Five candles for the GDPR


SYMPOSIUM

stay alert keep smart

FIVE CANDLES FOR THE GDPR

MAY 2023

Table of Contents

1. Five Candles for the GDPR – A Symposium

Dominik Düsterhaus

2. Clash of Titans: Artificial Intelligence and GDPR – A Modern Battle of Technology and Privacy

Boris Paal

3. International Data Transfers after Five Years of the GDPR: Postmodern Anxieties

Christopher Kuner

4. What if the new adequacy decision for the EU-US Data Privacy Framework were to be declared invalid – again? Ways forward and out of the international-data-transfer dilemma

Susanne Dehmel

5. The Troubled Transnational Enforcement of the GDPR

Orla Lynskey

6. Are the fines fine? A tale of disharmony and opacity of GDPR enforcement?

Naomi Lintvedt

7. Do data subjects have a right to detailed disclosure of how an automated decision has been made (‘right to explanation’)?

Katrin Blasek

8. Processing in the context of employment – Will there ever be consistent rules under or beyond Article 88 GDPR?

Emilia Fronczak

9. Striking a Balance: Interpreting the Journalistic Exemption of Article 85 GDPR

Päivi Korpisaari

10. Procedures Matter – What to Address in GDPR reform and a new GDPR Procedural Regulation

Herwig C.H. Hofmann and Lisette Mustert

11. GDPR’s Right to Compensation and the Österreichische Post Case (C-300/21): Major Breakthrough or Much Ado about Nothing?

Jonas Knetsch

12. EU Data protection law & politics – A Candle that burns at both ends?

Dominik Düsterhaus


Five Candles for the GDPR – A Symposium

Dominik Düsterhaus

On 25 May 2023, the EU General Data Protection Regulation 2016/679 will have been in full application for 5 years. A good reason, we thought, to light some candles in honor of the arguably most advanced and comprehensive data protection regime worldwide.

While Directive 95/46/EC had already put the EU at the forefront of data protection, the GDPR has adjusted, enhanced, expanded and operationalised the EU regime so as to make it truly exemplary.

Its regulatory approach is unique indeed, setting out a number of core principles, rights and obligations, to apply irrespective of who/what, how and where processes EU based data, and championing national diversity, as well as dual and cooperative enforcement.

Yet, this anniversary is also an opportunity to shed light on the limitations and shortcomings of the GDPR regime, namely a certain conceptual vagueness, holey harmonisation and sub-par enforcement.

Our ‘5 candles for the GDPR’ are meant to do both.

Throughout this month of May, renowned experts and practitioners will share their views on how key GDPR features have fared over the last five years and whether they are fit for the future.

With no pretense at exhaustivity, we thus look at some topical aspects of EU Data Sovereignty, Legal Diversity, Technology Neutrality, Public as well as Private Enforcement.

Follow our symposium to read about whether the GDPR is fit for AI, how global its protective regime is and whether there is a future for the OSS Mechanism as we know it. Are the fines fine? May compensation for non-material harm be conditioned? Must automated decision-making be explained? And what do all those opening clauses allow in terms of harmonisation? These are the questions which the op-eds of our symposium strive to answer, succinctly and subjectively, offering little sparks of light, just like the candles on a birthday cake.

Boris Paal will light the first one with his take on the Clash of Titans – AI and the GDPR.

i. Dominik Düsterhaus is a référendaire at the Court of Justice of the European Union and kindly accepted to serve as the guest editor of this month’s GDPR anniversary symposium.


Clash of Titans: Artificial Intelligence and GDPR

A Modern Battle of Technology and Privacy

Since the adoption of the General Data Protection Regulation (GDPR) 2016/679 in 2016, the dynamic and disruptive progress of technologies of Artificial Intelligence (AI) has raised various questions about how the GDPR should be implemented and applied in order to adequately address the challenges and requirements imposed by AI. As a legal regime, the GDPR has not been designed to regulate AI in particular. The GDPR only incidentally touches upon the matter and where it does, establishes strict requirements. In this sense, fully automated individual decision-making systems including profiling are severely conditioned by Article 22 (1) GDPR. However, as a starting point, it should be noted that the GDPR applies to the use of AI when there is a processing of personal data. Moreover, it is complicated to implement any national regulation due to the GDPR’s broad scope and its direct application according to Article 288 (2) of the Treaty on the Functioning of the European Union (TFEU). This is why there is an ongoing discussion regarding the need for additional regulation from the European legislator on this matter.

I. Description of the Conflict

On the one hand, it is crucial to underline that the GDPR fundamentally approaches the handling of personal data in a restrictive manner. AI technologies, on the other hand, require a vast amount of data (e.g., big data) for training and in certain constellations also in their practical application and use; some of these data are extremely sensitive (cf. Art. 9 GDPR). This may be at odds with (some of) the principles set out in Article 5 GDPR. Thus, a word-by-word application of GDPR to AI could lead to challenging consequences for the deployment of AI in Europe. Given this context, the question arises whether AI should follow its path in full compliance with the GDPR interpreted in a strictly language-based manner or whether the interpretation of the GDPR (or even the GDPR itself) needs to be adjusted to be consistent with the AI revolution.

Especially in practice, a rather goal-driven interpretation of the GDPR could be a better approach. It might be argued that such an approach would be more consistent with the way the Court of Justice of the European Union interprets European law, i.e. following a telos-oriented approach rather than applying the wording of the legal provisions too strictly. Indeed, this does not contradict the character of the GDPR itself, which often contains open and vague formulations. In addition, a strict application based on restrictive standards may lead to a significant impediment to the development of AI in Europe and represent a significant disadvantage in this market of the future.

i. Boris P. Paal, M.Jur (Oxford) is a Professor in Civil Law, Media Law, Information Law, and Data Law, and Director of the Institute of Media and Data Law and Digitalisation at the University of Leipzig. As an author and editor (among others of Gersdorf/Paal on Information and Media Law, and Paal/Pauly on the GDPR) he is the author of more than 200 publications in the aforementioned areas of law.


