Reforming GDPR enforcement is easier said than done
23 June 2022 12:54 by Sam Clark, Matthew Newman, Nicholas Wallace
The first serious proposals to change the EU’s General Data Protection Regulation emerged last week, but the path to viable enforcement reform is a tricky one.
Wojciech Wiewiórowski, the European Data Protection Supervisor, said at a Brussels conference* last week that enforcement of the GDPR against Big Tech is failing, and called for a more centralized approach.
He thus became the first senior official to acknowledge a point of failure in the EU’s landmark privacy law, although the signs have been there for some time: MLex first predicted the failure of the “one-stop shop” mechanism for cross-border cases, which include most Big Tech enforcement, more than two years ago.
The mechanism requires cross-border cases to be handled by the national regulator where the target company has its EU headquarters. That has placed a huge burden on the Irish Data Protection Commission in particular, which is struggling with the workload and has been accused by some activists of going soft on the tech giants (a charge it denies).
For all the undoubted success of the GDPR, which has inspired privacy regulation around the world, its failure to land a glove on the companies that should arguably be its main target risks becoming an embarrassment for the EU.
But if identifying the problem is easy enough, solving it is not.
One apparently obvious solution — to centralize GDPR enforcement with the European Commission, in the style of antitrust law — falls down because the GDPR deals with citizens’ fundamental rights; these must be overseen by an independent regulator, which the commission is not.
Wiewiórowski said he unequivocally does not want to water down the rights contained in the GDPR, which appears to rule out that option.
EU justice commissioner Didier Reynders said last week that enforcement shouldn’t be entirely centralized, even with an independent regulator, because it’s important for individual citizens to have recourse to a local enforcer, rather than an office in Brussels.
Clearly, though, that logic stumbles when it comes to the one-stop shop. For someone in Warsaw with a complaint against Facebook, an office in Dublin is no less remote than one in Brussels.
Wiewiórowski’s proposal is to bulk up the European Data Protection Board, the umbrella body of national regulators that already has a role in one-stop shop cases when they are disputed.
He suggested introducing a new litigation chamber, an approach already used by the French and Belgian regulators. This would function as a dedicated, expert body within the EDPB, MLex understands.
But giving this body any meaningful power runs into a procedural problem: the EDPB is not a full-blown regulator. It is empowered to adjudicate in cases which reach the dispute resolution mechanism, but not to investigate and enforce in the same way as a national authority.
If Wiewiórowski wants the EDPB to have the power to take on cases at an early stage and become more like a regulator, the GDPR will probably have to be formally reformed, experts say.
That is an eventuality that Wiewiórowski wants to avoid. “The EDPS is not proposing to reopen the discussions on the substance of GDPR and is not, and never will be, endorsing any attempts to weaken its principles,” he said.
But the law can’t be reopened only for procedural reform. It would also be exposed to proposed changes to its substance, with all the attendant political and lobbying complexities that implies. As Reynders put it last week, “it will be a Pandora's box to try to open a real discussion about the content of the GDPR.”
The EDPB is currently analyzing existing procedural obstacles that are impeding cross-border cases, and it expects to present ideas to the European Commission later this year, MLex understands. But any meaningful progress will probably require the reformist camp to get creative with the EDPB’s existing powers.
There are several avenues that reformers could pursue based on the provisions of the GDPR, experts say.
Article 64 of the GDPR states that any data protection authority, the chair of the EDPB, or the European Commission can “request that any matter of general application or producing effects in more than one member state be examined by the [EDPB] with a view to obtaining an opinion,” under certain conditions.
Article 64 is yet to be used, but presents a clear, existing route to more involvement by the EDPB.
Article 65 — the dispute resolution mechanism cited as a sticking point — could also form part of the EDPB’s more central role. At a meeting in Vienna in April, the board’s members agreed to “streamline” Article 65, meaning it could make decisions via that mechanism more quickly.
Article 66 contains the GDPR’s “urgency provision,” which could serve the same function. Under this rule, national authorities can request an urgent opinion or urgent decision from the EDPB. It has been used a handful of times since the GDPR came into force four years ago, in each case on Big Tech decisions made by the Irish regulator that had descended into deadlock in the EDPB’s dispute procedure.
The EDPB will come up with “strategic” cases for better cooperation based on the "number of people affected, common recurring problems that we see in each country and the impact of certain players on data processing," Marie-Laure Denis, president of France’s data protection authority, said in a recent interview.
All of these options still place the EDPB as second fiddle to national enforcers, which are endowed with judicial-style evidence-gathering and investigatory powers. It remains to be seen whether they can stem the fundamental issues arising from the GDPR’s decentralized enforcement model.
Whatever the route to change, it is now in the public domain that one of the most senior and influential EU data protection figures does not think that GDPR enforcement is working, at least against Big Tech.
Through some creative interpretation of existing provisions, and perhaps a few amendments to the EDPB’s rules of procedure — a simpler task than reforming the law — the EDPB could be given a bigger role; but it could not be the full-blown centralized enforcer that Wiewiórowski appears to envision.
EU regulators and legislators might pursue both paths sequentially: small-scale changes based on existing GDPR provisions at first, and possible full-scale reform in the longer term. People involved agree that any reform wouldn’t happen until the next EU administration comes into power, in 2025.
The battle for effective GDPR enforcement will continue for years to come; Wiewiórowski just fired the first shot.
*EDPS 2022, The future of data protection: effective enforcement in the digital world, Brussels, June 16-17, 2022