Posted in Telecoms

A new era for the General Conditions?

By Peter Elliott and Mike Conradi, DLA Piper

By many accounts, the UK’s framework for regulating communications services is amongst the world’s most dynamic and successful. Leaving in its wake a telecommunications licensing regime, in 2003 the UK Government influenced and then implemented new EU Directives which took a different approach to regulating telecoms: general authorisation. In short, this meant that, subject to certain exceptions (such as in respect of the ever-so-valuable radio spectrum), companies were given a general right to provide communications services or networks provided they complied with a set of a rules, namely the General Conditions of Entitlement (or ‘General Conditions’ or ‘GCs’ for short). In the UK, unlike other EU countries, there was not even an obligation to notify Ofcom (the UK’s telecoms regulator) about the provision of communications services!

This fits in with Ofcom’s commitment towards ‘reducing regulation and minimising administrative burdens on its stakeholders‘ and its ‘bias against regulatory intervention‘. However, the General Conditions have increased in length and number since their inception; indeed, three new conditions and 63 pages have been added since 2003. Some of this is understandable; the communications market has changed significantly over the past 14 years, and Ofcom has had to respond to UK and global market developments in addition to implementing new EU Directives and regulations.

However, it is easier to build than deconstruct, and the General Conditions now often fail to meet Ofcom’s goal of seeking to ‘ensure that regulation does not involve…the maintenance of burdens which have become unnecessary‘ . Navigating the unwieldy and confusing structure of the General Conditions is a burden that eludes many.

It is for this reason that Ofcom began a consultation with industry stakeholders in August 2016 to ‘produce a coherent set of regulatory conditions which are clearer and more practical, easier to comply with and simpler to enforce‘. Whereas this may seem sensible, the stakeholders who have responded are nearly unanimous in celebrating the purpose of this exercise whilst criticising many of the Ofcom’s actual proposals.

The consultation has been split into two parts. The first part, which ended in October 2016, concerned the General Conditions relating to network functioning and numbering, and Ofcom’s focus was primarily on shortening and simplifying these requirements; the second part (which is due to conclude on 14 March 2017), relates to consumer protection, and Ofcom’s proposals frequently would extend the scope of these General Conditions in order to take account of changes in technology and consumer behaviour. The proposed changes include (with our comments in italics in brackets):

Consolidating definitions: consolidating the definitions by placing them into a single section. (This is long overdue! More time and energy is often dispensed trying to discern the different ways in which the same terms – such as “Communications Provider” – are defined differently across the various General Conditions than it is actually reading the requirements themselves. The current structure is confusing and contrary to Ofcom’s goal of achieving coherency);

Consolidating overlapping Conditions: consolidating those General Conditions which address associated issues, namely by (i) combining those covering emergency services and emergency situations (GC 3 and GC 4), (ii) combining those covering directory information (GCs 8 and 19), and (iii) placing into a single condition all of the information publication requirements across the General Conditions (whilst also simplifying these, where possible). (Again, this was overdue, particularly as GCs 8 and 19 do not consequentially follow from each other, and the drafting under GC 19 always seemed unnecessarily long given the simplicity of the obligation);

Removing unnecessary Conditions: removing those requirements which are covered under other UK laws, which are no longer needed due to regulatory and market developments, or which are unnecessary because Ofcom has the right to exercise the relevant rights in any event – e.g. removing (i) the obligation on communications providers to share confidential information with Ofcom (GC 1.3), (ii) the prohibition on imposing unreasonable restrictions of network access (GC 3.2), (iii) the rules relating to directory enquiry services (GCs 6.1(b), 8.1(b) and 8.4), and (iv) some requirements on VoIP providers to provide information about service reliability amongst other things, and to ensure emergency calls can be made (Annex 3 to GC 14). (Some of these are welcome – for example, for many new market entrants, the concept of directory enquiry services seemed to hark back to a byzantine era. Similarly, with VoIP increasingly becoming the standard means of making voice calls amongst many enterprises and consumers, it is unsurprising that Ofcom have focussed on clarifying regulations in this area. However, these changes relating to VoIP have been called into question by several stakeholders; for example, Microsoft do not believe it is necessary to ‘create a discrete definition of potential communications services using a specific technology or network architecture’ and Vodafone ‘finds it curious that Ofcom continues to regulate on a technology-centric basis, with specific requirements placed on VoIP call services’. We expect more jockeying in this area as, arguably, the future of VoIP (and data) is the near-future of telecoms);

