The European Commission has proposed to make surgical changes to the bloc’s landmark data privacy legislation.
It also enshrined in law the now-famous “right to be forgotten,” which citizens can invoke to permanently delete their data from a company’s register.
But five years after its entry into force, the legacy of the GDPR is far from immaculate.
Government bodies, the private sector, privacy advocates and civil society organisations have all raised concerns about how the legislation is being enforced, including the hefty fees required to file a case, the divergent procedures among member states and the protracted waiting times for resolution.
Another long-running point of controversy is the relation between the data protection authorities (DPAs) of each member state.
“In five years we can count over 711 final decisions that have been taken by data protection authorities. This clearly shows that the GDPR is well enforced. But we can do better,” Didier Reynders, the European Commissioner for Justice, said on Tuesday.
Under the GDPR, enforcement falls on the authority of the country in which the company has set up its European headquarters. The vast majority of GDPR cases have a nationwide dimension and involve only one single DPA.
However, in certain instances, the infringement has a cross-border nature and several authorities are called to weigh in. This collaboration has often proven fraught and convoluted, leading to delays and litigation to the detriment of plaintiffs.
Special attention has been paid to the Irish DPA, which has to deal with the most high-profile cases given the abundance of Big Tech companies present in Ireland.
Earlier this year, a disagreement between the Irish DPA and other national authorities forced the intervention of the European Data Protection Board (EDPB) in a case against Meta, which resulted in a record-breaking fine worth €1.2 billion.
In a bid to address these persistent tensions, the European Commission has put forward a regulation that introduces a targeted reform of the GDPR’s rules of procedure, with a focus on cross-border lawsuits.
The proposed obligations will compel the leading DPA to bring on board the authorities from other concerned countries in the early stages of the process so as to collectively discuss the substance of the case, including its legal scope, the potential breaches, the collection of evidence and the technological assessment.
This communication line, the Commission says, will facilitate consensus and help address disputes before they spiral out of control. The new rules will harmonise the requirements for the admissibility of cross-border cases and guarantee citizens are equally treated in all member states, regardless of their nationality.
In other words, work closer to work better.
“What we try to do here is to have better enforcement of the GDPR through common rules in cross-border cases, to harmonise the different rules at a national level and to ensure that it’s possible to react earlier than now because now, sometimes, it (takes) very long to organise the process till the final decision,” Reynders said.
The Commissioner refuted calls for a full-blown revision of the law, arguing the time was not ripe to have such a conversation between the EU co-legislators, and defended the principle of the country of origin, which allows citizens to directly reach out to the DPAs in their native language.
The GDPR is a “very young child,” Reynders said. “It’s been five years and we need to continue to see how it’s possible to enforce better and better the GDPR.”
“For the moment we don’t want to reopen Pandora’s box,” he added.
But it might be a matter of time until Brussels realises that the GDPR requires a centralised entity on top of the national DPAs to effectively hold Big Tech accountable, says Alexandre de Streel, the director of the digital research programme at the Centre on Regulation in Europe (CERRE).
“This reform is a step in the right direction, but it will probably not be enough,” de Streel told Euronews in an interview. “For Big Tech – those firms that are present globally – you need to have a European regulator. It cannot just be only the country of origin doing the task for all Europeans.”
The failures of GDPR enforcement, de Streel said, had an obvious influence on the regulation that came after 2018, such as the Digital Services Act (DSA) and the Digital Markets Act (DMA), both of which bestow upon the European Commission the ultimate role of supervisor.
The emergence of AI-powered chatbots, which are trained with vast troves of data to self-learn new tasks, further reinforces the need for a comprehensive overhaul, the academic added.
“The country-of-origin principle was created for small companies that wanted to upscale in the international market, not for companies that have already scaled up, This is the big misunderstanding,” de Streel said, referring to giants like Meta, Apple, Amazon, Google and TikTok, whose market value vastly exceeds Ireland’s GDP.
“You cannot rely on Ireland to be the judge of all Europe.”
