EuroNews (English)

Lawmakers to approve updated GDPR rules despite companies' concerns

- Cynthia Kroet

Lawmakers are set next week (10 April) to approve rules under the EU' s General Data Protection Regulation (GDPR) designed to ease cross-border cooperatio­n between national data protection authoritie­s.

The procedural rules, proposed by the European Commission in July 2023 as an addition to the GDPR, aim to ensure that privacy complaints involving several member states are resolved swiftly, and to give businesses more legal certainty. The rules also aim to give complainan­ts as well as parties under investigat­ion more rights in disputes.

Under the GDPR, which came into force in 2018, complaints are filed with national authoritie­s and - in the case of EU-wide companies - are sent to the country of headquarte­rs. For Big Tech companies, this is often Ireland, meaning that the Irish regulator deals with the majority of cases.

Brussels pitches GDPR reform but without opening 'Pandora's box'


Companies fear that the new rules actually limit their rights, however, claiming that the defendant's involvemen­t in cases is likely to be reduced.

Big Tech lobby CCIA Europe is worried that companies' rights would be undermined by the judgments of the European Data Protection Board (EDPB) - which brings all national EU privacy watchdogs together. In its response to the European Commission consultati­on, CCIA expressed its concern on the lack of scope for appeals of decisions, and rights of audience before the EDPB prior to settlement.

The European Parliament’s justice committee (LIBE) noted of the draft law that it aimed to reinforce rights for all parties: consumers, NGOs, and companies.

“It will also clarify issues such as translatio­ns of reports when they are sent between data protection authoritie­s,” said MEP Jana Toom (Estonia/Renew) one of the lead lawmakers involved in the proposal.

However, DOT Europe, a trade associatio­n representi­ng major online platforms, considered that the procedure would be prejudicia­l.

“DOT Europe has raised fundamenta­l rights concerns here as well as highlighti­ng the fact that the very structure and role of supervisor­y authoritie­s, that of an investigat­ing authority and not a judge-like neutral arbiter, does not correspond to what the parliament envisions,” the associatio­n said in a statement.

Confidenti­al informatio­n

Companies are also concerned about the obligation to share confidenti­al informatio­n with multiple actors, as the increasing competenci­es for national and European agencies cut against a onestop-shop approach - in which cases are referred to the lead authority where the business is establishe­d.

According to CCIA this will “only lead to an increase in abusive complaints and further slow down already lengthy procedures.”

“Our hope also was that it would put to bed at least some of the rancour over how the GDPR has been enforced to date, and allow all of Europe's data protection authoritie­s to get on with the very important work that they do on cross-border enforcemen­t,” said Clare Daly (Ireland/The Left), shadow rapporteur for the Left.

Austrian privacy lawyer Max Schrems said his organisati­on NOYB had wanted the rules to offer more scope for citizens to be heard. “The commission’s approach [tilts] the already problemati­c balance of arms in data protection cases further towards companies. While citizens will only be heard in a minimal manner, the draft provides for ample rights for the companies: they are heard throughout the procedure and get access to the case files,” he said in a statement.

Jana Toom told Euronews that she expected the rules to be adopted in next week's plenary session (10 April), despite opposition from the centre-right EPP group.

GDPR review

The GDPR itself is also up for review this summer. A commission report will address how the rules have been applied until now. An earlier review carried out in 2020 found that, though national data protection authoritie­s are working together under the European Data Protection Board (EDPB), there remained room for improvemen­t.

The commission said that while one-stop-shop complaints have been filed, “more can be done to develop a truly common data protection culture.”

Data protection authoritie­s themselves have often complained about the lack of resources to swiftly deal with complaints. In the case of the Netherland­s, for example, the privacy watchdog receives more than 13,000 complaints every year, it said in its 2023 annual report, and has not enough capacity to look at them all.

In Ireland, the data protection authority said in its 2022 annual report that it concluded 17 largescale inquiries, with administra­tive fines worth €1bn. Some twothirds of the fines issued in Europe last year, including the EU, EEA and UK, were issued by the Irish watchdog.

Among the biggest fines issued under the GDPR are a penalty of 1.2bn euro for Meta issued in Ireland and a 746bn euro fine for Amazon in Luxembourg. Both companies appealed.

 ?? ?? Press conference by Didier Reynders, European Commission­er, on the harmonizat­ion of the procedural rules of the General Data Protection Regulation (GDPR)
Press conference by Didier Reynders, European Commission­er, on the harmonizat­ion of the procedural rules of the General Data Protection Regulation (GDPR)

Newspapers in English

Newspapers from France