This week the European Commission took noteworthy steps on several fronts. These are mostly procedural, but still significant for a number of reasons.
Effective judicial remedy
On 26 Jan., the European Commission launched an infringement procedure against Belgium for the lack of judicial remedy afforded to former authority’s members, dismissed in July 2022. The commission established the conditions of the dismissal were in breach of the EU General Data Protection Regulation because they did not provide an effective judicial remedy. Belgium now has two months to respond or the European Commission may decide to issue a reasoned opinion.
Belgium's Data Protection Authority has been in turmoil since the dismissal, triggered by concerns about transparency issues within the authority. Reform is in the works. The Belgian Parliament will soon adopt a new law reforming the DPA's set up and changes will go into effect in early 2023.
That same week, the European Commission sent a warning to Finland for failing to provide an effective judicial remedy in case of the inaction of the DPA when handling a complaint — for either not handling or responding under the set timeline.
In this instance, in April 2022 the European Commission interjected, to both Finland and Sweden, the ability to bring these complaints to the Chancellor of Justice or the Parliamentary Ombudsman did not satisfy the requirements for an effective remedy before a court or a tribunal. Finland has two months to respond to the European Commission. If they fail to meet the commission’s expectations, this case may end up before the Court of Justice of the European Union.
Adequacy
EU Commissioner for Justice Didier Reynders addressed the European Parliament Committee on Civil Liberties, Justice and Home Affairs earlier this week. The Parliament has no formal role in the approval process of EU draft adequacy decisions but has certainly informed atmospherics in previous iterations of the process vis-a-vis the U.S. and other EU partners like the U.K. and Japan. Since the political agreement on a new transatlantic privacy framework was reached in March 2022, Reynders has defended the new framework and adopted a reassuring tone regarding its survival rate should it be challenged before the CJEU as its predecessors were.
In today’s exchange of views with the LIBE, Reynders clearly distanced the new framework from Privacy Shield, “We are talking about a fundamental change of the Privacy Shield with new tools and just fixes,” he said, as the new arrangement creates binding safeguards, access by Europeans citizens to an independent court. “It needs to be properly implemented.” The priority for the European Commission will be complying with rules and ensuring EU citizens are protected when data is transferred to the U.S.
When asked about a legal challenge to the new framework, Reynders conceded it is “probable,” but he is committed to defending the European Commission’s position and system. Next, the European Data Protection Board will provide a nonbinding opinion at the end of February, which the European Commission can take into account when making adjustments to its draft decision before it goes before member states for formal approval this spring.
Information exchange
Finally, correspondence between the European Commission’s Department for Justice and the European ombudsman made some headwinds this week. Last year, the ombudsperson launched an inquiry prompted by a complaint lodged by the Irish Council of Civil Liberties into concerns the European Commission might not be able to properly monitor the GDPR application by Ireland's Data Protection Commission and others more broadly due to the lack of information the commission collects in this respect.
This week the European Commission committed to asking national DPAs to share “on a bi-monthly and strictly confidential basis, an overview of large-scale cross-border investigations under the GDPR” with information on the controller or processor involved, a summary of the investigation scope, key procedural steps and measures taken by the DPA. The European Commission also indicated it will provide an account of information sharing in its second report on the application of the GDPR.
It remains to be seen how much this information sharing will impact the current state of play. It might help improve transparency and data driven assessments and measure how GDPR application and DPA cooperation is functioning at European level. It may also help the European Commission assess the merits of the EDPB’s wishlist of procedural aspects that could be harmonized at EU level. For example, the EDPB underlined DPAs “have different approaches regarding the start of the cooperation procedure, the timing of involvement of other DPAs, and the communication of relevant information to them.”