Paul Voigt, Axel von dem Bussche: the EU ePrivacy Regulation – Preliminary Guidance and Commentary 

Article 18 ePrivacy Regulation – Supervisory authorities

Art. 18 ePrivacy Regulation

Article 18 ePrivacy Regulation – Supervisory authorities

0. Each Member State shall provide for one or more independent public authorities meeting the requirements set out in Articles 51 to 54 of Regulation (EU) 2016/679 to be responsible for monitoring the application of this Regulation.

Member States may entrust the monitoring of the application of Articles 12 to 16 to the supervisory authority or authorities referred to in the previous subparagraph or to another supervisory authority or authorities having the appropriate expertise.

1.

1ab. The supervisory authorities shall have investigative and corrective powers, including the power to impose administrative fines pursuant to article 23.

1b. Where more than one supervisory authority is responsible for monitoring the application of this Regulation in a Member State, such authorities shall cooperate with each other to the extent necessary to perform their tasks.

2. Where the supervisory authorities are not the supervisory authorities responsible for monitoring the application of Regulation (EU) 2016/679, they shall cooperate with the latter and, whenever appropriate, with national regulatory authorities established pursuant to Directive (EU) 2018/1972 and other relevant authorities.

Art. 18 ePrivacy Regulation

(38) Member States should be able to have more than one supervisory authority, to reflect their constitutional, organisational and administrative structure. The designation of supervisory authorities responsible for the monitoring of the application of this Regulation cannot affect the right of natural persons to have compliance with rules regarding the protection of personal data subject to control by an independent authority in accordance with Article 8(3) of the Charter as interpreted by the Court. End-users who are legal persons should have the same rights as end-users who are natural persons regarding any supervisory authority entrusted to monitor any provisions of this Regulation. Each supervisory authority should be provided with the additional financial and human resources, premises and infrastructure necessary for the effective performance of the additional tasks designated under this Regulation.

(39) Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks set forth in this Regulation. Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation.

(40) In order to strengthen the enforcement of the rules of this Regulation, each supervisory authority should have the power to impose penalties including administrative fines for any infringement of this Regulation, in addition to, or instead of any other appropriate measures pursuant to this Regulation. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. For the purpose of setting a fine under this Regulation, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 of the Treaty.

As an enforcement body, supervisory authorities play an important role in the system of privacy and data protection as provided by the ePrivacy Regulation and its underlying Arts. 7 and 8 CFR. Supervisory authorities not only guarantee compliance with its legal requirements, but also exercise preventive and evaluative tasks.[1] The issuance of fines within the meaning of Art. 23 ePrivacy Regulation and other penalties pursuant to Art. 24 ePrivacy Regulation, moreover, represent repressive instruments. In this respect, the amount and quantity of fines send a direct signal to the addressed economic actors and steer their market behavior. At the same time, the constant monitoring of causes and effects of certain compliance and infringement patterns impacts the behavior of the authorities and allows adaption to the requirements of the telecommunication-market. This said, it should be noted that the ePrivacy Regulation, in view of its comprehensive claim to protection, is not unilaterally tailored to the interests of the end-user alone. Rather, numerous exceptions and limitations show that it also aims to balance the conflicting interests, namely a free single data and advertising market and the needs for a self-determined care of individual privacy. This goal is anchored not least in Art. 18 Sec. 0 ePrivacy Regulation in conjunction with 51 Sec. 1 GDPR, which in turn is based on Art. 16 Sec. 2 TFEU. Recital 39 S. 2 ePrivacy Regulation explicitly states that “Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation”. Moreover, in order to ensure a uniform application of the provisions, the supplementary provisions of Art. 18 Sec. 1b, 2 and Art. 20 ePrivacy Regulation are intended to urge mutual cooperation and coordination.

Withal, supervisory authorities have a comprehensive scope of control encompassing the actions of both the private sector and the state.[2] They are an executive body, subject to the principle of separation of powers. In this sense, particular importance is attached to the principle of independence, which allows for an unbound authority of investigation and decision-making vis-à-vis other national or Union institutions.[3] Moreover, with regard to their expertise, supervisory authorities´ decisions are accorded a special significance, sometimes even referred to as a “prior legal protection”.[4]

[1] Simitis, NJW 1997, 281 (286); with regard to the preventive function: Roßnagel, Zusätzlicher Arbeitsaufwand für die Aufsichtsbehörden der Länder durch die Datenschutz-Grundverordnung, p. 89.

[2] Boehm, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 51 Rec. 10.

[3] Cf. CJEU, judgement of 6 October 2015, C-362/14 – Schrems I = NJW 2015, 3151 (3167), Rec. 99.

[4] German Federal Constitutional Court (BVerfG), judgement of 16 December 1983, 1 BvR 209/83 – Volkszählung = NJW 1984, 419 (422).

The existence of an independent supervisory authority for data protection is entrenched in primary law. According to Article 16 Sec. 2 TFEU “the European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data.” Also, compliance with these rules shall be subject to the control of independent authorities, as stipulated by both Art. 16 Sec. 2 TFEU and Art. 8 Sec. 3 CFR. As such existence is not provided according to Art. 7 CFR, however, the reference made within Art. 18 Sec. 0 ePrivacy Regulation is constitutive for the area of privacy protection.

The regulation on supervisory authorities pursuant to Art. 18 ePrivacy Regulation is located in a separate Chapter IV (“Independent Supervisory Authorities and Enforcement”) preceding the provisions on the European Data Protection Board (Art. 19 ePrivacy Regulation) and cross-border cooperation between authorities (Art. 20 ePrivacy Regulation). The structural set-up of the authority, as well as its main means of sovereignty – the issuance of penalties – is regulated by reference. Thus, Art. 18 ePrivacy Regulation fits into the interdependent network between ePrivacy Regulation and GDPR.

