Proximity, Amicable Settlements, and how the EU Guts GDPR Enforcement
The European Union (EU) legislator is working on a new Regulation to modify the General Data Protection Regulation (GDPR). The reform’s main aim is to strengthen the GDPR’s enforcement by further harmonising the procedures related to “cross-border” personal data processing. One crucial element here is that this harmonisation will affect the handling in Ireland of massive amounts of complaints submitted against “big tech” from individuals all over Europe. The European Commission published a legislative proposal in July 2023, the European Parliament adopted its position after the first reading in April 2024, and the Council agreed on its general approach on 13 June 2024.
Unfortunately, the reform features deeply troubling elements. It seeks to mainstream a controversial Irish approach to dealing with data protection complaints, namely “amicable settlements” that the Irish Data Protection Authority (DPA) can in some cases decide have been struck between individuals and digital corporations. Those “settlements” are not always to the benefit of data subjects. Further, and rather problematically, the reform foreshadows the end of the principle of proximity, which was a key part of the GDPR’s enforcement design. Gutting – or at least eroding – the proximity principle should ring alarm bells for anyone concerned with effective judicial remedies in the EU.
In this blog post I explain why eroding the principle of proximity and further advancing questionable “amicable settlements” by the Irish DPA would be a catastrophe for European data protection law. In short, the legislator should stop both projects – gutting proximity and mainstreaming “amicable settlements” – in the final trilogues.
The principle of proximity allows individuals faced with a GDPR infringement to lodge a complaint with a data protection authority (DPA) of their choice: the authority of the place of the alleged infringement, of their place of work, or of their habitual residence. If the DPA with which they lodged the complaint happens not to be the one competent to take a decision on the case because of the processing’s “cross-border” nature, the local authority will forward the complaint, triggering what is known as the “one-stop-shop” procedure. In these situations, it is the DPA of the Member State of the main establishment of the entity that takes the lead in deciding the case. A data subject living in Brussels who has a problem with Instagram, for instance, can lodge a complaint with the Belgian DPA without having to worry about whether Instagram is based in Belgium or not. The Belgian DPA shall know that Meta has its main establishment in Ireland and invite the Irish DPA to lead the path towards a decision on the case.
That is, actually, only one aspect of the principle of proximity. There is a second important element, connected to the broader picture of effective judicial remedies in the GDPR. If a complainant wishes to contest the final DPA decision, they can always take the authority to court in the authority’s respective Member State. To prevent a situation whereby a data subject living in Brussels who lodged a complaint with the Belgian DPA would be forced to fly to Dublin to contest a DPA decision that would not satisfy them, the GDPR establishes that if the final decision is to dismiss or reject a complaint, it shall be the local DPA that, formally, adopts it. Then it is possible for the individual to follow up the case locally, in Brussels, because even if the procedure reached Ireland at some point, technically the contested decision will have been taken by the Belgian DPA. Long story short, the principle of proximity seeks to localise proceedings as much as possible.
Localising proceedings was one of the GDPR’s main achievements. Years ago, Austrian activist Max Schrems famously had to crowd-fund his journey to Ireland to litigate his data rights. That was generally acknowledged as a significant problem in terms of access to remedies. Not everyone has the time, resources, and skills necessary to defend their data protection rights in an unknown country, and nobody should be forced to do so precisely to fight, as a lone individual on unfamiliar territory, against some of the largest, most powerful, and data-hungry platforms operating in Europe.
False friends
The special GDPR arrangement allowing data subjects to confidently lodge complaints with the DPA of their choice is now under threat. This is happening in the context of the mainstreaming into EU data protection law of “amicable settlements”. This special Irish procedure works as follows: when the Irish DPA is confronted with a complaint, it can take the initiative to contact the entity that allegedly infringed the GDPR to look for a solution, and, in case of a positive reaction, eventually informs the complainant that a solution has been found and that they should thus accept an “amicable resolution”. Unless the complainant reacts within a predetermined time, they are regarded as fully satisfied, and the complaint is then considered formally “withdrawn”. The Irish DPA – that is, the Data Protection Commission, DPC – has closed hundreds and hundreds of one-stop-shop cases in this manner since the GDPR became applicable. In 2023, it submitted 229 notifications of “amicable resolutions achieved in cross-border complaints”. In contrast, during the same year, in the context of the one-stop-shop it only issued 18 draft decisions and adopted even fewer final decisions (12 in total).
The DPC has in the past discreetly managed to convince the members of the European Data Protection Board (EDPB) that all this is compatible with the GDPR, by accepting, as a small concession to their peculiar practices, to mark the withdrawal of the complaint by adopting a formal notification. The persistent problem is, however, that – coming back to the example above – this decision to regard the complaint as withdrawn is taken in Ireland, by the Irish DPA, and can only be contested in front of Irish courts.
Thus, if the Irish DPA were, for instance, to decide that a complaint I lodged with the Belgian DPA is closed (perhaps because I did not react in time, maybe because I did not understand their language, possibly because I never knew my GDPR rights depended on me opening unsolicited communications from distant authorities), and I wished to contest the validity of their decision, I would have to travel to Ireland and figure out how to launch proceedings there. Just like in 1998. Just like before the GDPR and the EU Charter of Fundamental Rights.
This creates a situation in which access to data protection remedies depends on the establishment of the data controller or processor. This goes to the disadvantage of every EU-based Meta user who does not live in Ireland, impacting millions of EU residents. We may end up in a situation which basically caters to large digital companies, rather than individuals. If it goes ahead, the reform threatens the credibility and effectiveness of data protection complaints against large social networks. This goes very much against the idea of the digital single market, and further erodes trust in the free flow of personal data. And, de facto, it grants a joker to all US-based companies that have their main establishment in Ireland.
Irish coffee a-go-go
The currently discussed legislative proposal on enforcement by further harmonising the procedures related to “cross-border” personal data processing should put an end to existing ambiguities and problematic developments in DPA practices, and make sure that the GDPR is fully respected. The European Commission fast-tracked its text and published it without even carrying out an impact assessment, arguing that no assessment was necessary because the initiative would not affect the rights of data subjects as set out by the GDPR.
The Council’s general approach explicitly endorses the Irish exemption, based on the idea that procedures for “amicable settlements” may just vary depending on national law, which is the ultimate irony for an instrument that is supposed to “further harmonise” the procedures of a Regulation, the GDPR, the objective of which was, and is, full harmonisation of EU data protection law. The European Parliament seems to be completely lost on the whole subject, taking the alternative view that “amicable settlements” would be something that individuals and data controllers negotiate between them. The European Data Protection Supervisor (EDPS) and the EDPB published in September 2023 an Opinion where some concerns did transpire, followed by relatively shy calls for clarifications.
In the GDPR’s legislative process it took some time for the legislator to balance the perils of the “one-stop-shop” procedure, finding the best way to protect the interests of data subjects while not over-burdening data controllers and processors. Hopefully this time too, at some point, someone will realise the importance of getting this right.