On February 13, 2024, the European Data Protection Board (EDPB) released its opinion on the notion of the main establishment of a controller in the EU under article 4(16)(a) GDPR and the criteria for the application of the “one-stop shop” mechanism, in particular, regarding the notion of a controller’s “place of central administration” (PoCA) in the EU.

The EDPB concluded that (1) the controller’s place of central administration in the EU can be considered as a main establishment under Article 4(16)(a) GDPR only if it takes the decisions on the purposes and means of the processing of personal data and it has the power to implement these decisions; and (2) the “one-stop shop” mechanism can only apply if there is evidence that one of the establishments of the controller in the EU takes the decisions on the purposes and means of the relevant processing operations and has the power to implement these decisions. If the decisions on the purposes and means and the power are exercised outside the EU, there should be no main establishment under Article 4(16)(a) GDPR and the “one-stop shop” mechanism cannot apply.

Background

The “one-stop shop” is a mechanism for organizations that are engaged in cross-border EU data processing, allowing them to deal with a single lead supervisory authority (LSA) for their data protection compliance obligations. Under GDPR, the supervisory authority (SA) of the EU member state where that organization’s main EU establishment is located would often be its LSA. The LSA acts as a single point of contact for, and cooperates with, other SAs in relation to cross-border data processing activities.  

This mechanism intends to enhance consistency and uniformity in the application of data protection legislation and increase legal certainty. It also aims to facilitate central enforcement by a single decision of one LSA, as well as to reduce the administrative burden for controllers and processors, as they can navigate regulatory requirements more easily with this centralized point of contact.

The EDPB reiterates that GDPR does not permit “forum shopping” in the identification of the main establishment, as it must be determined by objective criteria. Therefore, before assessing who is the LSA of an organization, first it must be objectively concluded where its main establishment is.

Main Findings

Concerning the determination of the main establishment, the EDPB has indicated that, where an organization has several establishments in the EU, the main one will be the organization’s PoCA. That also implies that the establishment must be the one that takes the decisions on the purposes and means of the processing of personal data and that has the power to effectively implement these decisions.

With respect to the “one-stop shop” mechanism, the EDPB considers that it can only apply if there is evidence that it is the controller’s main establishment in the EU who takes the decisions on the purposes and means of the relevant processing and has the power to implement these decisions.

The EDPB’s opinion concludes that when decisions and the power are exercised outside the EU, there is no main establishment and, therefore, the “one-stop shop” mechanism cannot apply.

The EDPB’s opinion confirms that the burden of proof lies on controllers, as they have a duty to cooperate with the SAs. In this context, various elements such as records of processing activities and privacy policies are suggested by the data protection body – but just as important is the ability to demonstrate that one has the actual power to control implementation of the decisions taken. Compliance cannot be a mere paper trail.

Why Is This Important?

The EDPB’s recent opinion implies that non-EU organizations with cross-border operations in several EU countries that cannot have a main establishment in the EU (i.e., their decisions are being taken outside of the EU/they do not have the powers to implement decisions) will not be able to benefit from the “one-stop shop” mechanism.

The lack of a “one-stop shop” poses significant challenges for those organizations: without a central point of contact, it may be difficult for them to navigate the various regulatory requirements across the EU member states. This could result in increased bureaucracy and higher compliance costs, and issues might be amplified in a crisis scenario such as a cyber incident, where timing is critical. Moreover, the affected entities might suffer from a lack of consistency in the application and enforcement of the rules. This could create legal uncertainty and might diminish their ability to execute their cross-border activities, having to interpret and comply with different requirements across multiple jurisdictions.

As determined by the EDPB, it is not enough for a company simply to appoint an LSA; SAs retain the ability to challenge the controller’s claim, requesting further information based on an objective examination of the relevant facts. In that sense, organizations claiming an SA as their LSA must have evidence to prove that, indeed, the PoCA is the one taking the decisions on the purposes and means of the processing and has the actual power to implement these decisions. Substance is key, also in privacy.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

Transparency, from the medieval Latin “transparentia”, is thought to have emerged in the late 16th century as a general term for a transparent object. In essence, it means the property of allowing light to pass through so that objects behind it can be clearly seen. But in the 21st century, transparency has a different and broader meaning.