II. Towards an Adequate Approach to the Principles set out in Article 5 GDPR

An open-minded analysis of the Article 5 GDPR principles may help to avoid the above-mentioned disadvantageous results. In this sense, it could be better to analyse the core of Article 5 GDPR. The main obligations set out in Article 5(1) GDPR are lawfulness, fairness, accountability, and transparency. However, the principle of lawfulness laid down in Article 5(1)(a) GDPR and Article 6 GDPR is prevailing over other legal maxims of Article 5 GDPR. The principle of lawfulness establishes a general prohibition with the reservation of permission and requires the existence of the data subject’s consent or another legitimate basis under Article 6(1) GDPR. The proportionality test, which requires a suitable legal basis, is further defined by the general principles laid down in Article 5 GDPR.

With regard to the transparency principle of Article 5(1)(a) GDPR, the transparency in AI may be seen as problematic. For instance, the possibility of fulfilling the retrospective and prospective traceability otherwise required in a ‘transparent manner’ may be questionable with regard to complex AI systems. Comprehensive information about the controller, processor, and data subject concerned is conceivable, but in most cases, due to the technical depth required, it will neither be effective nor meet the requirement of traceability. This is congruent with the report Big Data, Artificial Intelligence, Machine Learning and Data Protection by the UK Information Commissioner’s Office, which states that ‘the complexity of big data analytics can mean that the processing is opaque to citizens’. Rather, what is needed here is a teleological, purpose-based interpretation of transparency for AI. For example, a partial deviation from the comprehensibility principle may be conceivable for AI, insofar as it cannot be presented comprehensibly due to its technical nature, or only with alienating simplification. However, the question of the purpose of the data processing could be a central element of the transparency obligation in the future. Such a shift of the reference point for transparency has already been applied in the UK through the Data Protection Act. In principle, this contradicts the wording of Article 5(1)(a) GDPR. However, an interpretation in line with the wording of the ‘transparent manner’ is at least conceivable if such an explanation of the manner of data processing is not technically possible, for example in cases of machine learning. In view of Recital 58 of the GDPR, however, this is to be treated extremely restrictively, as the transparency and associated information obligations are to apply in particular to complex systems.

The principle of consent as per Article 4 (11) GDPR in conjunction with the purpose limitation (Article 5 (1)(b) GDPR) could also be interpreted appropriately for AI. In principle, the determination of an explicit and legitimate purpose is required. Furthermore, there must be no incompatibility of the purpose of the processing with the original purpose of collection. Especially the latter is problematic in view of multiple further processing and uses in the application of AI. However, if further processing is compatible with the original purpose, it may be permissible in principle.

The data minimisation rule according to Article 5(1)(c) GDPR could be deemed as discussable, especially in the context of the necessity of data processing in big data applications. As far as the mere anonymisation of the data does not conflict with the purpose of the processing, there should be no regular violation. However, a different situation arises if it is precisely the reference of the data that is important in the context of the use. In this case, the interpretation of data minimisation may raise the question of when the data becomes personally identifiable (cf. recital 26 GDPR). A conceivable requirement as to when the personal reference of the data is given could be, for example, the pseudonymisation of the data as an alternative to anonymisation, in cases when anonymisation is not possible. Moreover, synthetic data, which serves as a virtual representation of the initial dataset, could be considered as an alternative method to evade a personal reference and consequently, the application of the GDPR.

The storage limitation of Article 5(1)(e) GDPR requires, in the application of the principles of purpose limitation and data minimisation, that the data should only be stored for the absolutely necessary period. When such data is processed for a secondary purpose, the data controller is obliged to justify this. In terms of the learning of AI, this would not pose a problem if the data has been collected particularly to train the AI. In this case, the application of this principle will run parallel to that of purpose limitation. This is because if there is a legitimate purpose for the processing, the storage of the data is justified as well.

III. Conclusion

Taking into account the potential negative effects of AI, namely the aspects of mass data collection and bias-based profiling, AI should not be exempt from complying with the legal objectives of the GDPR as set down by the European legislator. Nevertheless, an interpretation of the GDPR that, unlike the one applied above, does not sufficiently reflect the specific characteristics of AI, may lead to drastic impairments to the development and innovation potentials of AI – not only in Europe. To maintain a proper balance between these two aspects, a separate legal framework governing the permissibility of processing operations using AI-based applications should be established. For the establishment of a functional and robust framework, it is necessary to design it in a technology-neutral, predictable and respectful manner that upholds fundamental rights and the principle of reasonableness. The more tailor-made the interpretation and application, the better the results. This way a workable and resilient framework can be achieved – and the battle of technology and privacy can be pacified. Finally, it is to note that the proposed AI Act unfortunately neither seeks to establish such a comprehensive framework nor fully clarifies the important relationship with the GDPR – thus, further challenges and problems regarding the application of both regimes are just around the corner.


International Data Transfers after Five Years of the GDPR: Postmodern Anxieties

The regulation of international transfers of personal data remains a work in progress five years after entry into force of the GDPR. It reflects phenomena often designated as ‘postmodern’, such as legal fragmentation and confused relations between law and politics.

Protecting the rights of individuals whose data are transferred under the GDPR is subject to the contradictory impulses of various stakeholders: companies transfer the data of individuals while complaining about the cost of compliance; individuals expect online services to enable innovative uses of their data while giving them control over it; data protection authorities (DPAs) require companies to comply with legal rules on data transfers but often have difficulty enforcing them; the EU and the US negotiate data transfer arrangements while engaging in mutual recriminations; and EU institutions enact legislation with a short attention span determined by the political priorities of the day. Although the GDPR has considerable international influence, as shown by the large numbers of countries around the world that have adopted similar laws, the conflicting priorities to which it is subject sometimes make it seem like a regulatory system on the verge of a nervous breakdown.

