(135) In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for cooperation between the supervisory authorities should be established. That mechanism should in particular apply where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States. It should also apply where any supervisory authority concerned or the Commission requests that such matter should be handled in the consistency mechanism. That mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.
(136) In applying the consistency mechanism, the Board should, within a determined period of time, issue an opinion, if a majority of its members so decides or if so requested by any supervisory authority concerned or the Commission. The Board should also be empowered to adopt legally binding decisions where there are disputes between supervisory authorities. For that purpose, it should issue, in principle by a two-thirds majority of its members, legally binding decisions in clearly specified cases where there are conflicting views among supervisory authorities, in particular in the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned on the merits of the case, in particular whether there is an infringement of this Regulation.
(137) There may be an urgent need to act in order to protect the rights and freedoms of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded. A supervisory authority should therefore be able to adopt duly justified provisional measures on its territory with a specified period of validity which should not exceed three months.
(138) The application of such mechanism should be a condition for the lawfulness of a measure intended to produce legal effects by a supervisory authority in those cases where its application is mandatory. In other cases of cross-border relevance, the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned should be applied and mutual assistance and joint operations might be carried out between the supervisory authorities concerned on a bilateral or multilateral basis without triggering the consistency mechanism.
There is no recital in the Directive related to article 63.
Article 63 introduces a control principle for overall consistency in applying the Regulation across the EU, including requiring the supervisory authorities to cooperate with each other and with the Commission through the mechanisms set out in Article 64 to Article 67.
A brief outline of these mechanism are:
- Requesting the opinion of the European Data Protection Board on some draft decisions of national authorities before adopting them (Art. 64);
- Requesting a binding decision of the European Data Protection Board in case of disputes between national authorities (Art. 65);
- Allowing an authority, in some cases, to adopt provisional measures under an urgency procedure (Art. 66 (1) or even definitive measures after requesting the urgent opinion of the European Board (Art. 66 (2)).
The Directive did not address any consistency requirements for the supervisory authorities.
A system to ensure the consistency of the application of the Regulation is essential, especially as there is real room for manoeuvring left to the States in the application of the Regulation. Let’s hope that the system is not too restrictive and will not result in significantly slowing down the decision-making processes of the national authorities.
In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.
1st proposal close
For the purposes set out in Article 46(1), the supervisory authorities shall co-operate with each other and the Commission through the consistency mechanism as set out in this section.
2nd proposal close
1. For the purpose set out in Article 46(1a), the supervisory authorities shall co-operate with each other through the consistency mechanism as set out in this section.
2. The European Data Protection Board shall issue an opinion whenever a competent supervisory authority intends to adopt any of the measures below (…). To that end, the competent supervisory authority shall communicate the draft decision to the European Data Protection Board, when it:
(c) aims at adopting a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 33(2a);
or (ca) concerns a matter pursuant to Article 38(2b) whether a draft code of conduct or an amendment or extension to a code of conduct is in compliance with this Regulation;
or (cb) aims at approving the criteria for accreditation of a body pursuant to paragraph 3 of Article 38a or a certification body pursuant to (…) paragraph 3 of Article 39a;
(d) aims at determining standard data protection clauses referred to in point (c) of Article 42(2);
or (e) aims to authorising contractual clauses referred to in point (d) of Article 42(2);
or (f) aims at approving binding corporate rules within the meaning of Article 43.
3. The European Data Protection Board shall adopt a binding decision in the following cases:
a) Where, in a case referred to in paragraph 3 of Article 54a, a concerned supervisory authority has expressed a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected an objection as being not relevant and/or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of the Regulation;
b) Where, there are conflicting views on which of the concerned supervisory authorities is competent for the main establishment;
d) Where a competent supervisory authority does not request the opinion of the European Data Protection Board in the cases mentioned in paragraph 2 of this Article, or does not follow the opinion of the European Data Protection Board issued under Article 58. In that case, any concerned supervisory authority or the Commission may communicate the matter to the European Data Protection Board.
4. Any supervisory authority, the Chair of the European Data Protection Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the European Data Protection Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 55 or for joint operations in accordance with Article 56.
5. Supervisory authorities and the Commission shall electronically communicate to the European Data Protection Board, using a standardised format any relevant information, including as the case may be a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of other concerned supervisory authorities.
6. The chair of the European Data Protection Board shall without undue delay electronically inform the members of the European Data Protection Board and the Commission of any relevant information which has been communicated to it using a standardised format. The secretariat of the European Data Protection Board shall, where necessary, provide translations of relevant information.
No specific provision
No specific provision but note the following:
54. International co-operation
(1) The Commissioner—
(a) shall continue to be the designated authority in the United Kingdom for the purposes of Article 13 of the Convention, and
(b) shall be the supervisory authority in the United Kingdom for the purposes of the Data Protection Directive [F1 and the Data Protection Framework Decision].
(2) The [F2 Secretary of State] may by order make provision as to the functions to be discharged by the Commissioner as the designated authority in the United Kingdom for the purposes of Article 13 of the Convention.
(3) The [F2 Secretary of State] may by order make provision as to co-operation by the Commissioner with the European Commission and with supervisory authorities in other EEA States in connection with the performance of their respective duties and, in particular, as to—
(a) the exchange of information with supervisory authorities in other EEA States or with the European Commission, F3...
(b) the exercise within the United Kingdom at the request of a supervisory authority in another EEA State, in cases excluded by section 5 from the application of the other provisions of this Act, of functions of the Commissioner specified in the order [F4, and
(c) the exercise within the United Kingdom at the request of a supervisory authority in another EEA State, in cases falling within the scope of the Data Protection Framework Decision as it applies to that State, of functions of the Commissioner specified in the order. ]
(4) The Commissioner shall also carry out any data protection functions which the [F2 Secretary of State] may by order direct him to carry out for the purpose of enabling Her Majesty’s Government in the United Kingdom to give effect to any international obligations of the United Kingdom.
(5) The Commissioner shall, if so directed by the [F2 Secretary of State] , provide any authority exercising data protection functions under the law of a colony specified in the direction with such assistance in connection with the discharge of those functions as the [F2 Secretary of State] may direct or approve, on such terms (including terms as to payment) as the [F2 Secretary of State] may direct or approve.
(6) Where the European Commission makes a decision for the purposes of Article 26(3) or (4) of the Data Protection Directive under the procedure provided for in Article 31(2) of the Directive, the Commissioner shall comply with that decision in exercising his functions under paragraph 9 of Schedule 4 or, as the case may be, paragraph 8 of that Schedule.
(7) The Commissioner shall inform the European Commission and the supervisory authorities in other EEA States—
(a) of any approvals granted for the purposes of paragraph 8 of Schedule 4, and
(b) of any authorisations granted for the purposes of paragraph 9 of that Schedule.
(8) In this section—
“the Convention” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28th January 1981;
[F5 “the Data Protection Framework Decision” means the Council Framework Decision 2008/977/ JHA of 27th November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters; ]
“data protection functions” means functions relating to the protection of individuals with respect to the processing of personal information.