EU General Data Protection Regulation enforcement was at the center of a conference last week organized by the European Data Protection Supervisor. Stakeholders pointed out several structural problems within the GDPR’s architecture and potential ways to address them.
"Some of you might ask: 'why is the EDPS organizing this conference?' There is a path we can follow to finally deliver what was started 10 years ago, in January 2012, when the GDPR proposal was announced," said the EDPS Wojciech Wiewiórowski, calling on European policymakers and regulators "to come back to the drawing board."
The conference was organized at a time when the EU data protection law has been recurrently the object of criticism for not having yet delivered to the expectations it had raised.
Wiewiórowski acknowledged such an assessment, indicating that the GDPR was meant to provide a level playing field. Instead, big companies with more resources expanded their advantage over small competitors. In contrast, individuals wait for years to obtain justice, he said.
"I also see hopes that certain promises of the GDPR will be better delivered. I share views of those who believe we still do not see sufficient enforcement, particularly against Big Tech," Wiewiórowski added.
Structural problems
A recurrent topic in the discussions on the enforcement of the GDPR is the role of Ireland's Data Protection Commission. Under the GDPR's one-stop-shop mechanism, the Irish authority has the lead on most cross-border cases involving Big Tech companies, as that is where many have their European headquarters.
In May 2021, European lawmakers adopted a non-binding resolution calling on the European Commission to open an infringement procedure against Ireland for failing to enforce the GDPR effectively. Last November, the Irish Council for Civil Liberties filed a formal complaint before the European Ombudsman against the Commission for allegedly not holding Ireland accountable.
"I don't think that, at the moment, the way to answer the questions is to accuse individual DPAs of wrongdoing,” Wiewiórowski told reporters. “The problems are structural. And we should think about them in a structural way, knowing that there will be no changes in the GDPR in the next few years."
The EDPS underlined three main structural obstacles the GDPR architecture must overcome. Unequal burden sharing, procedural law differences hampering cooperation and the fact that the European Data Protection Board, which gathers all EU DPAs in a collective body, is often involved too little and too late.
The governance question
The EDPB is the linchpin of the cooperation between European DPAs. It has supported the harmonization of the law adopting 57 guidelines and six recommendations in four years to improve clarity on legal concepts and explain how GDPR applies to new technologies.
The question around enforcement has mostly been raised in large, cross-border cases, whereas the EDPS estimates that 95% of data protection cases in Europe are at the local level. Although less numerous, cross-border cases can have far-reaching consequences for millions of data subjects and affect tens of other cases.
That is where the EDPB comes in, as the leading authority must submit its draft opinion to its peers. In case of conflict, a majority of EU DPAs can overrule the leading authority. That is what happened with the record 225 million euro fine the Irish DPA issued against WhatsApp, an amount that was significantly increased following a dispute resolution mechanism.
For European Justice Commissioner Didier Reynders, the WhatsApp fine proves that the EDPB provides a platform for consistency and cooperation. Still, the system has been accused of being too laborious and taking too long to deliver on time-sensitive decisions.
"The use of these emergency or dispute resolution procedures should not be seen as a failure of cooperation, but as a way to move forward and create jurisprudence," stressed Marie-Laure Denis, President of the CNIL. "We do not consider status quo as an option, and we are fully aware of the margins for progress and obstacles that we still have to overcome, including to ensure optimal cooperation."
In April, European DPAs met in Vienna and committed to closer cooperation for strategic cases that fulfil specific quantitative and qualitative criteria. In particular, potential GDPR violations affect many data subjects or touch upon structural or recurring problems in several member states.
Looking at the history of competition enforcement, the CNIL noted that the European Commission used to work on its own at the beginning, but gradually integrated national authorities in its investigations. Moreover, it took many years to bring the first big competition enforcement action as there is always a learning curve, although the digital environment requires regulators to act much faster.
Administrative procedures
For Wiewiórowski, the fact that procedural laws are fully defined at the national level is causing “critical problems” for the cooperation between DPAs. In his view, it would be up to the European Commission to intervene to streamline administrative procedures. In national legislation, there are sometimes differences so significant as to touch upon even what is a final complaint decision.
This approach is opposed by Paul Nemitz, the principal advisor of the European Commission's justice and consumer department, who stressed that it is much too early to talk about new EU legislation. For Nemitz, discrepancies in procedural law can be solved by the DPAs simply by ignoring national procedures that hamper the effective application of the GDPR, since European law takes priority over national rules.
However, the problem is that national procedural law is very precise, whereas the DPAs could only refer to some vague principles of the GDPR as the data protection law does not address these procedural issues. For privacy advocate Max Schrems, there is a concrete risk that national courts would rule against the DPAs in that case.
Schrems highlighted how NOYB is not recognized as a party in data protection cases in certain countries like Sweden and that for administrative law harmonization to take place merely by judicial review, it could take 10 to 20 years. Moreover, the costs for initiating a lawsuit vary considerably across EU countries, with an average of 5,000 euros that can reach up to 100,000 euros in Ireland.
"If there's a real contradiction between national law and the European law, it's the task of the European Commission to step in. Maybe first with the dialogue and not with an infringement process, to have that improvement," said Ulrich Kelber, Germany's federal commissioner for data protection and freedom of information.
Three scenarios
In her keynote speech, European Commission Vice-President Věra Jourová presented three possible scenarios for the GDPR in the next five to 10 years.
The first scenario involves changing nothing, counting on the fact the cooperation in the context of the one-stop show will improve with time, as there are signs of improvement already. However, this scenario entails the risk of unhealthy competition and tension between the DPAs and their interpretations of legal concepts.
The second scenario she called the “revolution.” It entails reopening the file to clarify certain concepts aligned with the EDPB's guidelines and to centralize enforcement. While tempting, Jourová noted that old legislative battles would come back and that fully centralized enforcement would mean that more minor cases might be neglected.
For her, the preferable is the third scenario, called “targeted improvements.” Administrative procedures would be streamlined as far as possible under EU law, DPAs would collaborate with other regulators, such as competition authorities, based on the one-stop-shop experience, and the EDPB would have a more decisive role with a stronger secretariat. At the same time, the member states would ensure sufficient resources for specialized experts and lawyers.
"We are at the crunch time. Either we all collectively show that GDPR and its enforcement is effective and fit for purpose. Or others will do it for us. The expectations are very high. The pressure will only grow because there will be more emotions and competition," Jourová said.
Photo by François Genon on Unsplash