The GDPR promised better data protection and more efficient rules for companies five years ago. In practice, enforcement of the GDPR is seriously lacking, despite recent hefty fines. The European Commission proposes to streamline the procedural differences between the EU member states in cross-border cases, but will not resolve the real underlying issue. The establishment of a robust pan-European data protection authority for cross-border cases can ensure a high-level of data protection. At the same time, it can prevent the current rather arbitrary and business disruptive enforcement practice. Another benefit is that the local data protection authorities will be better suited to the clear the backlog of enforcement cases in their own country in a more fair-minded manner.

Jumping out of the frying pan into the fire: the GDPR’s flawed compromise

Before the GDPR, multinationals had to deal with a patchwork of local data protection authorities. The GDPR was supposed to simplify this with the one-stop-shop enforcement mechanism. Companies should then only have to deal with one data protection authority within the EU. As most big technology companies are established in Ireland, which has a more business friendly reputation, it was feared that this model would undermine the aimed high-level of data protection. A compromise was reached on the current version of the one-stop-shop. This resulted in complex rules for cross-border cases and unclarity when businesses could benefit from the one-stop-shop. The lead authority of the main establishment of an organization is competent for the coordinated enforcement of cross-border cases, but only in close cooperation with the other concerned data protection authorities. Data subjects can still submit complaints with each data protection authority. In the event of a disagreement, the European Data Protection Board (EDPB), representing all data protection authorities, needs to resolve the dispute between data protection authorities. 

Undermining rights of companies and data subjects

Five years of enforcement under the GDPR shows that the one-stop-shop does not work as intended. It even undermines the rights of the data subjects and investigated companies. Sometimes it can be unpredictable which data protection authority will deem itself as the lead supervisor. Generally, cross border cases are also substantially delayed. It is not unusual that it takes four to five years before some results are achieved. During all these years, companies must deal with significant uncertainties surrounding their relevant business activities. This has a chilling-effect on businesses. Moreover, the Irish data protection authority has become isolated. Other data protection authorities often disagree with its more lenient and slow enforcement practices. This endangers the consistent application of the GDPR even more. It also results in a competitive disadvantage for companies established in other member states. Due to the slow and difficult cooperation between data protection authorities, companies are also confronted with significant increases in the scope of enforcement decisions and imposed fines in a very late stage, sometimes even after completion of the investigation. 

In the meantime, the protection of the rights of data subjects suffers greatly. For example, they often receive little to no feedback from data protection authorities on their complaints. During an investigation they rarely can put forward their views in a meaningful manner. Many complaints are also outright dismissed, or not properly handled, because of the considerable backlog of cases. It is not surprising that data subjects and their representative organizations are increasingly initiating (collective) court actions on their own. 

Transforming the EDPS to EU-wide supervisor

The European Commission’s proposal falls short of addressing the core issues plaguing the GDPR enforcement. To restore confidence and tackle problems head-on, a fundamental change in the enforcement model is necessary. The European Data Protection Supervisor (EDPS) shares our view, indicating that the proposal is “a step in the right direction“, but “it will not solve all structural issues related to the GDPR’s one stop shop mechanism“. A pan-European data protection authority should be established, like the competition law enforcement model. This can be accomplished relatively easy by transforming the EDPS, which currently supervises only EU institutions, to the new EU-wide data protection authority. The EDPS should become competent for enforcing large cross-border cases. It should also request the assistance of the member state data protection authorities where necessary. As a result, the local data protection authorities will have more capacity at their disposal to handle national matters more effectively. This solution is in line with the EDPS’ view that “a pan-European data protection enforcement model is going to be a necessary step“. The fifth anniversary of the GDPR is a good opportunity to draw attention to a structural revision of the GDPR enforcement mechanism.