The Future of GDPR Enforcement
Key Issues in the Procedural Reform
The trilogues on the General Data Protection Regulation (GDPR – 2016/679) procedural regulation are ongoing. Based on the Commission’s proposal (Commission Proposal – COM(2023) 348 final), the European Parliament and the Council are discussing several central features of the future implementation of the GDPR, which are supposed to address a series of procedural shortcomings in the current GDPR. These arise mostly from the GDPR’s complex composite enforcement system involving various national and European actors. To contribute to the debate, we spell out the main issues that need to be solved. These include, first, a well-defined role for complainants; second, a framework for the discretion of national Data Protection Authorities (DPAs); and third, improving the functioning of the multi-level cooperation among the various DPAs and, in some cases, the European Data Protection Board (EDPB).
Complaints
Today, not all individual complaints concerning potential breaches of GDPR norms are treated equally, and the role and rights of individuals are defined only rudimentarily. Enforcement procedures are, in principle, within the realm of national authorities applying their national procedural law within the framework of the GDPR and the general principles of EU law. As a result, the handling of complaints, the role of complainants, and their procedural rights (or lack thereof) vary significantly among Member States – despite the obligation for DPAs to monitor and enforce the GDPR as laid down in Article 57(1)(a) of the GDPR. In reality, procedures can become interminably long and slow. In the Land Hessen case (C-768/21), the Court of Justice of the EU (CJEU) needed to explicitly remind the authorities that complaints must be understood as a mechanism devised to ensure the protection of the data subject’s rights to privacy and to the protection of personal data.
Given this situation, the Commission’s proposal for the GDPR procedural regulation does not harmonise the rights of a complainant as a party to the complaint procedure. Instead, by giving broad discretion to DPAs in handling and investigating complaints, the Commission proposal results in a “downward” harmonisation. It de facto demotes a complainant to the role of an informant (Commission Proposal – COM(2023) 348 final, recital 25). Thus, complainants would enjoy significantly fewer procedural rights than those conferred upon data controllers and processors. For example, in the preparation of a decision addressed to the controller or processor, the Commission proposes that complainants be given the possibility to submit written observations on the preliminary findings of a DPA. However, complainants will have no right to comment on a revised draft decision, nor will they have general access to the case file (Commission Proposal – COM(2023) 348 final, Articles 14-17), which would allow them to contribute meaningfully to a draft decision. The European Parliament (EP) tried to address both concerns, first, by suggesting amendments reflecting that individual enforcement procedures mainly occur on the basis of individual complaints and, second, by extending the right to be heard to all parties, including complainants. However, these changes must be reflected in procedural terms, as suggested in Article 2(1b) of the EP position on the Commission Proposal.
Regarding the latter, complainants often spend considerable time, energy, and expertise identifying and launching a complaint. Conducting a diligent investigation to the standards required by the CJEU is hardly possible without detailed input from a complainant (as confirmed by the EP in recital 25a of the EP’s position on the Commission Proposal).
Today, GDPR enforcement relies essentially on public bodies, since damages under Article 82 GDPR are not punitive, and claimants must prove the link between a specific violation of their GDPR rights and the individual damage they allege (see C-300/21 Österreichische Post). Given these difficulties and the lack of incentive to ensure enforcement through private claims, a strong and protected position as complainant is highly relevant where public enforcement via DPAs, as independent administrative authorities, is the prime means of GDPR enforcement.
The role of a complainant is also linked to the problems of multi-level enforcement, which comes with differences among the Member States regarding the notion of what counts as a “complaint” and questions of admissibility. Differing admissibility standards may lead to double admissibility checks, where complaints are forwarded from one DPA to the lead DPA, making the submission of complaints excessively difficult. Currently, some DPAs can decide not to act or to pause an investigation pending the possible future outcome of another. This considerably limits individual procedural rights. Additionally, differences in how the scope of an investigation is defined can lead to a lack of investigation and to conflicts between DPAs. This element needs to be harmonised by obliging DPAs to adopt a formal decision finalising each individual complaint. Such an obligation to adopt binding decisions would help to clarify whether an administration may decide to limit its investigation to certain aspects of the complaint it deems relevant, and if so, under which conditions.
Discretion
The questions concerning the role and handling of complaints also point to an underlying problem: that of diverse notions of discretion. DPAs enjoy discretion within the different procedural phases, including the decision to open an investigation, how an investigation is to be conducted, whether a decision to close the investigation will be taken, whether a violation of the law can be established, and finally, whether a specific sanction or remedy is to be taken. These diverse forms of discretion are subject to different legal provisions in the various Member States, leading to uneven enforcement of the GDPR. As limits to DPA discretion, the CJEU has established in Schrems II (DPC v Facebook Ireland and Schrems C-311/18) and SCHUFA (Joined cases C-26/22 and C-64/22) that DPAs are obliged to handle complaints respecting principles of due diligence in order to fulfil their duty under Article 8(3) of the Charter to protect personal data. DPAs’ independence does not exist to shield them from their obligation to uphold the law but as protection from political influence. These principle-based clarifications of discretion need to be reflected in the GDPR procedural regulation. Equally, the GDPR procedural regulation must address differing investigation and decision-making procedures. Some DPAs close cases by formal decisions, while others address complaints or investigations through informal agreements or settlements. The cross-border nature of GDPR enforcement in the EU means that a lack of formal decision-making may result in a lack of transparency in case handling, incomplete investigations and file-keeping, incomplete follow-up of joined cases, and circumvention of the GDPR’s one-stop-shop mechanism (Gentile and Lynskey 2022).