According to Art. 18 Sec. 0 ePrivacy Regulation, each Member State is delegated to provide for one or more independent public authorities responsible for monitoring the application of the ePrivacy Regulation. As far as the concrete set-up of the organization is concerned, Art. 18 Sec. 0 ePrivacy Regulation refers to Arts. 51 to 54 GDPR, so that in this respect all provisions are applicable accordingly. Critique relates to the facilitation of different authorities, as in experience pursuant to the GDPR and ePrivacy Directive, considerable conflicts of responsibility and inconsistent handling of similar issues have been the result of this approach. Contrary to the intended purpose of Rec. 38 ePrivacy Regulation, which is to provide Member States with the opportunity to “reflect on their constitutional, organizational and administrative structures”, the actual effect, moreover, was a considerable enforcement deficit. It justifies alone with regard to the associated interference with the Member States´ organizational autonomy, i.e. the principal of an autonomous designation of independent agencies for the performance of governmental functions.[5] The facility to appoint different authorities must, in this sense, be regarded as a compensation to this interference. It is achieved by an open wording under both Art. 18 Sec. 0 ePrivacy Regulation and its referral-provision of Art. 51 GDPR, which delegate the concrete design of the organization as well as the appointment of responsible authorities to the Member States. With regard to the practical significance of the independent provision of Art. 18 Sec. 0 ePrivacy Regulation, however, it must be noted that such will be conceivably low, since a respective installation of specific or combined authorities has already taken place in the course of both the GDPR and the ePrivacy Directive. It must be assumed that these structures will be kept, particularly since Art. 18 Sec. 0 ePrivacy Regulation does not introduce essentially new stipulations.
[5] Schneider, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 51 Rec. 5.

a) The term ‘supervisory authority’

Supervisory authorities within the meaning of Art. 51 Sec. 1 GDPR and pursuant to the definition of Art. 4 No. 21 GDPR are independent public authorities established by a Member State. They are responsible for monitoring both public and non-public bodies. The provision establishes a guarantee of both existence and institutional independence, which is only secured in a comparable manner by Art. 16 Sec. 2 S. 2 TFEU and Art. 8 Sec. 3 CFR under primary law.[6]

b) Appointment of multiple authorities

Member States may appoint several supervisory authorities at the same time. Yet, they should consider designating one particular supervisory authority to act as focal point ensuring swift and smooth cooperation with other supervisory authorities. Cooperation should, furthermore, take place with regard to the EDPB and the Commission. In that, it must be ensured that the binding nature of the EDPB´s decisions is respected by all national supervisory authorities. This pertains particularly to compliance with the rules of the consistency mechanism pursuant to Art. 63 GDPR, which serves to solve issues of inter-authority and cross-border assistance.[7] Finally, according to Art. 51 Sec. 3 ePrivacy Regulation, Member States shall determine, which authority is responsible for representation in the European Data Protection Board (‘EDPB’).

The regulatory intent encompasses both a horizontal and vertical division of tasks, as well as a functional assignment according to particular topics and organizations.[8] Member States are, thus, free to both assign different tasks to competentially equal bodies or subsidize competences along hierarchical structures, e.g. alongside a federal organization. Problematic, and also hardly in line with Art. 18 Sec. 0 ePrivacy Regulation´s regulatory intent, however, is the simultaneous utilization of various levels in order to distribute different but equivalent competencies. A negative example in that regard provides the regulation of Germany, which attributes similar tasks to competentially equal bodies and applies a high amount of vertically subsidized distributions throughout different federal levels. It splits up federal and state enforcement, distinguishes between the public and the private sector, discerns different topics of enforcement and selects between industries.

The result is a considerable interweavement of competencies. This is structured as follows:

  • Pursuant to § 29 Sec. 1 German Telecommunication Telemedia and Data Protection Act (TTDSG), the Federal Commissioner for Data Protection and Freedom of Information (BfDI) is competent, insofar as data of natural persons or legal entities is processed in the course of the commercial provision of telecommunications services.
  • The Commissioner is also responsible for the use of processing and storage capabilities of terminal equipment and the collection of information from it (cf. § 29 Sec. 2 TTDSG).
  • The prosecution of all other infringements of data and privacy rights is, then, split up between the federal and state level. Accordingly, the central enforcement body of the BfDI corresponds sixteen governmental authorities within each federal state, i.e. the so-called ‘Landesbeauftragte für den Datenschutz’. Here, the competential demarcation is drawn between the legal nature of concerned parties, namely, whether they pertain to the public or the private sector. Thus, issues concerning public parties are assigned to the Federal Commissioner (the BfDI), while issues concerning the private sector fall into the domain of the State Commissioner.[9]
  • The processing of traffic data, determination and billing of network-charges, use of location data and interference with telecommunications equipment or misuse of telecommunications services, pursuant to § 30 Sec. 1 TTDSG, fall into the competence of the Federal Network Agency (Bundesnetzagentur).
  • Eventually, in matters of public broadcasting, the responsibility of the Broadcasting Commissioner for Data Protection applies, as does a separate body of the German protestant and catholic church.[10]

In addition, one relevant action can lead to a layer of multiple authority-competences. A prominent example is the use of cookies: while the initial data processing activity at the device falls under the scope of the TTDSG (i.e. the ePrivacy layer) and its above mentioned – already complex – competence regime between both BfDI and State Commissioners, any subsequent monetarization of the cookie is subject to the GDPR and its own relevant authorities.

This plurality of authorities and competences not only causes a considerable coordination effort[11] but also leads to unclear responsibilities and, in some places, even gaps in legal protection.[12] This condition goes to the detriment of legal certainty and is, therefore, questionable in terms of rule of law. Consequently, it is preferable (and also more in line with the legislative intent) to bundle competencies in one supervisory authority.[13]

[6] Schneider, ibid., Rec. 4.

[7] Cf. No. IV.

[8] An overview of the status quo provides v. Lewinski, NVwZ 2017, 1483.

[9] Nguyen, in: Gola, Datenschutz-Grundverordnung (2018), Art. 51 Rec. 6.

[10] This has constitutional reasons, since pursuant to Art. 5 Sec. 1 S. 2 German Constitution (GG), public broadcasting regards a fundamental-rights-wise sensitive area, which is historically “distanced from the state”, cf. e.g. Ziebarth, in: Sydow, Europäische Datenschutzgrundverordnung (2018), Art. 51 Rec. 15.

[11] In Germany pursued by the so-called Conference of Data Protection Agencies (DSK).

[12] Selmayr, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 51 Rec. 19; v. Lewinski, ibid., p. 1489; also Schneider, ibid., Rec. 5.

[13] In Germany, a vivid debate has put forth various proposals to enhance this condition: Kommission Wettbewerbsrecht 4.0, Ein neuer Wettbewerbsrahmen für die Digitalwirtschaft, pp. 84 et seqq., available under https://www.bmwi.de/Redaktion/DE/Publikationen/Wirtschaft/bericht-der-kommission-wettbewerbsrecht-4-0.html; Datenethikkommission, Gutachten der Datenethikkommission, pp. 103 et seqq., available under https://www.bmi.bund.de/SharedDocs/downloads/DE/publikationen/themen/it-digitalpolitik/gutachten-datenethikkommission.pdf?__blob=publicationFile&v=6; both last retrieved 3 May 2022.

