BEERG Newsletter - GDPR: Application overreach becoming mission creep?

Derek Mooney writes: This week Andrea Jelinek, Chair of the European Data Protection Board (EDPB), and Wojciech Wiewiórowski, European Data Protection Supervisor (EDPS), wrote an Open Letter to the European Parliament and the European Council, calling on the EU Commission to increase its funding, saying: 

“We are deeply concerned that the 2023 budget, if not substantially increased, will be significantly too small to allow the EDPB and the EDPS to fulfil their tasks appropriately.” 

The EDPB’s Andrea Jelinek added: 

“The EDPB plays an essential role in the implementation of the General Data Protection Regulation (GDPR). There are high expectations regarding the GDPR’s success in reining in data protection abuses, especially by large tech companies. However, the EDPB Secretariat is currently understaffed and at risk of no longer being able to fulfil its legal duties at the service of the EDPB and of the GDPR. Should this happen, the enforcement of individuals’ data protection rights would be weakened and the credibility of the GDPR undermined.”

Their call for extra funding does beg the question: what tasks do they fulfil? It is a question with which BEERG has long wrestled. It was one of the 8 key issues to watch in our 2022 Preview. In that preview we highlighted the growing concerns about the “application overreach” of GDPR, particularly via activist data privacy watchdogs. 

It was also a point made by the European Court of Justice Advocate General Michal Bobek in the course of an opinion, when he warned:

I suspect that either the Court, or for that matter the EU legislature, might be obliged to revisit the scope of the GDPR one day. The current approach is gradually transforming the GDPR into one of the most de facto disregarded legislative frameworks under EU law. That state of affairs is not necessarily intentional. It is rather the natural by-product of the GDPR’s application overreach, which in turn leads to a number of individuals being simply in blissful ignorance of the fact that their activities are also subject to the GDPR.

BEERG has long made the case that not every GDPR breach should constitute an offence… shouldn’t the authorities be required to show that the breach resulted from deliberate misconduct before fines are imposed?  

Yet it seems that the EDPB, in addition to complaining about its 2023 budget, is also preparing proposals it intends to present to the EU Commission later in the year suggesting further changes to the procedural aspects of GDPR enforcement. The EDPB recently held discussions with several high-profile privacy activist groups, including noyb, Access Now and Panoptykon. In April the EDPB adopted a new statement on enforcement cooperation: HERE. In that statement it undertook to 

“…identify a list of procedural aspects that could be further harmonised in EU law to maximise the positive impact of GDPR cooperation. Harmonised horizontal provisions in administrative procedural law could bridge differences in the DPAs’ conduct of (cross-border) proceedings to increase efficiency. The EDPB will also collect best practices as regards the interpretation of national procedural law in a way that ensures a more effective application of the GDPR.”

For far too many people “a more effective application of the GDPR” has been confused for “bigger fines for business” however, in the real world, the world of complex rules and increased cyber-attacks and cyber criminality, bigger fines do not equate to better enforcement… quite the opposite.