Position paper: GDPR enforcement done right
EDRi and Access Now have co-drafted a position paper on the EU Proposal for additional procedural rules concerning the General Data Protection Regulation (GDPR).
This position paper responds to the acknowledgment within the data protection community that the full potential of the landmark European Union (EU) data protection law, the GDPR, has yet to be fully realised. The GDPR is a vital instrument to protect people’s rights – not only to data protection, but to other fundamental rights that can be unduly limited by the unlawful processing of their data.
Specifically, this paper addresses the challenges posed by cross-border and national procedures, which often become cumbersome and excessively lengthy, failing to yield positive outcomes and presenting significant hurdles for people seeking to regain control over their information.
There is an urgent need to enhance legal certainty and prevent actions that undermine the effectiveness of and trust in GDPR enforcement.
While recognising that the European Commission’s Proposal to strengthen GDPR enforcement is a significant opportunity, this paper also acknowledges the text’s insufficiencies. As such, we present recommendations aimed at guiding inter-institutional negotiations to shape a Regulation that truly ensures efficient and rights-respecting GDPR enforcement.
These recommendations are focused on the need for clear rules and deadlines for all involved DPAs and parties, with a key aim of fostering transparency and accountability within the regulatory framework.
Recommendations
- The Proposal should have harmonised both cross-border and national procedures. At this stage, co-legislators should at a minimum ensure the full harmonisation of cross-border procedures, thereby clearly addressing and governing conflicts of law through the establishment of minimum standards and the equivalence principle.
- The right to lodge a complaint should be fully harmonised for both national and cross-border complaints and the Regulation should provide common standards on how to file and treat a complaint;
- Data subjects should be provided with clear information on how to exercise their right to lodge a complaint in any official European Economic Area (EEA) language of their choosing.
- Equal rights to be heard should be guaranteed to both parties throughout the entire complaint procedure.
- Both parties should continuously be granted access to documents pertaining to the cases. The Regulation should mandate the creation of a Joint Case File to facilitate this access;
- Any limitation to the right to access files should be justifiable only if the restrictions are strictly necessary and proportionate;
- The Regulation should not permit the party under investigation to exploit confidentiality in order to undermine the rights of the complainant.
- The Regulation should guarantee that a reasoned decision is consistently provided to the parties within a reasonable time-frame;
- The Regulation should grant parties the right to judicial remedy when Supervisory Authorities (SAs) fail to act within a reasonable time;
- SAs must keep parties updated and informed regarding the progress of the case;
- The Regulation should reflect that amicable settlements are mutual agreements reached between the complainant and the party under investigation, with consensus from all parties involved.
- There is a necessity for enhanced early cooperation among SAs, with a focus on making collaboration more immediate and closely knit;
- Cooperation should be all-encompassing, spanning across all cases, and discretionary pre-eminent powers should not be granted to Lead Supervisory Authorities (LSAs);
- The exchange of information plays a pivotal role in fostering cooperation, which would be improved by the above-mentioned establishment of a Joint Case File;
- Cooperation should also be actively promoted between SAs and other pertinent Member States or EU institutions, especially the European Data Protection Supervisor (EDPS);
- The European Data Protection Board (EDPB) should assume a more central and expanded role beyond the specific actions outlined by the GDPR, in order to sufficiently regulate the new stages of the procedure.
- The five stages of the procedure should be marked by deadlines, primarily imposed on LSAs. These deadlines could be extended in the presence of justification, especially in the context of highly complex cases. For less intricate cases, the overall duration will be restricted, ensuring the rights of the parties are not compromised. See suggestions for deadlines in Section 8.