The Spanish Data Protection Agency (Agencia Española Protección de Datos, or AEPD) published an article in September 2023 on transparency in the context of the proposed Artificial Intelligence Act (AI Act) and the General Data Protection Regulation (GDPR), clarifying that different actors, different information and different recipients are involved, depending on the regulation.

Continue Reading AEPD’s Position Regarding Transparency (AIA vs. GDPR)

The start of a new year always brings New Year’s resolutions. If privacy by design is one of yours (just months after the Irish watchdog announced a €265 million fine for a breach of this concept, it seems reasonable to have it on your radar), 2023 is off to a good start with a new “privacy by design” international standard. On January 31, 2023, the International Organization for Standardization (ISO) published the standard numbered ISO 31700, officially titled “Consumer protection – Privacy by design for consumer goods and services.” It consists of two parts: a list of requirements (31700-1) and use cases (31700-2). The standard is due to be adopted by ISO on February 8.

The new standard bears an obvious resemblance to “data protection by design and by default” – a concept that is well known to companies striving to comply with (and operationalize the requirements of) the General Data Protection Regulation (GDPR). It is, therefore, worth exploring whether the two have anything in common and, if so, whether the new regime brings any good news to those dealing with the GDPR.

A Quick Overview

ISO is a global network of national bodies tasked with setting standards in different areas to address, for example, technology or societal issues. In essence, an ISO standard is an internationally recognized way of doing “things.” Some standards allow businesses to (voluntarily) certify as operating at that level if they meet the prescribed specifications and pass appropriate reviews.

On the other hand, privacy by design is a concept calling for the integration of privacy into the design and architecture of systems and business practices. Initially developed in 2009 by the Information and Privacy Commissioner of Ontario, it became an express requirement under EU law following the adoption of the GDPR. Article 25 GDPR requires all data controllers to embed data protection by design (and by default, which is a complementary concept) into their processes from the design stage and throughout their life cycle.

“Data protection by design” means that controllers must apply appropriate technical and organizational measures to their processing of personal data. There is no exhaustive list of measures, and they may vary depending on the available technology, circumstances of the processing, costs and risk assessment. The bottom line is that any design must respect data protection principles and rights. “Data protection by default” builds upon this requirement and prevents controllers from using default settings that result in “excessive” processing. Further guidance on how to operationalize these obligations is provided by the European Data Protection Board (EDPB) guidelines. For example, in relation to transparency, EDPB clarifies that this would entail clear and plain language, accessibility, timeliness, etc.

Anything New?

ISO 31700 lays down 30 requirements for embedding data privacy into consumer products and services. Like the EDPB’s approach, it does not specify thresholds or steps but keeps the ruleset high-level and provides examples for better understanding.

The standard revolves around a few pillars, each consisting of several privacy requirements. For example, the “consumer communication” pillar instructs on how to provide consumers with privacy information, respond to inquiries and complaints or prepare a data breach communication. The “risk management” pillar addresses processes such as privacy risk assessments or third-party due diligence. Further, there is an entire pillar dedicated to “privacy controls” such as data breach management. ISO 31700 also covers many other requirements, including the enforcement of consumers’ privacy rights, the assignment of relevant roles and authorities and allowing for the determination of consumer privacy preferences.

ISO 31700 is not directly linked to the EU data protection framework, but some overlaps do exist. For example, it adopted a “GDPR-ish” definition of personal information, and many of its requirements overlap with those from the GDPR. The obligation to provide privacy information and to ensure the enforcement of privacy rights is just one of the examples. Also, the standard’s sources clearly reveal that both the GDPR and the EDPB’s guidelines were used in the preparation of ISO 31700.

So, what is the relationship between ISO 31700 and the GDPR’s privacy by design and by default requirement? For now, officially, none. Conformity with the ISO standard does not equate to complying with the GDPR (and vice versa), and businesses looking to adhere to the GDPR must still observe its requirements separately.

But …

By all means, ISO 31700 should prove to be helpful for organizations. For some, it can serve as an inspiration when developing technical and organizational measures and safeguards under the GDPR – a sort of “cheat sheet” with guidance and ideas. Also, the EDPB itself encouraged controllers to make use of certifications and codes of conduct available on the market. This suggests that companies relying on international standards may find it easier to showcase their compliance to authorities or build trust with consumers, which could also prove to be a strategic advantage over competitors. Finally, it is worth remembering that the GDPR foresees the introduction of special certification mechanisms according to the GDPR criteria. In providing guidance on this topic, the EDPB accepted that the certification criteria may be drawn up in observance of the ISO standards. There is certification for (almost) everything; here is another set of standards that could serve as a relevant compliance benchmark.

