enforcement, without creating different treatments for data subjects, controllers and processors located in different jurisdictions. In a way, the cooperation and consistency mechanisms seek to enhance compliance with the rule of law when it comes to the GDPR by regulating the rules of the cooperation game among NSAs. Yet the achievement of the equal enforcement of the GDPR in transnational settings, and thus of the formal aspect of the rule of law, is seriously hindered by the national strategies adopted by NSAs, especially LSAs.

As Hijmans observes, the consistency mechanism requires the consistent application of the law, rather than consistent strategies.Footnote ¹²⁸ Two main fault lines have emerged. The first concerns strategic or selective enforcement, including whether NSAs focus on particular sectors or data controllers. For instance, while many of the discussions of under-enforcement concern ‘Big Tech’, the Irish Commissioner has stated that such a selective focus is irrational as ‘it discloses far too narrow a view of the problems at hand, the result of which would be to permit substantial amounts of unlawful processing to continue, unchecked’.Footnote ¹²⁹

A second emerging divergence in terms of enforcement approach regards the extent to which amicable or negotiated settlements between the NSA and the data controller or processor meet the GDPR's enforcement objectives. Practice suggests that NSAs have historically sought to reach amicable solutions in the context of complaints, a position seemingly endorsed by the EDPB.Footnote ¹³⁰ Amicable solutions to complaints may have the strategic advantage of solving complaints more efficiently, while conserving the financial and human resources of NSAs. Moreover, the resolution of complaints via amicable settlement would further prevent the need to resort to judicial proceedings. Some argue that more effective compliance with the GDPR can be ensured by regulators engaging responsively with organisations to influence the ethical culture and behaviour of those market operators, rather than relying on ‘backward-looking’ rules enforced by sanctions.Footnote ¹³¹ However, the risk of emphasising amicable resolution over other enforcement strategies is that fundamental rights may be imperilled while regulators embolden systematic infringers of the regulatory framework.Footnote ¹³²

The GDPR does not explicitly resolve these more strategic questions. It obliges NSAs to ‘handle complaints … and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and outcome of the investigation’.Footnote ¹³³ This has been interpreted by some NSAs to mean that they are not obliged to produce a decision in all circumstances and can instead resort to the amicable settlement of disputesFootnote ¹³⁴ or even to switch to own initiative inquiries in the course of complaint-handling.Footnote ¹³⁵ On this reading, it is possible that transnational complaints might not reach the stage of a draft decision, thereby short-circuiting the OSS system and cutting SACs out of the picture. Such actions also eliminate or reduce the possibility for complainants to contribute to the investigations, although their input might be beneficial, and hinders the complainant from seeking follow-on damages in private litigation.

However, this reading is contestable. Not only must the LSA communicate ‘relevant information’ to SACs without delay; the non-binding recital 131, which is the only GDPR provision to refer to the amicable settlement of disputes, applies where the local NSA acts instead of the LSA due to the complaint's domestic nature or impact. This calls into question whether such amicable settlements can be used where the OSS is engaged. This example suggests that some NSAs continue to act as agents of national law rather than agents of European law when they apply data protection law. As a result of these differing enforcement strategies, the GDPR is subject to differential enforcement, leading to an unequal application of the law. The formal rule of law is therefore at risk with differentiated enforcement benefitting non-compliant data controllers and processors.

