Five Years of GDPR – Lessons for Procedures, Agencies and Powers

HOFMANN, Herwig C H; Mustert

Download

Contribution to collective works (Parts of books)

Five Years of GDPR – Lessons for Procedures, Agencies and Powers

HOFMANN, Herwig C H; Mustert

2024 • In Paul de Herth; Eleni Kosta; Diana Dimitrova et al. (Eds.) Data Protection and Privacy

Peer reviewed

Permalink
https://hdl.handle.net/10993/60123

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

9781509976003_Data Protection and Privacy 01 LM.pdf

Author postprint (698.26 kB)

Download

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

GDPR, Data Protection, Procedure, Hearing, Right to an Effective Remedy, Composite

Abstract :

[en] After five years of GDPR enforcement, the difficulties in the complex enforcement system have become apparent. Challenges for developing procedural rules for putting rights to the protection of personal data are manifold. The GDPR’s model has deficiencies resulting from overly complex composite procedures largely excluding individuals – especially complainants – from being able to play a meaningful role in the procedure, despite the fact that individual complaints raise the real-life issues necessary for enforcement. We argue in this chapter that agency design and the role of agencies in the procedures should be re-thought and, arguably, re-designed. This also is a matter not only for the role of the EDPB but also of the European Commission in the system of data protection.

Disciplines :

European & international law

Author, co-author :

HOFMANN, Herwig C H ; University of Luxembourg > Faculty of Law, Economics and Finance (FDEF) > Department of Law (DL)

Mustert; UU - University of Utrecht [NL] > law

External co-authors :

yes

Language :

English

Title :

Five Years of GDPR – Lessons for Procedures, Agencies and Powers

Publication date :

2024

Main work title :

Data Protection and Privacy

Author, co-author :

Paul de Herth

Eleni Kosta

Diana Dimitrova

Dara Hallinan

Hideyuki Matsumi

Publisher :

Hart, London, United Kingdom

Edition :

1st

Peer reviewed :

Peer reviewed

Focus Area :

Law / European Law

European Projects :

FP7 - 263903 - NORFACE II - New Opportunities for Research Funding Agency Co-operation in Europe II

FnR Project :

INDIGO

Funders :

H2020, FNR Inter
Union Européenne

Available on ORBilu :

since 07 February 2024

Statistics

Number of views

255 (5 by Unilu)