Many of the challenges facing the GDPR’s data transfer regime derive from institutional tensions, a turn toward formalistic mechanisms, problems with enforcement of cross-border cases, and questions about the comparative methodology used to implement it, all of which could be resolved with the necessary political will. However, others result from global developments and unresolved questions about how the GDPR should interact with foreign legal systems, which will prove more intractable.

Institutional tensions

The GDPR gives the Commission the sole power over adequacy decisions, with only a consultative role for the European Data Protection Board (EDPB) and no formal role for the European Parliament, although the latter does adopt resolutions on pending decisions. The Commission’s legal role of ensuring that fundamental rights are protected in the legislation it proposes stands in tension with the political reality that it needs to compromise when negotiating data transfer arrangements with third countries. These dual roles are reflected in its draft adequacy decision for the US of 13 December 2022 to replace the Privacy Shield decision invalidated by the Court of Justice in Facebook Ireland Ltd. (C-311/18). While the protections contained in the new decision represent an improvement over the Privacy Shield, political pressure has led to compromises that seem questionable in light of the fact that the Court admonished the Commission that its evaluation in adequacy decisions must be ‘strict’ and its discretion in issuing them is ‘reduced’ (Schrems, C-362/14, para 78). For example, the data protection principles of the framework can be limited when necessary to comply with a court order or to meet public interest, law enforcement, or national security requirements (Annex I, para 5), which is very close to the formulation that the Court of Justice objected to in Schrems (para 86) and Facebook Ireland Ltd (para 164). In retrospect it seems unfortunate that the GDPR did not grant the EDPB or the Parliament a co-decision power for adequacy decisions.

i. Christopher Kuner is an affiliated professor at the University of Copenhagen, a lawyer with an international law firm in Brussels, editor-in-chief of International Data Privacy Law, and one of the editors of the GDPR commentary published by Oxford University Press.

Negotiations regarding a US adequacy decision have been ongoing since the late 1990s, and issues concerning data access by US law enforcement have distracted attention and diverted resources from other important data protection questions that have tended to be neglected. These include transferring data for purposes of international humanitarian action; data sharing to combat global pandemics; data transfers to international organisations; and protecting fundamental rights in transfers of personal data to authoritarian countries such as China.

For its part, the Court of Justice has played the role of Goethe’s Mephisto as ‘der Geist, der stets verneint’ (‘the spirit that always denies’), invalidating two adequacy decisions covering the US (in Schrems and Facebook Ireland Ltd.) and holding that a draft international agreement with Canada covering the transfer of airline passenger data could not be concluded (Opinion 1/15), while failing to engage fully with important questions concerning what a valid data transfer mechanism does require (as discussed in my recent article). The Court has also stated that it does not express a view on the law of a third country (see for example the Opinion of Advocate General Mengozzi in Opinion 1/15, para 163), which seems disingenuous in light of the fact that the validity of adequacy decisions (Article 45 GDPR) and appropriate safeguards (Articles 46-47) depends in part on a comparison between foreign law and EU standards (see below).

A turn towards formalism

Data transfer issues under the GDPR are increasingly addressed through formalistic mechanisms. This risks reducing data protection to a series of complex, untransparent procedures determined by technocrats that are difficult to apply and understand.

For example, the EDPB has imposed an increasing number of documentation requirements on parties transferring data (as in its Recommendations 01/2020 and Guidelines 05/2021), which include preparing maps to show how data are transferred; conducting ‘data transfer impact assessments’ about the law and practices in third countries; and performing a legal analysis to determine whether the GDPR applies directly to entities in third countries. A lack of transparency also plagues adequacy decisions, which are negotiated in secret and which can be based on information that is difficult to find and understand (see pp. 2-3 of the EDPB Opinion on the draft adequacy decision for the US).


Problems with cross-border enforcement

This formalistic turn is ironic in light of the fact that the most significant data transfer development in recent years resulted not from action by public authorities, but from the initiative of a single individual, Austrian law student and activist Max Schrems, whose dogged pursuit of claims against Facebook over several years resulted in the landmark judgements of the Court of Justice in Schrems and Facebook Ireland Ltd. National procedural requirements have hindered development of the higher level of cross-border enforcement that the Court foresaw in these two judgments, which the EDPB and the Commission are attempting to address. However, problems with cross-border enforcement are also caused by human and organisational factors in DPAs, such as limited resources and training, linguistic problems, and a lack of technical understanding, and thus require political and organisational solutions.

More general issues facing the GDPR can also affect data transfers, such as a lack of enforcement against large technology companies. This reflects the fact that enforcement is the responsibility of Member State courts and DPAs and the EDPB only has a coordination role. As the European Data Protection Supervisor has suggested, new mechanisms for cross-border data protection enforcement are needed, such as the creation of a single enforcement body with pan-EU competence over cross-border cases, though this would face formidable political obstacles. It remains to be seen whether the 1.2 billion Euro fine levied against Facebook and confirmed by an EDPB dispute resolution decision adopted in April 2023 will mark a turning point for more effective and coordinated enforcement of data transfer requirements.

The role of comparative law

The GDPR’s data transfer regime is based on determining whether the law and practice of countries to which data are transferred are sufficient under EU standards. It requires comparative exercises such as the Commission and the EDPB conducting research on third country law; Commission and foreign officials delving into the intricacies of each other’s law when negotiating adequacy decisions; and parties analysing the law of countries to which they will transfer data.

