The EU’s trilogue negotiations for a Procedural Regulation that should harmonise and accelerate enforcement of the General Data Protection Regulation (GDPR) will probably have the last meeting this Wednesday (21 May). However, the proposal risks undermining the GDPR's enforcement by introducing excessively long deadlines and overly complex procedures. Despite having a Green Party lead negotiator for the European Parliament, the proposal also structurally discriminates user and gives preferential treatment to Big Tech, while consistently giving up the Parliament's positions. The proposed Regulation not only threatens to paralyse enforcement but may also constitute a violation of core elements of the Right to a Fair Procedure and Good Administration. Consequently, noyb is reviewing the options to bringing an annulment procedure if the Regulation passes in its current form.
- Comparison of Commission proposal and Parliament and Council amendments
- Background article including overview of proposed procedural steps after the first trilogue negotiations
Deadlines first hit in 2030. One of the big promises of the new GDPR procedural regulation was to speed up procedures. However, the regulation is not just extremely complicated, but may also lead to longer procedures. While the European Parliament originally foresaw overall deadlines of as little as 3 months, the agreed deadlines for just some steps of the procedure (planning phase, right to be heard and decision phase) already amount to more than one year. The negotiators still have to decide about the duration for the main part of the procedure: the investigation. This means we likely end up with deadlines of more than two years. Furthermore, the regulation itself is extremely delayed, as the transition period is set to 33 months from publication of the regulation - so some time around 2028. If all of this is added up, it is likely that the first GDPR case that may be running into a deadline would be around 2030.
Max Schrems: "As far as we have heard, there is no final agreement on deadlines. However, the deadlines that are already agreed amount to 7 months just to plan a GDPR procedure and 4 months to issue a decision. Considering that there also needs to be an investigation, we likely talk about 2-3 years for a decision. The European Parliament originally asked for deadlines as short as 3 months. Many Member States have deadlines of 3 to 6 months."
At odds with EU "simplification" agenda. Instead of simplifying and streamlining procedures, the new regulation does the exact opposite: many additional steps in the procedure are added, many documents must be issued in two to three versions for different other authorities and parties. Instead of having one central digital system with all documents, the system will only hold a small number of documents, while most case files will be stored and distributed between the more then 40 EU Data Protection Authorities and must be manually exchanged. All of this will costs tens of thousands of work hours, likely amounting to millions of euros of unnecessary costs across the Member States.
Max Schrems: "This regulation adds tons of extra steps and extra paperwork to the existing procedures. Authorities and businesses will have more work with GDPR procedures - not less. This adds to compliance costs and overloaded authorities, with no benefits for users or companies. This is the exact opposite of what the EU simplification promises."
Structural discrimination of users versus companies. Overall, the regulation also structurally discriminates users. In countless little differences, the regulation makes it much easier for companies to defend their interests than for users to defend their right to data protection. For example: companies can get all documents locally with their lead authority, users have to get the documents delivered from abroad, without any realistic way to even find out that documents exist or take action if documents are not provided. Companies have a "right to be heard" while users only get an "opportunity to make their views known". While companies can (in certain jurisdictions) have a right to an oral hearing, where they can argue with an authority, users only have the option to send a written statement. Many elements of the procedure are governed by the law of the Member State where the company resides - not where the user is based.
Max Schrems: "The entire regulation is tilted against users. In almost every article, companies are preferred and users are discriminated. There is absolutely no 'equality of arms' in this procedure. While EU law usually protects the weaker party, this regulation discriminates against weaker party."
EP "sold out" to Commission and Council. While the draft by the Commission was largely criticised by many sides, the European Parliament undertook a substanical redrafting exercise. While not perfect, the core structural problems of the Commission proposal had been remedied by the Parliament. However, in the negotiations between the Commission, the EU Member States and the Parliament, the Parliament basically gave up almost all of these positions. Almost all provisions concerning the rights of users, short deadlines or transparent procedures were eliminated. Any option to realistically enforce the new rules against Data Protection Authorities that do not comply were sacked.
Max Schrems: "The European Parliament has totally sold out on its core positions. There are just tiny traces left of their original version. This is extremely odd, considering that the Parliament's lead negotiator is a member of the Pirate Party and a member of the Green Group - allegedly fierce fighters for users' rights. During the negotiations in the last months, we got the general feeling that no one cared for this file. The result is absolutely reflective of that."
noyb considers annulment procedures. EU law must comply with basic principles enshrined in the EU Charter of Fundamental Rights. Among them are the right to good administration (Article 41), the right to a fair procedure in a reasonable time (Article 47) or the equal treatment under the law (Article 20). Furthermore, the EU must also ensure that the Fundamental Right to Data Protection in Article 8 of the Charter can be effectively enforced by users. The new regulation seems to structurally violate these requirements. Anyone directly affected can hence bring a so-called annulment procedure at the EU courts to get the regulation declared void - either as a whole, or in large parts. noyb is now reviewing options to bring such challenges.
Max Schrems: "The regulation is so structurally flawed, that the Court of Justice may have to annul it. The current draft likely violates the Charter in multiple ways on access to evidence, fairness, equality of arms and a timely decision. In theory, the regulation could be annulled before it becomes applicable."
