Three key members of the European Commission believe the EU’s best-in-class privacy rules should be enhanced by targeting aspects of data privacy through other laws rather than overhauling the General Data Protection Regulation (GDPR) itself.
In a keynote speech at last week’s European Data Protection Supervisor conference on the future of data protection and enforcement, EU Justice Commissioner Didier Reynders accepted procedures—such as the turnaround of enforcement decisions, especially those of cross-border/Big Tech cases—needed to improve.
However, he added, “Any possible discussion on ‘improving’ enforcement should not be presented as a ‘crisis of enforcement of the GDPR’ or as a reason to scratch completely the system.”
Reynders said reviewing the GDPR might “trigger other requests with completely different objectives” that “may not be effective for citizens.” Rather, he said, looking at ways to improve the system of regulation and enforcement should be the priority.
In his view, “We should first make sure to use all the avenues already existing in the GDPR to strengthen cooperation among DPAs (data protection authorities) and enforcement of the GDPR,” with the European Data Protection Board playing a more active role.
And even though the European Commission does not have direct enforcement powers to oversee the GDPR as it will under the Digital Services Act and the Digital Markets Act, Reynders warned there might be other areas where it could seek to boost GDPR enforcement.
“[W]e are looking closely at the concrete implementation [of the GDPR], and we do not hesitate to intervene when needed,” he said. “We are assessing the possible challenges in enforcing the legislation and how these challenges are or could be addressed.
“The credibility of enforcement lies not only in adopting decisions but also in adopting robust decisions that can stand the courts’ scrutiny.”
In her keynote speech, European Commission Vice-President Věra Jourová said “targeted improvements” to the GDPR would be the best option going forward, including getting DPAs to discuss how they can come up with solutions to improve cooperation and speed up the processing of cross-border cases that are slowed down due to national procedural laws.
“We are at crunch time now over whether enforcement under the GDPR is fit for purpose,” she said.
Many believe the European Commission’s incoming legislation—the Digital Markets Act, the Digital Services Act, the Data Governance Act, and the Data Act—aims to tackle the abuses data-driven businesses are committing when they collect, share, sell, and monetize personal data. These activities might more easily fall under consumer and competition abuses rather than privacy violations.
In her speech addressing the interplay between data protection and competition, European Commission Executive Vice-President Margrethe Vestager said enforcing the new competition rules will need to involve closer cooperation with DPAs.
“[I]t’s important that we maintain our dialogue with data protection agencies when data plays an important part of the competition assessment, as we have done in the past,” she said.