On Thursday, MEPs and guest speakers took stock of General Data Protection Regulation (GDPR) implementation, after it has been in force for almost four years.
In the hearing chaired by Civil Liberties Committee Chair Juan Fernando López Aguilar, MEPs and experts discussed current issues in three thematic panels.
Data subjects’ rights
Starting the first panel, Ursula Pachl (Deputy Director General, European Consumer Organisation BEUC) described the GDPR experience as mixed from a consumer protection perspective: consumer and business awareness of privacy has been raised, but some business practices remain questionable. For example, companies may not offer transparent information, may not respond to access requests, and rarely offer a right to portability. She also highlighted issues on dark patterns, or practices that manipulate the user to impact their choices. Pachl recommended making the one-stop-shop mechanism more flexible, having companies embrace privacy by design instead of declarations that users may not read, and encouraged the European Parliament to draft a strong Artificial Intelligence Act to complement data protection rules.
Vodafone Global Privacy Officer Mikko Niva argued that the GDPR has been a success in putting privacy on the agenda of businesses and boardrooms. Niva said that there are complexities and clarity issues in the framework, which risks making privacy only clear to experts. He cited the definition of private data, the practical application of portability and the scope of data erasure as factors that may cause issues to organisations.
Sophie Genvresse from the French Data Protection Authority (CNIL) said that the rising number of requests from citizens shows that people are now more aware of their right to data protection. However, organisations may not be aware of their rights and obligations. Identifying the party responsible for data processing may be problematic, and there are issues around the proper treatment of requests and complaints: citizens sometimes feel that the issues they raise are not treated thoroughly and transparently.
Following questions from MEPs, Genvresse argued that revising the GDPR would risk harming the rights that citizens now have, and instead, attention should be focused on enforcement. At the same time, the GDPR is a world-first concept, and we are still in the early days of implementing it, she argued.
After the first round of presentations, MEPs argued that people may not feel that they have the rights conferred by the GDPR due to complex processes and a lack of harmonisation. They also criticised the non-dissuasive fines that only represent a small amount of the earnings of tech companies. Additionally, MEPs asked about practical solutions for harmonisation, for example a single EU template for complaints.
Enforcement and collaboration
In the second panel, Mar España Martí (Director of the Spanish Data Protection Authority, AEPD) said that the GDPR is generally successful in responding to the challenges of today. However, national administrative procedures are not sufficiently harmonised, and national Data Protection Authorities (DPAs) lack resources, human and financial, to respond to all claims. She also raised the issue of European legislation that the national authorities do not learn about in advance, even though it impacts them, and may even grant them new competences. National DPAs should be notified in advance through the European Data Protection Board (EDPB), she argued.
Tobias Judin from the Norwegian Data Protection Authority (Datatilsynet) said that national authorities are still adjusting to changes brought by the GDPR. Although the resource situation is challenging, the authority wants to both treat large, systemic cases, and at the same time respond to all requests properly. For the authority, fragmented enforcement is a problem: Datatilsynet is competent to enforce the GDPR, but not the ePrivacy regulation, and the upcoming AI Act could aggravate this problem, said Judin. He found that the one-stop-shop mechanism is currently working well in the majority of cases, but less so in cases that impact all of the EU single market.
Gwendal le Grand from the EDPB highlighted the Board’s role at the centre of the current enforcement scheme. Its secretariat is facing a steep rise in its workload, and requests to access documents are rising as well. With its current initiatives, the EDPB continues to promote a common European enforcement culture and boost the collaboration of different authorities. When expertise is shared, the national authorities can investigate issues efficiently and establish priorities, said le Grand.
Gloria González Fuster, Research Professor at Vrije Universiteit Brussel, described problems with enforcing rights granted by Article 78 of the GDPR, notably the right to a judicial remedy against a supervisory authority. Because citizens don’t know if their complaint is currently being processed, they are in limbo and cannot enforce their rights, she said. At the same time, complaints may be rejected on spurious grounds, for example because of missing attachments.
Commenting on enforcement issues, MEPs spoke in favour of independent national data protection authorities with sufficient resources, and asked how they make case prioritisation decisions.
Significant and cross-border cases
Kicking off the third panel, Maximilian Schrems (Honorary Chairman, European Center for Digital Rights NOYB) argued that procedural issues are currently the main problem for cross-border cases. He described issues with the availability and responsiveness of some data protection authorities. At the same time, the scope of complaints is defined differently across Europe: for example, in Austria, it is defined by the complainant, and in Ireland, by the national authority. Commenting on the one-stop-shop, Schrems argued that the mechanism is undermined by national authorities that do not participate in it with goodwill, for example by withholding evidence and documents. Also, some authorities are more transparent than others, publishing many more documents annually with the same operating budget. Efficiency can be an important factor alongside resources, argued Schrems.
Maria Magierska (PhD Researcher at the European University Institute) highlighted the importance of cross-border cases as a showcase of the GDPR framework in practice. While most national authorities want to collaborate, some problems remain, she said. The current collaboration mechanism is designed in a way that relies on authorities willing to cooperate, and it is problematic that the GDPR provides for no deadline for draft decisions – which sometimes take years to arrive. Magierska called for introducing deadlines, and pointed out that some tools provided by the GDPR, such as joint operations or enforcement, are currently not being used.
Representing the European Commission’s DG JUST, Olivier Micol argued that the one-stop-shop currently works, and pointed out that the co-legislators decided to keep enforcement of the GDPR on the national level. He highlighted the EDPB’s recently-published guidelines for cross-border collaboration as an important step. Micol pointed out that different national authorities have different challenges: some of them deal with larger and better-resourced companies, which will challenge decisions in court. The Commission has already launched four infringement cases as part of the implementation effort, said Micol.
In their reactions, MEPs asked what kind of deadlines should be introduced for decisions, which technical solutions could improve case-handling, and what the impact of the CJEU’s recent ruling on the one-stop-shop is. At the same time, they would like to see the Commission take a more active role in enforcing the law, instead of private actors and NGOs.
Closing the hearing, DG JUST Director-General Ana Gallego welcomed the debate on improving GDPR enforcement. She stated that the GDPR has had a real impact on citizens’ rights, and is being properly implemented and enforced. Enforcement also happens in national courts, as laid out in the regulation. Gallego underlined the importance of smooth collaboration between national authorities.
You can re-watch the hearing in the Parliament’s Multimedia Centre.