Last week, the European Data Protection Board adopted its first Article 65 GDPR decision and we eagerly await the full decision and outcome in due course.
This has been a matter of real interest for large organisations who process data across various EU member states and as such, may be subject to decisions and views with input from multiple supervisory authorities across the EU. It is interesting to see Article 65 of the GDPR come into action and what does happen when the regulators disagree.
Article 65 of the GDPR is intended to be invoked where a local supervisory authority, in this case the Irish Data Protection Commission ("DPC"), faces criticism from or does not agree with supervisory authorities in other EU Member States.
In this case, various supervisory authorities made representations that they disagreed with certain allegations made against Twitter by the Irish DPC in respect of its GDPR compliance, following notification of a personal data breach in January 2019.
The EDPB will publish its decision once the final decision has been communicated to Twitter as the relevant data controller.
Following the submission by the LSA, the completeness of the file was assessed, resulting in the formal launch of the Art. 65 procedure on 8 September 2020. In compliance with Article 65 (3) GDPR and in conjunction with Article 11.4 of the EDPB Rules of Procedure, the default adoption timeline of one month was extended by a further month because of the complexity of the subject matter. On 9 November 2020, the EDPB adopted its binding decision and will shortly notify it formally to the Irish SA.
https://edpb.europa.eu/news/news/2020/edpb-adopts-first-art-65-decision_en