Additionally, unequal enforcement can become a problem for the acceptability of EU law and the existence of a single market, and arguably contributes to the ongoing competition between business locations (Opinion A-G Geelhoed in Case C-304/02). In the procedure leading up to the decision, which often involves well-resourced companies such as Meta, Alphabet or others, an information imbalance exists between a DPA and the company under investigation. The societal knowledge which can be brought to an investigating DPA under a complaint-based system must not be discarded. Therefore, as argued above, the DPA’s obligation to, first, investigate a complaint with all due diligence and, second, close such an investigation with a binding, reviewable decision on every incoming complaint is as essential as the commitment to provide individuals with procedural rights. Procedural rules can be adapted to the degree of general relevance of the case. An example is the two-level decision-making approach in state aid and competition law, which allows for a plausibility test leading to a closure decision where the initial investigation shows no reason for a more in-depth investigation. Where reasons are found to investigate further, a second-phase procedure is opened, which also explicitly protects rights under the general principle of good administration, including the right to be heard, access to documents and others.
Cooperation and Multi-Levelism
The GDPR foresaw a system to address inconsistencies in enforcement through the “cooperation mechanism”, offering ways for DPAs to address concerns related to under-enforcement of the GDPR by other Member States’ DPAs. AG Bobek (Opinion in C-645/19) described this as offering DPAs a sort of “peer pressure avenues”. Under Article 60 GDPR, national authorities must cooperate with other DPAs in cross-border cases to reach a consensus on the outcome of the decision-making procedure. Without clearer procedural regulations, this mechanism cannot live up to its promises. Cooperation is often short-circuited by complaint handling through informal means – e.g., by exchanging information or mutual assistance requests via “voluntary” workflows in the EU’s Internal Market Information System, the IT network used for cooperation. Without legal deadlines or legal consequences attached to a lack of sincere cooperation (Mustert 2023), DPAs’ limited resources will not be used to their fullest potential to actively engage the other concerned DPAs in preparing a draft decision from the moment a complaint is received. In reality, the move to informalism reflects the outsized role of the lead DPA compared to the concerned DPAs. The Commission Proposal aims to improve the current system by outlining cooperation procedures among the DPAs and ensuring meaningful engagement of concerned DPAs at an early stage in the enforcement procedure – e.g., by requiring the lead DPA to draft and share a summary of key issues once it has formed a preliminary view on the main issues in the investigation and once it has established preliminary findings (see Commission Proposal – COM(2023) 348 final, Articles 9 and 10). Nevertheless, the EDPB and the European Data Protection Supervisor (EDPS) expressed concerns regarding these proposals: Why, for example, should the lead DPA only have to communicate complex legal and technical assessments? Why is there no requirement for the lead DPA to engage with the concerned DPAs’ comments on the preliminary views? And why does the Commission allow the EDPB to impose restrictions on the maximum length of comments submitted on, for example, the summary of key issues (EDPB/EDPS Opinion 1/2023)? The EP’s positions in the trilogues address these concerns to a certain extent and must be taken seriously.
Additionally, the EDPB’s dispute settlement and urgency procedures (Articles 65 and 66 GDPR) may influence the administrative cooperation procedure (e.g., by means of the EDPB’s opinions, guidance, and binding decisions where consensus among the DPAs cannot be reached). Where the EDPB acts, its measures are taken on the basis of a dossier established by a national DPA under national procedural law (see Magierska 2023, Mustert 2021 and 2022). This file may have only limited value because of a restrictive approach to investigating a case (EDPB Decision 5/2022), which in turn effectively limits the EDPB’s decision-making capacity. The EDPB’s role in decision-making therefore requires upgrading to ensure stronger supranational involvement and coordination, resulting in a more unified interpretation of rules and enforcement approaches in cases with a transnational effect. Possibilities could include equipping the EDPB with powers to initiate dispute resolution when national decisions are not taken within a particular time frame, to request information from data controllers or processors where the DPAs fail to do so, and to conduct a follow-up review of the implementation of its decisions. Procedures should also ensure that the rights of all parties to a procedure, including complainants, can be protected at the EDPB level.
A further-reaching model, currently not discussed in the trilogue, is a “dual approach” under which large data controllers or processors with more or less EU-wide activities would fall within the remit of an EU agency, while local cases would continue to be addressed by national DPAs. An upgraded EDPB might fulfil such a task. It could be supported by the network of Member State DPAs providing evidence, expertise, the conduct of hearings, and investigative steps. Such a two-level approach is well established, for example, in banking supervision or EU competition law and under the Digital Services Act (DSA), where very large online platforms are addressed under a special regime. Under the GDPR, such a mechanism would reduce the dependency on a single national lead authority bearing the burden of pan-EU enforcement. At the same time, it would simplify access to judicial review, since review by the General Court of the CJEU is much more easily accessible to individual plaintiffs from across the EU than the courts of a single Member State. However, such a dual approach requires the modification of the GDPR itself and not merely the adoption of an additional procedural regulation.
Lessons for the GDPR Procedural Regulation
We conclude that the GDPR procedural regulation must concentrate on three points: First, the role of individual complainants must be strengthened by conferring on them the status of a party to the procedure. This will increase the knowledge present in the enforcement system, improve oversight over agency action, and enhance the overall accountability of GDPR enforcement. In contrast, the Commission’s draft, currently under negotiation, relegates the complainant to the role of an informant rather than a party to the procedure. Second, the procedural obligations of DPAs in complaint handling should be identified, including a definition of the scope of an investigation and the obligation to close each complaint with a binding, reasoned decision. Finally, the overall procedure must be streamlined by establishing clear procedures for cooperation among national DPAs and by clarifying the EDPB’s role in the enforcement procedures, especially in significant cases that affect rights-holders in several EU jurisdictions. Overall, this would move the GDPR system towards a better allocation of powers and the guarantee of individual procedural rights, thereby enhancing the overall quality and speed of decision-making.