Today I was invited to take part in a hearing in the European Parliament's LIBE Committee, that is, the "Committee on Civil Liberties, Justice and Home Affairs". The topic of the hearing was the enforcement of the GDPR, where we at Datatilsynet (the Norwegian Data Protection Authority) believe there is room for improvement. Below is the statement I gave. A recording of the event is also available here (multimedia.europarl.europa.eu).
Mr Chair, Members of the LIBE Committee, thank you for the invitation and for the opportunity to share our experiences.
Looking back on the last four years, I believe that we as Data Protection Authorities have come a long way. Adapting to the GDPR has been a learning process for everyone, ourselves included. It appears that more and more enforcement action is being carried out across Europe, and the level of maturity amongst data controllers is ever increasing.
However, the previous four years have also shown that there are enforcement challenges, and these need to be discussed candidly.
Data Protection Authorities lacking sufficient resources is a particularly significant hurdle, and this makes sensible prioritisation difficult. At the Norwegian Data Protection Authority, we aim to focus our efforts towards big, impactful cases. However, we are also mindful of our duty to handle all of the complaints we receive with all due diligence and within a reasonable time. With the current resource situation, we find that it is difficult to achieve both of these goals simultaneously. We constantly work on finding a fair balance between the two that will provide effective protection and vindication of data subjects’ fundamental rights.
Lack of resources also manifests itself in the One-Stop-Shop mechanism, where Data Protection Authorities depend on each other to handle cases. If just one Data Protection Authority lacks resources, it can quickly have EU-wide consequences. It should also be noted that the EDPB Secretariat offers invaluable support to Data Protection Authorities, and so their resource situation is essential as well.
Fragmentation of enforcement competence is another issue. For example, in Norway, we in the Data Protection Authority are not competent to enforce the ePrivacy rules. This prevents us from approaching data protection issues in a holistic manner, while data subjects and data controllers may need to correspond with two or even three Norwegian authorities in order to resolve an issue. We are concerned that the upcoming AI Act may lead to further fragmentation if Data Protection Authorities are not designated as the national supervisory authorities under that framework. We hope that this will be contemplated by the legislators.
Another point is that national enforcement cannot be carried out in isolation. At the national level, we see many data controllers that exceed industry standards and that invest in innovations leading to a higher level of data protection. However, these controllers struggle to compete with big, international technology companies that base their business models on intrusive tracking and profiling practices. The big tech companies generally have their main establishment in another EEA Member State, meaning that another Data Protection Authority than ourselves is the lead supervisory authority. Enforcing the GDPR strictly against the national controllers without being able to hold the big technology companies to the same standard will effectively deter any attempt at data protection friendly innovation.
Of course, this brings us to the interplay between national enforcement and the One-Stop-Shop mechanism. While I do not want to pre-empt the next panel which is dedicated to that topic, it is difficult to avoid saying a few words about how this mechanism works in practice from the perspective of a Data Protection Authority due to its impact on our national enforcement.
In our experience, as many of the practical issues of the One-Stop-Shop mechanism have gradually been resolved, it now works very well for the majority of cases. It is a good tool for sharing our views and assisting each other, and new final decisions are issued regularly.
However, we believe that the One-Stop-Shop may not always work well for those cases where all, or almost all, Data Protection Authorities across the EEA are concerned supervisory authorities. The biggest controllers tend to flock to the same jurisdictions, meaning that just a handful of Data Protection Authorities are responsible for all the biggest cases. Consequently, the enforcement burden is very unevenly shared, which we believe is unfair and unfeasible given the varying resource restraints faced by Data Protection Authorities.
More worrisome, for cross-border cases with effects across Europe, the extent of enforcement will hinge on how a lead supervisory authority uses its discretionary power to scope its own investigations. Furthermore, the national procedural rules in the jurisdiction of the lead supervisory authority will determine how smoothly and timely an EU-wide case is resolved. We are cognisant that both of these factors have caused concern in the data protection community.
Therefore, we would argue that for cross-border cases concerning, let’s say, two thirds or more of the EEA Member States, there may be scope to explore if other enforcement models would be more fit for purpose, for example models entailing more rotation and burden sharing, or entrusting a more direct enforcement role to the EDPB in some cases. In this regard, we have noted that a number of the biggest cases end up going to the EDPB for dispute resolution under Article 65 anyway, and that the EDPB successfully resolves these cases effectively within the applicable legal deadlines. Additionally, as a matter of EEA law, the EDPB has the advantage that its legal authority encompasses the three EEA EFTA States Norway, Iceland and Liechtenstein. A more active role for the EDPB may therefore be a feasible alternative.
In sum: Resources, fragmentation of enforcement competence, and the functioning of the One-Stop-Shop mechanism for EU-wide cases pose the greatest challenges for effective enforcement. Fortunately, these are issues to which solutions can be found.
Thank you for your attention.