Extending billing requirements: increasing the scope of the rules on billing accuracy, debt collection and disconnection procedures for non-payment of bills so that, in addition to voice call services, they apply to data services. (This is unsurprising given the uptake in data-related services in recent years. In respect of billing accuracy, Ofcom appears to be targeting the largest players in the market as it also proposes increasing the turnover threshold for triggering these obligations from £40m to £55m; this should help support competition from the smaller players, although this is likely to be contested by the larger communications providers); and

Establishing a new code for disputes and complaints handling: creating a new code containing, for example, a requirement (i) to inform a customer proactively about how and when a complaint will be handled, and (ii) to provide certain information to customers who have made a complaint (e.g. the latest date following the closure/resolution of a complaint by which the customer can revert to the communications provider stating they remain unhappy). (Whilst the intention behind these changes is understandable, how readily they will operate in practice is questionable as different complaints may merit different responses that, in turn, may require different levels of resourcing which could be difficult for a communications provider to determine in advance. Again, communications providers are likely to resist some of these proposals).

All in all, whilst not a complete overhaul of the General Conditions of Entitlement, these changes are likely to represent a significant and – largely – much-needed makeover. It will be interesting to see if and how Ofcom takes into account the responses it receives from industry stakeholders.
Either way, Ofcom intends to publish a final statement on its proposals, in addition to the revised versions of the General Conditions, in the Spring of 2017.

Posted in Asia Privacy Cybersecurity International Privacy New Privacy Laws Privacy and Data Security


Guidance on who is a “key information infrastructure operator” under the PRC Cybersecurity Law, and draft regulations on handling minors’ data

In the rapidly evolving data protection compliance environment in the People’s Republic of China, this month has seen some helpful clarification around two areas of uncertainty – namely:

  •  some further indications as to whom will be deemed a “KIIO” (and so subject to the data localization rules under the PRC Cybersecurity Law); and
  • on the additional safeguards required when handling personal data of minors,

but unfortunately in both regards significant uncertainties remain.

New Cybersecurity Strategy gives first guidance on application of PRC Cybersecurity Law

Following the recent enactment of the PRC Cybersecurity Law, China’s Internet regulator published the country’s first National Cyberspace Security Strategy (the “Strategy“) on December 27, 2016. The Strategy offers few fresh initiatives but summarizes goals within the PRC Cybersecurity Law and other regulations passed over the past year. A guiding concept is “Internet sovereignty”, which the Strategy defines as China’s right to police the Internet within its borders and participate in managing international cyberspace. In particular, the Strategy emphasizes the strategic need to safeguard key information infrastructure operators (“KIIOs“).

Most importantly, the Strategy seeks to clarify the definition of a KIIO, by providing guidance on the industries which the Chinese Government will prioritize with respect to cybersecurity.

A KIIO is defined in the Strategy as an operator of “information facilities that have an immediate bearing on national security, the national economy or people’s livelihoods such that, in the event of a data leakage, damage, or loss of functionality, national security and public interest would be jeopardized“. This aligns with the definition in the PRC Cybersecurity Law, and indicates the potential impact of a security breach is a key factor in determining who will be considered a KIIO.

In addition, the expanded definition put forward in the Strategy includes clarification on the industries that the Chinese authorities consider to be operating key information infrastructure. The PRC Cybersecurity Law listed “public communications and information service, energy, transportation, hydropower, finance, public service, e-government and other critical information infrastructure”, and the Strategy clarifies this by:

  • listing “basic telecommunications networks that provide public communications, radio and television transmission and other such services” to expand on the definition of “public communications” operators;
  • noting that important information systems in sectors and State bodies in the additional fields of “education“, “scientific research“, “industry and manufacturing“, “medicine and health” and “social security” will also be caught; and
  • identifying that “important Internet application systems” will be deemed to be KIIOs as well. Unofficial reports suggest that this is intended to catch popular apps such as Taobao and WeChat which have millions of daily users in China who would be affected by a security breach.