Number of downloads

111 (3 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

Bibliography

Austrian Bundesgesetz über den Schutz personenbezogener Daten, (Datenschutzgesetz) of 31 July 2017, BGBl. I. Nr. 120/2017, (Austrian Federal Data Protection Act).
Autoriteit Persoonsgegevens. ‘Beleidsregels Prioritering Klachtenonderzoek AP’, of 2 October 2018.
Autoriteit Persoonsgegevens. ‘Miljoenennota: Geen verhoging budget AP’, September 2021, available at autoriteitpersoonsgegevens.nl/nl/nieuws/miljoenennota-geen-verhoging-budget-ap.
Barnard-Wills, David, Pauner Chulvi, Cristina and de Hert, Cristina. ‘Data Protection Perspectives on the Impact of Data Protection Reform on Cooperation in the EU.’ Computer Law and Security Review, no. 32 (2016).
Belgian Wet betreffende de oprichting van een Gegevensbeschermingsautoriteit, 3 December 2017, numac: 2017031916, (Act Establishing the Belgian Data Protection Authority).
Boin, Arjen, Busuioc, Madalina and Groenleer, Martijn. ‘Building European Union Capacity to Manage Transboundary Crisis: Network or Lead-Agency Model?’ Regulation and Governance, no. 8 (2014).
Case C-132/93 Steen [1994] ECLI:EU:C:1994:254.
Case C-154/21 Österreichische Post [2023] ECLI:EU:C:2023:3.
Case C-260/89 ERT v DEP [1991] ECLI:EU:C:1991:254.
Case C-304/02 Commission v France [2004] ECLI:EU:C:2004:274, opinion of A-G Geelhoed.
Case C-311/18 Facebook Ireland and Schrems [2020] ECLI:EU:C:2020:559.
Case C-349/07 Sopropé [2008] ECLI:EU:C:2008:746.
Case C-362/14 Schrems [2015] ECLI:EU:C:2015:650.
Case C-518/07 Commission v Germany [2010], ECLI:EU:C:2010:125.
Case C-614/10 Commission v Austria [2012], ECLI:EU:C:2012:631.
Case C-617/10 Akerberg Fransson [2013] ECLI:EU:C:2013:280.
Case C-645/19 Facebook Ireland and others [2021] ECLI:EU:C:2021:5, opinion of A-G Bobek.
Case C-645/19 Facebook Ireland and others v Gegevensbeschermingsautoriteit [2021] ECLI:EU:C:2021:483.
Case T-24/90 Automec v Commission [1992] ECLI:EU:T:1992:97.
Commission Nationale pour la Protection des Données, ‘Procedure relative aux reclamations devant la Commission nationale pour la protection des donnees’, of 16 October 2020.
Commission Staff Working Paper, ‘Impact Assessment’, SEC(2012) 72 final, Accompanying the document Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data.
Commission. ‘Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: A European Strategy for Data’, [2020] COM(2020) 66 final.
Commission. ‘Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. Commission work programme 2023: A Union standing firm and united’, [2022] COM(2022) 548 final.
Commission. ‘Digital Services Act: Commission designates first set of Very Large Online Platforms and Search Engines’, available at ec.europa.eu/commission/presscorner/detail/en/IP_23_2413.
Commission. ‘Proposal for a Regulation of the European Parliament and of the Council laying down additional rules relating to the enforcement of the GDPR’, COM(2023) 348 final.
Council Document 17025/13 of 4 December 2013, available at data.consilium.europa.eu/doc/document/ST-17025-2013-INIT/en/pdf.
Data Protection Commission, Annual Report 2020, of 25 February 2021.
Data Protection Commission. Decision IN-18-12-2, available at edpb.europa.eu/system/files/2021-09/dpc_final_decision_redacted_for_issue_to_edpb_01-09-21_en.pdf.
De Smedt, Stephanie and Verstraeten, Valerie. ‘Belgium: Substantial Reform of Supervisory Authority and Framework Implementing Act Finally Adopted.’ European Data Protection Law Review, no. 3 (2018).
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, [1995] OJ L281/31.
Dutch Algemene wet bestuursrecht of 4 June 1992, Stb. 1992, 315, (Dutch General Administrative Law Act).
EDPB. Decision 01/2021 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Whatsapp Ireland under Article 65(1)(a) GDPR, available at edpb.europa.eu/system/files/2021-09/edpb_bindingdecision_202101_ie_sa_whatsapp_ redacted_en.pdf.
EDPB. ‘Decision 05/2022 on the dispute submitted by the Irish SA regarding Whatsapp Ireland Limited (Art. 65 GDPR)’ available at edpb.europa.eu/system/files/2023-01/edpb_ bindingdecision_202205_ie_sa_whatsapp_en.pdf.
EDPB. ‘Guidelines 06/2022 on the practical implementation of amicable settlements’ of 12 May 2022 available at edpb.europa.eu/system/files/2022-06/edpb_guidelines_202206_ on_the_practical_implementation_of_amicable_settlements_en.pdf.
EDPB. ‘Guidelines 09/2020 on relevant and reasoned objections under Regulation 2016/679’, available at edpb.europa.eu/our-work-tools/documents/public-consultations/2020/guidelines-092020-relevant-and-reasoned_en.
EDPB-EDPS. Joint Opinion 01/2023 on the Proposal for a Regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679, available at edpb.europa.eu/system/files/2023-09/edpb_edps_jointopinion_202301_proceduralrules_ec_en.pdf.
EDPS. ‘Opinion on the European Data Protection Supervisor on the data protection reform package’, of 7 March 2012 available at edps.europa.eu/sites/edp/files/publication/12-03-07_edps_reform_package_en.pdf.
Fundamental Rights Agency. ‘Access to data protection remedies in EU Member States’ (2014) available at fra.europa.eu/en/publication/2014/access-data-protection-remedieseu-member-states.
Gegevensbeschermingsautoriteit. ‘Opinion on preliminary draft law amending the Act of 3 December 2017 establishing the Data Protection Authority (AH-2022-0020)’, 25 February 2022.
