European Commission aiming to reform GDPR enforcement rules in cross-border cases
It has been seven years since the General Data Protection Regulation (GDPR) was adopted and nearly five years since it came into force. A completely unique solution in its inception, now used as a blueprint for similar legislative pieces across the World, the GDPR signified the importance and value that online personal data holds and established strict criteria for data collection and processing. Failure to comply can cost companies dearly, or at least it should, in theory, with fines potentially amounting up to 4% of the company’s global annual turnover.
However, the most challenging aspect concerning GDPR has become investigating and enforcing non-compliant activities. Given that enforcement is the responsibility of relevant national authorities, the effectiveness of the Regulation thus hinges on the effectiveness of the national agency. For example, when looking at available GDPR fine trackers or studies, it becomes evident that the majority of EU Member State agencies either do not have the necessary capacity or the desire to exhaustively address GDPR violations. This is exacerbated by the fact that only a handful of, business-tax-friendly Member States, are responsible for the GDPR enforcement of most technology companies. There have been public reports on how authorities from other Member States voice their frustration for a lack of enforcement actions over the last few years, even though countries like Ireland have recently imposed some considerable fines on US tech companies. This in turn effectively curtails the purpose that GDPR should uphold – respecting EU citizen online privacy and their personal data processing.
With that in mind, it is not surprising that the European Commission has published an initiative to specify the procedural rules that accompany GDPR enforcement. Currently in its feedback period, which opened on 24 February and will close on 24 March 2023, the Commission aims to harmonise procedural rules specifically in cross-border cases. It remains to be seen however to what extent the reformed rules will streamline enforcement actions in the EU.
Businesses have clearly recognised the commercial and reputational impact that the GPDR and similar EU technology regulations hold. Over the last few years, the tech sector has become the biggest contributor to EU lobbying, with the industry’s 612 companies, groups, and associations, contributing over €97 million per a 2021 report. Furthermore, just ten of the largest contributors spent a third of the total amount. Of those ten companies listed, none were headquartered in the EU, one is based in the UK, one in China, and eight in the US. The key legislative pieces that the companies have addressed also include the upcoming Digital Services Act and the Digital Markets Act.