Enforcement of the General Data Protection Regulation (Regulation 2016/679 or GDPR) is organized mainly along decentralized procedures, where national supervisory authorities (SAs) are responsible for monitoring and supervising the diverse market of small and large data controllers and processors. Since processing often has a transnational character, enforcement becomes a transnational affair too. Therefore, the GDPR lays down a (complex) cooperation mechanism according to which national SAs in different Member States shall coordinate the outcome of enforcement procedures, in order to address violations together – potentially with involvement of the European Data Protection Board (EDPB) too. While this procedure was, from the outset, infamous for its complexity, concerns regarding under-enforcement of cross-border cases now seem to be materializing in practice. This blog post highlights a number of recommendations that aim to increase the effectiveness of cross-border GDPR enforcement and the protection of data subjects within these procedures.
While the effectiveness of enforcement action can be assessed against the Member States’ obligation to respect the EU’s constitutional principles developed under the umbrella of sincere cooperation, national authorities are bound to respect the EU’s procedural principles too, in particular the principle of good administration. The recommendations highlighted here are further discussed in my PhD dissertation, defended at the University of Luxembourg in July 2023. These recommendations are developed in the context of enforcement of the GDPR, but contribute to the broader debate on (in)effectiveness and (a lack of) procedural protection in enforcement organized along complex composite procedures.
(In)effectiveness of cross-border GDPR enforcement
Since the EU is generally highly dependent upon the Member States’ loyal cooperation in enforcing EU laws, the EU has increasingly intervened in national enforcement procedures with the aim of reaching a certain level of uniformity. The EU may do so by harmonizing enforcement powers and laying down procedural rules in legislative instruments. Furthermore, the CJEU has played a large role in setting limits to national procedural autonomy. It is now settled case law that national enforcement measures must fulfil legal requirements such as equivalence, effectiveness, proportionality and dissuasiveness, based on the Member States’ duty of sincere cooperation.
In the context of the GDPR, the legislator offered data subjects the right to lodge a complaint with SAs where processing of her or his personal data infringes the GDPR (Article 77 GDPR). SAs are under an obligation to handle these complaints, for which the GDPR offers the SAs an equal set of tasks and powers in the context of investigating and sanctioning (Article 58(1) and (2) GDPR). However, SAs shall investigate these complaints only to the extent appropriate (Article 57(1)(f) GDPR). Furthermore, the EU legislator left many steps in the enforcement procedure undetermined, meaning that SAs shall act in accordance with national procedural laws and strategies. This discretion, together with the application of national procedural law, leads to unequal enforcement of the GDPR among the Member States – inter alia with regard to the commencement of formal investigations, the scope of investigations, or the choice of softer or stronger corrective measures. In my dissertation, I conclude that it is difficult (or even impossible) to draw a strict line on the basis of the EU’s constitutional principles regarding which enforcement action, approach or procedure is still effective, proportionate or dissuasive, and which is not. Particular national rules and practices – such as barring a complainant from exercising her or his right to complain after a particular time limit, or SAs acting in accordance with national fining strategies that propose much lower fines than the maximum fines under the GDPR – may make it excessively difficult for a complainant to exercise her or his right. Hence, Member States do not ensure the full effectiveness of EU law. However, this is not so crystal clear with regard to many other enforcement practices, due to the CJEU’s strict interpretation of what renders the exercise of a right virtually impossible or excessively difficult.
In my dissertation, I therefore propose to further harmonize particular enforcement steps in order to limit the SAs’ discretion in enforcement and thereby remove the uncertainty about the CJEU’s limits to enforcement discretion. This could include, for example, harmonizing the admissibility criteria for complaints and determining that a complaint procedure shall always end with a legally binding decision, opening up avenues for judicial review where a complainant is dissatisfied with the outcome of her or his complaint.
This is especially relevant where the current system for reaching consistency in GDPR enforcement, mainly through ‘peer pressure’ among SAs instead of legislative harmonization, does not live up to its promises. Such peer pressure is established by means of far-reaching cooperative duties between the lead SA and other concerned SAs (Articles 4(21), 4(22) and 56 GDPR). Hence, SAs shall exchange information, provide each other with mutual assistance, may organize joint operations, and shall endeavor to reach consensus on the outcome of the enforcement procedure (Articles 60-62 GDPR). While the outcome of a cross-border enforcement procedure is supposed to be a joint effort in which all concerned SAs can have a say, the reality is different. In my dissertation I identify two main issues that hinder SAs from meaningfully cooperating in cross-border GDPR enforcement. First, the cooperation procedure is the least proceduralized process under the GDPR, allowing SAs to interpret their cooperative duties as may fit national strategies and interests. Therefore, the lead SA can bar other concerned SAs from participating, for instance by failing to provide relevant information to the other SAs. In such cases, SAs may lack a thorough understanding of the case, which is crucial for meaningful participation in the consensus-finding process as laid down in Article 60 of the GDPR. Secondly, SAs may have difficulties (or may even be hindered) in combining their duties stemming from national procedural law with those under the cooperation mechanism. One example is the strict time limits for opening an investigation as laid down in Belgian procedural law, which may expire before other concerned SAs can comment on the need for or scope of an investigation (see for example Article 96 of the Act Establishing the Belgian Data Protection Authority).