Art. 52 GDPR elaborates the term of ‘independence’, which is already used by Art. 18 Sec. 0 ePrivacy Regulation. Independence of supervisory authorities entrenches in primary law, namely Art. 16 Sec. 2 S. 2 TFEU and Art. 39 S. 2 TEU.[14] It also has significance in terms of fundamental rights, since Art. 8 Sec. 3 CFR stipulates control of compliance to the right to protection of personal data by an independent authority. Over time, different criteria evolved in determining independence, partly by jurisdiction of the CJEU and partly by scholars. All must be given cumulatively, namely (i) ‘complete independence’[15], (ii) ‘independence of personnel’[16] and (iii) ‘financial independence’.[17]

a) Complete independence

Complete independence’, as derived from Art. 28 Sec. 1 Data Protection Directive and now materially incorporated by Art. 52 Sec. 1 GDPR, is defined as a functional and institutional autonomy, meaning that the authority is shielded from any form of external influence or scrutiny. In consequence, there must be no form of legal or technical supervision.[18] Although this approach is, by no means, unproblematic in view of both a (vertical) democratic legitimation and the (horizontal) limitation of power inherent in the principle of power-separation, these reservations must be set aside against the background of clear CJEU-case law.[19] Rather, an unambiguous separation between supervisory authorities must be given, meaning no supervision other than the intra-organizational itself exists. That includes the exclusion of political influence, be it by political appointments or other involvement with the party-political apparatus. Overall, respective measures shall ensure that the organization, in words of the CJEU “precludes inter alia any directions or any other external influence in whatever form, whether direct or indirect, which may have an effect on their decisions”.[20] Left alone, judicial review must continue to be possible, insofar as such is presupposed by the, unexceptionally guaranteed, rule of law.

b) Independence of personnel

According to Art. 52 Sec. 5 GDPR, authorities´ independence includes the ability to select, employ and direct personnel on their own terms. It follows the idea that only by enabling independent selection of personnel, it will be possible to fulfill the specific tasks and requirements of privacy and data protection competently. In the same way, it finally bans the before encountered practice of seconding officials from other policy areas (often without respective qualification or experience).[21] This had called into question de facto-independence in face of party-political guidelines and personal dependencies.[22]

Recital 121 GDPR states that an equivalent selection decision to the authority itself can only be made by an independent selection body. This does not include the exchange of qualified staff of data protection authorities within the Union, which, according to Art. 70 Sec. 1 lit. v GDPR, is an explicit objective of the GDPR and, according to Art. 20 ePrivacy Regulation, also of the ePrivacy Regulation. Given a respective independence, it is, moreover, conceivable to externalize the handling of technical issues on a private service provider, as for instance the organization of application procedures, vacation and sick leave policies or strategies on human resources.[23]

The independence in the selection of own personnel corresponds to the independent execution of the tasks by the personnel, which consequently may not be disturbed by so-called incompatible activities. Art. 52 Sec. 3 GDPR does not specify exactly which activities this concerns and leaves determination to the discretion of each Member State (Art. 54 Sec. 1 lit. f GDPR). Thus, applicable standards depend on the respective national legal tradition. Nonetheless, it is possible to determine different groups of possible incompatibilities. These include: further duties assigned by the same authority, inadmissible secondary work for other authorities or private services and possible biases, resulting from other occupations or relations.[24] In this sense, the combination of authorities, as allowed for by Art. 18 Sec. 0 ePrivacy Regulation and already implemented in some Member States, e.g. with regard to data protection and freedom of information in Germany, might be problematic.[25]

c) Financial independence

Closely related to the ability of organizing an independent personnel policy is the provision of adequate financial resources. Only by guaranteeing sufficient budgetary leeway an effective and independent performance of statutory tasks can be ensured.[26] Yet, specific tensions regularly arise between the reception of financial resources and the intent to link special demands concerning the way of expenditure.[27] Thus, the need for absolute independence per se somewhat contradicts the reliance on financial allowances. Art. 52 Sec. 6 GDPR solves this finding by stipulating that each Member State shall ensure that each supervisory authority has separate, public annual budgets, subject only to control, which does not affect its independence. Subsequently, authorities need to be able to plan and prioritize expenditure by themselves. This said, they are not immune to, for instance, judicial review regarding the amount and necessity of their spending.[28] Alternatively, this task can be performed by national audit offices, also.[29]

The provision does not make any restrictions on the concrete source of finance, but rather clarifies that such may be part of the overall state or national budget. Thus, finances will regularly derive from a budgetary plan of the national parliament. Defining the annual scope of the allowance, demands and projections of supervisory authorities will need to be respected accordingly.[30] That particularly includes expenses for premises, staff and technical equipment, as well as irregular costs, such as conferences and workshops, obtaining external expertise or legal representation.[31] According to Art. 52 Sec. 4 GDPR, indeed, the latter are no original part of a financial budgeting, yet will the procurement of respective resources regularly be handled by the authorities themselves and not be finally specified by the supplying body or within the budgetary plan.[32]

[14] Boehm, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 52 Rec. 1.

[15] CJEU, judgement of 9 March 2010, C-518/07 – Commission/Germany.

[16] CJEU, judgement of 16 December 2012, C-614/10 – Commission/Austria; CJEU, judgement of 8 April 2014, C-288/12 – Commission/Hungary.

[17] Further comments on the term of executive independence: Kröger/Pilniok/Kröger, Unabhängiges Verwalten in der EU (2016), p. 5.

[18] Polenz, in: Simitis/Hornung/Speicker gen. Döhmann, Datenschutzrecht (2019), Art. 52 Rec. 5.

[19] CJEU, judgement of 9 March 2010, C-518/07 – Commission/Germany; further comments in: Spiecker gen. Dohmann, JZ 2010, 787.

[20] CJEU, judgement of 8 April 2014, C-288/12 – Commission/Hungary, p. 10.

[21] Selmayr, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 52 Rec. 25.

[22] Cf. CJEU, judgement of 16 December 2012, C-614/10 – Commission/Austria, Rec. 56-61, which had regarded the practice of Austria´s data protection agency, receiving financial and personal resources by the chancellor (as head of the executive) incompatible with institutional independence.

[23] Selmayr, ibid., Rec. 26.

[24] Ziebarth, in: Sydow, Europäische Datenschutzgrundverordnung (2018), Arts. 52 Rec. 33 et seqq.

[25] Nguyen, in: Gola, Datenschuz-Grundverordnung (2018), Art. 52 Rec. 14.

[26] Spiecker gen. Döhmann, in: Kröger/Pilniok, Unabhängiges Verwalten in der Europäischen Union, 97 (109).

[27] Selmayr, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 52 Rec. 27.

