Section 2
Consistency
Author:Indra Spiecker gen. Döhmann
In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.
I. History, subject, purpose and systematic
The Articles 63 et seq. create a new instrument of interaction of the supervisory authorities and are part of the central reforms by the GDPR. With the consistency mechanism the consistent application of the GDPR in the Member States is to be guaranteed (recital 135 sentence 1).[1] Therefore the cooperation between the supervisory authorities in the Member States is procedurally and institutionally developed[2] and provided with a special decision mechanism that has no equal in European Law. The European legislator decides to affect the independence of the supervisory authorities of the Member States, guaranteed by Art. 16 para. 2 p. 2 and Art. 52, even though in the end does not infringe the independence. In the end, this restriction can be justified with the effectivity of the protection of fundamental rights through the supervisory authorities now obligated to consistent decisions.[3]
The DPD did not provide for such a proceeding. This led to one of its main problems, i.e. missing harmonization of the implementation in the Member States which created the prominent enforcement deficit because the supervisory authorities could not be forced into consistent decisions, and not even a real voting system existed.[4] Similarities can be found only with the previous so-called Art. 29 Working Party, that should have contributed to a uniform application of law, but – different from the EDPB in the consistency mechanism – only had an advisory function and was not able to conclude binding decisions.[5] These similarities have been enhanced by the EDPB itself by obtaining as early as in the first meeting a number of working papers and recommendations of the Art. 29 Working Party[6] and thereby positioning itself in its legal tradition.
Union law knows the term “consistency”[7] as an “fuzzy” legal concept that still lacks a fixed framework, a consistent concept and also applications beyond specific areas.[8] In European primary law, the term is used in different contexts and in particular forms the base for Art. 7 TFEU as a general principle of every Union policy.[9] The GDPR uses the term ‘consistency’ in the sense of a consistent application of law.[10].
The consistency mechanism is based on the one-stop shop principle (→ Art. 56 mn. 1) restricting the shaping power of the lead authority.[11] The mechanism can be of decisive significance for the effective implementation of a consistent Data Protection Law in the EU.[12] While the one-stop shop creates one single point of contact for controllers and processors according to Art. 56 para. 6, the consistency mechanism prevents an overweight of this lead supervising authority respecting the interpretation and implementation of the GDPR as a European legal framework. The effectivity of a consistent European regime depends significantly on the effectivity of national supervising authorities and the cooperation between them (→ Art. 60 mn. 2 et seq.). It also relies on a consistent enforcement of Data Protection law.[13] The consistency mechanism ensures the coordination of national supervisory authorities. In that way, the consistency mechanism impedes forum shopping by companies that might be promoted by the one-stop shop procedure and which has already been observed under the DPD.[14] With Art. 65, a procedure is institutionalized that in conflict makes a common, binding, preponderant decision-making process possible, while the procedure according to Art. 64 contributes to regulate unity in fundamental questions. Art. 66 deals with measures of urgent action and thereby allows extraordinarily for fast decisions.
The consistency mechanism is regulated fully and finally in Arts. 63 et seq. Implementation into national law or a concretion of the norm itself is not admissible, as the consistency mechanism itself aims at a full harmonisation through centralisation of the final decision.[15] Opening clauses do not exist. The consistency mechanism is closely linked in terms of content and systematic to the cooperation between single supervising authorities, regulated in Arts. 60-62, and cooperation with the EDPB, created in Arts. 68-76.[16] As an aid to interpretation, recitals 135-138 serve. There are no direct models for this regulatory structure, although mechanisms can be identified in Union law which have a similar function,[17] e.g. in telecommunications law. However, in view of the lack of comparable independence of the supervising authorities, but also the Comm’s considerable influence, for example in the market definition procedure, the existing procedures and interaction of the parties involved are completely different than in data protection law. With the data protection consistency mechanism, the GDPR institutionalises a completely new instrument of European administrative law. This is characterised by the fact that although a supranational institution, the EDPB, is created, this process does not lead to a complete shift of competences and powers, comparable to the European agencies, since the institutional design is oriented towards a comprehensive integration of the national supervisory authorities. The newly created hierarchical level preserves and manifests essential powers and competences of the supervising authorities in a cooperative mechanism.[18]
[…]
[1] Reding ZD 2012, 195 (197); Klabunde in Ehmann/Selmayr Art. 63 mn. 1; Van Eecke/Šimkus, ‘Art. 63’ in Kuner/Bygrave/Docksey, A p. 996, on potential risks to deterioration Art. 63 C. 3 3.3 p. 1001 et seq.
[2] Schöndorf-Haubold in Sydow Art. 63 mn. 1.
[3] On the functionality of the supervisory authorities as effective and prior protectors of the liberties and freedoms, cf. Spiecker gen. Döhmann in Kröger/Pilniok (eds), Unabhängiges Verwalten in der Europäischen Union, 2016, 97 (107 et seq., 117 et seq.); similar Dix in Kröger/Pilniok, Unabhängiges Verwalten in der Europäischen Union, 2016, 121 (127, 129).
[4] Cf. Spiecker gen. Döhmann K&R 2012, 717 (718 et seq.).
[5] Cf. Schöndorf-Haubold in Sydow Art. 63 mn. 6; Eichler, ‘Art. 63’ in Gola/Heckmann, mn. 3.
[6] EDPB, Endorsement of WP29 Documents 1/2018, https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf.
[7] Cf. about the legal term “consistency” Ronellenfitsch DuD 2016, 357 (357).
[8] Also: Schöndorf-Haubold in Sydow Art. 63 mn. 2.
[9] The term can also be found in Arts. 181, 196, 256, 329, 349 TFEU and Arts. 11, 13, 16, 17, 21 TEU.
[10] For more details Schöndorf-Haubold in Sydow Art. 63 mn. 2.
[11] Caspar in Kühling/Buchner Art. 63 mn. 8 et seq.
[12] Nguyen ZD 2015, 265 (265).
[13] Nguyen ZD 2015, 265 (265); Marsch in BeckOK DatenschutzR Art. 63 mn. 1; on fears of member state supervisory authorities regarding restrictions of their own discretionary powers through the harmonisation of enforcement, see ibid, Art. 63 mn. 2.1.
[14] Schantz NJW 2016, 1841 (1847).
[15] Marsch in BeckOK DatenschutzR Art. 63 mn. 17; Caspar in Kühling/Buchner Art. 63 mn. 28.
[16] Similar Klabunde in Ehmann/Selmayr Art. 63 mn. 5; Caspar in Kühling/Buchner Art. 63 mn. 1.
[17] On this in detail with regard to the Joint Committee of the Member States under the REACH Regulation, the dispute settlement procedure under the ReNEUAL draft and in the context of European banking supervision law; Schöndorf-Haubold in Sydow Art. 63 mn. 19 et seq.
[18] Also Schöndorf-Haubold in Sydow Art. 63 mn. 16 et seq.