If data controllers perceive certain jurisdictions to be more lenient than others, there is a real risk that they will set up their establishment in those jurisdictions to shield themselves from regulatory action by more stringent regulators, a possibility alluded to by Advocate General Bobek.Footnote ¹³⁶ Regulators continue to jostle, as happened in Facebook Belgium, to claim oversight competence for various matters since the GDPR's entry into force.Footnote ¹³⁷ Nevertheless, whether motivated by GDPR enforcement, or broader commercial considerations such as favourable taxation regimes, it is clear that some jurisdictions—notably Ireland and Luxembourg—act as LSAs in a disproportionate number of proceedings.Footnote ¹³⁸ Assuming that data controllers and data processors secure a regulatory benefit—in the form of weaker enforcement—from this arrangement, this leads to lower levels of fundamental rights protection (by neutering the more active NSAs);Footnote ¹³⁹ weakens competition on the internal market by creating ‘geographical advantages as well as disadvantages’;Footnote ¹⁴⁰ and imposes unequal costs for data protection compliance across the residents of the EU. One might wonder, for instance, why the residents of Luxembourg should foot the bill to ensure the effective data protection of the residents of Sweden or Slovakia.

This situation may also lead to NSAs seeking alternative routes beyond the OSS to secure effective data protection, particularly those where the rights of data subjects have historically been subject to higher protection. For instance, in Facebook Belgium the Belgian NSA wished to continue with judicial proceedings before a domestic court rather than going down the administrative route through the OSS mechanism. Although neither the Advocate General nor the Court accepted its pleas, it explicitly argued before the Court that judicial proceedings were necessary to remedy the deficiencies in the OSS mechanism and ensure effective protection for data subjects.Footnote ¹⁴¹ This plea suggests that the Belgian NSA doubted the effectiveness of the cooperation with the Irish NSA which would have acted as LSA in the context of OSS proceedings. Recourse to proceedings before national courts as an alternative to the OSS would potentially lead to litigation concerning the differing levels of protection of fundamental rights when protected both at EU and national level.Footnote ¹⁴² Practice indicates that NSAs are finding other ways to sidestep the OSS to guarantee fundamental rights protection. For instance, the French NSA has sanctioned Google for breach of the ePrivacy Directive rather than the GDPR, thereby avoiding the OSS, with the French Conseil d'Etat upholding this course of action.Footnote ¹⁴³ In a similar vein, other regulatory agencies can sidestep the application of GDPR mechanisms by initiating legal proceedings where similar or identical factual circumstances give rise to an alleged infringement of a distinct area of law, such as consumer protection or competition law.Footnote ¹⁴⁴

In conclusion, the current application of the cooperation and consistency mechanisms appears challenging from the angle of the equal application of the law and risks stretching the limits of compliance with the rule of law, especially in its formal meaning. The following section considers how these problems with the transnational enforcement of the GDPR might best be addressed.

A. Leveraging General Principles of EU Law to Align Procedures

Many of the shortcomings of the cooperation and consistency mechanisms do not stem from their design but from the failure of NSAs and the EDPB to implement these mechanisms appropriately. A shift in approach from key actors would therefore lead to significant improvements.

As NSAs act within the scope of EU law, they should comply with general principles of EU law, including the principle of sincere cooperation and, indirectly, the sub-principle of effectiveness. Article 4(3) TEU imposes a duty on national authorities to assist each other in carrying out the tasks stemming from the Treaties, and to ‘take any appropriate measure […] to ensure fulfilment of the obligations arising out of the Treaties or resulting from the acts of the institutions of the Union’. Moreover, Member States must facilitate the achievement of the Union's tasks and refrain from any measure which could jeopardise the attainment of the Union's objectives.Footnote ¹⁴⁵ Therefore, the activities of NSAs in the context of the OSS and the consistency mechanism should be guided by the objective of attaining sincere cooperation in the EU legal landscape.

The principle of effectiveness may also be helpful in framing the enforcement duties of NSAs. This principle ensures that the enforcement of EU rights is not made impossible or excessively difficult.Footnote ¹⁴⁶ It was developed, alongside the principle of equivalence, by the CJEU to act as an outer limit on the national procedural autonomy.Footnote ¹⁴⁷ Under the principle of equivalence, the national courts are required to assess whether remedial rules used in the field of the GDPR are more stringent than those used for similar national claims—an example being rules on fines or on damages. While they are applied by national courts, both principles are subject to the exclusive interpretation by the Court of Justice, meaning that national courts should cooperate with the Luxembourg judges to set the standards of the effective enforcement of EU law, including the GDPR. Via judicial proceedings,Footnote ¹⁴⁸ parties unsatisfied with the way in which NSAs have applied EU law may bring legal action against that authority. However, as discussed above, there are significant hurdles when it comes to the right to effective judicial protection following the initiation of the OSS.

