The European Commission has proposed surgical changes to the bloc’s landmark data privacy law.
The law, known as the General Data Protection Regulation (GDPR), redefines the meaning of privacy in the 21st century and gives Europeans the right to decide who has access to their personal data, calls for reform Make and file legal complaints.
It has also established in law the now famous “right to be forgotten”, which citizens can invoke to permanently remove their data from a company’s register.
But five years after its implementation, the legacy of the GDPR is far from spotless.
Government bodies, the private sector, privacy advocates and civil society organizations have raised concerns about how the law is being implemented, including the high fees required to file a case, varying procedures and solutions between member states. long waiting periods are involved.
Another long-standing point of contention is the relationship between each member state’s data protection authorities (DPAs).
European Justice Commissioner Didier Randers said on Tuesday, “In five years we can count more than 711 final decisions taken by data protection authorities. This clearly shows that the GDPR is well implemented. But we Can do better.”
Under the GDPR, enforcement falls under the jurisdiction of the country in which the company has established its European headquarters. Most of the GDPR cases have a nationwide dimension and involve only a single DPA.
However, in some cases, the nature of the breach is transboundary and multiple authorities are called upon to consider it. This cooperation has often proved fraught and complicated, causing delays and damages to the litigant side.
Particular attention has been given to the Irish DPA, which has to deal with the most high-profile cases given the abundance of large tech companies in Ireland.
Earlier this year, a disagreement between the Irish DPA and other national authorities led to the intervention of the European Data Protection Board (EDPB) in a case against Meta, resulting in record breaking penalty Value €1.2 billion.
To address these continuing tensions, the European Commission has put forward a regulation that introduces targeted improvements to the GDPR’s procedural rules with a focus on cross-border litigation.
The proposed obligations would compel the leading DPA to involve officials from other relevant countries in the early stages of the process to collectively discuss the essence of the case, including its legal scope, potential violations, collection of evidence and technical assessment.
The commission says that this communication line will facilitate consensus and help resolve disputes before they spiral out of control. The new rules will harmonize requirements for the admissibility of cross-border cases and guarantee that citizens are treated equally in all member states, regardless of their nationality.
In other words, work closer to work better.
“What we are trying to do here is to better implement the GDPR through common rules in cross-border cases, to harmonize different rules at the national level and to make sure that reacting before now Possible because now, sometimes, it takes too long to organize the process until the final decision,” Randers said.
The commissioner rejected calls for a complete revision of the law, arguing that the time was not appropriate to hold such talks between EU co-legislators, and defended the country-of-origin principle, which gives citizens direct Allows to contact DPA in their native language.
The GDPR is a “very young child”, said Reynders. “It’s been five years and we have to continue to see how the best we can do is to implement the GDPR.”
“At the moment we don’t want to reopen Pandora’s box,” he said.
But it may be a matter of time until Brussels realizes that the GDPR needs a centralized entity on top of a national DPA to effectively hold Big Tech accountable, the Center on Regulation in Europe says Alexandre de Streil, director of the digital research programme. (Sere).
“This reform is a step in the right direction, but it probably won’t be enough,” De Streel told Euronews in an interview. “For Big Tech – companies that are present globally – you need a European regulator. It cannot be just the country of origin acting for all Europeans.”
De Streel said, the failures of GDPR enforcement had a clear impact on the regulation that came after 2018, such as the Digital Services Act (DSA) and the Digital Markets Act (DMA), both of which give final authority to the European Commission. Supervisor role.
The academic said the emergence of AI-powered chatbots, which are trained with vast amounts of data to learn new tasks on their own, further reinforces the need for a comprehensive change.
Referring to giants such as Meta, Apple, De Streel said, “The country of origin principle was created for small companies that wanted to grow in the international market, not for companies that have already grown. It There is a great misunderstanding.” Amazon, Google and TikTok, whose market value is much higher than the GDP of Ireland.
Sorry Comments are closed