[28] Rec. 118 GDPR.

[29] In Germany, e.g., it is performed by the Bundesrechnungshof (Federal Audit Office).

[30] Cf. with regard to concrete calculations Art. 29 WP, opinion 01/2012 on the data protection reform proposal, WP 191, p. 17.

[31] Simitis, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 52 Rec. 19.

[32] Cf. Boehm, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 52 Rec. 21; Ziebarth, in: Sydow, Europäische Datenschutzgrundverordnung (2018), Art. 52 Rec. 53 et seq.

The conditions for the members of the supervisory authority regulated in Art. 53 GDPR concern the appointment, qualification and end of the term of office of the manager or managers in the case of collegiate bodies. The latter, indeed, does not follow from the explicit wording itself, but rather from Recital 121 GDPR and Art. 54 Sec. 2 GDPR, distinguishing between ‘members’ and ‘staff’.[33] The provision derives from respective CJEU-rulings concerning the preceding provision of Art. 28 Data Protection Directive, which had not encompassed respective stipulations.[34] Here, the specific requirements itself are not regulated either, but rather delegated for elaboration by the Member States according to Arts. 53 Sec. 1 and Art. 54 Sec. 1 lit. b to f GDPR.

a) Appointment, Art. 53 Sec. 1 GDPR

Art. 53 Sec. 1 GDPR determines four different bodies for the appointment of authority-members, subject to further specification by the Member States: parliament, government, Head of State or an independent body entrusted with the appointment under Member State law. The appointment procedure is supposed to be transparent, i.e. it must be designed in a way, which citizens can comprehend and verify.[35] This requires a minimum standard of publicity and a previously given set of criteria by the Member States,[36] the latter being specified within Arts. 53 Sec. 2 and Art. 54 Sec. 1 lit. b GDPR.

As concerns the appointment procedure itself, Recital 121 GDPR stipulates that it should be preceded by a proposal from one of the aforementioned bodies. Further conclusions might be drawn from the requirement of independence, laid out in Art. 52 GDPR.[37] Subsequently, a particular political bias or party-membership must not play a (crucial) role, since otherwise the deliberate and unaffected performance of the office cannot be guaranteed.[38] In front of this background, an independent appointing body might be preferable.[39]

b) Qualification, Art. 53 Sec. 2 GDPR

According to Art. 53 Sec. 2 GDPR, requirements for qualifications are set out to concern the experience and skills, in particular in the area of protection of personal data, required to perform its duties and exercise its powers”. A comparable stipulation is found in Art. 42 Sec. 2 Regulation (EC) No. 45/2001 with regard to the EDPB. In the context of Art. 18 Sec. 0 ePrivacy Regulation, this pertains to the field of telecommunications, which a respective candidate may have performed prior to its nomination, either privately or within a public institution.[40] The stipulations aims to guarantee not only an effective performance of tasks, but also seeks to exclude purely political nominations.[41] What specific qualifications a member shall have and which conditions for eligibility to an appointment should be required, must, according to Art. 54 Sec. 1 lit. b GDPR, be stipulated by each Member State itself.

c) Temporal limitation of duties and dismissal, Art. 53 Secs. 3 and 4 GDPR

The duties of each authority-member shall be limited in time and end in accordance with the law of the Member State, as regards the expiration of the term of office, resignation or compulsory retirement. This said, Art. 54 Sec. 1 lit. d GDPR stipulates that the duration of the term must not be of less than four years. In case of a resignation or compulsory retirement, this, however, may be shorter, since an obligatory prolongation against the member´s will does not reconcile with its fundamental rights pursuant to Art. 15 CFR and Art. 4 ECHR. With regard to the latter, however, only statutory retirements apply, since a politically motivated “transfer into early retirement” would be incompatible with its ‘complete independence’ according to Art. 52 Sec. 2 GDPR.[42] For the same reason, a member´s dismissal can only be enforced under the strict requirements of Art. 53 Sec. 4 GDPR. Accordingly, the member must have exhibited ‘serious misconduct’ or no longer fulfil the conditions required for the performance of its duties. This might, for instance, be the case, when he or she performs ‘incompatible activities’ pursuant to Art. 52 Sec. 3 GDPR[43] or other actions, impacting a member´s personal integrity (e.g. criminal conduct) or personal independence.[44] Alternatively, the omission of a member´s professional qualification can be assumed, in case the conditions pursuant to Art. 53 Sec. 2 GDPR are no longer given or other reasons recommend the exemption from office, e.g. a long, severe illness.[45] Withal, a dismissal represents a serious (if not the most serious) interference with a member´s statutorily guaranteed independence and must, therefore, be the absolute exception.[46] Thus, following the similarly worded provision of Art. 247 TFEU, a particular severity must be ascertainable in each individual case.[47]

[33] Polenz, in: Simitis/Hornung/Spiecker gen. Döhmannn (2019), Datenschutzrecht, Art. 53 Rec. 1.

[34] CJEU, judgement of 9 March 2010, C-518/07 – Commission/Germany; CJEU, judgement of 16 December 2012, C-614/10 – Commission/Austria; CJEU, judgement of 8 April 2014, C-288/12 – Commission/Hungary.

[35] Boehm, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 53 Rec. 5; Nguyen/Stroh, in: Gola, Datenschutz-Grundverordnung (2018), Art. 53 Rec. 3.

[36] Polenz, ibid., Rec. 4.

[37] Ibid.

[38] Ibid.

[39] Opinion also held by Boehm, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 53 Rec. 5; Opposite view with regard to a resulting lack of democratic legitimacy held by Nguyen/Stroh, in: Gola, Datenschutz-Grundverordnung (2018), Art. 53 Rec. 3.

[40] Critically with regard to a conceivable private background, again: Nguyen/Stroh, ibid., Art. 53 Rec. 5.

[41] In this respect, cf. already Art. 52 GDPR, No. II.2.b).

[42] Ziebarth, in: Sydow, Europäische Datenschutzgrundverordnung (2018), Art. 53 Rec. 25.

[43] See No. II.2.b).

[44] Polenz, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 53 Rec. 13.

[45] Nguyen/Stroh, in: Gola, Datenschutz-Grundverordnung (2018), Art. 53 Rec. 9.

[46] Cf. CJEU, judgement of 8 April 2014, C-288/12 – Commission/Hungary, Recs. 54 to 56.