Gegevensbeschermingsautoriteit. ‘Regelement van Interne Orde’, def.003 17 October 2018, available at www.gegevensbeschermingsautoriteit. be/publications/reglement-van-interne-orde.pdf (Internal Rules of Procedure).
Gentile, Giulia and Lynskey, Orla. ‘Deficient by Design? The Transnational Enforcement of the GDPR.’ International and Comparative Law Quarterly 71, no. 4 (2022).
Gonzalez Fuster, Gloria et al. ‘The right to lodge a data protection complaint: OK, but then what? An empirical study of current practices under the GDPR’, 2022, available at www.accessnow.org/cms/assets/uploads/2022/06/Complaint-study-Final-versionbefore-design-June-15.pdf.
Hijmans, Hielke. ‘Article 56 Competence of the lead supervisory authority’, in The EU General Data Protection Regulation (GDPR): a commentary, edited by Christopher Kuner, Lee A Bygrave, Christopher Docksey and Laura Drechsler. Oxford: Oxford University Press, 2020.
Hofmann, Herwig C H. ‘Composite decision making procedures in EU administrative law’ in Legal Challenges in EU Administrative Law, edited by Herwig C H Hofmann and Alexander H Turk. Cheltenham: Edward Elgar, 2009.
Hofmann, Herwig C H. ‘Inquisitorial Procedures and General Principles of Law: The Duty of Care in the Case Law of the European Court of Justice’, in The Nature of Inquisitorial Processes in Administrative Regimes: Global Perspectives, edited by Laverne Jacobs and Sasha Baglay. London: Routledge, 2016.
Hofmann, Herwig C H and Mustert, Lisette. ‘Data Protection’ in Research Handbook on Enforcement, edited by Miroslava Scholten. Cheltenham: Edward Elgar, 2023.
House of the Oireachtas. ‘Report on meeting on 27th April 2021 on the topic of GDPR’, 2021, data.oireachtas.ie/ie/oireachtas/committee/dail/33/joint_committee_on_justice/reports/2021/2021-07-22_report-on-meeting-on-27th-april-2021-on-the-topic-ofgdpr_ en.pdf.
Irish Council for Civil Liberties. ‘Europe’s enforcement paralysis’, 2021, available at www.iccl.ie/wp-content/uploads/2021/09/Europes-enforcement-paralysis-2021-ICCL-reporton-GDPR-enforcement.pdf.
Irish Data Protection Act 2018 (No 7), section 109(2).
Joined Cases C-26/22 and C-64/22 SCHUFA Holding and Others (Libération de reliquat de dette) [2023] ECLI:EU:C:2023:222.
Kelleher, Denis and Murray, Karen. EU data protection law. London: Bloomsbury Professional, 2018.
Lynskey, Orla. ‘The Troubled Transnational Enforcement of the GDPR’, 2023, available at eulawlive.com/op-ed-the-troubled-transnational-enforcement-of-the-gdpr-by-orlalynskey/.
Lynskey, Orla. The Foundations of EU Data Protection Law. Oxford: Oxford University Press, 2015.
McGruer, Jonathan. ‘Emerging Privacy Legislation in the International Landscape: Strategy and Analysis for Compliance.’ Washington Journal of Law, Technology and Arts No. 15 (2020).
Mustert, Lisette. ‘EDPB Decision 1/2023: The Schrems Saga Back on the GDPR’s Enforcement Rails.’ European Data Protection Law Review, no 2 (2023).
Mustert, Lisette. ‘The EDPB’s Second Article 65 Decision – Is the Board Stepping up its Game?’ European Data Protection Law Review, no 3 (2021).
Mustert, Lisette. ‘Cross-border enforcement of the GDPR by independent administrative authorities’. PhD diss., University of Luxembourg, 2023.
Mustert, Lisette. ‘The First Article 65 Decision – Correct and Consistent Application of the GDPR Ensured?’, European Data Protection Law Review, no 1 (2021).
Nijveld, Olga and Steenbergen, Wouter. ‘Het Awb-landschap door een AVG filter.’ Tijdschrift voor Toezicht, no. 4 (2018).
Provan, Keith G and Kenis, Patrick. ‘Modes of Network Governance: Structure, Management, and Effectiveness.’ Journal of Public Administration Research and Theory, no 18 (2008).
Provan, Keith G and Lemaire Robin., ‘Core Concepts and Key Ideas for Understanding Public Sector Organizational Networks: Using Research to Inform Scholarship and Practice.’ Public Administration Review, no 72 (2012).
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR) [2016] OJ L119/1.
Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) [2022] OJ L277.
Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC [2010] OJ L331/84.
Regulation (EU) No 806/2014 of the European Parliament and of the Council of 15 July 2014 establishing uniform rules and a uniform procedure for the resolution of credit institutions and certain investment firms in the framework of a Single Resolution Mechanism and a Single Resolution Fund and amending Regulation (EU) No 1093/2010 [2014] OJ L225/1.
Requejo, Marta. ‘Procedural harmonization and private enforcement in the area of personal data protection.’ Max Planck Institute Luxembourg for Procedural Law Research Paper Series, no 3 (2019).
Scholten, Miroslava. The Political Accountability of EU and US Independent Regulatory Agencies. Brill: Nijhoff, 2015.
Timmermans, Jolien and Chamon, Merijn. ‘Controlling the SRB’s resolution powers’ in Controlling EU Agencies: The Rule of Law in a Multi-jurisdictional Legal Order edited by Miroslava Scholten and Alex Brenninkmeijer. Cheltenham: Edward Elgar, 2020.
Van Kreij, Laurens. ‘Enforcing EU Policies: why do EU legislators prefer new networks of national authorities and not existing EU agencies?’ Journal of European Public Policy 29, no 10 (2022).
Van Kreij, Laurens. ‘Towards a comprehensive framework for understanding EU enforcement regimes.’ European Journal of Risk Regulation, no 10 (2019).