The European Commission has proposed a new harmonisation law to simplify the process of enforcing the EU General Data Protection Regulation (GDPR) in cross-border cases. The new GDPR Procedures Regulation will create a common set of rules for data protection authorities (DPAs) when applying the GDPR in cases that affect individuals in multiple Member States.
The Commission claims the new rules will provide clarity for individuals making complaints and businesses involved in potential violations of the GDPR, resulting in swifter resolution of cases and increased legal certainty. The new rules are also intended to enhance efficiency and cooperation between DPAs.
Věra Jourová, European Commission Vice-President for Values and Transparency, said, "GDPR became a new synonymous for effective data protection law globally. Now, it is the enforcement of the law that will decide on its full success. While the independent authorities are doing a tremendous work, it’s time to ensure we can operate faster and in a more decisive way. Especially in serious cases in which one violation may have many victims across the EU. Our proposal lays down rules to guarantee smooth cooperation among data protection authorities, supporting more vigorous enforcement, to the benefit of the people and businesses alike."
The Commission published a Q&A document providing further details. Additional reporting in EURACTIV.
Despite high expectations, initial reactions have been less than positive.
Austrian privacy group NOYB labelled the proposal an attack on users' rights. According to NOYB, the proposal is mainly focused on removing citizens from procedures in order to simplify them. Furthermore, the Commission seems to only be addressing individual issues that have arisen in larger cases involving the Irish DPC rather than taking a systematic approach. The proposal also delegates jurisdiction to Member States for certain aspects of the procedure, resulting in a hybrid between EU and national laws and procedures.
Max Schrems, honorary NOYB chair, said, "We hoped for a solution, but this is fundamentally shifting a procedure about the rights of users to a procedure about the rights of companies. We need to study the proposal in more detail, many elements are clearly a step back for users' rights. We think there would be more traditional ways to tackle the problems that would at the same time interfere less with national procedural laws and be much simpler - while also fixing the problems on a systematic level. We will engage with the European legislators to see if the proposal can be fixed, but it seems this would be a long way to go."
In a separate response, the European consumer organisation (BEUC) said that the Commission's proposal falls short of improving complainants' rights to be heard and obtain timely and crucial information from investigations. The BEUC explained that it has previously highlighted this as an issue, and there is a risk that the proposal could even make the situation worse for consumers, the organisations representing them in cases against multinational companies, and DPAs.
Ursula Pachl, Deputy Director General of the BEUC, said, “As good as the GDPR is on paper, it has been hamstrung by weak enforcement when it comes to EU-wide infringements by big companies. Consumer organisations have repeatedly experienced how difficult it is for consumers to have their rights respected if authorities do not act faster and in a more coordinated way. Weak and slow enforcement only suits Big Tech and other companies who make money from trampling on people’s right to personal data protection... The Commission has recognised the situation but the cure it is proposing is unlikely to help the patient. The Parliament and national governments need to substantially improve the proposal and rectify what is missing, such as giving consumer organisations the same procedural rights as defendants in a case."
Meanwhile, the Computer & Communications Industry Association (CCIA Europe) also issued a response. The trade association, which represents the interests of technology companies in Europe, including the likes of Amazon, Apple, Google and Meta, highlighted companies will have a very limited timeframe to respond to any new allegations or evidence presented by the EDPB in cases where DPAs are unable to reach a decision. The association is concerned the proposal does not allow sufficient time for defendants to respond to new interpretations of the law or additional evidence, which are often only introduced once the case is escalated to the EDPB. The CCIA Europe is also disappointed companies do not have the right to appeal binding EDPB decisions.
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.
The Privacy Newsfeed monitors over 300 global publications, of which more than 5,750 summary articles have been posted to the online archive dating back to the beginning of 2020. A weekly roundup is available by email every Friday.