Procedural Challenges of Cross-border Cooperation and Consistency in Personal Data Protection in the EU

Rudolf, Grega; Kovač, Polonca

doi:10.2478/nispa-2023-0017

Abstract

Data protection is an increasingly important topic in the European administrative field at national and cross-border levels. Such a trend reflects different phenomena in contemporary society, which further leads to a more focused concern for a harmonised elaboration by the Member States despite their autonomy, in principle, regarding EU law implementation. However, as revealed by the Slovenian case in this article, the European Data Protection Board and national supervising authorities, mostly information commissioners, express the need to regulate some issues more decidedly. Interestingly, yet not surprisingly, their focus is on procedural aspects, as according to administrative science and several European Commission documents, procedure strongly influences the results. As a result, the article elaborates on the relevant procedural issues to be addressed to ensure a harmonised enforcement of the General Data Protection Regulation (GDPR) in force since 2018. Various research methods are employed, combining qualitative, normative, and comparative analyses and quantitative approaches, emphasising statistical data obtained from annual reports for 2020, 2021, and 2022. The results show a lack of procedural provisions in several aspects, including the definition of the parties to the procedure and their defence rights, particularly access to the file, to be heard, and complain, as well as one-stop-shop access to legal protection, deadlines, and investigation powers. Such gaps are expected to be covered by procedural institutions enshrined in National Administrative Procedure Acts (APA). However, as suggested by the Slovenian experience, such a solution is minimal due to differing national regulations and relatively low awareness of APA relevance in data protection even among supervising authorities. Hence, the authors argue that there is a need to develop and adopt standard EU rules to regulate such issues.

Points for Practitioners

The article refers to data protection within theoretical, normative, practical, comparative, and national dimensions. In addition to analysing statistical data regarding procedural issues of cross-collaborative application of GDPR in the Member States - primarily Slovenia - the article provides practical implications of legislative, organisational, and IT adaptations required for harmonising EU-wide enforcement of GDPR. The insights provided herein can support the development of similar solutions in other EU countries. Therefore, the research findings are relevant for practitioners from various European administrations who are in charge of implementing GDPR and, specifically, supervising its implementation, as well as for policymakers and legislators in their respective areas of data protection and administrative procedural law. The findings will also benefit the European Commission when drafting new legislation to enhance cooperation and consistency between Member States in enforcing personal data rights set by GDPR.

