Sinds 2018 moet de Algemene Verordening Gegevensbescherming (AVG) garanderen dat alle Europese burgers hun privacyrechten overal in de Europese Unie kunnen uitoefenen. Wanneer deze rechten worden geschonden door een onderneming gevestigd in een andere EU‑/EER‑lidstaat, verloopt de afhandeling via een complex samenwerkingsmechanisme tussen de gegevensbeschermingsautoriteit (DPA) van de lidstaat van de klager en die van de lidstaat van de onderneming. Dit mechanisme vormt de kern van de algemeen erkende handhavingsproblemen van de AVG: klachten raken spoorloos, bestuursbesluiten laten jaren op zich wachten en er bestaat vrijwel geen instrumentarium om tegen inactieve DPA’s op te treden. De EU heeft geprobeerd deze impasse te doorbreken met een ‘procedureverordening inzake AVG‑handhaving’, maar inmiddels wordt duidelijk dat deze voorstellen ernstig tekortschieten. De zogenoemde ‘triloog’-onderhandelingen tussen het Europees Parlement, de lidstaten en de Europese Commissie hebben een wetgevend kluwen opgeleverd dat de procedures naar alle waarschijnlijkheid nog complexer, trager en juridische uitdagender maakt. noyb volgt het dossier nauwgezet en slaat nu de noodklok: er is intensief aanvullend werk nodig, want de huidige aanpak dreigt de situatie juist verder te verslechteren. Het artikel gaat verder in het Engels.
"Simpler & Faster" has become "Complex & Unstable". So far, the GDPR foresees that Data Protection Authorities (DPAs) in 30 EU/EEA countries should "cooperate", but does not clarify how this cooperation should be conducted in detail. National procedures differ widely. Requirements to hearing parties, sharing evidence or formally issuing a valid decision are different in each Member State. Basics such as sharing of information about a case with all authorities do not work in practice. Overall, this has led to extremely slow GDPR procedures, lost documents and failed enforcement actions. Even simple cases, such as an access to information request by a data subject, can take 5 or more years. When the European Commission announced it would fix this mess via a "GDPR Procedural Regulation", the main promise was to finally achieve effective enforcement via faster, streamlined and simpler procedures.
However, as it stands today, the EU institutions are about to produce the exact opposite: an even more complex, inflexible and inconsistent procedural nightmare that will not improve but diminish enforcement of the GDPR.
The European Commission never did a proper impact assessment and stakeholder engagement before introducing its proposal, clearly lacking basic procedural know-how. Following the Commission's broken proposal, the Council delivered a half-baked position, because the Belgian EU Presidency wanted to quickly "close" the file by summer 2024. The European Parliament, contrary to the first promising steps it took to fundamentally reform the Commission's proposal in its previous legislature, seems to have given up almost all ambition under its new leadership.
All in all, this legislative initiative is bound to become an embarrassment for the EU - especially after recent promises to finally take European's fundamental rights to data protection and privacy serious and to proof to the world that the GDPR is the gold standard - not only on paper. The expected outcome would also contradict the EU's aspiration to cut back on complex rules and improve the legal quality of EU legislation. Instead of just simplifying the core procedure, the draft texts under negotiation would lead to roughly ten types of possible GDPR procedures - with various sub-variants, twists and turns.
Max Schrems, Chairman of noyb.eu: "We initially very much supported having clear procedural rules. But this proposal risks to become the biggest legislative mess I have seen in a long time. While the Council and the European Parliament seem to generally agree that the Commission's proposal needs substantive changes, it seems they have not managed to cure the structural problems but rather added even more and more complex elements. The European Parliament has completely given up on introducing well-established procedural approaches. The result is a overloaded system that will make procedures even more complex and slower. Many elements are of such poor legal quality that this law will not solve problems - but generate more disputes."
