Brussels, 16 June 2022
Ladies and Gentlemen,
It is a pleasure to be with you today and I would like to thank the EDPS, Wojciech, and his team for providing us all with a platform to discuss how to ensure a strong enforcement of data protection rules.
Often, I have to address an audience – law enforcement and security authorities, industry associations – who thinks that we have gone too far with EU data protection rules. I need, then, to argue and convince them of the need for strong data protection rules and a strong enforcement of these rules.
Listening to different point of views is enriching and I am open to consider improvements where needed.
I am also happy to inform you that I very often managed to convince my interlocutors of the benefits of strong personal data protection rules for individuals first, but also for companies and society in general.
Today the exchange is different. We all share the same goal: how to ensure a strong protection of fundamental rights of EU citizens. The question for today is rather: what can we do more? What can we do better?
Before embarking on this discussion, it is helpful to recall the reasons why the legislators designed the current GDPR enforcement model.
The legislator had in mind three main considerations when developing the current system:
First, preserve the principle of proximity. It was considered very important that individuals have the possibility to address their domestic Data Protection Authority. It was felt that citizens would benefit from the possibility to exchange and interface with an authority that shares the same culture and the same language.
This is certainly important for national and local cases, but also for cross-border cases. Cross-border cases all start with a complaint by a citizen or an organisation in a Member State. It is important that citizens can communicate easily with this authority at the beginning of the investigation, but also follow, through this authority, the various steps of the process.
The second consideration was to ensure the functioning of the single market by using the “home country control” principle. This principle guarantees uniform enforcement of rights across the Union to citizens. At the same time, it delivers the benefits of a one stop shop to the companies. This same mechanism is used in other fields of EU law.
Of course, enforcement based on the “home country control principle” is a shared responsibility for all the authorities taking part to the system. This is so for the “lead authority” as well as for the other concerned authorities.
Third, by creating the European Data Protection Board, the legislator wanted to strengthen cooperation among the national authorities. Such cooperation is essential to ensure consistent interpretation and application of the law across the Union. This is important for citizens who should have the same level of protection across the Union.
The legislators aimed at developing a truly European data protection culture.
This system also allows for the involvement of all concerned Data Protection Authorities in the final decision-making process on cross border matters.
The EDPB and the cooperation and consistency mechanism inject an important European dimension in the system. This EU dimension is not an “external” element, it is not a top-down exercise.
The European dimension is the result of the Data Protection authorities working together. It should be an integral part of their work from the investigation stage to the final decision.
All legislations are tested on the ground.
As Commission, we are looking closely at the concrete implementation and we do not hesitate to intervene when needed. We are assessing the possible challenges in enforcing the legislation and how these challenges are or could be addressed.
The effectiveness of the GDPR enforcement should be measured in terms of benefits delivered to the citizens. And benefits to the citizens derive often from the solution of many cases of national or local dimension that are dealt by the DPAs on a daily basis.
However, the number of cross-border cases, those that attract most public attention, is significantly increasing. Some of these cases include large companies and have an impact on many citizens across the Union.
Of course, we should also acknowledge the big challenges related to the GDPR enforcement. And we did indicate some of those in our report on the 2 years of application of the GDPR.
Any possible discussion on “improving” enforcement should not be presented as a “crisis of enforcement of the GDPR” or, as a reason to scratch completely the system.
But the debate on the enforcement of the GDPR is helpful and it is the responsibility of all actors to work together to deliver the best results to citizens.
I listened and will continue to listen with a lot of interest to the views and opinions of all the experts, starting from the Data Protection Authorities and the European Data Protection Board.
Their opinion is particularly relevant as they apply the GDPR, using the One Stop Shop and the cooperation and consistency mechanism daily.
The Commission has consistently underlined the need for all Data Protection Authorities to ramp up their efforts in enforcing the GDPR. A crucial aspect of this, is the need for Data Protection Authorities to cooperate efficiently and effectively, using the tools provided in the GDPR.
