Council’s General Approach on GDPR Procedural
EDRi acknowledges the Council’s positive steps in their General Approach on the Proposal for additional procedural rules concerning the GDPR. Nevertheless, we emphasise the pressing need for enhanced legal certainty and the prevention of actions that could compromise the effectiveness of GDPR enforcement and erode trust, particularly concerning the protection of fundamental rights.
The Justice and Home Affairs (JHA) Council is composed of justice and home affairs ministers from all the EU member states. In their meeting on 14 June, they will announce that the EU Council has reached a so-called General Approach on a proposal to improve the enforcement of the General Data Protection Regulation (GDPR).
EDRi welcomes the advancements of this document, which represents a commendable endeavour to realign the flawed Commission’s proposal. Despite its somewhat convoluted text, probably a consequence of the Belgian presidency’s rushed approach, it strives to tackle crucial issues such as:
- Setting deadlines to prevent the long and tortuous processes we currently have,
- Limiting the excessive margin of manoeuvre of certain data protection authorities (DPAs) and empowering others, as well as enhancing their early cooperation
- Acknowledging the existence of varying case complexities, and,
- Affirming the rights of the parties, although there is room for improvement.
The EU Council, Commission and Parliament have to negotiate the final text before the law enters into force. As the text proceeds to inter-institutional negotiations, it will become imperative to address the practical realities of enforcement on the ground and how this materialises in people’s trust in the legal framework, uphold the foundational principles and ethos of GDPR, and integrate the latest pertinent CJEU case law.
In our position paper, EDRi and Access Now argue that while the GDPR has made strides, its full realisation is yet to be achieved. The future Regulation needs to comprehensively address the challenges posed by cross-border and national procedures, which often become cumbersome and excessively lengthy, failing to yield positive outcomes and presenting significant hurdles for people seeking to regain control over their information.
Our main points of concern fall onto:
- the potentially limited scope of complaint investigation
- the ambiguity regarding the necessity for a decision (even if negative)
- the requirement for ‘amicable settlements’ to be mutually agreed upon rather than potentially imposed by the supervisory authority
- the significance of enabling complainants to voice their opinions regardless of whether the decision affects them ‘adversely’ or not.
There is an urgent need to enhance legal certainty and prevent actions that undermine the effectiveness of and trust in GDPR enforcement. To achieve this, we present recommendations aimed at guiding inter-institutional negotiations to shape a Regulation that truly ensures an efficient and rights-respecting GDPR enforcement.
Recommendations
- The Proposal should have harmonised both cross-border and national procedures. At this stage, co-legislators should at a minimum ensure the full harmonisation of cross-border procedures, thereby clearly addressing and governing conflicts of law through the establishment of minimum standards and the equivalence principle.
- The right to lodge a complaint should be fully harmonised for both national and cross-border complaints and the Regulation should provide common standards on how to file and treat a complaint;
- Data subjects should be provided with clear information on how to exercise their right to lodge a complaint in any official European Economic Area (EEA) language of their choosing.
- Equal rights to be heard should be guaranteed to both parties throughout the entire complaint procedure.
- Both parties should continuously be granted access to documents pertaining to the cases. The Regulation should mandate the creation of a Joint Case File to facilitate this access;
- Any limitation to the right to access files should only be justifiable only if the restrictions are strictly necessary and proportionate;
- The Regulation should not permit the party under investigation to exploit confidentiality in order to undermine the rights of the complainant.
- The Regulation should guarantee that a reasoned decision is consistently provided to the parties within a reasonable time-frame;
- The Regulation should grant parties the right to judicial remedy when Supervisor Authorities (SAs) fail to act within a reasonable time;
- SAs must keep parties updated and informed regarding the progress of the case;
- The Regulation should reflect that amicable settlements are mutual agreements reached between the complainant and the party under investigation, with consensus from all parties involved.
- There is a necessity for enhanced early cooperation among SAs, with a focus on making collaboration more immediate and closely knit;
- Cooperation should be all-encompassing, spanning across all cases, and discretionary pre-eminent powers should not be granted to Lead Supervisory Authorities (LSAs);
- The exchange of information plays a pivotal role in fostering cooperation, which would be improved by the above-mentioned establishment of a Joint Case File;
- Cooperation should also be actively promoted between SAs and other pertinent Member States or EU institutions, especially the European Data Protection Supervisor (EDPS);
- The European Data Protection Board (EDPB) should assume a more central and expanded role beyond the specific actions outlined by the GDPR, in order to sufficiently regulate the new stages of the procedure.
- The five stages of the procedure should be marked by deadlines, primarily imposed on LSAs. These deadlines could be extended in the presence of justification, especially in the context of highly-complex cases. For less intricate cases, the overall duration will be restricted, ensuring the rights of the parties are not compromised. See suggestions for deadlines in Section 8.