Happy, if everyone is unhappy? While many European political battles take place between two interest groups, this dossier seems to have been a fight between quality lawmaking and an approach that is neither workable nor in line with the most basic procedural principles. Despite warnings from experts, the dossier is simply being pushed through the process over and over again. Many have commented behind closed doors that the text is a "shit show" or that the trilogue negotiations have sadly come to a point where law making is a "sausage factory that produces a sausage - no matter the content". Despite the fact that many players seemed to have realised the problem, little action has been taken. A common theme seems to be "pass it one way or another - as long as it's off my table."
Max Schrems: " This Regulation could have been a game changer for exercising people´s fundamental rights. Instead, it looks like it will waste thousands of hours in already overworked auhorities by prescribing various useless and overly complex procedural steps, which translates to Millions in taxpayer money. At the same time, procedures will be slower and also more complex for business and citizens alike. Enforcement of GDPR rights of normal people will be even harder to reach. Businesses will likely see more legal uncertainty, inaccurate decisions and higher legal costs for additional paperwork and necessary appeals."
Medieval procedural approaches - instead of party rights. The European Commission's original proposal followed an authoritarian spirit. The 'lead' DPAs in the same country as the company (such as the notorious Irish DPC) were shielded as far as possible from the need to cooperate with other DPAs and from listening to the concerned parties. This way, they were supposed to be able to conduct the procedure alone, without being bothered by anyone. But this approach is the opposite of a modern, efficient and transparent administration. It is crucial to involve the parties at an early stage to arrive at factually correct and widely accepted decisions. After all, companies know best how their systems work and complainants know best what their GDPR problem is. Instead, the Commission built the procedure on a purely "inquisitorial system" - literally a medieval approach from the 12th century. Many documents and decisions in the procedure are issued before any investigations or hearing of the parties have been conducted. It appears that many of the concepts have been borrowed from the practice of the Irish Data Protection Commissioner - the DPA that has produced the most disputes with other DPAs and that is known for extremely slow and messy procedures. It is unclear how the relevant elements of the proposed law (particularly in Articles 9 to 17) will interact with much more modern national procedures. The Regulation does not properly define the interplay of EU and national law.
Max Schrems: "The EU Commission's approach was to assume that DPAs know it all. Instead of hearing the parties, as is the case in almost all EU Member States, the EU Commission foresaw that parties would only be heard at the end of the investigation via a 'preliminary decision'. The rights of the parties would therefore be extremely limited. This approach is prone to produce a huge number of inaccurate decisions. After all, companies know best how their systems work and complainants know best what their problem is. It is completely unclear how these concepts interact with national procedural rules. The article that would have clarified this has also been deleted."
"Fast" procedures: 3 or 33 months? One of the last unresolved issues in the current negotiations seem to be deadlines for procedures. So far, DPAs report an average of around 8 months for a decision. In Member States that already have such a deadline in place, the average is at roughly 4.5 months. Therefore, it wasn't irrational that the European Parliament proposed a deadline of 3 months in simple cases and up to 9 months in other cases. However, the Council reportedly proposed a deadline for a decision of up to 33 months. There is so far no agreement if users can bring a case in their home country. Instead, they may have to sue a foreign DPA in another EU jurisdiction over delays. This would make it virtually impossible for most people.
Max Schrems: "On average, the authorities report a duration of about 8 months for procedures. Some of the proposals by Member States are 33 months. This would be the first time you could even raise a delay with a Court, which can in turn take years to decide about a lawsuit over a delay. This is basically a free pass for DPAs to drag out procedures forever..."
Lack of procedural know-how. One structural reason for the questionable outcome of this process may have been that both European Commission, the Parliament and Council have hardly ever dealt with legislation on procedural law. Procedural law is currently a domain of the Member States. So far, the EU has not issued any relevant cross-country administrative procedural law. Even within the Member States, procedural law is usually dealt with by expert lawyers in separate departments at universities and specialised units in national justice ministries. Overall, it seems that this proposal would have needed much more preparation and investment to avoid the current situation where EU lawmakers seem to only kick the can down the road.
Max Schrems: "There is a special breed of lawyer who deals with procedural law. This know-how was clearly lacking in this dossier. It's as if I were to start practising astrophysics tomorrow - the result would probably be of no benefit to humanity".
