The European Union executive on Tuesday presented a new law that would require European privacy regulators to share more information upfront in major privacy cases and more often settle such cases out of court — in an effort to speed up how its General Data Protection Regulation (GDPR) is enforced.
The European Commission suggested a set of new rules to speed up cross-border cases like the ones against Meta, Google, Amazon and others that the bloc’s privacy regulators have finished in past years, as POLITICO previously reported Monday. The draft rules include sharing information earlier on to avoid last-minute haggling between authorities and nudging them to avoid litigation in court. Authorities are also asked to broadly keep investigations confidential to protect the process.
“The GDPR is well enforced but we can do better,” Justice Commissioner Didier Reynders said today. “We’ve seen many fines, but sometimes it’s complex and long,” he said, referring to the almost €4 billion in fines imposed since the law came into force in 2018.
Under the GDPR, cross-border investigations are conducted by the national data protection authority of the country where a company has its European headquarters. Many activists, experts and some data protection agencies have criticized the GDPR’s enforcement system for its inefficiencies, blaming a system that gives the Irish — and to a lesser extent the Luxembourgish — privacy authority the reins over cases against Big Tech companies.
The Irish Data Protection Commission (DPC) in past months heavily pushed back against the criticism and imposed several billion euros’ worth of fines, mostly on Facebook’s parent company Meta, since the GDPR came into force.
The Irish privacy watchdog even took the European Data Protection Board (EDPB) — the pan-EU body of privacy regulators that coordinates complex privacy decisions — to the EU’s top court, alleging it overstepped its remit by compelling Dublin to further investigate cases on WhatsApp, Facebook and Instagram.
The EDPB also asked the Commission to intervene last year, arguing that a patchwork of conflicting national rules for several key investigative steps hindered cooperation among regulators.
Now, the Commission wants a lead authority to share a “summary of key issues” after a preliminary investigation with other national regulators, allowing the latter to comment on the scope of the investigation and the EU-level EDPB group to arbitrate early on in case of disagreement. That would help ease tensions and avoid hard-ball negotiations between different national regulators later on.
Complainants and defendants would also get new rights at different stages of an investigation and complaint. But both activist groups and Big Tech lobby groups criticized the draft law for effectively restricting their involvement in cases, including by limiting access to documents from a complainant.
“This is fundamentally shifting a procedure about the rights of users to a procedure about the rights of companies,” said privacy activist Max Schrems, a key complainant behind some of Europe’s most important privacy investigations.
Reynders suggested the Commission steered clear of tougher reforms of the law, saying it didn’t want to “open the Pandora’s box.” The EU underwent a massive and controversial lobbying campaign when the GDPR was being drafted in 2013-2016.
The Commissioner added that a separate review of the EU’s privacy rulebook is now expected for May 2024. “It will be an opportunity maybe to reinforce again and again the way to work with the GDPR and we will see if it’s possible to have other discussions,” Reynders said.
The European Parliament and EU Council representing the 27 EU governments now have less than a year to discuss and finalize the draft new rules for GDPR enforcement, with European Parliament elections on the horizon in June 2024.