Moreover, NSAs are also bound by the EU Charter, which should be respected in the context of national procedures applied in the fields of EU law.Footnote ¹⁴⁹ For instance, one might argue that, in light of the criminal nature of the sanctions imposed for violation of the GDPR, the procedures of the LSA must be quasi-judicial in nature.Footnote ¹⁵⁰ According to Article 6 ECHR, in the light of which Article 47 of the EU Charter must be interpreted,Footnote ¹⁵¹ ‘[i]n the determination of his civil rights and obligations or of any criminal charge against him, everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal established by law’. The guarantees of Article 6 ECHR have been applied in a more stringent way in relation to criminal rather than civil chargesFootnote ¹⁵² with a view to ensuring an effective and fair judicial process.Footnote ¹⁵³ Considering the severity of fines which could be imposed as a result of GDPR cross-border investigations, those sanctions may be seen as criminal, and thus the requirements of Article 6 ECHR would apply to the procedures before the NSAs. The applicability of Article 6 ECHR to NSAs reinforces the case that procedural fairness guarantees should be granted in the context of the OSS mechanism. It can be seen therefore that by simply respecting the general principles of EU law, NSAs can bring about a substantial improvement in the enforcement of the GDPR.

The EDPB also has a role to play, in particular in ensuring the equality of NSAs in the consistency mechanism. For instance, in the Twitter case, the EDPB could have required further investigation to remedy gaps in the draft decision.Footnote ¹⁵⁴ Docksey surmises that this was probably deemed impractical given that it would effectively have required the entire procedure to start from the beginning.Footnote ¹⁵⁵ While undoubtedly true, more robust handling by the EDPB of these early experiences would have sent a strong signal to LSAs about expectations in the context of the consistency mechanism. The EDPB Guidelines require a LSA to ‘seek consensus regarding the scope of the procedure (ie the aspects of data processing under scrutiny) prior to initiating the procedure formally’.Footnote ¹⁵⁶ Where such consensus building is absent or inadequate, it is therefore for the EDPB to be firm in its response and to relaunch proceedings if necessary. While this might be inefficient in the short term, it may pay longer-term dividends. However, as shall now be discussed, it may be that where such changes on the part of NSAs and the EDPB are not forthcoming, more significant intervention is required. This might come in the form of a corrective role for the Commission or intervention from the EU Courts, again neither of which would require reform of the existing framework.

B. A Corrective Role for the Commission

The European Commission, as guardian of the Treaties, is responsible for ensuring that Member States do not violate their Treaty obligations.Footnote ¹⁵⁷ Accordingly, Member States can be held responsible for the activities of their organs falling foul of EU law, including the violation of EU case law.Footnote ¹⁵⁸ More generally, the Commission should seek the effective enforcement of EU law, including Article 16 TFEU. During the GDPR legislative negotiations, the consequences of a failure to cooperate between NSAs was queried.Footnote ¹⁵⁹ This is answered in the GDPR itself: recital 135 GDPR provides that the consistency mechanism ‘should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties’. Failure to comply with GDPR obligations, like failure to comply with any EU legislative instrument, can therefore lead to infringement proceedings against the relevant Member State under Article 258 TFEU. If, for instance, a LSA consistently interpreted a procedural concept such as ‘draft decision’ or ‘without undue delay’ in a way that hindered the effective involvement of other NSAs in the cooperation procedure or in contravention of the EDPB Guidelines, the Commission could initiate an infringement action against the Member State concerned.