Political philosophers and scholars back to Montesquieu (De l’esprit des lois, Book I, Chap. 3) have warned about the dangers of blindly transplanting concepts and institutions from one legal system to another. Comparing legal systems is a complex endeavour that requires proficiency in other languages; a deep knowledge of both one’s own system and the foreign system being compared; going beyond the wording of the law to ascertain its purpose and meaning; and protecting against unconscious cultural bias. Basing data transfer instruments on a flawed comparative analysis can lead to them being invalidated later on, as demonstrated by the rulings of the Court of Justice in Schrems, Facebook Ireland Ltd., and Opinion 1/15.

This complexity can be seen in the new EU-US framework for data transfers. The Executive Order signed by US President Biden on 7 October 2022 requires intelligence gathering to be ‘proportionate’, and this is mentioned repeatedly in the Commission’s draft adequacy decision. However, as Professor Vicki Jackson has written, while the concept of proportionality is used in some areas of US constitutional doctrine, the structured proportionality analysis used in Member State and EU constitutional law is not. Merely inserting the word ‘proportionate’ into US legal instruments does not necessarily mean that the concept will be interpreted the same way as in the EU legal system. This shows that greater rigor is needed in the EU’s comparative methodology.

Global challenges

The economic and geo-political significance of data processing has made countries recognise at the highest political level the need to provide a more stable legal framework for international data transfers (for example, the Digital Minister of Japan, which is currently chair of the G7, has announced the intention to establish an international organisation dealing with transborder data flows). Dealing with such global developments will be one of the biggest future challenges for the GDPR.

This can be seen in the increasing number of data transfer initiatives of various international and regional groups. For example, countries including Canada, Japan, the Republic of Korea, the UK, and the US have established ‘Global Cross-Border Privacy Rules’ (GCBPRs) as an alternative system for data transfers.

GCBPRs seem designed to provide only a minimum level of protection, and so far have had little practical relevance. However, if countries in the GCBPR group that are already subject to a Commission adequacy decision (which includes Canada, Japan, Korea, the UK, and in the future also the US) begin to allow data transfers based on this new system, then it could put them on a collision course with the GDPR. Regional groups such as ASEAN and the Ibero-American Data Protection Network have also published model contractual clauses for international data transfers.

Such initiatives raise questions about how the GDPR’s data transfer regime interacts with other legal systems. The Court of Justice’s insistence on the autonomy of EU law (see Opinion 2/13 of the Court) and on a high level of data protection show that it is hesitant to allow such interactions. Even a Member State constitutional system with a strong history of fundamental rights protection such as that of Germany may be more willing to recognise foreign data protection systems than the Court of Justice (see Judgment of the German Federal Constitutional Court of 20 April 2016, para 334). There are unresolved tensions between views such as those of Advocate General Szpunar, who in his Opinion in Google LLC (C-507/17) was sceptical about allowing EU data protection law to have effect beyond EU borders (see para 53), and those expressed in the judgment of the Grand Chamber of the Court in the same case, which seemed to take a more expansive view of this question (see para 72). This tension inevitably impacts issues such as how far EU law should go in expecting third country law to adopt standards similar to its own.

Outlook

The problems facing the GDPR often overshadow its successes. The GDPR has made explicit a number of important legal principles that were previously only implicit; raised public awareness about data transfers; created political momentum in favour of stronger legal protections; strengthened the position of DPAs; and increased penalties for violations. All of this has resulted in greater respect for EU data protection law.

However, EU law must take further steps to address the challenges facing the GDPR’s data transfer regime. This should include the EU institutions better balancing their legal and political roles; providing simpler and more transparent compliance mechanisms that are more understandable to individuals; addressing procedural impediments to cross-border enforcement; improving the organisational capacity of the DPAs; evaluating foreign legal systems more rigorously; and establishing an EU-wide enforcement body for cross-border cases. The Commission should include such proposals in its next evaluation report on the GDPR, which is due in 2024.

Such steps would help the GDPR’s regulation of data transfers become more effective and relevant over the next five years and beyond. However, full resolution of the issues surrounding data transfers would also require EU law to reach clarity about the parameters for creating interfaces with foreign legal systems. This will in turn require fundamental decisions to be taken about the place of EU law in the wider world, a process likely to occupy the EU for years to come.


What if the new adequacy decision for the EU-US Data Privacy Framework were to be declared invalid – again? Ways forward and out of the international-data-transfer dilemma

Susanne Dehmel

The European Court of Justice’s ruling of 16 July, 2020 (C-311/18, Schrems II) continues to cause ripple effects for thousands of businesses worldwide, but especially in Europe, and it is still shaping the political debate concerning international data transfers. With the new EU-US Data Privacy Framework, the EU Commission wants to create a solid legal basis for the transfer of personal data from the EU to the US after the Privacy Shield was declared invalid with the Schrems II ruling.

This Op-ed focuses on the economic effects the decision has had, the impact another failed EU-US agreement would have – and argues for shifting the lines that were drawn in the sand.

Looking at the past

The legal situation brought about by the ruling of the Court of Justice has long caused perplexity and a lot of uncertainty within the industry on how to deal with international data transfers. The uncertainty relates less to the directly implementable aspect of the ineffectiveness of the adequacy decision on the Privacy Shield. Rather, it concerns the more subtle consequences for international data transfers in general. According to the ruling, even when using standard contractual clauses within the meaning of Article 46(2)(d) of the GDPR, companies need to assess the legal framework in the country they are transferring data to and, depending on the assessment, need to implement supplementary measures for the protection of the rights and freedoms of data subjects.

The Court did not make any clear statements on the subsequent questions, on the triggers for the necessity of additional measures and on the nature of the measures themselves, so that this vacuum must be filled by practice.

EU companies are connected around the world. Data transfers to countries outside the EU do not only play a role for international corporations and the global sales markets. Smaller companies are also increasingly storing data in the cloud, using software from US providers and using social networks and web conference systems from international communication providers. Support and IT-security services are often also offered from locations in Asia. And companies that outsource tasks to external service providers in third countries often need to transfer employee data in order to fulfil their tasks.

i. Susanne Dehmel is a Lawyer, Executive Board Member and Political Advisor. She is the author of “Drittstaatentransfers nach Schrems II”, MMR 2023, 17.