Organizations within these newly-highlighted sectors are now also advised to pay attention to the additional cybersecurity and data protection obligations imposed on KIIOs in the PRC Cybersecurity Law and consider updating their compliance programs accordingly. For our summary of the key features of the PRC Cybersecurity Law click here.

Unfortunately this additional guidance is far from definitive, in that it remains unclear whether all organizations within the specified industries that are encompassed by the definition of a KIIO will automatically be KIIOs if they operate any networks (and potentially even just a website) in the People’s Republic of China. Further, other key uncertainties under the PRC Cybersecurity Law – including the definition of “network operator” and “important business data” – remain. The ongoing uncertainty is extremely unhelpful for local and international organizations trying to identify whether they need to update their China compliance programs in advance of 1 June 2017 when the PRC Cybersecurity Law becomes effective, and we hope that further guidance will be published shortly.

Draft Regulations on the protection of the use of Internet by minors published for comments

The State Council published for public consultation the draft Regulations on the Protection of the Use of Internet by Minors (the “Draft Regulations“) on January 7, 2017 to provide additional protection to minors (i.e., Chinese citizens under the age of eighteen) when they are online. In particular, the Draft Regulations propose additional data protection obligations, with which “network information service providers” (i.e., organizations and individuals using networks to provide users with information technology, information services, information products, including online platform service providers, and providers of online content and products) would need to comply. The definition of a “network information service provider” appears to catch any individual or business that operates websites or processes online data in China.

Some of the key provisions of the Draft Regulations include:

  • Network information service providers must conduct reviews of the information published on their platform. If any content is deemed unsuitable for minors, a warning must be placed prominently before the content is displayed. The Draft Regulations recognize the need for relevant authorities to publish policies to offer guidance to organizations on how to manage information unsuitable for minors.
  • “Minors’ personal information” is given a wide definition, and would capture all kinds of information, whether recorded electronically or through other means, that when alone or taken together with other information is sufficient to identify a minor’s identity, including but not limited to a minor’s full name, location, residential address, date of birth, contact information, account name, identification number, personal biometric information, and photographs.
  • Individuals or organizations collecting and using minors’ personal information online must clearly notify (for example, by way of a website privacy policy) the purposes, means and scope of collecting or using such personal information and obtain the consent of the minor or their parent/guardian. The Draft Regulations would require “specific privacy policies” to be formulated for such collection and use to enhance protection of minors’ personal information, although it is unclear whether the authorities would require a separate privacy policy specifically aimed at minors and their parent/guardian to be published on websites. Amid the uncertainties, if the Draft Regulations are passed, individuals or organizations collecting and using minors’ personal information online, especially on websites that are targeted at minors, are urged to review their existing privacy policies to ensure that as a minimum the required consent is obtained and that their privacy policy at least clearly addresses collection of data from or about minors.
  • Network information service providers that offer search functions on their platforms would not be allowed to display search results that comprise minors’ personal information. If a minor or his/her parent/guardian requests a network information service provider to delete or block the minor’s personal information that is available online, the network information service provider would also be required to do so.

Consultation on the Draft Regulations closes on 6 February 2017. It is hoped that some of the uncertainties in the Draft Regulations will be clarified before the Draft Regulations are finalized and come into force. In the meantime, organizations – particularly those whose websites are aimed at young people – are warned that, if passed, the Draft Regulations would require a pro-active review and update of their Chinese websites and privacy policies, and data collection/retention policies and procedures, to address these new safeguards.

DLA Piper’s Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more please click here.

Posted in Cybersecurity

NIST Issues Draft Update to Cybersecurity Framework

Written by Jim Halpert and Michelle Anderson

The National Institute of Standards and Technology (NIST) released proposed revisions (draft Version 1.1) to its Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”) on January 10, 2017. The latest draft is intended to “refine, clarify, and enhance” Version 1.0, released in February 2014 in response to Executive Order 13636 – Improving Critical Infrastructure Cybersecurity.