It might be asked what the threshold for the initiation of such a procedure would be, in particular in light of the independence of NSAs, and how effective it might be in practice. Two reflections are relevant in this regard. First, the infringement procedure is renowned for its ‘dialogical’ nature: before bringing a Member State before the EU Courts, the Commission will find avenues for compromise and political dialogue with the Member States.Footnote ¹⁶⁰ The initiation of this dialogue with a Member State concerning its NSA may be sufficient to correct violations of the GDPR where the resolution sought is of a technical nature (for instance, the amendment of a national procedural rule providing an excessively short time limit to challenge an NSA decision). Secondly, by analogy with recent case law on the breach of judicial independence by the Polish authorities, the Commission may decide to prosecute one-off cases of breach of the OSS or consistency mechanism where their implications would be considered of a systemic nature.Footnote ¹⁶¹ The requirement of impartiality stemming both from Articles 41 and 47 of the Charter should receive special attention with reference to NSAs. A finding against the Member State may lead to the imposition of penalties against the Member State.Footnote ¹⁶² Proceedings before national courts for Francovich damages for the violation of EU law by national authorities would further strengthen the enforcement of the GDPR.Footnote ¹⁶³

C. Intervention from the EU Courts

The EU Courts will also have a role to play should the current transnational enforcement challenges persist. Respect for the EU Charter of Fundamental Rights, and in particular relevant rights in the Citizens’ Rights and Justice Chapters, should be central to the case law on the GDPR:Footnote ¹⁶⁴ the Court of Justice should be ‘proactive’ in putting flesh on the bones of these fundamental rights in the context of the GDPR. The interpretation of the GDPR should be guided by these fundamental rights with a view to ensuring the effective enjoyment of the data protection rights, thus going beyond the mere respect of procedural requirements and rather focusing on the possibility for data subjects to be granted the full extent of their entitlements. Principles of good administration and due process should acquire a central importance as they are key to ensuring the procedural fairness necessary to enhance the legitimacy of and trust in public authorities and the law. For instance, any guidance from the Court of Justice on the extent to which Articles 41 and 47 EU Charter apply to NSAs and the EDPB would be welcome.

In addition, via the combined reading of recital 13 GDPR, Articles 61(1) GDPR, 4(3) TEU and 41 of the EU Charter it may be possible to challenge the violation of the principle of sincere cooperation in the context of the OSS mechanism.Footnote ¹⁶⁵ It should be recalled that recital 13 GDPR and Article 61(1) GDPR both demand that NSAs engage in sincere cooperation. The sincere cooperation requirement also stems from the right of good administration protected under Article 41 of the EU Charter. Moreover, the principle of sincere cooperation is laid down in Article 4(3) TEU, which has general application regardless of the division of competences among the EU and the Member States.Footnote ¹⁶⁶ Potential violations of this principle could be raised in the context of national judicial proceedings under Article 78 GDPR and brought to the attention of the CJEU via a preliminary ruling, or via direct actions against the EDPB's decisions before the EU judicature. As mentioned, they could also be the object of an infringement procedure.

The EU judicature should also consider developing a principle of equality among the NSAs. This would tackle the over-representation of the LSA. In this sense, the CJEU has a crucial role to play in levelling up the currently deficient due process guarantees provided under the OSS and the consistency mechanisms. Indeed, it has already started to delineate the content of procedural rights in its GDPR decisions.Footnote ¹⁶⁷

Advocate General Bobek opined that the Court may be ready to go further and place these challenging demands on its shoulders. He observed that should the legislature's choice in enacting the GDPR be undermined—should ‘the child turn out bad’—then the Court would not ‘turn a blind eye to any gap which might thereby emerge in the protection of fundamental rights guaranteed by the Charter and their effective enforcement by the competent regulators’.Footnote ¹⁶⁸ He also hinted at the options available to the CJEU: interpreting the OSS and consistency mechanisms in conformity with the EU Charter; or assessing the validity of the mechanisms in light of the EU Charter. This serves as a shot across the bow for recalcitrant NSAs and the EDPB itself: should the GDPR cooperation and consistency mechanisms not function, alternative options will need to be made available. These alternatives shall be considered briefly.