References

Access Now. (2022). Four years under the EU GDPR. How to fix its enforcement, https://www.accessnow.org/wp-content/uploads/2022/07/GDPR-4-year-report-2022.pdf
Search in Google Scholar Back to article
Ágh, A. (2010). Europeanization and Democratization in ECE: Towards Multi-Level and Multi-Actor Governance. Nispacee Journal of Public Administration and Policy, 3(1). https://doi.org/10.2478/v10110-010-0001-1
Search in Google Scholar Back to article
Amministrazione delle Finanze v Simmenthal SpA, Case C-106/77. (1978). CJEU. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A61977CJ0106
Search in Google Scholar Back to article
Balboni, P., Pelino, E., & Scudiero, L. (2014). Rethinking the one-stop-shop mechanism: Legal certainty and legitimate expectation. Computer Law & Security Review, 30(4), 392-402. https://doi.org/10.1016/j.clsr.2014.05.007
Search in Google Scholar Back to article
Barnard-Wills, D., Chulvi, C. P., & De Hert, P. (2016). Data protection authority perspectives on the impact of data protection reform on cooperation in the EU. Computer Law & Security Review, 32(4), 587-598. https://doi.org/10.1016/j.clsr.2016.05.006
Search in Google Scholar Back to article
BE v Nemzeti Adatvédelmi és Információszabadság Hatóság, Case C-132/21. (2023). CJEU. https://curia.europa.eu/juris/liste.jsf?num=C-132/21
Search in Google Scholar Back to article
Bergemann, B. (2018). The Consent Paradox: Accounting for the prominent role of consent in data protection. In IFIP advances in information and communication technology (pp. 111-131). https://doi.org/10.1007/978-3-319-92925-5_8
Search in Google Scholar Back to article
Brandão, D. M. (2023). The one-stop-shop and the European Data Protection Board’s role in combatting data supervision forum shopping. International Data Privacy Law. https://doi.org/10.1093/idpl/ipad014
Search in Google Scholar Back to article
CIPL. (2021). GDPR Enforcement Cooperation and the One-Stop-Shop Learning from the First Three Years. https://www.informationpolicycentre.com/cipl-white-papers.html
Search in Google Scholar Back to article
Drechsler, L. C. (2023). Individual Rights in International Personal Data Transfers Under the General Data Protection Regulation. In Review of European Administrative Law (Vol. 16, Issue 1, pp. 35-56). Europa Law Publishing.
Search in Google Scholar Back to article
EDPB. (2020). Article 65 FAQ. https://edpb.europa.eu/system/files/2021-09/20201110_art65_faq_en.pdf
Search in Google Scholar Back to article
EDPB. (2020a). The EDPB: Guaranteeing the same rights for all. https://edpb.europa.eu/system/files/2021-06/2020_06_22_one-stop-shop_leaflet_en.pdf
Search in Google Scholar Back to article
EDPB. (2021). Internal EDPB Document 02/2021 on SAs duties in relation to alleged GDPR infringements, https://edpb.europa.eu/system/files/2022-07/internal_edpb_document_022021_on_sas_duties_in_relation_to_alleged_gdpr_infringements_en.pdf
Search in Google Scholar Back to article
EDPB. (2021a). One-Stop-Shop Leaflet, https://edpb.europa.eu/system/files/2021-06/2020_06_22_one-stop-shop_leaflet_en.pdf
Search in Google Scholar Back to article
EDPB. (2021b). Overview on resources made available by Member States to the Data Protection Authorities and on enforcement actions by the Data Protection Authorities. https://edpb.europa.eu/system/files/2021-08/edpb_report_2021_overviewsaressourcesandenforcement_v3_en_0.pdf
Search in Google Scholar Back to article
EDPB. (2021c). EDPB Annual Report 2020. https://edpb.europa.eu/system/files/2021-06/edpb_aar_2020_fmal_27.05.21.pdf
Search in Google Scholar Back to article
EDPB. (2022). EDPB Letter to the EU Commission on procedural aspects that could be harmonised at EU level, https://edpb.europa.eu/system/files/2022-10/edpb_letter_out2022-0069_to_the_eu_commission_on_procedural_aspects_en_0.pdf
Search in Google Scholar Back to article
EDPB. (2022a). Guidelines 06/2022 on the practical implementation of amicable settlements, https://edpb.europa.eu/system/files/2022-06/edpb_guidelines_202206_on_the_practical_implementation_of_amicable_settlements_en.pdf
Search in Google Scholar Back to article
EDPB. (2022b). Statement on enforcement cooperation, https://edpb.europa.eu/system/files/202204/edpb_statement_20220428_on_enforcement_cooperation_en.pdf
Search in Google Scholar Back to article
EDPB. (2022c). Annual report 2021. https://edpb.europa.eu/system/files/2022-05/edpb_annual_report_2021_en.pdf
Search in Google Scholar Back to article
EDPB. (2023). EDPB Annual Report 2022. https://edpb.europa.eu/system/files/2023-04/edpb_annual_report_2022_en.pdf
Search in Google Scholar Back to article
EDPS. (2022). EDPS Conference report. The future of data protection: Effective enforcement in the digital world, https://edps.europa.eu/system/files/2022-11/22-11-10-edps-conference-report-2022_en.pdf
Search in Google Scholar Back to article
EDRI. (2022). Civil society call and recommendations for concrete solutions to GDPR enforcement shortcomings. https://edri.org/wp-content/uploads/2022/03/EDRi-recommendations-for-better-GDPR-enforcement.pdf