Notable changes in draft Version 1.1 include:

  • Additional information on mitigating supply-chain risks. NIST expanded Section 3.3 (“Communicating Cybersecurity Requirements with Stakeholders”) to address the importance of communicating and verifying cybersecurity requirements among stakeholders as part of cyber supply chain risk management (SCRM). In addition, NIST added SCRM as a property of the Implementation Tiers (Section 2.2) and to the Framework Core under the Identify Function.
  • A new section (Section 4.0) on cybersecurity measures and metrics. NIST notes that by using metrics and measurements the Cybersecurity Framework can be used as the basis for assessing an organization’s cybersecurity posture. According to the draft, “metrics” help “facilitate decision making and improve performance and accountability” while “measurements” are “quantifiable, observable, objective data supporting metrics.” For example, organizations can measure system uptime—and this measurement can be used as a metric against which an individual responsible for developing and implementing appropriate safeguards to ensure delivery under the framework’s Protect Function can be held accountable.

NIST invites comments on draft Version 1.1. Comments are due by April 10, 2017, and can be sent to After reviewing these comments and convening a workshop, NIST intends to publish a final Framework Version 1.1 in Fall 2017.

NIST reiterates that “[a]s with Version 1.0, use of the Version 1.1 is voluntary,” and says that users of Version 1.1 may “customize the Framework to maximize organizational value.”

That said, NIST’s encouragement of using cybersecurity measures and metrics for internal organizational accountability could lead to the creation of metrics that can also be used by third parties (e.g., regulators) to hold organizations accountable under the framework. While it remains to be seen what the Federal Trade Commission (FTC) will do under the incoming Trump administration, the FTC (and other regulators) could use such metrics as the bases for enforcement actions. Indeed, there is significant overlap between what the FTC considers to be “reasonable” security and the Cybersecurity Framework. According to the FTC’s blog post on The NIST Cybersecurity Framework and the FTC, “The types of things the Framework calls for organizations to evaluate are the types of things the FTC has been evaluating for years in its Section 5 enforcement to determine whether a company’s data security and its processes are reasonable. By identifying different risk management practices and defining different levels of implementation, the NIST Framework takes a similar approach to the FTC’s long-standing Section 5 enforcement.”

According to NIST, this latest draft incorporates feedback to Version 1.0, responses to its December 2015 request for information, and comments from NIST’s April 2016 Cybersecurity Framework Workshop.

Posted in Cross-Border Transfers Cybersecurity EU Data Protection Privacy and Data Security Uncategorized

Blog Post: Swiss-US Privacy Shield Adopted, Aligns with EU-US Privacy Shield

Written by Michelle Anderson

The Department of Commerce International Trade Administration and Swiss Federal Council announced on January 11, 2017, the creation of a Swiss-US Privacy Shield framework that will “apply the same conditions as the European Union” under the EU-US Privacy Shield framework.

This is welcome news for companies that transfer personal data from both the EU and Switzerland to the United States. Since the Department of Commerce began accepting certifications under the EU-US Privacy Shield in August 2016, companies that transfer personal data from both the EU and Switzerland to the United States have had to certify under two different frameworks. However, implementation of the Swiss-US Privacy Shield will help align the obligations for Switzerland-US transfers with those of EU-US transfers. Companies can begin certifying compliance on April 12, 2017.

The Swiss-US Privacy Shield Framework replaces the US-Swiss Safe Harbor Framework, the legitimacy of which has been in question since the European Court of Justice (ECJ) determined in October 2015 that the EU-US Safe Harbor framework was invalid. Following the ECJ decision, EU and US officials announced the EU-US Privacy Shield framework in February 2016 and finalized it in July 2016.

In its press release, the Swiss Federal Council highlighted “the stricter application of data protection principles by participant companies on the one hand and the administration and supervision of the framework by the US authorities on the other” as benefits of the Swiss-US Privacy Shield. It also underscored the creation of an arbitration body and the ability of people living in Switzerland to inquire with the US Department of State as to the processing of their data by US intelligence services.

The Department of Commerce has said that the new framework “will enhance transatlantic data protection and support the continued growth of U.S.-Swiss commercial ties.” Federal Trade Commission (FTC) Chairwoman Edith Ramirez has pledged that the FTC will “continue [its] vigilant approach to enforcement of the new Framework.”

Posted in Cybersecurity Privacy and Data Security

Presidential Commission Issues Recommendations for Improving Public and Private Sector Cybersecurity

Written by James Duchesne

The President’s Commission on Enhancing National Cybersecurity (the “Commission”) recently issued a thoughtful report on improving the United States’ cybersecurity posture.  (The full report can be read here.)  The majority of the Commission’s recommendations would require action by the Trump Administration but may nonetheless prove influential.   The Commission was charged under President Obama’s February 2016 Executive Order 13718 with “mak[ing] detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions” and enhancing partnerships between the private sector and all levels of government. The Commission recently issued a report detailing its recommendations.

