EU DPAs: Some reservations on proposed EU DP Regulations

The EU Data Protection Authorities says that a 24-hour limit for breach notification, as proposed in the EU DP Regulations, could, under certain circumstances, not be feasible. The DPAs propose a 2-stage process where the controller would notify within 24 hours but could provide further details later. The notification form should contain an evaluation of the severity of the breach based on objective criteria.

While the DPAs are in favour of creating the concept of a lead authority, they say that the definition of ‘main establishment’ needs to be clarified. The regulations lack a proposal for ‘lead’ authority in situations where the organisation is not established within the EU but an EU Member State is affected by processing operations of that organisation.

The DPAs therefore propose that the process of defining a lead DPA should be non–exclusive, but subject to the DPA's obligations to cooperate, provide and accept mutual assistance. The criteria could include:

• the Member State in which the main processing activities in question are taking place;
• the Member State in which individuals are affected;
• the Member State in which individuals have specifically complained to or raised concerns with the DPA.

The relevant DPAs should agree amongst themselves who should be the lead. Failing that, the European Data Protection Board should decide.

The Working Party welcomes the introduction of fines, but the DPAs should have a margin of discretion in deciding when to impose a fine.

The DPAs are concerned about the number of delegated and implementing acts, and call on the Commission to clarify which implementing acts it intends to adopt in the short, medium and long term.

The EU DPAs published their Opinion on 29 March.