Data transfers are an essential part of the entire economy and indispensable for research and science, with the US being the most important destination for the data that is being transferred (see here). The prevention or even obstruction of data transfers is at least as serious for German and European companies as the disruption of supply chains.

With its judgment of 16 July, 2020 (C-311/18, Schrems II), the Court of Justice declared the EU Commission’s adequacy decision on the transfer of personal data to the USA (EU-US Privacy Shield) invalid. The Court did not consider the level of data protection in the USA to be adequate according to Article 45 GDPR. It held that there was a lack of suitable guarantees, enforceable rights and effective legal remedies against requests by intelligence services to surrender personal data of EU citizens that are processed in or transmitted to the USA. The ombudsman provided for in the Privacy Shield did not offer sufficient protection against the intelligence services according to the Court.

Looking at the present

With the Privacy Shield struck down, without a grace period in place and no timely solution in sight, companies in Europe had to find alternative means to make their (necessary) transfers legally compliant again and implement additional measures for more secure transfers. And although the GDPR thankfully provides other means to legally secure data flows, the implementation efforts, investments and process changes were enormous. Non-essential transfers were, in some cases and companies, stopped, providers were changed – but overall, the loss of the Privacy Shield showed how essential data transfers truly are. No business executive, no compliance officer, no HR-director or product designer would have gone through the weeks and months of time, money and effort to shift data transfers onto (in most cases) Standard Contractual Clauses if the transfer itself would have been just a ‘nice to have’. The Bitkom working group on Data Protection worked for two years on a systematic approach and tool for the assessment of third country data transfers and the risk mitigating measures. Especially for SMEs the additional layer of legal and organizational costs hurts and slows down their potential for modernisation and innovation. Also, core business processes are run on systems that are based on data flowing freely around the globe. The digitised economy with its globalised production, the cooperation of research institutions and a follow the sun 24/7 security support system are always in need of legally secure, stable and cost-effective data processing. Many businesses are currently working with Standard Contractual Clauses as a legal mechanism to secure the transfer in a GDPR compliant way. The efforts to conclude the individual contracts, implement hundreds of different additional measures to comply with the Schrems II ruling in thousands of different combinations (related to the individual contractual agreements between the companies) are demanding. The hurdles for conducting business within and with EU companies are therefore quite high and seem to be getting higher instead of making it easier. And while the GDPR carried the promise of a harmonized framework that would strengthen the competitiveness of EU companies, the status quo shows that the practical difficulties are perceived as too burdensome and not strengthening the EU Single Market (see here).


Looking at the future

Seeing that the consequences of the Schrems II ruling continue to impact the globally connected economy massively, the new EU-US Data Privacy Shield could bring back a lot of stability, certainty, and coherence to the data flows between the EU and the US. The successor agreement to the Privacy Shield for data transfers between the EU and the USA is therefore urgently needed. The case-by-case reviews that are currently necessary are still a great burden for the European market, thousands of businesses, especially for small and medium-sized enterprises.

The proposed EU-US Data Privacy Framework is the result of hard work, political compromise and lengthy discussions between the EU Commission and their US counterparts on the negotiation table. With the input and expertise of legal as well as data protection and security experts an agreement was drafted that addresses the criticisms raised by the Court that had led to the removal of the Privacy Shield. The underlying political agreement has become possible because the US legal framework was adapted by an Executive Order of President Biden.

However, the statements from the European Parliament and other stakeholders regarding the new Framework show how deadlocked attitudes are regarding international data transfers. In this non-factual debate, where individual policy and ideology is mixed into the debate, it is becoming harder and harder to focus on realistic legal requirements and the actual comparability of our legal frameworks. And even though the European Data Protection Board welcomed the improvements under the new framework, the relentless debate is already jeopardizing confidence in the new agreement. The EU Commission should therefore deal intensively with the concrete points of criticism of the Data Privacy Framework in the coming weeks and explain in detail that these are already addressed by the new regulation. This will help to dispel concerns and hopefully prevent further proceedings before the Court of Justice. Companies need legal certainty so that the existing data blockade can finally be dissolved.

What the future really needs: Shifting the lines drawn in the sand

If and when the new EU-US Data Privacy Framework is struck down again, companies, institutions and data protection authorities will once again be in a very uncomfortable position. However, the past has shown that the necessity of having international data transfers in place will make it impossible not to find new legal methods to secure the existing transfers and establish new ones. It is simply inconceivable that EU-US data transfers will be stopped – with or without the new Framework. The importance of the Framework lies especially in making the transfers easier to handle, especially for SMEs in the EU and therefore strengthening the market again. It also bears a lot of political weight in conveying the important political message that the EU and US are aligning their markets and industrial priorities, enabling one another because our fundamental market rules are considered comparable.

And while the new Framework could bring back stability and security for thousands of companies, what the EU really should be starting to work on is the development of ideas for a functioning global framework. Because if the EU does not begin looking beyond the EU´s market and our current transatlantic dilemma soon, legislators and politicians will miss out on the chance to shape the future for citizens and businesses in Europe. The data economy and the deployment and use of new technologies such as LLMs (large language models) and AGI (artificial general intelligence) need a functioning global framework for data aggregation, use and exchange. The necessary roles and rules for such a global framework are not yet set in stone and if not shaped in the EU´s interest will be developed elsewhere. Current legislative trends and international treaties show that there are already developments ongoing (e.g. the G7 global data transfer with trust initiatives) for other international data transfer frameworks and rules. If the EU member states want to secure economic and societal security and progress for their citizens, they need to contemplate mechanisms to connect and align the requirements of the GDPR with other global data transfer tools.