[47] Further explanations by Nguyen/Stroh, ibid.

a) Delegation to Member States, Art. 54 Sec. 1 GDPR

Art. 54 Sec. 1 GDPR delegates specification of the principles set out in Arts. 51 to 53 GDPR to the Member States. In this regard, the provision has mere declaratory nature, since it does not go beyond their regulatory content.[48] Rather, Art. 54 Sec. 1 GDPR only defines the regulatory frame, in which national legislation needs to unfold and clarifies the compulsory mandate on the regulatory fields, addressed before.[49] To begin with, this concerns lit. a, pursuant to which Member States shall provide by law for the establishment of “each supervisory authority”. A respective delegation has taken place already within Art. 51 Sec. 1 GDPR, so that here, no other statement is made, than that the Member States are still allowed to establish different bodies within the same field of legislation. Lit. b concerns the qualification requirements and eligibility conditions established under Art. 53 Sec. 2 GDPR. Accordingly, not only evidence of relevant education is among the requirements to prove acquisition of theoretical knowledge, but the legislators of the member states must also standardize requirements for practical experience.[50] As regards the purely repetitive character in the course of delegating specification, this also applies to lit. c, which concerns the rules and procedures for the appointment of authority-members according to Art. 53 Sec. 1 GDPR.

A separate regulatory content, however, entail lits. d – f. As referred to above, lit. d stipulates the duration of office terms to no less than four years.[51] This shall guarantee the members´ independence as a reaction to the CJEU´s judgement in the case Commission/Hungary.[52] It applies to Art. 53 Sec. 3 GDPR, regulating the termination of duties, which may only take place after expiration of office-terms, resignation or compulsory retirement. Closely related is lit. e, allowing for a reappointment. Member States may, here, decide on whether such may be admissible and, if so, for how many terms. Since no other stipulation is present, as to how long consecutive terms may endure, lit. d must also be read to set forth a minimum requirement for all consecutive terms, meaning that reappointment must be linked to a minimum of four other years.

Lit. f contains the most comprehensive separate regulation. Accordingly, Member States are delegated to provide by law for the conditions governing the obligations of both members and staff, respective prohibitions on actions or occupations and benefits incompatible therewith, as well as rules on the cessation of employment. Thus, it refers to Arts. 52 Sec. 3 and Art. 53 Secs. 3 and 4 GDPR. It, however, distinguishes between members of the authority and staff, which leads to the conclusion that ‘members‘ define only managers of offices and ‘staff’ all lower ranking employees.[53] Consequently, the cessation of employment pursuant to lit. f does not interfere with the more rigid stipulations on the dismissal of members.[54] Since lit. f does not set out any further material stipulations, such cessation can, subsequently, be initiated in mere accordance to the conditions under national law.

b) Professional secrecy, Art. 54 Sec. 2 GDPR

Finally, Art. 54 Sec. 2 GDPR subjects members and staff of each supervisory authority to a duty of professional secrecy both during and after their term of office. The duty concerns any confidential information and must be regarded extensive accordingly. Particularly, it includes reporting of natural persons in view of infringements, which, in this context, concern stipulations under the ePrivacy Regulation. The legislator correctly assumes that the direct contact between a concerned end-user and employee allows for an acquisition of particularly sensitive and private information and, thus, requires a high level of trust into the reference person´s absolute and encompassing secrecy. As Art. 54 Sec. 2 GDPR, moreover, notices, this includes the time both during and after office or employment.

Eventually, to the extent that some Member States may already be able to resort on own statutory provisions, they are free to apply them, accordingly, or, alternatively, refer to Union law. This follows from the respect for Member States´ legal traditions, which emerged in the course of the negotiations on Art. 54 GDPR.[55]

[48] Boehm, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 54 Rec. 8.

[49] Nguyen/Stroh, in: Gola, Datenschutz-Grundverordnung (2018), Art. 54 Rec. 1.

[50] Polenz, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 54 Rec. 5.

[51] No. II.3.c).

[52] CJEU, judgement of 8 April 2014, C-288/12 – Commission/Hungary.

[53] See No. II.3.

[54] Boehm, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 54 Rec. 16.

[55] Boehm, ibid., Rec. 17.

Art. 18 Sec. 1ab ePrivacy Regulation assigns repressive powers to supervisory authorities and, thus, allows for an encompassing performance of their statutory purposes. According to the provision´s wording, supervisory authorities shall have both “investigative and corrective powers”, including the power to impose administrative fines pursuant to Art. 23 ePrivacy Regulation. Unlike the GDPR, which in both Art. 57 and Art. 58 describes the relevant tasks and powers in detail, the ePrivacy Regulation does not enlist these, whatsoever. With regard to the earlier, a specification had become necessary in light of the significant differences of enforcement under Art. 28 Data Protection Directive.[56] In view of the latter, after the legal enforcement framework of the GDPR has concretized, this need has now apparently ceased to exist.

The ‘tasks’ described under Art. 57 et seq. GDPR, yet do not transfer unrestrictedly to the powers of privacy authorities. To the extent that these remain unmentioned in Art. 18 ePrivacy Regulation, it must rather be concluded that they do not apply, at all.[57] Thus, Art. 18 Sec. 1ab ePrivacy Regulation represents a conclusive assignment of powers. The ePrivacy Regulation abandons the (principally sensible) distinction between tasks and powers in favor of a purely enforcement-oriented approach. This is, subsequently, narrowed solely to the review of infringements as defined by the regulation and a subsequent “correction”, i.e. repression. Still, the powers to investigate and correct relevant cases are comprehensive. While the ‘tasks’, indeed, do not apply to Art. 18 ePrivacy Regulation, investigative and corrective ‘powers’ pursuant to Art. 58 Secs. 1 and 2 GDPR, which represent an appropriate concretization of the (merely generically described) competencies under Art. 18 Sec. 1ab ePrivacy Regulation are extensive.[58]

[56] Art. 29 WP, The Future of Privacy, WP 168, p. 29 Rec. 90, speaking of “widely diverse enforcement powers”.

[57] In most parts, they, however, do not apply to the specific situation of privacy supervision any way. Cf., for instance, Art. 57 Sec. 1 lits. d, j – r GDPR.

[58] On the contrary, authorization and advisory powers pursuant to Art. 58 Sec. 3 GDPR are not included to the legal framework of the ePrivacy Regulation.

The ePrivacy Regulation provides supervisory authorities with comprehensive investigative powers, which essentially correspond to the ones set out already under Art. 58 Sec. 1 GDPR. Since Art. 18 Sec. 1ab Alt. 1 ePrivacy Regulation only undertakes a general assignment without further specification, such, consequently, can be drawn from Art. 58 Sec. 1 GDPR mutatis mutandis.

