Tech lobby fears the updated GDPR rules will increase abusive complaints and further slow lengthy procedures.
ADVERTISEMENTLawmakers are set next week (10 April) to approve rules under the EU's General Data Protection Regulation (GDPR) designed to ease cross-border cooperation between national data protection authorities.
The procedural rules, proposed by the European Commission in July 2023 as an addition to the GDPR, aim to ensure that privacy complaints involving several member states are resolved swiftly, and to give businesses more legal certainty. The rules also aim to give complainants as well as parties under investigation more rights in disputes.
Under the GDPR, which came into force in 2018, complaints are filed with national authorities and - in the case of EU-wide companies - are sent to the country of headquarters. For Big Tech companies, this is often Ireland, meaning that the Irish regulator deals with the majority of cases.
Limits
Companies fear that the new rules actually limit their rights, however, claiming that the defendant's involvement in cases is likely to be reduced.
Big Tech lobby CCIA Europe is worried that companies' rights would be undermined by the judgments of the European Data Protection Board (EDPB) – which brings all national EU privacy watchdogs together. In its response to the European Commission consultation, CCIA expressed its concern on the lack of scope for appeals of decisions, and rights of audience before the EDPB prior to settlement.
The European Parliament’s justice committee (LIBE) noted of the draft law that it aimed to reinforce rights for all parties: consumers, NGOs, and companies.
“It will also clarify issues such as translations of reports when they are sent between data protection authorities,” said MEP Jana Toom (Estonia/Renew) one of the lead lawmakers involved in the proposal.
However, DOT Europe, a trade association representing major online platforms, considered that the procedure would be prejudicial.
“DOT Europe has raised fundamental rights concerns here as well as highlighting the fact that the very structure and role of supervisory authorities, that of an investigating authority and not a judge-like neutral arbiter, does not correspond to what the parliament envisions,” the association said in a statement.
Confidential information
Companies are also concerned about the obligation to share confidential information with multiple actors, as the increasing competencies for national and European agencies cut against a one-stop-shop approach - in which cases are referred to the lead authority where the business is established.
According to CCIA this will “only lead to an increase in abusive complaints and further slow down already lengthy procedures.”
“Our hope also was that it would put to bed at least some of the rancour over how the GDPR has been enforced to date, and allow all of Europe's data protection authorities to get on with the very important work that they do on cross-border enforcement,” said Clare Daly (Ireland/The Left), shadow rapporteur for the Left.
Austrian privacy lawyer Max Schrems said his organisation NOYB had wanted the rules to offer more scope for citizens to be heard. “The commission’s approach [tilts] the already problematic balance of arms in data protection cases further towards companies. While citizens will only be heard in a minimal manner, the draft provides for ample rights for the companies: they are heard throughout the procedure and get access to the case files,” he said in a statement.
Jana Toom told Euronews that she expected the rules to be adopted in next week's plenary session (10 April), despite opposition from the centre-right EPP group.
GDPR review
The GDPR itself is also up for review this summer. A commission report will address how the rules have been applied until now. An earlier review carried out in 2020 found that, though national data protection authorities are working together under the European Data Protection Board (EDPB), there remained room for improvement.
The commission said that while one-stop-shop complaints have been filed, “more can be done to develop a truly common data protection culture.”
Data protection authorities themselves have often complained about the lack of resources to swiftly deal with complaints. In the case of the Netherlands, for example, the privacy watchdog receives more than 13,000 complaints every year, it said in its 2023 annual report, and has not enough capacity to look at them all.
In Ireland, the data protection authority said in its 2022 annual report that it concluded 17 large-scale inquiries, with administrative fines worth €1bn. Some two-thirds of the fines issued in Europe last year, including the EU, EEA and UK, were issued by the Irish watchdog.
ADVERTISEMENTAmong the biggest fines issued under the GDPR are a penalty of 1.2bn euro for Meta issued in Ireland and a 746bn euro fine for Amazon in Luxembourg. Both companies appealed.