With the GDPR’s transfer mechanisms under pressure from developments within the G7, the Global CBPR Forum, which in 2022 established a multilateral cooperation in promoting global data flows and intends to establish Global Cross Border Privacy Rules, Privacy Recognition for Processors Systems, the ASEAN rules and clauses for data transfers that were introduced in 2021 and a pan-African possibility for an agreement on the way with AfCFTA, the EU needs to shift its focus, stop being wrapped up in itself and start looking outwards. With the most data protection regulation and transfer mechanisms experience under its belt, the EU is in a perfect position to move the global dialogue into the right direction, advocate for new mechanisms that can be aligned with the GDPR framework while ensuring stable data flows that enable the European economy and foster cooperation of authorities whilst protecting its citizens’ data and right to privacy.


The Troubled Transnational Enforcement of the GDPR

The disconnect between the law on the books and the law in practice is a consistent theme in data protection scholarship. Writing in 2014, Koops memorably declared data protection to be a dead letter but lamented that its proponents failed to call time on the legal framework. Prior to the entry into force of the GDPR, EU data protection law’s fragmented and cumbersome enforcement architecture seemed obviously ill-equipped to deal with data processing by multinational corporations operating at scale and with deep pockets. For instance, issues of transnational significance needed to be investigated and enforced independently by each interested domestic data protection authority. The GDPR sought to address this deficit by formalising cooperation between regulators in situations where data processing had a sufficient transnational dimension. In these situations, the regulator in the place of main establishment of the data controller acts as the lead authority (the one-stop-shop), cooperating with their concerned counterparts in other jurisdictions through a cooperation mechanism. In recognition that such cooperation might not always function as desired, the GDPR also provides for a dispute resolution mechanism – the consistency mechanism. A critical component of this mechanism is that it allows the European Data Protection Board (EDPB), an EU body comprised primarily of representatives of the national data protection authorities, to adopt binding decisions to resolve disputes between regulators conclusively. Since the GDPR’s entry into force the functioning of these cooperation and consistency mechanisms has been the subject of increasingly visceral disputes dragging an array of actors into the debate, ranging from the European Parliament to domestic political leaders. How and why did these ostensibly technical procedural innovations become the site of such contestation and what lies ahead for the public transnational enforcement of the GDPR? This contribution will offer some thoughts on these questions.

The Story so Far

Looking from the outside, the system might appear to be operating sufficiently well. Recent figures indicate that in 2022, there were 714 one-stop-shop procedures resulting in 330 final decisions while only 8 binding consistency decisions have been delivered since the entry into force of the GDPR in 2018. In its two year review of the GDPR, the Commission cautiously observed that the system had yet to ‘deliver its full potential’ while an Advocate General of the Court has suggested that an appraisal of the system is not yet possible while it is in its infancy. However, this has not prevented disquiet emerging about the functioning of the system. The European Parliament expressed its ‘great concern’ regarding the operation of the one-stop-shop, laying the blame squarely at the door of the Luxembourgish and Irish regulators which act as lead authorities for many of the big tech companies. It also called upon the Commission to initiate infringement proceedings against Ireland for its alleged failure to enforce the GDPR adequately. Civil society organisations have repeated such calls although both the Irish regulator and, unusually, the Irish government have vociferously defended the regulator’s record on enforcement. The differences between regulators which the one-stop-shop mechanism was designed to bridge are made apparent in the recent interactions between the Irish regulator (the DPC) and the EDPB.

Following complaints lodged against Facebook, Instagram and Whatsapp (all owned by parent company Meta with headquarters in Ireland) concerning their personal data processing practices, the DPC prepared draft decisions which it shared with other concerned supervisory authorities. Taking the Facebook complaint by way of example for present purposes, of the 47 concerned peer regulators, 10 raised objections regarding elements of the draft decision. The primary point of contention was whether Meta’s services could rely on contractual necessity as a legal basis for the provision of ‘personalised’ advertising. Despite the existence of EDPB Guidelines indicating the contrary, the Irish DPC maintained that the provision of such advertising was central to the services offered by Meta and formed part of the contract concluded when a user accepts the Terms of Service offered. Other regulators disagreed and, in the absence of consensus on this point, the matter was referred to the EDPB for dispute resolution. The EDPB agreed with the DPC that the processing operations infringed transparency requirements but disagreed on the central issue of legal basis, finding that contractual necessity could not be used as a legal basis for data processing for personalised advertising. It also directed the DPC to insert an additional breach (of the fairness principle) and to raise the fines imposed significantly (to €210 million for the Facebook infringements from €36 million). The DPC then adopted final decisions reflecting the EDPB’s binding determinations.

While these decisions are of significant substantive importance, they also raise fundamental procedural questions. The EDPB concluded that the Irish regulator did not handle the complaint with ‘all due diligence’ (para 194). The essence of this finding was that the DPC had failed to investigate Facebook’s processing of special categories of personal data, although the complainant alleged infringements of Article 9 GDPR in its complaint. The DPC argued that it falls within its discretion to determine the scope of the inquiry, taking into account the written complaint, and that it would have been ‘inappropriate and disproportionate’ to undertake an open-ended investigation of all Facebook’s processing operations (para 163). However, the EDPB emphasised the consequences of this approach, principally that it limits the ability of peer regulators to ‘act and tackle the risks to data subjects’ (para 195). It considered that the combination of the limited scope of the inquiry as well as the DPC’s treatment of objections from peer regulators as inadmissible impaired the EDPB’s capacity to make a binding determination.

The EDPB’s analysis culminated in a direction to the Irish regulator to remove its finding that Meta is not legally obliged to rely on consent for its data processing operations and to conduct a fresh investigation to determine whether Facebook processes special categories of data and complies with relevant GDPR obligations. It is this aspect of the EDPB’s decisions that the DPC is challenging before the General Court on the grounds that:

The EDPB does not have a general supervision role akin to the national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in an open-ended and speculative investigation.


