EDPB adopts standards for cases involving cross-border GDPR cooperation

EU data protection authorities (DPAs) have long acknowledged that it takes too long to investigate and resolve complex cross-border cases involving Big Tech companies.

In April, the members of the European Data Protection Board (EDPB) formally decided to improve cooperation in these situations. Earlier this month, the EDPB adopted a set of guidelines to determine whether a cross-border issue qualifies as a case of "strategic importance" for closer cooperation, and what to do if it does.


Cases of strategic importance typically involve the General Data Protection Regulation's (GDPR) one-stop shop mechanism and endanger the rights and freedoms of data subjects in all member states of the European Economic Area (countries in the European Union, plus Norway, Liechtenstein, and Iceland).

Before a DPA can suggest closer cooperation, such cases must involve one or more of the following to be eligible:

  • A large number of complaints or data subjects;

  • High-risk data processing (such as processing data on children or vulnerable adults);

  • Persistent or "structural" issues that have proven challenging to address under the GDPR; and

  • Potential overlap with other legal areas, such as competition.


EDPB members decide whether a case satisfies the requirements, and the EDPB then directs the process. Participation by DPAs is optional rather than required.


Three test cases have already been approved by the EDPB to launch the initiative. One involves a working group of Dutch, French, Lithuanian, and Polish DPAs that is looking into a number of GDPR complaints regarding Vinted's owner.


Legal experts think the EDPB should support any actions it can take to improve coordination of GDPR enforcement, including more consistency in approach and results.


According to Luke Dixon, commercial partner at law firm Freeths, "this change should speed up investigations of Big Tech firms as such cases are likely to be treated as ones of ‘strategic importance’ and will therefore be prioritized under the new approach."


The change "will not be the magic bullet for all investigations—only those which the EDPB members have agreed are of strategic importance at a European level," said Emily Cox, partner and head of media disputes at the law firm Stewarts.


The GDPR already permits mutual assistance (Article 61) and joint operations (Article 62) between a lead supervisory authority and other supervisory authorities. DPAs, on the whole, have chosen not to use the available mechanisms.


Additionally, national priorities for data protection and enforcement do not always line up with those of the EDPB or other European DPAs.


According to Robert Grosvenor, managing director of the disputes and investigations practice at law firm Alvarez & Marsal, "sovereignty and the natural order of statism frequently prove to be critical factors in the success or failure of multilateral initiatives. National interests and concerns play out particularly where data protection rules blur into domestic privacy rights, consumer affairs, and strategies regarding online safeguarding and digital services."

By fLEXI tEAM