Investigative powers are applicable regardless of which reason underlies.[59] Particularly, they do not require an initial suspicion or complaint, pursuant to Art. 21 Sec. 1a ePrivacy Regulation in conjunction with Art. 77 GDPR. This is justified against the background of likewise surreptitious infringements of privacy, as particularly in the case of Art. 5 et seq. ePrivacy Regulation, which are difficult for the end-user to fend off or to subject to adequate legal protection.[60] In order to guarantee an effective enforcement of subsequent corrective powers under Art. 23 et seq. ePrivacy Regulation, a comprehensive investigation prepares the respective groundwork and serves to determine and clarify the relevant factual and legal matter. This explains the character of the individual powers listed in Art. 58 Sec. 1 GDPR, which essentially relate to a sufficient access to information.

Accordingly, supervisory authorities must be able to order addressees of the ePrivacy Regulation to provide any information, it requires for the performance of its tasks. That may include the conduct of audits, which are aimed to receive respective information. In order to access and, consequently, acquire such on its own terms, a conceivable frame of investigation can encompass digital or physical access to documentation. This might also include the entering of premises and operational equipment, as facilitated under Union or Member State procedural law.

a) Request of information

Requested information must, hereby, be complete, i.e. the addressee may not withhold it partially, if doing so would pose difficulties to the authority in undertaking a full clarification of the underlying facts. At the same time, the information must be presented in a way that does not mislead the knowledge process, e.g. through an irritating sequence or visual presentation. Limitations to the duty to provide information are given only with regard to the freedom of the addressee, not to incriminate themselves and to information that is not available at the time of the request. Moreover, the access to information, which comprises primarily personal data, must be excluded, since such is regulated in the more pertinent Art. 58 Sec. 1 lit. f GDPR. Art. 58 Sec. 4 GDPR establishes a specific rule of law-reservation, in particular, with regard the principle of “nemo tenetur se ipsum accusare”.[61] Thus, the addressee must have a right to refuse providing information, if such would incriminate themselves. Moreover, information does not have to be provided if such is not available by the time of request. The respective information obligation revives alone, if the information is acquired at a later point in time and the investigation has not yet been completed. Since a certain initiative of the addressee is required here, however, an objectively apparent interest in the information must continue to exist.

The informatory obligation does not go as far as to allow completely transferring the investigation of non-existent material to the addressee. After all, the related powers represent an outflow of the principle of official investigation, i.e. a supervisory authority´s legal obligation to pursue conceivable infringements, which it must generally perform. Acquiring information, thus, stays principally an authority´s task.

b) Conduction of audits

Following Art. 58 Sec. 1 lit. b GDPR, supervisory authorities may conduct audits to fulfil their purpose in guaranteeing compliance with the ePrivacy Regulation. An audit is commonly understood to be a comprehensive qualitative examination of the effectiveness of procedures within an organization or company.[62] In the context of Art. 18 Sec. 1ab ePrivacy Regulation this pertains to the existence of sufficient safeguards in respect of the privacy of end-users and subscribers, e.g. the implementation of adequate codes of conduct, consenting-procedures or inter-operational reporting mechanisms for infringements. Thus, the audit goes beyond a mere informative request, since it is a comprehensive review, which, moreover, refers to one or more specific addressees. In contrast, the informative request is a mere instrument in this sense, which might be regularly part of an audit, but can also refer to a mere preliminary clarification of possible suspicions. There is no need for a specific occasion, but rather an audit depends on the discretionary decision of each supervisory authority. Neither it requires a prior announcement of the audit, so that it can initiate directly by a first informatory request.

Audits are already a standard practice in the field of data protection and may, thus, resort to a broad field of experience.[63] Similar to competences of the European Commission, national competition authorities in EU antitrust proceedings and data protection authorities, ePrivacy authorities have a right to access premises and equipment of the auditee.[64] This enables direct access to the relevant documentation and allows for a direct picture of the business operations. With reference to the wording of Art. 58 Sec. 1 lit. f GDPR, there is no restriction of possible objects.[65] Consequently, inspection may pertain to both business and private sights, as long as the latter does not serve “only private purposes”.[66] Then, however, the heightened standards of the fundamental right to inviolability of the home (Art. 7 CFR) must be observed, as well as the requirement of prior judicial approval, which regularly apply under Member States law (see below).[67]

A limitation to the right of access provides the relevant Union or Member State procedural law, which, according to Art. 58 Sec. 1 lit. f GDPR, defines the applicable preconditions. With regard to the Union, such derives from antitrust law, namely its Arts. 20 Sec. 7 and 8; 21 Regulation (EC) No. 1/2003[68] and corresponding case law[69]. Accordingly, the addressee must generally tolerate access to the premises and assist in fulfilling the purpose of the audit, e.g. by making visible the relevant information.[70] The authority might also involve other executive institutions, particularly the police, in order to enable accessing the premises. If the addressee resists, this might, accordingly, apply coercive means.[71] Furthermore, access to premises can be regulated by the Member States. Recital 129 GDPR clarifies that such might require obtainment of a prior judicial authorization. According to the rule of law, this serves to safeguard proper examination and justification to the correspondingly deep interference with the addressee´s own privacy. Since such, however, only applies to private homes, the actual scope of application might be limited.[72] In this respect, a proportionality test by the authority itself is more significant, according to which the effects of the on-site inspection for the controller or processor, the prospects of success of any milder means and the reasons in favor of it must be carefully weighed against each other.[73] In particular, unannounced access to the addressee’s premises places high demands on proportionality. Regularly, such will only be necessary, if there are indications that the success of the investigation could otherwise be jeopardized.[74] That said, also practical requirements might require an announcement, since only then, the presence of the respective contact person and an effective clarification of the aimed facts can be guaranteed.

 

[59] Nguyen, in: Gola, Datenschutz-Grundverordnung (2018), Art. 58 Rec. 5.

[60] Ibid.

[61] Boehm, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 58 Rec. 14.

[62] Selmayr, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 58 Rec. 13.

[63] Cf. Boehm, ibid., Art. 58 Rec. 15.

[64] See Art. 58 Sec. 1 lit. f GDPR; further remarks by.Selmayr, ibid., Art. 58 Rec. 17.

[65] Nguyen, in: Gola, Datenschutz-Grundverordnung (2018), Art. 58 Rec. 11.

[66] Boehm, ibid., Art. 58 Rec. 19..

[67] Cf. Eichler, in: Wolff/Brink, BeckOK Datenschutzrecht (2021), Art. 58 Rec. 16.

[68] Regulation (EC) No. 1/2003, of 16 December 2002 of the Council on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty.

[69]CJEU, judgement of 21 September 1989, C-46/87 and C-227/88 – Commission/Hoechst.

[70] Selmayr, ibid.

