The European Union is (finally) coming to grips with the dysfunctionalities of its most famous tech law of all: the General Data Protection Regulation.
The European Commission will propose a new law before the summer that’s aimed at improving how EU countries’ privacy regulators enforce the GDPR, a newly published page on its website showed.
Adopted in 2016, the privacy rulebook was a watershed moment in global tech regulation, forcing companies to abide by new standards such as asking for consent to collect people’s data online against threats of hefty fines of up to 4 percent of global annual turnover. The law effectively became European officials’ poster child of powerful legislation coming out of Brussels.
But five years after EU data protection authorities started their job, as GDPR entered into force, activists, experts and some national privacy watchdogs have become frustrated at what they see as an inefficient system to tackle major cases, especially from Big Tech companies.
Most notably, critics have lamented the powerful role that the Irish Data Protection Commission has under the so-called one-stop shop rule, which directs most major investigations to run through the Irish system because tech companies like Meta, Google, Apple and others have set up their European homes there. Under the GDPR, tech companies are overseen by the national regulator in the EU country where they are headquartered.
Ireland and, to a lesser extent, Luxembourg, where Amazon’s EU headquarters is based, have faced mounting criticism in recent years for lax enforcement, which they deny. The Irish data authority in recent months imposed some major multimillion-euro fines to sanction GDPR infringements from Meta, the parent company of Instagram and Facebook.
Now, a new EU regulation that is expected in the second quarter of 2023 wants to set clear procedural rules for national data protection authorities dealing with cross-border investigations and infringements. The law “will harmonize some aspects of the administrative procedure” in cross-border cases and ” support a smooth functioning of the GDPR cooperation and dispute resolution mechanisms,” the Commission wrote.
Europe’s data protection authorities last year pledged to ramp up cooperation to tackle cases of strategic importance. The European Data Protection Board in October sent the Commission a “wishlist” of procedural law changes to improve the enforcement. Among the ideas are setting deadlines for different procedural steps in the handling of a case and harmonizing the rights of different parties involved in investigations across the EU.
“I think there are parts of the GDPR that definitely have to be adjusted to the future reality,” European Data Protection Supervisor Wojciech Wiewiórowski told POLITICO in an interview last June.
The Commission wants to keep the upcoming regulation very targeted and limited — in part because it is bracing for tense discussions with data privacy watchdogs, campaigners and Big Tech lobbyists.
The GDPR is widely considered the most heavily lobbied EU law in the bloc’s history. It led to a massive expansion of Big Tech’s lobbying power in Brussels, where it now tops the ranks of the biggest spenders in influencing EU decision-making.
But it’s not just lobby groups that are expected to pounce on the Commission’s new privacy law proposal. Regulators themselves have clashed over how to interpret and enforce the GDPR, often triggering dispute resolutions and delaying cases.
The GDPR is widely considered the most heavily lobbied EU law in the bloc’s history | Oliver Hoslet/EPA-EFE
“Nobody will be happy with the Commission proposal as usual, because the data protection authorities agree on the problem but they do not agree on the solutions,” said Olivier Micol, the Commission’s head of unit for data protection which is leading the work on the policy. He was speaking at a Brussels event last month.
Non-governmental organizations want to be more involved in the procedures and companies like Google, Apple and Amazon will push back for fear of new fines, Micol said.
“Big Tech companies will not be very much happy with it because it will make the system more efficient to have more enforcement,” he said.
With the European elections looming in spring 2024, the EU executive will also have a short window of time to push its new text through the EU legislative train. The European Parliament and the EU Council, made up of the 27 EU governments, could have just a few months to negotiate their amendments to the Commission’s legislative present.