Search in Google Scholar Back to article
European Commission. (2020). Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020DC0264
Search in Google Scholar Back to article
European Commission. (2022). Commission work programme 2023. European Commission https://commission.europa.eu/document/download/51991f3f-a49b-4f4d-811e-c854449169d8_en?filename=com_2022_548_3_en.pdf
Search in Google Scholar Back to article
European Commission. (2023). Proposal for a Regulation laying down additional procedural rules relating to the enforcement of GDPR. European Commission. https://commission.europa.eu/document/download/2069ca27-1935-46e0-b857-2e7c4495d20f_en
Search in Google Scholar Back to article
Francis, J. (2023). The Battle for the Soul of the GDPR: Clashing Decisions of Supervisory Authorities Highlight Potential Limits of Procedural Data Protection. Minnesota Law Review: Headnotes, 107. https://minnesotalawreview.org/article/the-battle-for-the-soul-of-the-gdpr-clashing-decisions-of-supervisory-authorities-highlight-potential-limits-of-procedural-data-protection/
Search in Google Scholar Back to article
Fuster, G. G., Ausloos, J., Bons, D., Bygrave, L. A., Da Rosa Lazarotto, B., Drechsler, L., Gkotsopoulou, O., Hristov, C., Irion, K., Jasmontaite, L., Kroese, C., Lynskey, O., & Magierska, M. (2022). The right to lodge a data protection complaint: ok, but then what?: an empirical study of current practices under the GDPR. Access Now. https://www.accessnow.org/wp-content/uploads/2022/07/GDPR-Complaint-study.pdf
Search in Google Scholar Back to article
Galetta, D. (2010). Procedural autonomy of EU Member States: Paradise lost? In Springer eBooks, https://doi.org/10.1007/978-3-642-12547-8
Search in Google Scholar Back to article
Galetta, D. U., Hofmann, H. C. H., Puigpelat, O. M., & Ziller, J. (2015). The General Principles of EU Administrative Procedural Law. European Parliament. https://www.europarl.europa.eu/RegData/etudes/IDAN/2015/519224/IPOL_IDA%282015%29519224_EN.pdf
Search in Google Scholar Back to article
Gentile, G., & Lynskey, O. (2022). Deficient by design? The transnational enforcement of the GDPR. International and Comparative Law Quarterly, 71(4), 799-830. https://doi.org/10.1017/s0020589322000355
Search in Google Scholar Back to article
Giurgiu, A., & Larsen, T. A. (2016). Roles and powers of National Data Protection Authorities. European Data Protection Law Review, 2(3), 342-352. https://doi.org/10.21552/edpl/2016/3/9
Search in Google Scholar Back to article
Giurgiu, A., Boulet, G., & De Hert, P. (2015). EU’s One-Stop-Shop Mechanism: Thinking Transnational. Privacy Laws & Business, 137, 16-18. https://biblio.vub.ac.be/vubirfiles/18304338/pdh_aggbOnestopshopPL_B_International_l37.pdf
Search in Google Scholar Back to article
Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European Regulation that has a Global Impact. International Journal of Market Research, 59(6), 703-705. https://doi.org/10.2501/ijmr-2017-050
Search in Google Scholar Back to article
Hallinan, D. (2020). Broad consent under the GDPR: an optimistic perspective on a bright future. Life Sciences, Society and Policy, 16(1). https://doi.org/10.1186/s40504-019-0096-3
Search in Google Scholar Back to article
Harlow, C., & Rawlings, R. (2014). Process and procedure in EU administration. Hart Publishing, https://doi.org/10.5040/9781474201087
Search in Google Scholar Back to article
Hauptpersonalrat der Lehrerinnen und Lehrer beim Hessischen Kultusministerium v Minister des Hessischen Kultusministeriums, Case C-34/21. (2023a). CJEU. https://curia.europa.eu/juris/document/document.jsf;jsessionid=00DDB1D5FF48D3766374432684703CC2?text=&docid=272066&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=3052141
Search in Google Scholar Back to article
Hijmans, H. (2018). Discussion · How to enforce the GDPR in a strategic, consistent and ethical manner? European Data Protection Law Review, https://doi.org/10.21552/edpl/2018/1/10
Search in Google Scholar Back to article
Hofmann, H. F., & Mustert, L. (2023). Procedures Matter - What to Address in GDPR Reform and a new GDPR Procedural Regulation. Social Science Research Network. https://doi.org/10.2139/ssrn.4492662
Search in Google Scholar Back to article
Informacijski pooblaščenec RS. (2021). Letno poročilo 2020. https://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/LetnoPorocilo2020_koncano.pdf
Search in Google Scholar Back to article
Informacijski pooblaščenec RS. (2022). Letno poročilo 2021. https://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/LetnoPorocilo2020_koncano.pdf
Search in Google Scholar Back to article
Informacijski pooblaščenec RS. (2023). Letno poročilo 2022. https://www.ip-rs.si/fileadmin/user_upload/Pdf/porocila/LetnoPorocilo2020_koncano.pdf
Search in Google Scholar Back to article
Kneuper, R. (2020). Translating Data Protection into Software Requirements. Proceedings of the 6th International Conference on Information Systems Security and Privacy (ICISSP2020), 257-264. https://doi.org/10.5220/0008873902570264
