05 August 2024
The EU Commission launched its second (four yearly) evaluation report on the General Data Protection Regulation (“GDPR”) on 25 July. Ahead of its second evaluation[1], the EU Commission requested the EU Agency for Fundamental Rights (“FRA”) to report on the challenges, experience and practices identified by Data Protection Authorities (“DPAs”) when implementing the GDPR.
FRA Report
The FRA’s Report[2] is based on responses to a questionnaire based around DPA tasks as listed in Article 57 GDPR.
The questionnaire covered nine areas:
1. Institutional capacity of DPAs | 2. Modern technological challenges | 3. Independence of DPAs |
4. Raising public awareness | 5. Investigatory powers of DPAs | 6. Sanctioning GDPR violations |
7. Cooperation between EU DPAs and the GDPR consistency mechanism | 8. Cooperation with other national regulators | 9. Protection of personal data and competing fundamental rights |
Financial Challenges
A large majority of DPA interviewees emphasised that inadequate financial and human resources are a major obstacle to DPA’s independence and to carrying out the tasks mandated by the GDPR. (FRA Report at pp. 5-7, see GDPR recitals 120, 121 and Articles 52 and 57.)
Dealing with complaints under GDPR
The volume of complaints has become a challenge, even where DPAs have developed practices such as prioritisation, grouping, templates, automation or standard replies, to deal with them more efficiently. The FRA suggests DPAs could exchange information about best practices and the European Data Protection Board (“EDPB”) could offer guidance on implementing criteria and safeguards to ensure each complaint is properly addressed. (FRA Report at pp. 8-9 and FRA Opinion 3 at p.9.)
Using mediation to solve data protection disputes
Belgian law establishes the option of settling data protection complaints through mediation. In 2022, the Belgian DPA (“APD/GBA”) received 177 requests for mediation and handled (and closed) 139 mediation cases. Mediation requests related mainly to data protection issues that concern commercial practices, including – direct marketing; cameras and image processing; as well as data protection in the sphere of professional services.
Amicable settlements | A useful tool for resolving data protection disputes?
Article 5 of the proposal for a procedural regulation enhancing enforcement of the GDPR introduces the option of resolving complaints through amicable settlements. However, a joint opinion of the EDPB and the European Data Protection Supervisor raised doubts that the suggested provisions were clear and comprehensive enough. (FRA Report at p.39 and EDPB – EDPS joint opinion 01/2023 of 19 September 2023[3].)
The European Parliament has subsequently suggested clarifications to the rules governing amicable settlements in its negotiating position on the proposed regulation.[4]
[1] An interim report was made in 2020, two years after GDPR entered into effect
[2] GDPR in practice – Experiences of data protection authorities, 11 June 2024, available here.
[3] EDPB-EDPS Joint Opinion 01/2023, available here. The European Parliament suggested clarifications to the rules regarding amicable settlements in its negotiating position regarding the proposed regulation,.
[4] See the EP Press Release here.
Share us!