Challenges in Transnational GDPR Enforcement and Effective Measures

TRANSNATIONAL GDPR ENFORCEMENT: STILL DEFICIENT-BY-DESIGN? CIPIL Spring Conference 22 March 2024 Dr Orla Lynskey, LSE Law School (o.lynskey@lse.ac.uk)

Problems stemming from EU composite administrative procedures Lack of consensus concerning the meaning of effective enforcement

Diagonal multi-jurisdictional composite procedure: COMPLEX ADMINISTRATIVE CONSTELLATIONS The legislative creation of such complex procedural constructs can only be explained by a lack of awareness of requirements of protection of individual rights and supervisory necessities on the legislature s part. Hoffmann

Procedural Ambiguities and Divergences Without delay Draft decision EU Procedures National Procedures Standing Right to be heard Art 11 Access to file Art 19 and 20 Procedural Fairness Exclusion of complainants from LSA, NSA and EDPB Procedures

Outsized role of the LSA: decisive control over scoping of investigation and corrective measures Lack of Equality between NSAs The Burden of relevant and reasoned objections Lack of equality presents legitimacy and representation issues

Introduction of Summary of Key Issues with capacity for NSAs to intervene through cooperation procedures or procedures Arts 9 and 10 emergency Procedural Regulation Preliminary draft decision: requirement to list all elements to be taken into consideration when calculating the fine Article 14 findings prior to

WHAT IS EFFECTIVE ENFORCEMENT? Whilst the volume of work being completed by the office is ever-intensifying, what has remained elusive in 2021 is any agreed standard by which to measure the impacts and success or otherwise of a regulatory intervention in the form of GDPR that applies to literally everything . DPC, Foreword to Annual Report, 2021

SELECTIVE ENFORCEMENT AND INDIVIDUAL RIGHTS Selective to be effective : The DPC will apply a risk-based regulatory approach to its work, so that its resources are always prioritised on the basis of delivering the greatest benefit to the maximum number of people . (2021 Report, p16). DPAs are free to set their own agenda, but with one limitation which is their obligation to handle complaints (Hijmans) Each authority is required to exercise its responsibility for ensuring that the GDPR is fully enforced with all due diligence . Schrems II, para 112.

THE FULL RANGE OF REMEDIES The supervisory authorities primary responsibility is to monitor the application of the GDPR and to ensure its enforcement Schrems II, paras 108 - Engagement - Amicable resolution - Administrative sanctions: Recital 148 and Article 83(1) GDPR clearly establish a presumption that the DPA will issue effective, proportionate and dissuasive fines or at least take formal corrective action once cognisant of a significant infringement of data protection law . (Erdos, 452). - Remedies that directly target business models

Factors to take into consideration when assessing the extent appropriate to investigate a complaint (Article 4) Procedural Regulation Amicable settlement can be used where agreed by the complainant (Article 5)

Future Perspectives Future Perspectives If complaints and compliance are increasingly automated, should enforcement also take a technological turn? As data protection is a form of mixed-economy regulation, how do you spur as much compliance as possible and how should effectiveness be measured? What explains the reluctance of regulators to use behavioural remedies? Is it desirable to maintain the principle of national procedural autonomy?