Brussels, BELGIUM – The European Commission needs to address significant shortcomings in the way EU cross-border data protection cases are being handled right now, the Computer & Communications Industry Association (CCIA Europe) cautions.
In comments filed to a Commission consultation today, CCIA Europe urges the EU executive arm to fix the most urgent deficiencies in the enforcement of the EU General Data Protection Regulation (GDPR) as part of the new procedural rules expected later this year.
CCIA calls on the Commission to explicitly recognise the fundamental rights of defendants in cross-border proceedings, particularly when (national) supervisory authorities cannot reach a decision and the case is escalated to the European Data Protection Board (EDPB).
Among others, the Commission should grant companies an explicit right to appeal binding EDPB decisions that directly impact them. This comes after a recent EU General Court ruling eliminated defendants’ appeal rights and judicial review of such decisions.
CCIA Europe also expresses significant concerns regarding the inconsistent adherence to the right to a fair hearing in cross-border cases, both at national and EDPB levels.
Should the EU Court of Justice authorise national competition bodies or other authorities to examine companies’ GDPR compliance, detailed rules need to set out how those authorities should cooperate in order to prevent enforcement fragmentation across the EU. CCIA’s submission also includes fixes to speed up the resolution of clear-cut cross-border cases.
The following can be attributed to CCIA Europe’s Public Policy Director, Alexandre Roure:
“Five years after the GDPR came into force, the enforcement of the EU’s main data protection regulation shows significant shortcomings. It raises serious concerns when defendants’ most basic rights are being undermined, such as the right to appeal an EDPB decision affecting them and the right to a fair hearing.”
“The European Commission should also prioritise preventing inconsistent GDPR enforcement, especially in those cases in which national authorities responsible for enforcing other laws than data protection are now suddenly authorised to verify companies’ compliance with the GDPR.”
“The absence of detailed rules on how exactly competition enforcers and other authorities should cooperate with data protection bodies in GDPR cases could lead to an unprecedented level of fragmentation. This, in turn, jeopardises companies’ data processing practices and exposes them to potentially unsustainable liability.”
Notes for editors
In case C-252/21, Advocate General Rantos recently advised the EU Court of Justice to grant any authority – beyond data protection supervisory authorities – the power to examine the compliance of a company’s practices with the GDPR. The EU Court of Justice tends to follow the Advocate General’s non-binding opinion, and is expected to issue a ruling later this year.