More specifically, it is arguing that the EDPB exceeded its competence and misinterpreted the role given to it by Article 65(1)(a) GDPR. It remains possible that parties to the complaint, either Meta or the complainants, will challenge the DPC’s decision and/or the EDPB decision. Standing to challenge the latter remains in doubt: the General Court has held that a controller was not directly and individually concerned by an EDPB decision, a finding which is currently being appealed before the Court of Justice. This sequence of events lays bare not only the divergence between regulators on issues of substance, although the Irish regulator might simply be viewed as an outlier in its interpretation of the law, but also open questions regarding the very objectives of the one-stop-shop.

Towards the Equality of Interdependent Independent Regulators

The Commission and the EDPB are keenly aware of the need to smooth the functioning of the OSS. Efforts to date have focused primarily on addressing the national procedural ambiguities and divergences that have added undesirable friction to the cooperation procedure. In its 2022 Annual Report, the EDPB emphasises the initiatives it has taken on enforcement cooperation, including the use of taskforces to guide work on key cross-border issues (such as the use of cookie banners); coordinated investigative work into public sector usage of cloud services and the creation of an expert pool that regulators can draw on for support in their work. More concretely, the European Commission intends to propose a Regulation to streamline the cooperation procedure by harmonising some administrative provisions. Significant improvements to its functioning could be made by coordinating the admissibility of complaints and the status of the parties to administrative procedures as well as adopting procedural deadlines. Once enacted, such a procedural Regulation should therefore tighten the cogs of this new governance mechanism, addressing some of the key concerns raised by civil society actors amongst others.

A more fundamental question about the balance between the independence of regulators and equality between them nevertheless remains to be addressed. The Irish regulator accuses the EDPB of jurisdictional overreach through its direction to launch fresh investigations into Meta’s data processing activities. This question of jurisdiction might be boiled down to a question of fact: whether the EDPB’s decisions concern matters which are ‘the subject of the relevant and reasoned objection’ as required by Article 65(1)(a). However, it also raises broader issues. As Magierska highlights, although EDPB guidelines are non-binding, this scenario raises the question of whether and to what extent data protection authorities can ‘deviate or even distance themselves from their content’. The Irish regulator also hinted that the EDPB’s direction interferes with its discretion as an independent regulator. This begs the question of to what extent the actions of the EDPB can legitimately limit the ‘complete independence’ (Article 52(1) GDPR) of data protection authorities. Such limitations appear legitimate, and implicit within the general scheme of the GDPR, for two reasons.

First, it was clear before the GDPR entered into force that the power of the EDPB to issue decisions binding on data protection authorities would compromise the independence of the latter. However, as argued elsewhere, given that the rationale for such complete independence is to secure the effective protection of fundamental rights, this limitation is justified as it serves this precise aim of rendering rights protection more effective. Indeed, while the EU Charter specifies that compliance with data protection rules should be subject to control by an independent authority, it does not specify that such an authority is a national regulator, leaving the door open for the EDPB to act as the ultimate arbiter of data protection compliance.

Second, and as argued with Giulia Gentile, the EDPB and the Court must defend the equality of data protection authorities. Many of the problems with the one-stop-shop stem from the preponderant role played by the lead authority, including its initial role in defining the scope and direction of investigations. This outsized role is problematic for numerous reasons, most notably that it limits the role of concerned regulators in protecting fundamental rights; delegitimises the choice of the legislature to curb the actions of the more active authorities to foster a Europeanised approach to enforcement; and, it has prevented national authorities from becoming agents of EU law, as envisaged by the GDPR. The EDPB is therefore legally justified in curtailing the discretion and independence of the Irish regulator precisely to preserve the independence of peer regulators and the legitimacy of the system. While the GDPR does not explicitly refer to the equality between regulators, there is plenty of implicit support for this principle to be found in its provisions (a combined reading of Article 61(1) and recital 13 GDPR, in light of Article 4(3) TEU and Article 41 EU Charter, emphasises the requirement for sincere cooperation). The Irish appeal against the EDPB decision offers the EU Courts the opportunity to expand upon the duty of loyal cooperation in this field and to emphasise the importance of regulator equality to the future functioning of the cooperation and consistency mechanisms. Independence must be interpreted in light of its ultimate purpose: securing more effective fundamental rights protection.


Are the fines fine? A tale of disharmony and opacity of GDPR enforcement

The GDPR is often mentioned in the same breath as administrative fines. Elevated fines gain media attention, and likewise, if a data protection authority (DPA) does not issue fines there is an outcry of the lack of enforcement. Do the fines work in ensuring compliance with the GDPR, and ultimately protect the fundamental right to data protection? The simple answer: We don’t know.

Fines should be ‘effective, proportionate and dissuasive’

Article 58 of the GDPR gives the DPAs a variety of corrective powers. Administrative fines in accordance with Article 83 can be imposed in addition to or instead of any of these measures. However, the fines have taken the centre stage. While regulatory theory emphasises that regulation and enforcement is a step-by-step approach with progressively more deterrent sanctions, the success of the GDPR seems to be measured by the number and amount of issued fines.

The aim of fines as an enforcement mechanism is to influence behaviour and ensure compliance by punishing non-compliance. Thus, fines should have both a punitive and deterrent effect. Economic theory on optimal deterrence says that the expected fine should equal the harm caused by the infringement, or alternatively the gain to the violator plus a safety margin.

The fine structure of the GDPR is modelled on competition law, and we find similar fines in the Digital Services Act, Digital Markets Act, Data Act, Data Governance Act and AI Act. However, even if fines have been used under EU competition law for the past decade, there is no evidence that they contribute to better compliance. The EU Court of Auditors found that there has been no overall evaluation of the deterrent effect of fines under competition law, and recommended that the Commission take action to perform a study of the deterrent effect of fines. Thus, replicating fines from competition law also replicates ignorance of their effect.