Particularly in relation to cross border matters, effective cooperation between the Data Protection Authorities is the key requirement for effective enforcement.
Therefore, I welcome the series of guidelines the EDPB has developed concerning the functioning of the cooperation and consistency mechanisms.
The adopted guidelines on these issues streamlined the application of the cooperation and consistency mechanism. This is the result of over one year of intensive common work between Data Protection Authorities.
The outcome of the action against the EDPB decision in the WhatsApp case will bring greater clarity on the functioning of the cooperation and consistency mechanism.
All those who are in favor of a strong enforcement of data protection rules should welcome and support the willingness of the EDPB members to strengthen cooperation on strategic cross-border cases.
In Vienna, the EDPB members have also decided to work on a list of procedural issues which are leading to differences in Data Protection Authorities’ conduct of (cross-border) proceedings. The EDPB intends consider how it may address those differences.
I am looking forward to receiving this list of procedural issues. It will feed into my team’s reflection on how we could support the cooperation between Data Protection Authorities on cross-border cases.
I should also note that the enforcement of the GDPR sometimes touches on novel issues.
There are cases where the Regulation is being interpreted and applied for the first time to new technologies. It requires careful assessment and consideration. Clearly, in such cases, investigations and decisions by Data Protection Authorities will take more time than more routine and more simple cases.
The credibility of enforcement lies not only in adopting decisions, but also in adopting robust decisions that can stand the Courts’ scrutiny. This applies to the substantive analysis as well as to the respect of due process requirements.
Developing a truly common EU data protection culture between Data Protection Authorities is an on-going process. But it is certainly the direction we should follow.
And we should make full use of the tools the GDPR provides, such as joint investigations.
Now I am hearing calls for more “centralisation”.
I understand this to mean putting more enforcement power in the hands of one authority at EU level.
In fact, we already debated similar ideas when drafting the GDPR.
But as I was saying at the beginning, the real question is would centralisation bring concrete benefits to the citizens?
A different enforcement model has been retained more recently for the DMA and DSA.
Let me clarify, first of all, that these newly established enforcement mechanisms do not regulate the processing of personal data. They build on the GDPR.
Data Protection Authorities remain responsible for questions concerning the processing of personal data and compliance with the GDPR.
Second, based on Article 8 of the Charter, the enforcer of data protection rules must be ensured by an independent authority. Therefore the Commission could not have enforcing powers as it has in the DMA as DSA.
These legislations are also applicable to big tech companies and cross-border cases. However, the matters covered by the legislations are different.
When answering the question of what could benefit citizens most, we should consider that proximity and availability of a national authority is very important for citizens.
Let me stress that the new legislations are also important as they may indirectly benefit the protection of personal data. For example, the DMA will stimulate competition and may increase the offer of products and services. This will enable citizens to choose services offering a higher level of privacy and data protection. As we all know, citizens are asking for that more and more. Privacy became an important parameter for competition.
In addition, under all these instruments, close cooperation between supervisory authorities will be necessary.
Here, I would like to take the example of the on-going dialogue between the Consumer Protection Cooperation Network (CPC). It is bringing together national consumer authorities and Data Protection Authorities to discuss the intersection between data protection and consumer law. On 2 May, together with Ms Jelinek, I had the pleasure of taking part in the 4th joint meeting between the authorities and observed their progress.
To conclude, I think that we should, first, make sure to use all the avenues already existing in the GDPR to strengthen cooperation among DPAs and enforcement of the GDPR.
We should really strive to build this European culture for data protection. This should be a “cooperative” exercise and a shared responsibility.
In this, the EDPB may play a key role as we explained in our 2020 Report.
One could also explore the possibility for more targeted initiatives enabling more harmonisation and consistency in procedure.
Using margins and potentialities for improvements to better the system should be our priority. This is in the interest of times and effectiveness.
Opening a discussion to review the GDPR may also trigger other requests with completely different objectives. This may not be effective for citizens as it may delay progress and have some unintended consequences.
I am now appy to listen to your ideas and views.
Thank you