Since the EU General Data Protection Regulation's entry into application, one area has been particularly scrutinized — its enforcement. This July, the European Commission proposed an additional regulation to harmonize procedural differences across the EU and streamline the cross-border cooperation procedure. The proposal is currently under discussion by member states and members of the European Parliament, led by MEP Sergey Lagodinsky, who has been involved in the EU's digital agenda as a shadow-rapporteur for other proposals including the Artificial Intelligence Act and the AI Liability Directive.
The proposal to improve the cross-border GDPR enforcement was welcomed by all — EDPB and EDPS, and both trade and consumer representatives — but each side has remaining concerns.
Industry associations and think tanks, such as DigitalEurope, Bitkom and the Centre for Information Policy Leadership, found the proposal, in its current state, may undermine the lead authorities' role and responsibilities necessary to maintain functioning of the one-stop-shop mechanism. To ensure strong confidentiality provisions, they suggested considering rules from other areas of law, like competition, and introducing sanctions or liability for breaches. They also called for clearer rules on amicable settlements, the need to improve and harmonize rules regarding the right to be heard and ensure its availability to all parties throughout the procedure. While recognizing the need to resolve cases in a timely manner, they highlighted the importance of maintaining proportionate deadlines, considering the complexity of the case and the stage of procedure.
BEUC, the European Consumer Organization, is rather skeptical about the proposed regulation's ability to improve cross-border enforcement of the GDPR. According to BEUC, the proposed amendments are not substantial enough and lack binding administrative procedures to lead to stronger complainants' rights. The BEUC recommends consumer organizations receive the same procedural rights as defendants.
Max Schrems' noyb shares the skepticism. Both BEUC and noyb identify that the proposal may aggravate consumers' position by providing extensive rights to be heard and access to case information only to companies. BEUC started two major GDPR enforcement cases against Google — regarding location data tracking practices and pushing users to extensive data sharing — in recent years and is still awaiting results.
In September, the EDPB and EDPS provided their Joint Opinion with various recommendations. Among others, they suggested current admissibility and preliminary vetting rules impose unnecessary barriers and may not lead to sufficient clarity and harmonization. They recommend further improving the cooperation procedure and consensus finding among data protection authorities to avoid possible disputes at a later stage and overburdening the lead authority.
MEP Lagodinsky is expected to release his draft report for Parliament's Committee on Civil Liberties, Justice and Home Affairs in the coming weeks. As the file is moving through the legislative process, it remains to be seen whether it will result in any substantial changes to the proposed version of the regulation and whether the file will be wrapped up before the European elections in June.
Other updates:
- IAPP Westin Fellow Luke Fischer explores details of the EU e-evidence package and its facilitation of government access to privately-held data across jurisdictions.
- To receive invitations and reminders about IAPP KnowledgeNets organized in your region, do not forget to choose your KnowledgeNet Chapters. After logging-in to your IAPP account, proceed to your profile, where (after scrolling down a bit) you will be able to make the necessary selections. Don't forget to save your preferences. KnowledgeNets, exclusively available to IAPP members (for free), are thematic regional meetings during which you can meet other privacy pros in your area and discuss the latest privacy developments.