As part of its cybersecurity study, the Commission conducted several open meetings and issued a request for information. The Commission also analyzed previous federal agency and legislative cybersecurity reports and initiatives, although it found that many of these previous reports’ recommendations were unrealistic. The Commission focused its study on ten topics: federal governance, critical infrastructure; cybersecurity research and development; cybersecurity workforce; identity management and authentication; Internet of Things (IoT); public awareness and education; state and local government cybersecurity; insurance; and international issues.

In preparing its recommendations, the Commission analyzed cybersecurity issues through a set of principles that are useful for any organization when considering cybersecurity issues. Some principles include:

  • Responsibility, authority, capability and accountability for cybersecurity and cyber risk management should be explicit and aligned within an enterprise’s risk management and governance strategy.
  • Effective cybersecurity depends on consumer and workforce awareness, education, and engagement in protecting their digital experience.
  • Technologies and products should make the secure action the easy option as users continue to rely on defaults and human behavior tends to follow the “easy” option.
  • Security, privacy, and trust must be primary considerations at the outset when new cyber-related technologies and policies are conceived.

The Commission identified a number of hurdles that create challenges—in both the public and private sectors—to implementing effective cybersecurity measures.

  • First to market pressures. The drive to bring products to market quickly often leads to cybersecurity being an afterthought. While security features may be added later through product updates, the result is a lower level of security when compared to products for which security was integrated into product development.
  • Flexible and mobile work environments introduce cyber risk. The myriad devices that now connect to an organization’s network, from employees’ personal mobile devices to vendors’ devices, hampers an enterprise’s ability to protect its networks. As the Commission stated, “[T]he classic concept of the security perimeter is largely obsolete.”
  • Many organizations and individuals fail to implement basic security measures.
  • Complexity creates vulnerabilities. As the size and complexity of software and devices and their supply chains grow, so too do the number of vulnerabilities. Systems and software must be managed and updated, which can become difficult as the environment expands, especially with legacy systems and even new systems, such as IoT devices.

The Commission organized its findings and recommendations into six issue areas. The areas and some of the key recommendations under each follow.

1.  Protect, defend, and secure today’s information infrastructure and digital networks:

  • The public and private sectors must collaborate to protect networks and infrastructure. The Commission recommends the creation of a National Cybersecurity Private-Public Program to define the cybersecurity roles of the respective sectors, share classified information, and conduct and improve training. The federal government should build on and improve its information sharing programs and should work with industry to identify statutes, rules, and policies that discourage the private sector from sharing cyber information (e.g., FOIA, use in civil discovery or regulatory enforcement action, waiver of attorney-client privilege). The new administration should build on the NIST Cybersecurity Framework, and regulatory agencies should harmonize their regulations with the Cybersecurity Framework (which would both simplify and enhance cybersecurity compliance).

2.  Innovate and accelerate investment for the security and growth of digital networks and the digital economy:

  • The federal government and private sector partners should work together to improve security in IoT devices, such as through the creation of voluntary standards, which agencies should consider when undertaking rulemakings. Federal agencies should initiate an interagency study to evaluate “the current state of the law with regard to liability for harm caused by faulty IoT devices and provide recommendations” to incentivize companies to design secure products.

3.  Prepare consumers to thrive in the digital age:

  • The private sector should work with the FTC to identify ways to provide consumers, through a public awareness campaign, with better information so consumers can make informed decisions when purchasing and using connected products and services. This campaign should be coupled with security improvements in devices and systems. The Commission recommends an independent organization develop a “cybersecurity nutrition label” for technology products and services. The FTC, working with industry and consumer advocates, should develop a Consumer’s Bill of Rights and Responsibilities for the Digital Age that would improve consumer education, clarify privacy protections and how information is used, and identify products’ security attributes.

4.  Build cybersecurity workforce capabilities:

  • The federal government should launch a national cybersecurity workforce program to train new cybersecurity practitioners.