Search in Google Scholar Back to article
Kovač, P. (2016). The requirements and limits of the codification of administrative procedures in Slovenia according to European trends. Review of Central and East European Law, 41(3-4), 427-461. https://doi.org/10.1163/15730352-04103007
Search in Google Scholar Back to article
Kovač, P. (2019). Procedural dilemmas in implementing GDPR at national level. In EGPA Conference Belfast 11-13 September 2019.
Search in Google Scholar Back to article
Kovač, P., & Rudolf, G. (2022). Social aspects of Democratic safeguards in privacy Rights: a Qualitative study of the European Union and China. Central European Public Administration Review, 20(1), 7-32. https://doi.org/10.17573/cepar.2022.1.01
Search in Google Scholar Back to article
Kuner, C., Bygrave, L. A., Docksey, C., & Drechsler, L. (2020). The EU General Data Protection Regulation (GDPR) : a commentary.
Search in Google Scholar Back to article
Mali, P. (2019). GDPR Articles With Commentary & EU Case Laws, https://www.free-ebooks.net/law-textbooks/GDPR-Articles-With-Commentary-EU-Case-Laws
Search in Google Scholar Back to article
Molak, M. W., & Soukopová, J. (2022). Can institutionalization be considered a trap in defining functional cross-border areas? Coopetition and local public services in borderlands. Nispacee Journal of Public Administration and Policy, 15(2), 122-153. https://doi.org/10.2478/nispa-2022-0016
Search in Google Scholar Back to article
Molnár-Gábor, F., Sellner, J., Pagil, S., Slokenberga, S., Tzortzatou, O., & Nyström, K. (2022). Harmonization after the GDPR? Divergences in the rules for genetic and health data sharing in four member states and ways to overcome them by EU measures: Insights from Germany, Greece, Latvia and Sweden. Seminars in Cancer Biology, 84, 271-283. https://doi.org/10.1016/j.semcancer.2021.12.001
Search in Google Scholar Back to article
Phillips, M. (2018). International data-sharing norms: from the OECD to the General Data Protection Regulation (GDPR). Human Genetics, 137(8), 575-582. https://doi.org/10.1007/s00439-018-1919-7
Search in Google Scholar Back to article
Puljak, L., Mladinic, A., & Koporć, Z. (2023). Workload and procedures used by European data protection authorities related to personal data protection: a cross-sectional study. BMC Research Notes, 16(1). https://doi.org/10.1186/sl3104-023-06308-z
Search in Google Scholar Back to article
Roth, P. (2017). “Adequate level of data protection” in third countries post-Schrems and under the general data protection regulation. Journal of law, information and science, 25(1), 49-67.
Search in Google Scholar Back to article
Rudolf, G., & Kovač, P. (2022). Personal data protection and the role of Information Commissioner in the Covid-19 circumstances in Slovenia. V: Crises, vulnerability and resilience in public administration. In 30th NISPAcee Annual Conference. NISPAcee.
Search in Google Scholar Back to article
Ruohonen, J., & Hjerppe, K. (2022). The GDPR enforcement fines at glance. Information Systems, 106, 101876. https://doi.org/10.1016/j.is.2021.101876
Search in Google Scholar Back to article
Ryngaert, C., & Taylor, M. (2020). The GDPR as Global Data Protection Regulation? AJIL Unbound, 114, 5-9. https://doi.org/10.1017/aju.2019.80
Search in Google Scholar Back to article
Senatori, I. (2020). The European Framework Agreement on Digitalisation: a Whiter Shade of Pale? Italian Labour Law e-Journal, 13(2), 159-175. https://doi.org/10.6092/issn.1561-8048/12045
Search in Google Scholar Back to article
Spagnuelo, D., Ferreira, A., & Lenzini, G. (2019). Accomplishing Transparency within the General Data Protection Regulation. ICISSP, 114-125. https://doi.org/10.5220/0007366501140125
Search in Google Scholar Back to article
Utz, C., Degeling, M., Fahl, S., Schaub, F., & Holz, T. (2019). (Un)informed Consent. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, https://doi.org/10.1145/3319535.3354212
Search in Google Scholar Back to article
van der Sloot, B. (2018). Legal consistency after the General Data Protection Regulation and the Police Directive. European Journal of Law and Technology, 9(3), 1-18.
Search in Google Scholar Back to article
Wagner, J., & Benecke, A. (2016). National Legislation within the Framework of the GDPR. European Data Protection Law Review, 2(3), 353-361. https://doi.org/10.21552/edpl/2016/3/10
Search in Google Scholar Back to article
WhatsApp Ireland v European Data Protection Board, Case T-709/21. (2022). CJEU. https://curia.europa.eu/juris/liste.jsf?num=T-709/21&language=EN
Search in Google Scholar Back to article
Wulf, A. J., & Seizov, O. (2022). “Please understand we cannot provide further information”: evaluating content and transparency of GDPR-mandated AI disclosures. AI & SOCIETY, https://doi.org/10.1007/s00146-022-01424-z
Search in Google Scholar Back to article

Procedural Challenges of Cross-border Cooperation and Consistency in Personal Data Protection in the EU

Abstract

Points for Practitioners

Paradigm

My account