Just before the summer, around EU’s General Data Protection Regulation’s (“GDPR”) birthday, it is usually a time to reflect at the past year and assess the functionality of the GDPR. Now that our beloved regulation has been applicable law for over 3 years, the discussion has shifted from the general interpretation and functionality of data protection obligations to efficient and harmonised enforcement of the GDPR across the EU. How are the data protection authorities handling the current situation?
At the time of the GDPR’s entry into force, much was made of article 83 of the regulation which empowers data protection authorities to impose administrative fines. Multiple businesses providing GDPR-related advisory services used this heavily as a selling point. So far, we have not (yet) seen any fines come even close to 4% of a company’s annual turnover – the maximum amount permitted in the GDPR’s enforcement provisions. However, we have seen that the supervision and enforcement practices of data protection authorities differ among themselves considerably, and that there is increasing pressure on the national authorities to get visible results and more robust supervisory mechanisms in place.
The European Court of Justice’s (ECJ) judgement of 15 June 2021 in case C-645/19 Facebook Ireland & Others highlighted this push for more efficient enforcement by establishing a national authority’s right to take a company to court in their own country – even when not the Lead Authority in the meaning of the GDPR’s One-Stop-Shop rule.
A comparison of the decision-making practices of different EU Member States’ data protection authorities reveals that there are significant inconsistencies among the enforcement practices of different national data protection authorities. There is substantial variation in the amounts and even in the legal basis of the sanctions. For example, the four fines issued in the UK come to a total of about 44 million euros, whereas the 79 fines imposed in Italy are altogether about 76 million euros.
The consistency mechanism also has its hiccups
When a company is established or the data processing takes place in more than one member state, the competent data protection authority will be wherever the group of companies is headquartered. This so-called One-Stop-Shop mechanism is one of the GDPR’s safeguards to ensure that supervisory authorities cooperate with each other. The supervisory authority’s unwillingness to take measures against a company or a mere lack of resources will result in an unstable practice and might cause a distorted competitive landscape. The uneven application of the GDPR’s enforcement mechanism can have a substantial impact on multinational companies, as there can be differences in the actions of supervisory authorities when interpreting the mechanism.
This raises the question of the GDPR’s functionality. This challenge to the One-Stop-Shop has also been noticed in practice and, in response, also in case law. The ECJ’s recent judgement mentioned above softens the interpretation of the One-Stop-Shop mechanism and extends the powers of data protection authorities in relation to multinational companies and cross-border cases. This ruling will preserve the effectiveness of national supervisory authorities’ cooperation and most likely increase the number of cases raised by authorities. A coherent enforcement ecosystem with consistent application is crucial for the protection of natural persons with regard to the processing of personal data and for the free movement of data and capital in the EU. Secondly, the unpredictability of the current operating environment hampers companies and other entities in pursuing GDPR compliance.