On 4 July 2023, the European Commission presented its proposal for a regulation to clarify the purely procedural rules of the GDPR in those cases where the data protection request goes beyond national territory and lands, more often than not, in Ireland, or in any case in another European country where the contested company is based.
There is no hiding the fact that the complaints collected by the Commission in its periodic review of the GDPR, required by law every four years, have concerned precisely the bottleneck that Ireland seems to be: almost all the big companies have established their headquarters there, and this circumstance entails enormous delays, both in investigations and in decisions.
The purpose of the proposed update is to streamline and clarify the procedure, despite the fact that the Privacy Regulation already prescribes that the lead authorities must co-operate and, where possible, delegate (even in the investigation phase) to the national authorities involved.
Illustration through example
As an example, Ireland, after a report from Italy, France and Germany, will, at the beginning of the procedure, have to provide those countries with a summary of the main points of fact and law that will be investigated, together with its own preliminary considerations, including those concerning possible remedies that it would like to request. In this way, the other authorities can immediately form an idea and agree or disagree with their Irish colleague. If this consensus is not reached, then the matter will proceed before the European Data Protection Board (EDPB), as has already happened in the past for some Meta and Twitter cases, where all Supervisors are called upon to have their say. In the case of the two social networks mentioned, the move to the EDPB led to a substantial increase in sanctions.
“If the slowness of the procedures was a frequent complaint from civil society and data subjects, companies (the data controllers) complained about a lack of right to be heard.”
In all those cases where a proceeding has gone before the EDPB, the parties, both the data subject and the data controller, had no right to be heard by the EDPB. This is no small matter as the decision of the EDPB is binding on the national authority. Today, in big tech cases, once the procedure ends before the EDPB, none of the parties has a real right to intervene. This is why the companies involved complain about the oddity of having reached an agreement with their own competent authority, which was then overturned by the EDPB’s ruling, in which they could not make their case heard. While it is therefore right and sacrosanct for the EDPB to intervene, and at the same time to avoid distortions in some jurisdictions (long delays, inappropriate sanctions), it is equally necessary that, before the EDPB makes a ruling, the parties can be heard. This would therefore be a step forward if it were not for the fact that, at the moment, the text proposed by the Commission provides only one week to read the EDPB’s preliminary reasoning and present counter arguments.
Among the other novelties proposed, in addition to more certain procedures, including in the submission of the complaint by the data subjects who, in international cases, will have to follow a uniform pre-established form, there is also the explicit recourse to amicable solutions between the parties. Should the parties reach an agreement, the proceedings will be discontinued.
On a positive note, the powers of the national DPAs will not be affected; on the contrary, they urgently need to be strengthened in terms of staffing and competence, given the new emerging challenges of artificial intelligence.