The European Union’s plan to reform its General Data Protection Regulation (GDPR) Procedural Regulation are drawing criticism from privacy advocates. They warn that the reform is aimed at improving cross-border cooperation between data protection authorities (DPAs). However, it could actually create more complications in the system.
What’s the Issue?
Introduced in 2018, the GDPR was designed to give citizens control over how their personal data is used. However, When a complaint is made against a company based in another EU or EEA country, it must go through a lengthy cooperation process. This process involves coordination between the DPA in the complainant’s country and the authority in the company’s home country.
This cross-border system is often slow and unclear. The complaints can take years to resolve. There’s no clear way to hold national authorities accountable if they fail to act. Critics argue this has led to inconsistent enforcement of the GDPR across the EU.
What Is the European Commission Proposing?
To address these issues, the European Commission proposed a new regulation in 2023. It was aimed at harmonizing procedural rules and speeding up decision-making. However, noyb, a privacy advocacy organization, has raised concerns that trilogue negotiations between the Commission, the European Parliament, and the Council have led to a “legislative mess” that could make things even more complicated.
The regulation was supposed to fix inconsistencies between member states, such as how evidence is shared and how hearings are conducted. It also aimed to address how decisions are made across different countries. However, noyb says that the current draft would create as many as ten different types of GDPR procedures, adding unnecessary complexity.
What Do the Experts Say?
Max Schrems, lawyer and founder of noyb, expressed frustration with the current proposal. He said,
“We initially very much supported having clear procedural rules. But this proposal risks becoming the biggest legislative mess I have seen in a long time.”
The organization argues that the new draft law doesn’t address the real problems in cross-border enforcement. Instead, it introduces more complicated paths for handling cases, which could delay decisions even further. Many cases, according to Schrems, already take several years to resolve.
Privacy Advocates Push for Improvements
Noyb and other privacy advocates, including EDRi, are pushing for reforms that protect the right to be heard during the process and ensure that citizens can appeal decisions. They also want to streamline the process since DPAs have varying procedures in different countries, making it difficult for people to access documents or get clear answers.
Noyb argued that the European Commission should have conducted a proper impact assessment before introducing the proposal. They also criticized the Council for rushing to reach its position. Additionally, MEPs were criticized for not being ambitious enough in their approach.
The European Parliament’s Response
MEP Markéta Gregorová, a negotiator on the issue, assured privacy advocates that the European Parliament’s focus was not on weakening the regulation but on creating a fair and functional process. Gregorová said,
“I want to reassure them again: our focus is not on weakening the text, but on delivering a fair and functional process that works for people, authorities, and businesses alike.”
She added that Parliament is committed to ensuring timely decisions, effective remedies, and a stronger voice for all parties, especially the complainants.
What’s Next?
Despite the ongoing discussions, Max Schrems remains skeptical about the proposed changes. He warned,
“This law will not solve problems – but generate more disputes.”
The issue is still under trilogue negotiations between the European Parliament, the Council, and the European Commission, with the next round scheduled for 21 May.
Also Read: EU Plans to Cut Back GDPR Rules to Help Businesses