Brussels, BELGIUM – In order to speed up cross-border enforcement of the General Data Protection Regulation (GDPR), the European Commission presented a new set of rules today. Minor improvements aside, GDPR’s most pressing procedural shortcomings remain unaddressed.
The Computer & Communications Industry Association (CCIA Europe) agrees that clarifications are needed to improve cooperation between national privacy authorities in cross-border cases. Yet, it is disappointing to see that the proposal lacks the ambition to address the gravest deficiencies in a meaningful way, especially considering that some of defendants’ most basic rights continue to be trampled.
The new enforcement rules for Europe’s privacy framework aim to harmonise existing national practices and laws, for example by giving defendants the right to a fair hearing before a decision is taken by a national data protection authority (DPA) or the European Data Protection Board (EDPB).
However, whenever national authorities cannot reach a decision and escalate the case to the EDPB, companies will only have one week (two weeks in limited cases) to respond to new allegations or alleged evidence brought forward by the EDPB. This is particularly worrying, as it leaves insufficient time for any defendant to respond to additional evidence or new interpretations of the law, which are increasingly introduced only once the case is in the EDPB’s hands.
What is more, companies are still not granted the right to appeal binding EDPB decisions, even not when they directly affect them. Not recognising this fundamental right of defendants in EDPB proceedings goes against very basic legal principles, CCIA Europe warns.
The Commission also proposes involving data protection authorities from multiple EU countries in a preliminary (national) investigation at a very early stage, as well as deadlines for authorities to handle cross-border cases. At the same time, the proposal does not provide any mechanism to prevent inconsistent enforcement when authorities other than data protection agencies are investigating GDPR infringement claims for their own purposes.
Earlier today, the Court of Justice of the European Union (CJEU) ruled that competition authorities now also can have a say in GDPR enforcement.1 The absence of a robust cooperation mechanism addressing this issue and the involvement of various DPAs early in the process, risk severely undermining GDPR’s “one-stop-shop” mechanism and thus further fragmenting enforcement.
Indeed, when the Commission proposed the GDPR over a decade ago, one of its main selling points was the introduction of a single point of contact in the EU, with the DPA of the complainant’s or defendant’s country providing a one-stop-shop solution for enforcement-related matters.
The European Parliament and Member States are due to review the proposal in the coming months.
The following can be attributed to CCIA Europe’s Public Policy Director, Alexandre Roure:
“After five years of GDPR enforcement, this Commission proposal makes some small steps towards improving cross-border procedures, but unfortunately it fails to address major shortcomings. We hope that the European Parliament and EU Member States will reinforce defendants’ most basic rights, including the right to appeal EDPB decisions against them and the right to a fair hearing within a realistic time frame.”
“EU lawmakers really must prioritise consistent enforcement of the GDPR and further strengthen the ‘one-stop-shop’ mechanism. This is more important than ever, given that in addition to the 27 data protection authorities, national authorities responsible for enforcing laws other than data protection now suddenly are also empowered to verify companies’ compliance with the GDPR.”
Notes for editors
1 In a Decision issued earlier this morning (C-252/21), the EU Court of Justice does not exclude the possibility for a competition authority – and potentially any authority other than data protection supervisory authorities – to examine the compliance of a company’s practices with the GDPR, subject to minimal cooperation with the competent data protection authority.