[71] Ibid.

[72] Nguyen, ibid., Art. 58 Rec. 12.

[73] Körffer, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 58 Rec. 15.

[74] Eichler, ibid., Art. 58 Rec. 16.

According to Alt. 2 of Art. 18 Sec. 1ab ePrivacy Regulation, supervisory authorities are entitled to corrective powers, which ultimately complement the before conducted investigation. As the provision clarifies, this particularly includes the power to impose administrative fines pursuant to Art. 23 ePrivacy Regulation. Thus, Alt. 2 represents the sharper remedy of both and requires not only an adequate factual ground, but also a careful consideration of its necessity in each individual case. The problem with its mere generic assignment of ‘corrective powers’ is both a lack of precision with regard to the principle of administrative legality and a lack of predictability for the addressees.[75] Indeed, in front of the background of a comprehensive regulation in Art. 58 GDPR and the legislator´s apparent expectation of a cooperative exercise of data protection and privacy enforcement, this approach appears comprehensible. However, this does not change the fact that the enactment of repressive measures must meet higher requirements with regard to the clarity and determination of the norm. Legal certainty requires that a regulation, which burdens its addressee, must be clear and unambiguous, so that the person concerned can recognize their rights and obligations and, thus, make corresponding arrangements.[76] This applies in particular to the assignment of sanctioning-authorities.[77] Art. 18 Sec. 1ab ePrivacy Regulation, facilitating a general corrective power, rather than specific sanctioning measures and regimes, does not meet these requirements.

In order to fill this gap, Art. 58 Sec. 2 GDPR must be regarded to apply accordingly. It provides for different options, which allow a graded response to different severities of non-compliance.[78] These include warnings, reprimands, orders, restrictions and fines. Recital 129 S. 5 GDPR clarifies (as already follows from the rule of law) that each measure should be appropriate, necessary and proportionate, while taking into account the circumstances of each individual case.

a) Warnings, Art. 58 Sec. 2 lit. a GDPR

Warnings pertain to future actions and fall under the category of preventive measures. They can be issued on basis of a definite assessment that such actions will infringe the stipulations of the ePrivacy Regulation.[79] Thus, it is not sufficient for the authority to assume or to provide sound reasons that an infringement will take place, but it must base its decision on a conclusively investigated, factual situation. Consequently, warnings refer to expected, not alleged infringements.[80] This, at the same time, defines the difference to a mere notification (Art. 58 Sec. 1 lit. d GDPR), which can pertain to unverified assumptions and, unlike warnings, can be invalidated by counter-evidence.[81]

Warnings aim to correct a particular behavior of the addressee in order to guarantee compliance to the ePrivacy Regulation and should, therefore, be respected accordingly. Yet, warning does not create a legal obligation, nor does non-compliance result in an (automatic) penalty.[82] This follows from Art. 83 Sec. 5 lit. e GDPR e contrario, which does not specify the warning as a prerequisite for a fine (but only an ‘order’ pursuant to Art. 58 Sec. 2 GDPR). Rather, the authority will have to escalate the level of corrective measures. This might include to consider earlier non-compliance as an increasing factor pursuant to Art. 23 Sec. 1 ePrivacy Regulation in conjunction with Art. 83 Sec. 2 S. 2 lit. i GDPR.[83]

b) Reprimands, Art. 58 Sec. 2 lit. b GDPR

On the contrary to warnings, reprimands require the existence of a given privacy-infringement.[84] In this sense, they represent the mildest measure following a verified non-compliance. As a corrective means, the reprimand aims to make the addressee aware of their violation and, thus, has both a repressive function and an informative one. Even if it does not have any regulatory effect beyond that, it is intended to prompt the addressee to correct their actions and to ensure compliance with the regulations in future. Reprimands are, thus, appropriate, in particular, if the threshold for a fine has not yet been exceeded, for example because of the required gravity of the violation, pursuant to Art. 23 Sec. 1 ePrivacy Regulation in conjunction with Art. 83 Sec. 2 lit. a Var. 2 GDPR, has not been passed, yet. Recital 148 S. 2 GDPR clarifies that reprimands serve to correct ‘minor infringements’ and as an alternative measure to fines, if such would constitute a “disproportionate burden to a natural person”. As results from Art. 23 Sec. 1 ePrivacy Regulation in conjunction with Art. 83 Sec. 5 lit. e GDPR, only ‘orders’ are subject to fines, meaning that non-compliance to ‘reprimands’ remain unpenalized. Yet, a disregard might be considered in the course of subsequent measures, e.g. as an increasing factor for a fine pursuant to Art. 23 Sec. 1 ePrivacy Regulation in conjunction with Art. 83 Sec. 2 S. 2 lit. i GDPR.[85]

c) Orders, Art. 58 Sec. 2 lit. c – e GDPR

In cases of verified infringements, supervisory authorities can issue orders, either to (i) comply with the end-user´s request to exercise their rights pursuant to Art. 21 ePrivacy Regulation, (ii) to disclose a privacy-violation to them or (iii) to bring processing operations into compliance with the provisions of the Regulation.[86] From the first power, the special role of supervisory authorities becomes apparent, since they not only perform executive tasks, but can also serve as a body of specific legal (i.e. judicial) protection.

Withal, Recital 129 S. 7 GDPR stipulates that an order must be worded clearly and unambiguously, so that the addressee can comprehend its regulatory intent and the scope of actions, as expected by the authority.[87] As Art. 58 Sec. 2 lit. d GDPR stipulates, this might include a specified instruction on the required actions and the determination of a specific implementation-period. For instance, it would not be sufficient to order ‘compliance to the stipulations of Art. 8 ePrivacy Regulation’. Rather, the authority must describe, what conduct in particular interferes with the end-user´s privacy and which individual steps need to be taken, in order to establish compliance. Accordingly, contrary to both warnings and reprimands, orders unfold regulatory effects. This can also be seen by the fact that, according to Art. 23 Sec. 1 ePrivacy Regulation in conjunction with Art. 83 Sec. 5 lit. e GDPR, non-compliance to orders may be subject to administrative fines.

