
National data protection authorities should see easier cooperation in cross-border privacy cases under updated rules that were rubber-stamped by the EU institutions on Monday evening.
The European Commission planned to fix shortcomings in the General Data Protection Regulation (GDPR) – which entered into force in 2018 – by introducing an update in 2023 that was aimed at accelerating decisions and harmonizing procedural rules.
Under the GDPR, national regulators must transfer cases to watchdogs based in other member states when the company is headquartered in another country. But this cross-border system has been panned by privacy advocates as complaints can take years to resolve.
In Monday’s trilogue – the inter-institutional negotiations between the Commission, the European Parliament and the member states – the parties agreed on a mechanism to resolve complaints more swiftly through measures to facilitate consensus-building.
In addition, the rules introduce a 15-month deadline within which an investigation must be completed. It can be extended by 12 months in the most complex cases.
Poland’s Minister for Digital Affairs, Krzysztof Gawkowski, called the deal “a big step towards improving cooperation” between the data protection authorities.
Agustín Reyna, Director General of consumer group BEUC, said in a response that “the agreement marks some progress for those like us, who have been frustrated to see the GDPR’s enforcement as its Achilles heel.”
Reyna added that it is “important given the power of multinationals and the snail pace of GDPR enforcement for the last years.”
NOYB's Max Schrems, a privacy lawyer and activist, told Euronews that while there are some benefits, like deadlines, "the overall result will be less rights and less enforcement for citizens."
"This law is a disgrace as it allows authorities to even enforce less and cut out citizens from procedures about their own rights. The procedure is also needlessly complex and will generate much more work for authorities," he said, adding that this may be subject to annulment by the Courts, because "it ignores basic procedural principles and logic."
The provisional agreement will need a formal confirmation by the member states and the Parliament.
Last month, the Commission presented a simplification package to offer relief to small mid-cap companies burdened by the current scope of the GDPR.
Currently, companies with fewer than 250 employees are exempt from the data privacy rules to reduce their administrative costs. The Commission now proposes to extend this derogation to the so-called small mid-cap companies of up to 500 staff members.