|
|
The EU’s General Data Protection Regulation (GDPR) seeks to guarantee people’s fundamental right to the protection of their personal data in an effective way. However, the disparity, complexity, imbalance between parties and inefficiency of some national legal procedures is making it very hard for consumers, and the organisations defending them, to exercise their rights under the GDPR in an effective way and get companies to comply with the law. This is leaving consumers exposed to Big Tech companies that are profiting from exploiting people’s personal data all across Europe...
BEUC welcomes the Commission’s intention to propose a regulation that harmonises procedural rules on cross-border cases under the General Data Protection Regulation (GDPR). BEUC has three main recommendations for this initiative to be a success:
1. Mutual recognition of admissibility of complaints and data subject representation.
2. Equal procedural rights for all parties involved in a procedure. Data subjects and organisations representing them should have the same right to be heard and same access to the file that defendants do.
3. Efficient and close cross-border cooperation between Data Protection Authorities (DPAs).
BEUC welcomes and supports the European Commission’s initiative to harmonise some procedural rules on cross-border cases under the GDPR. This echoes BEUC’s recommendations in our 2020 report ‘The Long and Winding Road - Two years of the GPDR: A cross-border data protection enforcement case from a consumer perspective’1. In our report we made recommendations about the hurdles BEUC and our member organisations have experienced in our joint action against Google’s location tracking practices.2
We commend the European Data Protection Board (EDPB) for its efforts to foster greater cooperation and create more efficient cross-border enforcement via their guidelines, internal documents, their 2021-2023 Strategy, Work Programme or the ‘Vienna Declaration’.3 We also commend the efforts of the European Data Protection Supervisor (EDPS) to trigger a deeper discussion on how to improve enforcement. However, there is
1 The Long and Winding Road - Two years of the GPDR: A cross-border data protection enforcement case from a consumer perspective, BEUC-X-2020-074, https://www.beuc.eu/sites/default/files/publications/beuc-x-2020-074_two_years_of_the_gdpr_a_cross-border_data_protection_enforcement_case_from_a_consumer_perspective.pdf
2 https://www.beuc.eu/every-step-you-take
3 https://edpb.europa.eu/system/files/2022-04/edpb_statement_20220428_on_enforcement_cooperation_en.pdf
4 See, for example, EDPS Conference Report 2022 - The future of data protection: effective enforcement in the digital world, https://edps.europa.eu/data-protection/our-work/publications/brochures/2022-11-10-edps-conference-report-2022-future-data-protection-effective-enforcement-digital-world_en
a clear need for binding rules to streamline cross-border enforcement, as evidenced by the EDPB’s wish list on GDPR procedural aspects5 sent to the European Commission.
Procedural harmonisation is an essential aspect of GDPR application and enforcement. Some national procedures and DPA practices have a major, negative impact on the rights of data subjects. The upcoming regulation should ensure all procedures, policies and practices relating to data protection are consistent, coherent and standardised to the maximum extent possible, keeping in mind the best interests of data subjects. Effective law enforcement is essential not only to protect the rights of those affected and to maintain public confidence in the GDPR, but also to ensure a level playing field for all responsible parties and to prevent forum shopping. As such, it is in the interest of both data subjects and all companies that comply with the GDPR.
The upcoming proposal should ensure that data subjects can exercise their rights in a fair, effective and affordable way. The upcoming regulation should not constitute a race to the bottom in terms of data subjects’ rights. The Commission and the co-legislators must not risk lowering the level of protection of data subjects. BEUC therefore recommends the European Commission to build on best practices amongst EU countries’ national procedural rules that allow data subjects, and the organisations representing them, the effective exercise of data protection rights. While inspiration could also be taken from other fields of law, it is important to underline the GDPR is a fundamental rights instrument under article 16 of the Treaty on the Functioning of the European Union (TFEU). The GDPR is not an internal market instrument and the rights of data subjects and organisations representing them should be effectively exercised and preserved in line with articles 8 and 41 of the Charter of Fundamental Rights of the European Union....
more at BEUC