EU bodies agree: GDPR should be easier to enforce across borders

National data protection bodies must align on cross-border GDPR cases. A new process is coming, but Noyb sees it as weak and lacking proper oversight.


There are new rules for cross-border data protection procedures within the EU.

(Image: Oliver Hoffmann/Shutterstock.com)


Representatives of the EU Council, Parliament and Commission have agreed on a minor amendment to the General Data Protection Regulation (GDPR). This follows around two years of debate and several months of negotiations. The provisional agreement on a draft aims to improve cooperation between national data protection authorities in the enforcement of the GDPR in cross-border cases. This was announced by the Polish Council Presidency on Monday evening. According to the Presidency, the new rules simplify procedures, for example in connection with the rights of complainants and the admissibility of cases.

With its original proposal in 2023, the EU Commission wanted to resolve the "Ireland problem": the Irish data protection authority is seen by critics as a bottleneck in GDPR enforcement. The Data Protection Commission (DPC) in Dublin is the lead supervisory authority for big tech companies such as Google, Meta Platforms, Apple and X, which have their European headquarters on the island. Other data protection authorities in the EU cannot intervene directly with these companies.

In the European Data Protection Board (EDPB), the joint body of the supervisory authorities, disputes often arise over draft decisions by the Irish DPC, which trigger complicated and lengthy mutual agreement procedures. The Irish authority is then often outvoted. The EU legislators are now focusing on this point in particular to speed up processes.

Regardless of where in the EU a citizen submits a complaint in connection with cross-border data processing, admissibility will in future be assessed based on the same information, the Council Presidency explains. The reform harmonizes the requirements and procedures for hearing complainants in the event of a rejection and provides for common rules for participation in the procedure. The other party's right to be heard is "guaranteed in important phases of the procedure". Both sides will be able to view and comment on the preliminary results before the final decision is made.


An agreement on the amendment already appeared to be within reach in May, but the negotiators were still at odds over the deadlines to be set. They have now agreed on a total investigation period of 15 months, which can be extended by 12 months in particularly complex cases. Simple procedures involving cooperation between national data protection authorities should be completed within one year.

The negotiators also agreed on a mechanism for faster processing of complaints. It should enable the lead data protection authority to close a case before the EDPB has to be involved. This option would apply, for example, if an organization admits a breach of the law and accepts potential sanctions. To avoid lengthy discussions between different data protection authorities, consensus building is to be facilitated. For example, the lead authority must promptly send its colleagues in the EU a summary of the most important points of a procedure. A cooperation approach is also envisaged, which means that in simpler cases, not all additional cooperation obligations would have to be complied with.

The EU member states and the European Parliament still have to formalize and confirm the reform. Max Schrems from the data protection organization Noyb maintains his criticism that the amendment makes GDPR procedures "unenforceable" in practice. Enforcement of the standards risks being undermined by relatively long deadlines and complex procedures. The IT association CCIA Europe, to which many big tech companies belong, is dissatisfied for another reason: instead of reducing the bureaucratic burden, it believes that compliance with the GDPR is likely to become even more difficult for companies of all sizes. With a second project, the Commission wants to exempt companies with up to 749 employees from the GDPR documentation obligation. NGOs warn that the Commission is opening a Pandora's box.

(ds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.