European Commission plan to improve GDPR enforcement will limit people’s access to justice

Today, 4 July, the European Commission has presented a new regulation aimed at strengthening enforcement of the General Data Protection Regulation (GDPR), which came into application five years ago. This flagship human rights law was intended to help people across the EU protect their data, but with regulators struggling to enforce the law, its success hangs in the balance.

To remedy this situation, Access Now had already joined partner organisations and data protection regulators in asking the European Commission to increase resources for EU national data protection authorities (DPAs) and to propose new legislation to tackle enforcement challenges. While the proposed regulation clarifies how DPAs should work together, it also places limits on how people can participate in complaints they bring to DPAs around misuse of their data.

The regulation must guarantee that people’s concerns will be heard, no matter how DPAs may decide on complaints, and that any violations of rights are resolved within clear deadlines. When it comes to ending their invasive data practices, companies are already dragging their feet. The EU must deliver on its commitment to put people back in control of their data, via legislation that empowers, not disenfranchises, them. As the Parliament and Council get ready to debate the text, they must ensure that this proposal is improved to serve people first and foremost. Estelle Massé, Europe Legislative Manager and Global Data Protection Lead at Access Now

Until now, GDPR complaints have been resolved slowly and variably across the EU. While the GDPR established a cooperation mechanism for DPAs to work together on cross-border cases, most DPAs have continued to rely on national administrative procedures to operate within this system, resulting in a fragmented and delayed application of the law. Among other measures, the regulation proposed today partly harmonises procedures for all DPAs to follow, to ensure consistency and minimise discrepancies. 

The adoption of the GDPR was a legislative success and a milestone moment for fundamental rights, in Europe and beyond. It forms the foundation for delivering on the EU’s wider digital agenda, as well as legislations such as the Digital Markets Act and the Artificial Intelligence Act. The stakes are too high to fail at the enforcement hurdle – we must ensure the GDPR delivers on its promises. Estelle Massé, Europe Legislative Manager and Global Data Protection Lead at Access Now

Access Now looks forward to contributing to debates in the months ahead, to ensure this new regulation realises the ultimate goal of the GDPR: putting people in charge and at the centre of decisions about what happens to their data.

For more information on what this new proposal should include to protect people’s rights, read Access Now’s report, Five years under the EU GDPR: Becoming an enforcement success