On second anniversary of EU data protection law, concerns about enforcement gap increase

PRESS RELEASE - 25.05.2020

On the second anniversary of the EU’s General Data Protection Regulation (GDPR), The European Consumer Organisation (BEUC) warns that problems enforcing the law and disciplining the companies that break it are putting its benefits at risk.

Of particular concern is the current delay with rendering decisions in important cases based on the so-called ‘one-stop-shop’ mechanism which is triggered in case of EU-wide infringements. In such instances the data protection authority where the company is established takes the lead. 

But procedural rules for dealing with complaints are not harmonised in the EU. As a result it becomes more complicated for data subjects – and those (like BEUC’s members) who represent them – to bring legal action. For instance, national laws about who can represent consumers differ which is a risk in case complaints end up being handled by a foreign data protection authority. Complainants also become subject to a different legal system they are not familiar with and may be hampered by high legal costs. This puts them at a disadvantage and hinders effective access to justice.  
BEUC calls for these and other drawbacks to be addressed to ensure the GDPR becomes a reliable instrument to tackle wide-spread data protection violations.

Monique Goyens, Director General of The European Consumer Organisation, commented:

“Thanks to the EU’s data protection law, consumers have a defence against companies that hoover up their data and watch their every step online. But they rely on enforcement authorities to investigate breaches and force companies to adhere to the law. If this is not guaranteed, consumers’ trust in their rights and the institutions which are expected to guard them will melt away. 

“We are still in the learning process about how the GDPR can best help to protect consumers. But the system to enforce the law is already showing its shortcomings. There is a real urgency to fix this considering the massive data surveillance practices consumers are facing every day.”

Our recommendations include:

• The European Data Protection Board (EDPB) should issue guidance for common administrative procedures to handle complaints in cross-border cases.
• Concerned national data protection authorities must continue to play a role in carrying out investigations and supporting the complainants, even if another authority has taken the lead in case of cross-border infringements.
• Data protection authorities and the EDPB should establish a list of organisations which, once vetted by their local authority, should be eligible to represent data subjects in all EU countries.
• Member States need to increase the resources available to their data protection authorities. 


Notes: to Commissioner for Justice and Consumer Reynders with recommendations about enforcement of GDPR