EU Parliament votes to strengthen GDPR enforcement


Members of the European Parliament voted on Wednesday (10 April) on amendments to strengthen the enforcement of the EU’s General Data Protection Regulation (GDPR). However, stakeholders called for further improvements, particularly regarding complainants’ rights and cross-border matters.

The EU’s General Data Protection Regulation (GDPR), enforced in 2018, is a data protection regulation that governs how personal data is handled by organisations in the European Union, prioritising individuals’ privacy rights.

The amendments to the GDPR Enforcement Procedures Regulation aim to enhance complainants’ rights, clarify enforcement procedures, and address procedural concerns, which German MEP and rapporteur Sergey Lagodinsky of the Greens said will bring legal clarity.

Among other things, the passed amendments to the EU’s landmark data protection regulation change the role of the supervisory authorities and remove some of their obligations to share preliminary findings.

The Parliament missed a chance “to address the serious shortcomings identified at the Committee level” and did not manage to streamline GDPR enforcement processes, as was the original intention of the proposal, said Constantin Gissler, director general at DOT Europe, an association representing internet companies in Europe.

Instead, the amendments could potentially undermine GDPR concepts “through the back door,” he said.

Ursula Pachl, deputy director general of the European Consumer Organisation (BEUC), said in a press statement released on Wednesday that while the Parliament’s decision will make it much faster to deal with GDPR complaints, “more still needs to be done to get to a satisfactory outcome for consumers who lodge complaints against a company.”

In cases where data protection authorities deal with cross-border issues, they should have more time to check the main supervisory authority’s work, she said.

When different authorities cannot agree on a decision, people who made the complaint should have the chance to be heard, Pachl added.

The new Parliament will follow up on the file after the European Elections on 6-9 June.

Supervisory authority

One amendment allows supervisory authorities, which are independent bodies established by each EU member state, to request urgent binding decisions from the European Data Protection Board (EDPB) in procedural disputes.

If a lead supervisory authority cannot meet a deadline due to complex investigations, it can request an extension of up to nine months. Under the amendment, requests must include facts, evidence, legal grounds, and the requested determination or deadline extension. The Board must decide within two weeks, and its determinations are binding.

Under another amendment, supervisory authorities can request ex officio investigations when they suspect a potential GDPR violation affecting data subjects. The leading authority has to approve the request for an investigation or delegate it to another regulatory body. If the supervisory authority’s investigation is approved, a draft decision must be issued within nine months, although extensions can be granted.

Ex officio investigations allow regulatory authorities to independently initiate inquiries into suspected unlawful aid without relying on external complaints.

The vote “threatens the viability of the GDPR’s essential one-stop-shop mechanism, reduces confidentiality protections, restricts rights of investigated parties, and turns the enforcement process into an adversarial one,” Laura Wiesenfeld, policy manager for Europe at the trade association Information Technology Industry Council (ITI), told Euractiv.

The one-stop-shop mechanism allows businesses operating across multiple EU member states to deal primarily with a single supervisory authority for data protection compliance purposes.

Wiesenfeld urged the Council to collaborate with the industry for effective implementation.

Left out

The Parliament voted on removing parts of a provision that would have given complainant entities access to preliminary findings.

Under the removed provision, the lead supervisory authority of a given case would have been obliged to share a non-confidential version of its preliminary findings with the complainant.

It would also have set a deadline for the complainant to provide written views on the findings.

A rejected amendment would have required the Chair of the EDPB to provide a statement of reasons to the parties under investigation and/or the complainant before making a binding decision.

Two amendments were rejected during the plenary session. Both related to establishing fair procedural standards for handling data protection cases, ensuring impartial treatment and the right for parties to be heard before decisions are made, as well as access to case files.

Following the vote, the Chair of the Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), Juan Fernando López Aguilar, asked for a referral back to the Committee for institutional negotiations, which was adopted.

[Edited by Rajnish Singh]