d) Restrictions, Art. 58 Sec. 2 lit. f GDPR

A corresponding application of Art. 58 Sec. 2 lit. f GDPR allows supervisory authorities to issue restrictions. Accordingly, the addressee may be ordered to temporarily or permanently cease its privacy-intrusive activities. This excludes the option of continuing business activities under ePrivacy-compliant conditions, as would be the case pursuant to Art. 58 Sec. 2 lit. d GDPR. Consequently, restrictions represent a comparatively strong encroachment on the addressee´s entrepreneurial freedom pursuant to Art. 16 CFR. The scope of the measure must, therefore, carefully be tailored to the severity of the infringement. Conversely, the restriction may also represent a milder means, insofar as the aforementioned severity would permit a fine at the lower end of Art. 83 Secs. 2 and 5 lit. e GDPR. Thus, restrictions mark the “threshold to a fine”. A possible area of application might be first-time violations or cases, which justify the expectation of future compliance, such as the addressee´s comprehensive cooperation in investigation (cf. Art. 83 Sec. 2 lit. f GDPR) or the installation of sufficient safeguards.

e) Administrative fines, Art. 18 Sec. 1ab; 23 ePrivacy Regulation

Art. 18 Sec. 1ab of the ePrivacy Regulation acts as a reference provision with regard to the issuance of administrative fines and, thus, does not contain any independent regulatory content other than assigning respective powers to the supervisory authorities. It merely states that fines are part of the corrective measures authority and that such can be imposed instead of or in addition to other measures (according to the wording of the corresponding provision of Art. 58 Sec. 2 lit. i GDPR). With regard to the conditions, amount and admissibility of fines, however, Art. 23 ePrivacy Regulation (which itself refers to Art. 83 GDPR) applies. Thus, the explanations under Art. 23 GDPR are pertinent at this point and are referred to comprehensively.

[75] Both result from Art. 6 TEU, cf. Streinz, in: Streinz, EUV/AEUV (2018), Art. 6 Rec. 31; Mayer, in: Grabitz/Hilf/Nettesheim, Das Recht der Europäischen Union (2022), Art. 6 Rec. 389 et seqq.

[76] CJEU, judgement of 9 July 1981, C-169/80 – Gondrand Frères, Rec. 17.

[77] CJEU, judgement of 11 July 2002, C-210/00 – Hofmeister, Rec. 52.

[78] Boehm, in: Kühling/Buchner, DS-GVO BDSG (2020), Art. 58 Rec. 20.

[79] Selmayr, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 58 Rec. 19.

[80] Ibid.

[81] Körffer, in: Paal/Pauly, DS-GVO BDSG (2021), Art. 58 Rec. 17.

[82] Körffer, ibid., Art. 58 Rec. 18.

[83] Selmayr, ibid.

[84] Martini/Wenzel, PinG 2017, 92.

[85] Ibid.

[86] Measures according to Art. 58 Sec. 2 lit. g GDPR, i.e. the rectification or erasure of personal data or the restriction of processing pursuant to Arts. 16 to 18 GDPR, as well as the notification of infringements to recipients to whom personal data has been disclosed to, remains a specific measure of the GDPR, which will apply in this regard alone.

[87] This, however, already follows from the rule of law pursuant to Art. 6 TEU, cf. Mayer, in: Grabitz/Hilf/Nettesheim, Das Recht der EU (2022), Art. 6 Rec. 39.

Art. 18 Secs. 1b and 2 ePrivacy Regulation incorporate the principle of cooperation between authorities. A respective necessity arises every time that more than one authority is responsible for monitoring compliance to the Regulation pursuant to the respective facilitation by Art. 18 Sec. 0 ePrivacy Regulation. Also, this might pertain to authorities, responsible for different but related topics, such as the GDPR, the EECC or other regulations, since the enforcement of such topics might create inconsistencies and unequal treatment within the area of their interface. Consequently, only an effective cooperation and coordination of tasks can reduce this risk.

It remains unclear what the scope of the cooperation should be and what specific measures are covered by it. This corresponds to the approach pursued already under Art. 28 Sec. 6 S. 3 Data Protection Directive. Consequently, it remains an issue of the authorities´ discretion, which measures are necessary and which they want to implement. For that matter, the EDPB is asked to issue guidelines, recommendations and best practices, in order to facilitate cooperation pursuant to Art. 19 Sec. 2 lit. d ePrivacy Regulation. In any case, a central element of cooperation represents the exchange of relevant information. In this respect, it might be conducive to the cause, setting up a central coordination body, which is also responsible for maintaining a database accessible to all authorities. This could ensure sufficient transparency of the enforcement measures, both intended and enacted. With regard to the permissibility of the corresponding data processing, the exception under Art. 6 Sec. 1 lit. e GDPR applies accordingly.

Another point of reference is provided by the requirements of the GDPR. A central measure of coordination is the principle of mutual assistance, which may be asked from any other supervisory authority, regardless of their prior relation (cf. Art. 61 GDPR).[88] Assistance is not restricted to mere informatory requests. They might also aim at undertaking supervisory measures within their own field of expertise, if such might lead to information, relevant for the enforcement of the ePrivacy Regulation.[89] To that end, even a specific conferral of powers is conceivable, yet under the supervision and presence of the host authority (cf. Art. 62 Sec. 3 GDPR).

Furthermore, cooperation might encompass joint measures of the authorities, not only, but also in transnational cases (cf. Art. 20 ePrivacy Regulation and Art. 62 Sec. 2 GDPR). These might entail joint investigation and enforcement measures (cf. Art. 62 Sec. 1 GDPR). As regards the time frame of operations, the GDPR assumes a particular urgency and, thus, suggests the implementation of emergency procedures. Accordingly, if a supervisory authority does not, within one month, respond to the case, the other authority or authorities may adopt a provisional one on its territory.

Problematic might be the case, if a requested authority refuses to cooperate or to provide assistance as required by Art. 18 Sec. 1b and 2 ePrivacy Regulation. Different to Art. 64 Sec. 2 GDPR, which mandates the EDPB to issue an opinion, Art. 19 ePrivacy Regulation does not stipulate a respective solution. According to the opinion expressed here, however, a corresponding arbitration mechanism can be derived from the regulatory idea of Art. 19 Sec. 2 lit. b and lit. d ePrivacy Regulation, which corresponds to Arts. 64 Sec. 2; 65 Sec. 1 lit. c GDPR. In cases of dispute, the issue of cooperation may be submitted to the EDPB for an opinion on a case-by-case basis. The EDPB, then, decides on the matter in eight, or in more complex cases, fourteen weeks. The opinion has no direct regulatory effect, but failure to comply with the opinion opens up the specific dispute resolution mechanism of Art. 65 GDPR. This, indeed, leads to a binding decision by the EDPB.[90]

[88] Klabunde, in: Ehmann/Selmayr, Datenschutz-Grundverordnung (2018), Art. 61 Rec. 7.

[89] Klabunde, ibid., Rec. 8.

[90] For more details, cf., for instance, Voigt/v. d. Bussche, The EU General Data Protection Regulation (GDPR), pp. 197 et seqq.

Comment