These concerns do not only influence horizontal cooperation among the SAs, but also vertical cooperation with the EDPB when the latter exercises its dispute resolution or urgent decision-making powers (Articles 64-66 of the GDPR). This is especially so because the EDPB has no competence to collect information or conduct investigations and is, therefore, highly dependent upon whether it receives a complete file for decision-making from the national SAs. Therefore, I propose to harmonize particular cooperative duties further: e.g., which information – including confidential information – shall be shared with the concerned SAs or the EDPB, and when this shall happen. With regard to the latter, I argue that there is a particular need for early consensus finding on the scope of the investigation and for regular updates on its progress, as a lack of such agreement can cause large delays in the course of the enforcement procedure. Furthermore, SAs seem to be in great need of a more user-friendly case management system than the Internal Market Information System currently provides.
(A lack of) procedural protection in cross-border enforcement procedures
Procedural EU law principles govern the relationship between individuals and the Member States when the latter act within the scope of EU law. On the basis of the EU’s general principles, national authorities may be required to act in a certain way even when national law does not provide for it. Therefore, general principles may have a so-called ‘integrative’ function. The principle of good administration, studied in my dissertation, brings together a set of rights and principles that guide the administration in enforcement, ultimately to ensure sound and fair outcomes of the procedure. These principles are especially important where the limits posed by the EU’s constitutional principles remain blurry. Good administration may pose more concrete boundaries to national enforcement action, for instance where the duty of due diligence in enforcement requires that all relevant information (factual and legal) is thoroughly established and reviewed prior to decision-making. This requires SAs to examine all matters raised by the complainant (see Case T-24/90), to collect and exchange all relevant information with other SAs to ensure that data is complete and accurate (see Case T-139/01), to provide reasons for their decisions, ensuring that the conclusions reached are carefully thought through, and to hear the complainant before a decision adversely affecting her or his interests is taken. These and other rights and principles shall together ensure that violations of the EU’s fundamental right to data protection are handled carefully and fairly.
In my dissertation I conclude, however, that national practices are not always in line with the EU’s general principle of good administration. This is especially so because SAs act first and foremost in accordance with procedural guarantees as laid down in national law. Therefore, notable differences with regard to compliance with the EU principle of good administration exist. One example concerns the definition of ‘parties’ and the right to be heard for complainants. In some Member States the complainant is recognized as a party to the procedure and, hence, she or he is heard before an enforcement decision is taken – e.g., in Luxembourg, where the SA is required “to arrange the broadest possible participation of individuals in administrative decision-making” (Article 1 of the Luxembourgish Law on Administrative Procedures). In other Member States, by contrast, this right for complainants is limited to situations where the complaint is being dismissed or rejected, and it can even be restricted further for efficiency reasons (e.g., in the Netherlands, see Articles 4:11 and 4:12 of the Dutch Administrative Law Act). I therefore recommend harmonizing procedural guarantees, inter alia with regard to the definition of ‘parties’ to the enforcement procedure, the persons to be heard, when hearings shall take place, to which documents parties shall have access before being heard, and which concrete legal deadlines SAs shall have to respect within the enforcement procedure.
In my dissertation I proposed to further harmonize enforcement procedures, first, in light of guaranteeing effective enforcement and, secondly, in light of ensuring protected enforcement. While this requires, on the one hand, increased harmonization with regard to the exercise of enforcement tasks and powers (the latter being harmonized already by the GDPR) and of procedural rights and guarantees, it also requires rethinking the way cooperation takes place among the SAs and with the EDPB. While my dissertation looked for solutions within the current system – e.g., by making cooperative duties more concrete – it may be necessary to look further into solutions adjusting key elements of the system. Would it, for example, not make more sense to lift the large cases to the EU level, with an increased role for the EDPB?
In July 2023 the Commission published its proposal for a Regulation laying down additional procedural rules relating to the enforcement of the GDPR. While this proposal certainly ticks several boxes that are in need of increased harmonization – such as early consensus finding among the SAs – I doubt whether the proposal as it stands will substantially improve cross-border GDPR enforcement and the individual protection of complainants within the procedure. In EDPL issue 4/2023 I express my doubts as to whether particular provisions in the proposal might not even worsen the current situation, by increasing the outsized role of the lead SA and by drawing a very clear distinction between parties under investigation on the one hand and complainants on the other. For example, under the current system concerned SAs may raise objections to a draft decision of the lead SA on any aspect, as long as the objection is relevant and reasoned. The Commission proposal now limits the role of concerned SAs in consensus finding, inter alia by imposing restrictions on the subject matter of objections (see EDPB-EDPS Opinion 01/2023, para. 95). Furthermore, the Commission made it explicitly clear that complainants are not a party to the investigative procedure and, hence, enjoy less protection than parties under investigation (Recital 25 of the Commission Proposal). Hence, the complainant shall be heard only in limited instances – when her or his complaint is dismissed or rejected, or on the preliminary findings, but not on the draft or revised draft decision – nor do complainants have generalized access to the file (Article 15 of the Commission Proposal). All in all, there is certainly a risk that poor protection of the EU’s data protection rules – a data subject’s fundamental right – by national SAs and the EDPB may continue to exist.
- Effectiveness and Procedural Protection in Cross-Border GDPR Enforcement - December 31, 2023