D. Reform of the Existing Rules

In case reliance on general principles of EU law proves insufficient to enhance the substantive and procedural consistency of the GDPR, procedural harmonisation could occur via EU secondary measures. The ReNEUAL 2.0 principles on good administration may offer the starting point for drafting legislation on the procedures governing transnational cooperation under the GDPR. A principle-based framework may nevertheless be considered partial and not sufficiently defined to address the gaps in GDPR enforcement. Therefore, it is suggested that EU secondary rules would offer a more appropriate outlet for regulating the procedural rules and rights in the context of the OSS and the consistency mechanism. There are examples of similar procedural approximations in the field of competition law.Footnote ¹⁶⁹ So far, approximation has occurred through the EDPB guidelines.Footnote ¹⁷⁰ However, the absence of binding effects for those instruments may hinder their enforcement and, as noted above, the guidelines only pertain to the aspects of GDPR enforcement provided for explicitly by the GDPR.Footnote ¹⁷¹ Other elements of national administrative procedures fall outside their scope and may thus hinder smooth cooperation among NSAs.

A question to address in this context is that of the legal basis for the EU to adopt such procedural rules. Although Article 16(2) TFEU does not refer explicitly to procedural rules, this Article could constitute the legal basis to introduce procedures aimed at protecting individual rights connected to data processing. Another possible legal basis is the harmonisation clause included in Article 114 TFEU.

While it is beyond the scope of the present contribution to identify the precise content of these rules and to assess the viability of this prospect in light of prior EU experience of procedural harmonisation, two points bear noting. First, in terms of the content of these rules, it is critical that they enable complainants to engage effectively in NSA proceedings concerning cross-border processing operations. Consumer organisation BEUC, for example, suggests that complainants should be able to intervene throughout the GDPR administrative procedures, including concerning the allocation of complaints, rather than only at the end when a decision is reached.Footnote ¹⁷² Secondly, the limited EU experience of procedural harmonisation suggests that such harmonisation can be politically sensitive. Yet should subsidiarity so dictate, the harmonisation could cover the procedures applicable domestically when the cooperation and consistency mechanisms are engaged. Such harmonisation should also consider whether pan-European procedures should be introduced when it comes to national proceedings before NSAs and courts in the field of data protection. The existence of harmonised procedures in these two fields would further achieve the objectives of uniform application of the GDPR framework. While, historically, EU law has played a limited role in determining how EU law should be applied, EU legislative instruments—even those without an explicit procedural dimension—increasingly incorporate procedural requirements, going well beyond the old formula of ‘effective, dissuasive and proportionate’ sanctions. The GDPR itself is a case in point.Footnote ¹⁷³

A further potential reform concerns the possibility for the EDPB to act as central authority for the handling of cross-border complaints. By attributing this competence to the EDPB, some of the current deficiencies of GDPR enforcement in transnational settings would be addressed. The enforcement model existing in the EU competition law field could be taken as an example. However, this possibility risks significant complications. First, the centralisation of GDPR enforcement in the hands of a European body may meet resistance from the Member States as the reform would remove a significant part of EU data protection from NSAs. The political consensus needed to amend the relevant aspects of the GDPR might therefore not be forthcoming. Furthermore, other stakeholders such as civil society organisations might also be wary of such a move: placing such enforcement power in the hands of a single entity may, for instance, leave it more vulnerable to regulatory capture. Finally, any potential attribution of competence to the EDPB for cross-border complaints could hinder the proximity principle, according to which data subjects should be able to address national authorities to raise a complaint under the GDPR. Such reform would therefore require careful consideration, lest by addressing existing procedural justice deficiencies new problems would be created.