Paul Voigt, Axel von dem Bussche: The EU ePrivacy Regulation – Preliminary Guidance and Commentary

Article 20 ePrivacy Regulation – Cross-border cooperation

Art. 20 ePrivacy Regulation

Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union and cooperate with each other and with the Commission.

Art. 20 ePrivacy Regulation mandates the EU supervisory authorities to cooperate with each other. This is already implemented under Art. 18 Secs. 1b and 2; Art. 19 Sec. 2 lit. d ePrivacy Regulation. It states, moreover, that such cooperation encompasses not only an exchange with other supervisory authorities, but also with the European Commission. A comparable stipulation was not included in the preceding ePrivacy Directive. Only its Recital 48 stated that, in the field of application, it was useful to draw on the experience of the Art. 29 Working Party (the EDPB’s predecessor). Consequently, this is the first time that legislation in the field of European privacy protection establishes an exchange between authorities on the enforcement of its provisions, although it continues to refer to the GDPR with regard to structural questions, for example the specific organization of information exchange.[1]

The purpose of providing for cooperation to ensure uniform standards of application throughout the European Union is to prevent companies from basing their choice of location on the degree of enforcement of end-users’ freedoms.[2] Compared to so-called “forum shopping”, this is arguably the more efficient strategy, especially if a company’s business purpose aims at multiple interferences with the privacy of its customers. Art. 20 ePrivacy Regulation thus serves to limit a de facto creation of greater scopes of action. The fact that this is already difficult to ensure within the framework of some Member States themselves, however, leaves it questionable to what extent a uniform enforcement standard can be achieved throughout the Union.

[1] Cf., for example, Art. 19 Sec. 2 lit. d ePrivacy Regulation, which requires an exchange not only with the ePrivacy authorities, but also with data protection authorities. Respective stipulations are found in Arts. 61 Sec. 9; 67 GDPR.

[2] Schmitz, in: Hoeren/Sieber/Holznagel, Handbuch Multimedia-Recht (2021), Part 16.2. Rec. 427.

Supervisory authorities are obliged to contribute to the consistent application of the ePrivacy Regulation throughout the European Union. The wording “shall contribute” makes it clear that this must consist in proactive cooperation between authorities, whereby the specific framework and frequency of the respective contact between authorities is determined at their own discretion.[3] This corresponds to the stipulation of Art. 18 Sec. 1b ePrivacy Regulation, pursuant to which cooperation is required “to the extent necessary to perform their tasks”.

The ePrivacy Regulation does not stipulate the details of a consistent application or specific standards to adhere to. Rec. 129 S. 1 GDPR only repeats the requirements of a “consistent monitoring and enforcement”. Thus, in the absence of specific provisions, guidance is only provided by the requirements of fundamental rights under the CFR and ECHR. Accordingly, in light of Arts. 16, 17 CFR (freedom to conduct a business and right to property) supervisory authorities should evaluate the effects of their measures and in future adjust them pursuant to the principles of proportionality. Arts. 20 to 23 CFR and Art. 14 ECHR (equality before the law and principles of non-discrimination) should, moreover, impel authorities not to decide differently in cases that are essentially the same. This concerns all fields of application, such as fines, enforcement, compulsory execution or individual legal protection (cf. Chapter V ePrivacy Regulation).

Under these vague conditions it is, indeed, questionable to what extent Art. 20 ePrivacy Regulation can actually ensure a fully harmonized and uniform enforcement practice. In particular, it is not clear to what extent cooperative decisions amongst authorities have a binding effect and whether the decisions of other authorities constitute a binding standard for an individual authority’s own conduct. Even though the latter might not be the case pursuant to the CJEU’s Facebook Fanpage decision[4] (the court ruled that data protection authorities could decide independently of the view of other supervisory authorities), at least in cases of an obviously divergent supervisory practice the question should be raised whether prior coordination between authorities (whatever its result) must be regarded as mandatory.[5]

[3] Cf. Polenz, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht (2019), Art. 51 Rec. 15; see also below under No. III. and Art. 18 No. IV.

[4] CJEU, judgement of 5 June 2018, C-210/16 – Wirtschaftsakademie Schleswig-Holstein/Facebook Ireland, Recs. 68-70.

[5] Schmitz, in: Hoeren/Sieber/Holznagel, Handbuch Multimedia-Recht (2021), Part 16.2. Rec. 430.

Cooperation between the supervisory authorities must take place on both a national and a European level. This serves to facilitate consistent application of the ePrivacy Regulation throughout the Union. Cooperative duties particularly encompass mutual assistance and information exchange. Indeed, there is a terminological difference between ‘cooperation’ under Art. 18 Sec. 1b and 2; 19 Sec. 2 lit. d and 20 ePrivacy Regulation and ‘mutual assistance’, as indicated by Art. 60 Secs. 1 and 2 GDPR. At first glance, this could be understood to mean that the ePrivacy Regulation only encompasses cooperation, but not mutual assistance. However, the similar wording in Art. 51 Sec. 2 S. 2 and 57 Sec. 1 lit. g GDPR already indicates a terminological affiliation between the two, which is further illustrated by Art. 60 Secs. 1 and 2 GDPR.[6] Consequently, ‘cooperation’ serves as an umbrella term for other examples, such as those mentioned above. This corresponds to the approach taken under Art. 19 Sec. 2 lit. d ePrivacy Regulation, which also classifies the exchange of information as a subtype of cooperative duties. Finally, authorities’ obligations include a contribution to the work of the EDPB, which can be inferred from an overall view of Art. 57 Sec. 1 lit. t GDPR and Art. 19 Secs. 2 lit. d and 5 ePrivacy Regulation.

As regards the so-called ‘One-Stop-Shop’ solution under Art. 56 Sec. 1 GDPR, its applicability is, unfortunately, ruled out by the explicit stipulation of Rec. 39 S. 1 ePrivacy Regulation in conjunction with its intended cutout under Art. 18 Sec. 0 ePrivacy Regulation.[7] In cases of transnational privacy interferences, which might be the rule rather than the exception, this means that multiple Member State authorities are competent, rather than one (based on the location of the acting person’s main or single establishment). Consequently, there is a special need for cooperation here.

[6] Nguyen, in: Gola, Datenschutz-Grundverordnung (2018), Art. 51 Rec. 7. According to Art. 57 Sec. 1 lit. g GDPR, supervisory authorities shall “cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities […]”.

[7] Cf. Art. 18 No. II.1.c).