In a CLE webinar earlier this week, Malcolm Dowden (Partner, London) and Niloufar Massachi (Associate, Los Angeles) discussed evaluating, drafting, and updating vendor agreements to meet the privacy and security requirements of new US privacy laws and the GDPR.

Continue Reading Malcolm Dowden and Niloufar Massachi Discuss Vendor Contracting Requirements Under New US Privacy Laws and the GDPR

In a case of first impression, a federal court in California rejected an attempt by plaintiff, a UK citizen, to bring GDPR-based claims against an American company on behalf of a UK putative class.  Elliott v. PubMatic, Inc., 2021 U.S. Dist. LEXIS 154053 (N.D. Cal. Aug. 16, 2021).  Because this is the first instance in which a plaintiff sought to bring a GDPR-based suit in American courts, it is a notable decision anticipated to shape the data privacy litigation landscape going forward.

Some legal background.  As summarized by the court in Elliott, the United Kingdom’s General Data Protection Regulation (“UK GDPR”) provides rules relating to the protection of natural persons with regard to the processing of personal data, and rules relating to the free movement of personal data in the United Kingdom.  This includes protections that limit the use of uniquely identifying cookie IDs where consent is not expressly granted.  The UK GDPR includes a private right of action.  While it is “materially identical” to the EU GDPR, it contains a significant substantive difference: unlike the EU’s GDPR, the UK GDPR does not require complaints to be filed in a European court.  In this case, Plaintiff asserted, he was authorized to file suit under the UK GDPR in the United States—notwithstanding that he resided in England.

Now, let’s take a look at the (alleged) facts of the case.  Unlike Plaintiff, Defendant PubMatic, Inc. (“PubMatic”) is based in the US.  PubMatic is a digital advertising technology company.  Plaintiff alleged that “[a]s part of its business practices, PubMatic placed unique and therefore individuating identifiers in the form of cookies on Elliott’s device and used those uniquely identifying cookies to monitor and track [Plaintiff’s] U.K.-based online activities.”  Plaintiff additionally alleged that he was injured by PubMatic’s alleged internet cookie placement practices in violation of his U.K. data privacy rights.  He sought to represent a class of “[a]ll persons residing or who resided in England and Wales who used Chrome, Edge, or Internet Explorer browsers and have had a PubMatic cookie placed on their device”.

Defendant moved to dismiss under Rule 12(b)(1) and 12(b)(6), asserting arguments based on standing, forum non conveniens, and international comity.  The court ultimately granted the motion and dismissed the case after adopting the Defendant’s forum non conveniens and international comity grounds—leaving the question of standing unresolved.

First, insofar as forum non conveniens is concerned—the doctrine is based on the notion that “[a] district court has discretion to decline to exercise jurisdiction in a case where litigation in a foreign forum would be more convenient for the parties.”  A district court may dismiss a litigation once it determines that “the appropriate forum is located in a foreign country.”  This involves the consideration of various public and private interest factors, which include: (i) the residence of the parties and witnesses, (ii) the forum’s convenience to the litigants; (iii) the local interest in the lawsuit, and (iv) the court’s familiarity with the governing law, among others.  The court held that in this case there was “no argument—there exists an adequate alternative forum,” particularly as Plaintiff himself was a UK resident and Defendant was willing to accept service of process in the UK if the US litigation was dismissed.

Second, the court also held that international comity supported dismissal of the litigation.  It is well-established that “international comity is a doctrine of prudential abstention, one that ‘counsels voluntary forbearance when a sovereign which has a legitimate claim to jurisdiction concludes that a second sovereign also has a legitimate claim to jurisdiction under principles of international law.’”  (citations omitted).  In the context of this litigation, the court found that “[t]he U.K. has a strong interest in addressing injuries to English and Welsh subjects . . . [w]hile plaintiff focuses on the California-based conduct of PubMatic, he glosses over any potential conduct by the company in the U.K. and the injuries suffered to a class of plaintiffs in England and Wales.”