5.  Better equip government to function effectively and securely in the digital age:

  • Federal civilian agencies should be allowed to consolidate and share network connections while moving to an enterprise risk management approach for handling cybersecurity. Government at all levels must clarify cybersecurity mission responsibilities across departments and agencies to protect, defend against, respond, and recover from cyber incidents; to accomplish this, the next administration should issue a National Cybersecurity Strategy while Congress should consider consolidating cybersecurity and infrastructure protection functions under a single federal agency.

6.  Ensure an open, fair, competitive, and secure global digital economy.

  • The Administration should work with the international community to harmonize cybersecurity policies and practices. The next administration should appoint an Ambassador for Cybersecurity to engage the international community on cybersecurity issues. NIST and the Department of State should work with international partners to develop cybersecurity standards and to promote the NIST Cybersecurity Framework’s risk management approach.

Most of these recommendations are both thoughtful and non-ideological. It remains to be seen whether the Trump Administration will embrace them, although they sketch out many areas for potential progress.  Its recommendations also make interesting reading for private sector businesses with regard to strategies to improve cybersecurity at the federal level as well as on private sector networks and products and services.

Posted in Data transfers EU Data Protection Privacy and Data Security

EU – First GDPR Guidance published by Article 29 WP

The Article 29 Working Party (‘WP29’) has issued its first guidance on GDPR topics. This guidance (including FAQs) relates to:

  • the right to Data Portability;
  • Data Protection Officers (DPO); and
  • the Lead Supervisory Authority.

While WP29 announced that more opinions and guidance will follow – for example, guidelines on Data Protection Impact Assessments and Certification will be ready in 2017 – the first three guidelines already provide a first glance on WP29’s view on GDPR topics.

Guidelines on the right to Data Portability

In article 20 GDPR, a new right to data portability is created. This right aims at empowering data subjects regarding their own personal data as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another. The WP29 opinion provides guidance on the way to interpret and implement the right to data portability. It clarifies the conditions under which this new right applies and also provides concrete examples and criteria to explain the circumstances in which this right applies.

From this opinion it appears for example that:

  • this right is only applicable if the legal basis of the data processing is the data subject’s consent or the necessity to perform a contract;
  • this right is limited to personal data provided by the data subject (including personal data that relate to the data subject activity or result from the observation of an individual’s behaviour but not subsequent analysis of that behaviour);
  • data controllers must inform the data subjects regarding the availability of the new right to portability (e.g., WP29 recommends that data controllers always include information about the right to data portability before any account closure);
  • data controllers are encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.

The WP29 Guidelines on Data Portability can be found here.

Guidelines on Data Protection Officers

Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. From the WP29 guidelines it becomes clear that DPOs are not personally responsible in case of non-compliance with the GDPR.

WP29 also provides some further details and concrete examples on when a DPO must be appointed. For example it states that ‘core activities of the controller or processor’ (which triggers the appointment of a DPO as set out in Article 37 GDPR)  refers to  the key operations necessary to achieve the controller’s or processor’s goals, which can also be part of other activities (e.g. a hospital processing patient data).

Article 37 GDPR doesn’t require that the DPO is someone working within the controller or processor, this can also be a third party. However, WP29 does state that the ‘personal availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential’, such in order to ensure that data subjects will be able to contact the DPO.

WP29 states that the DPO should be involved in all issues relating to the protection of personal data, such from the earliest stage possible.

In its guidelines, WP29 further defines the (independent) position and tasks of the DPO.

The WP29 guidelines on the DPO can be found here.

Guidelines on the Lead Supervisory Authority

In its third opinion, WP29 provides guidelines for identifying a controller or processor’s lead supervisory authority. This topic is relevant where a controller or processor is carrying out the cross-border processing of personal data.

In accordance with Article 56 GDPR, WP29 states that identifying the lead supervisory authority depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU. In principle, for the controller this will be the place of its central administration. However, WP29 makes it very clear that there can be situations where more than one lead authority can be identified, i.e. a controller has separate decision making centres, in different countries, for different processing activities. The example given by WP29 relates to a bank, whose banking decisions are made in one jurisdiction where also HQ is based, but whose insurance division is based in another jurisdiction. In that case, there are two supervisory authorities.

In its guidelines, WP29 provides further criteria on how to identify the main establishment in cases where it is not the place of central administration in the EU.

Controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.

The WP29 Guidelines on the Lead Supervisory Authority can be found here.