The European Union is coming to grips with the dysfunctionalities of its most famous tech law of all: the General Data Protection Regulation.
The European Commission will propose a new law before the summer that’s aimed at improving how EU countries’ privacy regulators enforce the GDPR, a newly published page on its website showed.
Adopted in 2016, the privacy rule book was a watershed moment in global tech regulation, forcing companies to abide by new standards such as asking for consent to collect people’s data online against threats of hefty fines of up to 4 percent of global annual turnover. The law effectively became European officials’ poster child of powerful legislation coming out of Brussels.
However, five years after EU data protection authorities started their job, as GDPR entered into force, activists, experts and some national privacy watchdogs have become frustrated at what they see as an inefficient system to tackle major cases, especially from Big Tech companies.
Most notably, critics have lamented the powerful role that the Irish Data Protection Commission has under the so-called one-stop shop rule, which directs most major investigations to run through the Irish system because tech companies like Meta, Google, Apple and others have set up their European homes there. Under the GDPR, tech companies are overseen by the national regulator in the EU country where they are headquartered.
Ireland and, to a lesser extent, Luxembourg, where Amazon’s EU headquarters is based, have faced mounting criticism in recent years for lax enforcement, which they deny. The Irish data authority in recent months imposed some major multimillion-euro fines to sanction GDPR infringements from Meta, the parent company of Instagram and Facebook.
Now, a new EU regulation that is expected in the second quarter of 2023 wants to set clear procedural rules for national data protection authorities dealing with cross-border investigations and infringements.
The Commission wrote that the law “will harmonize some aspects of the administrative procedure” in cross-border cases and” support a smooth functioning of the GDPR cooperation and dispute resolution mechanism.”
Europe’s data protection authorities last year pledged to ramp up cooperation to tackle cases of strategic importance. The European Data Protection Board in October sent the Commission a ‘wish list’ of procedural law changes to improve the enforcement. Among the ideas are setting deadlines for different procedural steps in the handling of a case and harmonizing the rights of different parties involved in investigations across the EU.
The Commission wants to keep the upcoming regulation very targeted and limited — in part because it is bracing for tense discussions with data privacy watchdogs, campaigners and Big Tech lobbyists.
The GDPR is widely considered the most heavily lobbied EU law in the bloc’s history. It led to a massive expansion of Big Tech’s lobbying power in Brussels, where it now tops the ranks of the biggest spenders in influencing EU decision-making.
It’s not just lobby groups that are expected to pounce on the Commission’s new privacy law proposal. Regulators themselves have clashed over how to interpret and enforce the GDPR, often triggering dispute resolutions and delaying cases.
Olivier Micol, the Commission’s head of unit for data protection, which is leading the work on the policy, said, “nobody will be happy with the Commission proposal as usual, because the data protection authorities agree on the problem, but they do not agree on the solutions. Big Tech companies will not be very happy with it because it will make the system more efficient and have more enforcement.”
With the European elections looming in spring 2024, the EU executive will also have a short window of time to push its new text through the EU legislative train. The European Parliament and the EU Council, made up of the 27 EU governments, could have just a few months to negotiate their amendments to the Commission’s legislative present.
Source: Politico
