BEERG Newsletter - BEERG Comment: Has GDPR just become a way to penalise business?

This is the commentary referenced in last week’s BEERG Newsletter:  

Is the purpose of the General Data Protection Regulation (GDPR) to create a legal framework to ensure that the personal data of EU citizens is properly protected or is it a mechanism to find ways to sue multinational companies, particularly US companies, for multimillion amounts of euros? 

You’d be hard pressed to know. 

When the GDPR was first mooted, the person in charge of introducing it, Commission Vice President, Vivien Reding, said that one of the main benefits of the Regulation, if not the main one, would be the “one stop shop” concept. The Commission believed that rather than having to deal with twenty seven national data protection authorities businesses would only have to deal with one, that of the country in which they were headquartered. The data protection authorities in the home country would liaise with those in other countries, but a business would only have to deal with one authority. 

Commissioner Reding often claimed that GDPR would save European business: €2.3 billion by “drastically cutting red tape” via a “one stop shop for businesses.”  We in BEERG showed at the time that GDPR’s treatment of employee data would increase costs by at least €3.3Bn, as all employers, large or small, must process employee data and the main database that most companies operate is their employee database.

As the Commission outlined at the start. coordinating GDPR across the EU would be the European Data Protection Board (EDPB). But GDPR limited its role to facilitating dialogue between national authorities and exchanges of information. It was not there to tell national authorities what to do…. or it was not supposed to. But like all such bodies, it developed a likening for “mission creep” and “over reach” and began to see itself as the “Uber” data protection authority in Europe. (See Jan 2022 BEERG article on GDPR overreach)

Ireland is the stone in the EDPB’s shoe. Ireland is the European home to many of the American social media and tech giants, Google, Facebook, Twitter and so on. These companies have become the bêtes noire of the data activists and the privacy crusaders. And they think that the Irish authorities are too pragmatic and too slow in dealing with complaints. The activists want these companies to be fined early and fined often. If Ireland won’t do it, then dismantle the one stop shop and centralise things at the European level. 

The fact that the Irish Data Protection Commission is taking the EDPB before the ECJ/CJEU for alleged overreach (as we discussed HERE) does highlight the extent to which many of the protagonists have lost sight of the supposed intention of GDPR to protect personal data. It is also a reminder that any new rules meant to target one sector will disproportionally impact all businesses, large and small.    

Back in early 2021, in this BEERG Newsletter, we warned of a: 

“…a creeping attempt by member state data protection authorities across the EU to unpick Ms Reding’s one big blanket approach and return to the loose patchwork quilt which she rightly criticised as inefficient and costly”.

This creep continued into 2022 with BEUC, the Brussels based umbrella group for 46 national consumer organisations across Europe telling the European Parliament’s Civil Liberties and Home Affairs (LIBE) Committee Public Hearing on "GDPR implementation, enforcement and lessons learned" that the GDPR’s one-stop-shop mechanism was not flexible enough. BEUC called for reforms to the GDPR which it claimed would (a) improve handling of cross border complaints (b) allow more assistance from the national DPA for data subjects and (c) permit more protection by design. 

It seems that this is what European Commission now proposes to do. This blog post from the law firm Covington explains what the Commission is planning to do. It will shortly table a draft Regulation to give effect to its proposals.

The Regulation will need to be approved by the Parliament and the Council of Ministers. National governments will need to pay closer attention to what is happening. They may soon find that power to regulate data issues has slipped from their control and passed to the big tech obsessed Brussels privacy activists… and that its European businesses, large and small, who must pay the price.   

...

MEANWHILE – on Feb 28th the EDPB published its commentary on the EU-U.S. Data Privacy Framework, saying that it welcomed the improvements made under the new arrangement but that it had several concerns and was requesting clarification from the EU Commission. 

The areas which it wishes to have clarified relate to certain rights of data subjects, onward transfers, the scope of exemptions, temporary bulk collection of data and the practical functioning of the redress mechanism. Not a short list. Put simply, the EDPB’s “welcome” for the framework is very guarded and quite conditional, saying that it would like to see the adoption of an adequacy decision being: 

“…conditional upon the adoption of updated policies and procedures to implement Executive Order 14086 by all U.S. intelligence agencies. The EDPB recommends the Commission to assess these updated policies and procedures and share its assessment with the EDPB.” 

More EDPB overreach?