.svg)
The European Data Protection Supervisor (EDPS) has said it is high time to deliver on the promise of the General Data Protection Regulation (GDPR) and that it requires a pan-European enforcement model.
Speaking at the EDPS Conference 2022, Wojciech Wiewiórowski said data protection authorities must adopt a pan-European approach to ensure effective enforcement of people’s data protection rights.
“I see a sense of pride behind the GDPR and a sense of expectation that Europe will continue to lead in protecting digital rights. I also hope that certain promises of the GDPR will be better delivered,” Wiewiórowski said.
However, he added that “we are still not seeing sufficient enforcement".
The EU has been considered a benchmark-setter in terms of data protection legislation.
In recent years, however, it has emerged that the lack of strong enforcement hinders Europeans from effectively using their data protection rights.
“[It] is high time to deliver the promise of the landmark EU legislation that the General Data Protection Regulation (GDPR) is,” Wiewiórowski stressed.
“[W]e are still not seeing sufficient enforcement, in particular against bigtech,” he added.
Unequal burdens
One of the unintended impacts of the GDPR has been the huge compliance burden imposed on small and medium-sized enterprises (SMEs).
“Way too often, the GDPR puts its constraints on small entities, but spares the big ones,” the EDPS said.
Instead of levelling the playing field, the EDPS noted that big companies, due to their resources, can benefit from the lack of strong enforcement and “further expand their advantage over small competitors”.
It is also a common practice that individuals have to wait years to enforce their rights even in small and simple cases.
“With the plethora of new legislation, the so-called Digital Rulebook, the data protection framework is at risk of becoming an orphan of the EU law: a hope that once was but no longer is,” the supervisor noted.
In addition, cooperation between data protection authorities is facing challenges as procedural laws governing the enforcement of the GDPR are in the domain of the member states.
Although harmonisation might help to speed up enforcement, “it is by no means a silver bullet”, Wiewiórowski noted.
“For example, harmonising deadlines is hardly advantageous without a common understanding of what constitutes a final complaint decision,” he explained.
Instead, the EDPS called for a European data protection enforcement model to ensure “real and consistent high-level protection” of fundamental rights to data protection and privacy across the EU.
“I do not want a case against my local coffee shop in Gdańsk to be analysed by an office in Brussels. But, I would like the serious cross-border cases to be handled on a central level, on the basis of a simple and transparent procedure.”
For instance, key investigations, based on a certain threshold, could be conducted on a central level, and subject to direct scrutiny of the Court of Justice of the European Union.
“Therefore, overcoming potential issues stemming from incompatible national legislations or patchwork harmonisation attempts.”
Too late, too little
Wiewiórowski also noted that the involvement of the European Data Protection Board (EDPB) has been “too late, and probably too little”.
The role of the EDPB, composed of national data protection authorities, is to enhance the consistent application of data protection rules throughout the EU and promote cooperation between the EU's data protection authorities.
According to the supervisor, the interventions of the EDPB came too late, hence their impact was limited.
To address challenges around the lack of harmonisation, in April the EDPB agreed to enhance cooperation on strategic cases.
As part of this effort, national authorities agreed to identify a number of cross-border cases of strategic importance each year, for which they will set an action plan with a fixed timeline for cooperation.
This initiative has already taken shape in a cooperation agreement in early June, when authorities from France, Lithuania, Netherlands and Poland formed a working group to jointly investigate online clothing sales website vinted.com under a harmonised process.
Nonetheless, Wiewiórowski emphasised that "the commitment of the EDPB Vienna Statement last April is a first step, but many more steps will need to be taken in the future".
