The Data Protection Commission takes the lead in assessing cross-border complaints

The Data Protection Commission (DPC) recently published its “One-Stop-Shop Cross-Border Complaint Statistics” report detailing the DPC’s handling of cross-border complaints from 25 May 2018 to 31 December 2021 through the “one-stop-shop” (OSS) mechanism provided for in the General Data Protection Regulation (GDPR).

The OSS mechanism under the GDPR allows data controllers or processors which carry out cross-border processing of personal data in the EU/EEA to appoint a single leading supervisory authority (LSA) which has primary responsibility for an organisation’s processing activity and coordinate investigations where necessary. Organisations which process personal data with no cross-border element are subject to their national data protection authority. However, where the organisation processing personal data is established in more than one member state of the EU/EEA or the processing of personal data takes place in one member state but substantially affects data subjects in other member states, the processing will be considered cross-border. The organisation can therefore benefit from the OSS mechanism by designating a LSA. The supervisory authority of the member state where an organisation’s main establishment is located will be the LSA for that organisation’s processing activities. For example, organisations with their headquarters based in Ireland would generally refer to the DPC as the LSA.

The GDPR’s OSS mechanism also provides for supervisory authorities, other than the LSA, to be designated a “concerned” supervisory authority (CSA). A supervisory authority is deemed to be “concerned” with a case if the organisation (controller or processor) is established on the territory of the member state of that supervisory authority; if data subjects residing in the member state of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or if a complaint has been lodged with that supervisory authority.

The DPC carries out an assessment exercise on all cross-border complaints received directly from individuals. This assessment firstly involves establishing that the complaint relates to a data protection issue and that all necessary documentation has been submitted. The DPC will then determine whether the processing at issue is cross-border, whether it concerns the dropping of cookies regulated under e-privacy legislation for which there is no OSS mechanism, whether the DPC is acting as LSA or CSA and in some cases further information may be needed from the complainant or the data controller before a determination can be made on the admissibility of a complaint. A similar assessment is also carried out on cross-border complaints received by other EU supervisory authorities.

The key highlights of the DPC’s “One-Stop-Shop Cross-Border Complaint Statistics” report are outlined below:
 

• 1,150 valid cross-border complaints have been received by the DPC, 969 as LSA and 181 as CSA.
• 588 of the 969 cross-border complaints handled by the DPC as the LSA were not originally lodged with the DPC but were transferred to the DPC by another EU/EEA supervisory authority. Interestingly, the report shows that valid cross-border complaints lodged with supervisory authorities in Germany account for 30% of all cross-border complaints sect to the DPC between May 2018 and December 2021.
• 65% of all cross-border complaints handled by the DPC as the LSA since May 2018 have been concluded, with 82% of those received in 2018 and 75% in 2019 now concluded. The rate of closure therefore continues to increase.
• Of 634 concluded cross-border complaints that were handled by the DPC as the LSA, 544 were resolved by means of amicable resolution in the interests of the complainant. The amicable resolution process is designed to achieve speedier and more resource efficient outcomes for complainants.
• 86% of all cross-border complaints handled by the DPC as the LSA relate to just 10 data controllers

Ireland is now recognised as a new global fintech hub and is home to the operations of nine of the world’s top 10 technology companies, including Meta (the company behind Facebook), Google, and Amazon and major players in global financial services. This report highlights the important and active role that the DPC plays in cross-border cases in Europe with 61% of complaints having been transferred to the DPC from another EU/EEA supervisory authority.

The DPC’s report was in fact published on the same day it concluded a cross-border inquiry into a series of data breaches involving Meta Platforms Ireland Limited (formerly Facebook Ireland Limited). The DPC imposed a fine of €17 million on Meta for failing to have appropriate technical and organisational measures in place which would enable it to demonstrate the security measures it had implemented to protect users’ personal data. Objections to the DPC’s draft decision were raised by the Polish and German supervisory authorities however consensus was achieved through further engagement. The DPC notes that the decision “represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU”.

Written by: Steven Whelan