So there you have it.  Because class actions are not well developed as a procedural device or commonplace in Europe, creative plaintiffs’ lawyers were hoping this case could start a new trend of litigating UK GDPR-based claims in US courts.  The court’s dismissal of the litigation has put a stop to that for now—although stay tuned.  Elliott is only the first decision to address this novel legal question, and the Defendant here specifically consented to accepting service of process in the UK—meaning that there may still be other test cases seeking to bring similar legal theories.  Not to worry, CPW will be there to keep you in the loop.


In the wake of CPW’s must-read four-part series on the European Data Protection Board’s (“EDPB”) draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR,” we have a follow-up on important documents that have recently been released relating to rules governing the transfer of EU personal data.  These materials were published by the EDPB and the EU Commission.

In the aftermath of the landmark decision by the Court of Justice of the European Union (CJEU) on international data transfers (with potentially significant impact on U.S. companies) – the so-called Schrems II judgment – organizations have been awaiting additional guidance from EU authorities on measures that must be implemented to transfer personal data to third countries without being in breach of Regulation (EU) 2016/679, i.e., the General Data Protection Regulation (GDPR).  A comprehensive overview of this must-read guidance is here.


This fall, the European Data Protection Board (“EDPB”) published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.”  This development matters for CPW readers as, even if you are an entity doing business in the United States, if you collect any personal data of people in the EU and meet other criteria you are required to comply with the GDPR.  CPW will be re-posting a four-part series addressing the key concepts and issues covered.

This is the final post in our series on the Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”), focusing on the updates to the concepts of “third parties” and “recipients” in the draft Guidelines.  Notably, as the authors explain, this clarity is important as the GDPR refers to “third parties” and “recipients” without laying down any specific responsibilities or obligations.  The EDPB Guidelines, however, offer clarity as they consider the roles of “third parties” and “recipients” from the perspective of their relationship to a controller or processor.

Find out what it all means here.

This is the third in our series of posts on the Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”), focusing on the role of joint controllers.  What is a joint controller under the GDPR? A joint controller is an entity that jointly determines the purposes and means of processing data with another controller.  Find out what it all means here.

This fall, the European Data Protection Board (“EDPB”) published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.”  CPW will be re-posting a must-read four-part series addressing the key concepts and issues covered.  This development matters for CPW readers as, even if you are an entity doing business in the United States, if you collect any personal data of people in the EU and meet other criteria you are required to comply with the GDPR.

This is the second in our series of posts on the draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR (the “draft Guidelines”).  In case you missed it, the first part is available here.  You can access the second part in the series here.  As the authors explain, “[a]lthough the draft Guidelines provide some additional clarity on the distinction between controllers and processors, there remain various uncertainties in the application of the criteria for determining these roles under the GDPR.  Evaluation continues to require a careful assessment of the relevant criteria and regulatory risks.  It is important to keep in mind that not every “service provider” will qualify as a data processor. Indeed, the regulatory approach proposed by the EDPB appears to continue the trend towards limiting the scope of the “processor” classification and categorizing data recipients that play a role in determining the purposes or essential means of the processing as joint controllers instead of processors.”

If you are a reader of CPW, you have probably heard of the General Data Protection Regulation (“GDPR”).  The GDPR applies to companies outside the European Union (including, that is right, United States companies) because it is extra-territorial in scope.  Which means, to overly generalize, if you collect any personal data of people in the EU and meet certain criteria, you are required to comply with the GDPR.  Even if you are based in the United States.

This fall, the European Data Protection Board (“EDPB”) published the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR.”  CPW will be re-posting a fantastic four-part series addressing the key concepts and issues covered.  As Part 1 explains, “One of the baseline issues that must be considered when assessing the obligations and potential liabilities of an organization that is subject to the GDPR when it collects and processes personal data is whether the organization should be classified as a data controller or a data processor, as defined in the GDPR.  This is not a new issue, since these terms were originally introduced in the 1995 EU General Data Protection Directive and the definitions were not changed significantly by the GDPR.  Determining whether an organization is acting as a controller or processor is often not straightforward as the dividing line between these concepts is not always clear.”

Part 1 of the must-read series, available here, provides an overview of the updated guidance on the concept of data processor.  Subsequent posts will deal with the concepts of data controller and joint controllers.