Last May 12, the Irish Data Protection Authority (DPC) fined Meta €1.2 billion, the highest fine ever imposed for data protection violations by a European supervisory authority. The DPC's decision, however, is the result of intensive cooperation among all European supervisory authorities, which led the European Data Protection Board (EDPB) to adopt a binding decision under Article 65(1) of the GDPR.
The system of cooperation among European supervisory authorities
Each data protection supervisory authority has jurisdiction in its own country but, under certain circumstances, cooperation between the corresponding authorities in different European countries may be necessary to ensure proper implementation of, and compliance with, the provisions of Regulation (EU) 2016/679 (the "GDPR" or the "Regulation"). This is especially true where the competent supervisory authority is faced with processing operations that affect the interests of people living in other member states or throughout the European territory.
Under Article 60 GDPR, individual national authorities may request the cooperation of other supervisory authorities concerned by the processing operations carried out by the controller under examination by the main authority (referred to as the "Lead Authority"), especially in the case of data processing of a cross-border nature. This cooperation takes the form of a close, mutual exchange of information useful for adopting the final measure. If one of the supervisory authorities called to cooperate raises a reasoned and relevant objection to the draft decision defined by the inter-authority collaboration group, the Lead Authority, if it does not intend to follow up on the objection or considers it insufficiently reasoned or not relevant, is obliged to trigger the so-called “consistency mechanism” referred to in Articles 63 et seq. of the GDPR.
The dispute resolution mechanism by the EDPB
Under the consistency mechanism provided for in the GDPR, in view of the seriousness of the violations detected and any grounds of urgency, the EDPB may be called upon (i) to issue an opinion on a draft decision prepared by the supervisory authorities (Art. 64 GDPR), (ii) to adopt a binding decision (Art. 65 GDPR), and (iii) to act on grounds of urgency, pursuant to Art. 66 GDPR, if there are serious risks to the rights and freedoms of data subjects.
A binding decision may be adopted by the EDPB, pursuant to Article 65(1) GDPR, in order to ensure the correct and consistent application of the Regulation in the concrete case brought to its attention if (a) in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected such an objection as being not relevant or reasoned; (b) there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment; or (c) a competent supervisory authority does not request the opinion of the Board in the cases referred to in Article 64(1), or does not follow the opinion of the Board issued under Article 64.
The lead supervisory authority shall then be required to take its final action in accordance with the binding decision of the EDPB, without undue delay and at the latest within one month after the EDPB's notification of the decision.
The META Case
In the case of Mark Zuckerberg's corporate behemoth, the Irish data protection authority initially deemed the imposition of a possible administrative fine against Meta Ireland unnecessary and disproportionate, and considered the suspension of data transfers to the United States sufficient. However, the other data protection authorities involved in the case disagreed with the DPC's draft decision and raised reasoned objections under Article 60(4) of the GDPR. The DPC, deeming these objections irrelevant, asked the EDPB to adopt a binding decision under Article 65(1)(a) of the GDPR, which settled the case with the highest sanction ever determined at the European level for personal data protection.
The Meta case thus showed us the extent to which individual European supervisory authorities are linked to each other by cooperation and collaboration. It is good to keep this in mind when trying to predict the penalty risk hidden behind conduct that violates existing data protection legislation. If a data controller carries out one or more personal data processing operations that have effects in the European territory, it will have to consider, with the utmost attention, the guidelines of the different European supervisory authorities and not limit its check to those of the competent authority operating in the member state in which it has its establishment. The system of cooperation between national authorities and the dispute resolution mechanism entrusted to the EDPB require data controllers to think of Europe as a "single country" and of the individual supervisory authorities as extensions of a single body, the European Union.