The size of fines

At first glance, the fine of 1,2 billion euro imposed on Meta for the continued transfer of personal data to the US following the Schrems judgment seems high, but it amounts to roughly 1 percent of annual turnover. If the fines are meant to be dissuasive, the DPAs should take note of whether the fines issued under competition law have had the desired punitive and deterrent effects. Google has been fined more than 8 billion euro for infringement of EU competition rules, and yet there are no changes in behaviour as the company continues to be dominant in the European market. In 2019 the US Federal Trade Commission issued a fine of 9 billion USD to Facebook for violating consumers’ privacy. Although high on paper, the fine equaled a month’s revenue and the market reacted positively with an increase in Facebook’s share value.

i. Naomi Lintvedt is a Doctoral Research Fellow at the Norwegian Research Center for Computers and Law. Her research project is on privacy regulation of AI and human-robot interaction. This op-ed is based on her article ‘Putting a price on data protection infringement’, published in International Data Privacy Law (2022) vol. 12 issue 1.

This is not to say that fines should not be issued, but rather that the DPAs need to up their fines game if they continue to rely on fines as their main enforcement measure. In the case of Meta, the maximum fine would assumably be over 4 billion euro. It would certainly be contested by Meta, but it would make for some interesting case law, and who wouldn’t like that?

And why shouldn’t infringement of a fundamental right protected by the EU Charter be fined as severely as disruption of the market under competition law? The tool is given in the GDPR, but the DPAs need to decide if they want to use it at full force. The dispute resolutions under Article 65 have shown considerable differences in the approach to enforcement between the DPAs, and especially the setting of fines, as elaborated by Lynskey. This is only partly solved by the binding decisions of the European Data Protection Board (EDPB), as the final decision is with the member state DPA. As Kuner commented, more coherent enforcement may require a pan-European enforcement body. On that note, it should be mentioned that under competition rules the European Commission has the power to initiate enforcement procedures and impose any remedy, including fines.

The lack of transparency

Economic theory and responsive regulatory theory point to transparency as essential in the use of sanctions. If there is no publicity and transparency about imposed fines, the deterrent effects will be limited.

It is ironic that while transparency is a data protection principle, there are no harmonised transparency requirements for the DPAs’ enforcement activities. Whereas the DPAs are required to draw up an annual report on their activities, this may include a list of types of enforcement measures taken (Article 59). Thus, it is not a requirement to report enforcement measures, including imposed fines, nor that the list is complete. Whether the DPAs publish enforcement decisions is subject to national law. Some Member States have more restrictive practices, such as Luxembourg (the DPA does not publish draft decisions of imposed fines with reference to professional secrecy) and Ireland (the DPA is only partially subject to the Freedom of Information Act). If not limited by national law, the publication of imposed fines is at the discretion of the DPAs. Some DPAs publish lists of all decisions, others a selection, yet others publish press releases for significant decisions. In short, there is no uniform practice.

Neither does the EDPB keep an overview. The publication of DPA enforcements on their website are mere re-publications of press statements from the DPAs. The EDPB is not given the task of having oversight of enforcement decisions by the DPAs, unless handled in the consistency mechanism (Article 70(1)(y)). Neither is the EDPB required to give an overview of the DPAs’ decisions in their annual report (Article 71). So, although the EDPB is tasked with ensuring ‘the consistent application’ of the GDPR (Article 70(1)), the Board has no mechanisms to keep oversight of the fine practices of the DPAs. Thus, the EDPB, as well as other stakeholders, lack a knowledge base to evaluate and review the effects of fines.


The most comprehensive overview of fines is offered by a law firm. It is based on publicly available information and therefore not complete. According to this list, the number of issued fines range from 1 (Liechtenstein) to 646 (Spain), with a total of 1822 and an average of 62 per country, with amounts from 28 euro to 746 million euro (with all possible reservations and disclaimers since this is my unscientific counting based on an incomplete dataset).

So how can we possibly know what effect the fines have when we don’t even have a complete overview of the fines? In 2021, the Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) of the European Parliament requested the EDPB to share statistics on, inter alia, enforcement actions of the DPAs. It is the most informative report so far from the EDPB on the fine practices of the DPAs.

The national DPAs and the EDPB ought to at least publish basic statistics of the number of issued fines, the amounts, how many were contested and the number of final decisions. This would not be sufficient to evaluate the effect of fines, but it would provide for a minimum of transparency.

Opening the enforcement toolbox

The DPAs have other powers at hand than issuing fines. For many controllers the most severe would be an order to erase personal data or a limitation or ban on processing. It can disrupt a business model and even put companies out of business. That would certainly have an effect.

To what extent the DPAs use the other measures foreseen in Article 58 is as opaque as their imposition of fines. Many such decisions never reach the headlines, with the occasional case getting attention because fines were not issued. Both the EDPB and the DPAs have a pedagogical task in explaining that enforcement is not only about the fines. This would require transparency on decisions, and that the DPAs evaluate the effects of the measures. Of course, it also requires that they use these corrective powers, and do not shy away from imposing the stricter measures when necessary.

One example is the Norwegian DPA’s decision on a temporary ban on processing by the Norwegian COVID-19 tracing app. It eventually led to the app being discarded and the erasure of the collected personal data. For the affected individuals, the effect was more restorative than a fine would have been.

It is pertinent to question why the decisions on Google by the French DPA in 2019 and the recent decision on Meta’s lack of legal basis for behavioural advertising by the Irish DPA did not include orders to erase personal data processed without valid legal basis, and in the case of Meta, a temporary ban on processing for behavioural advertising until corrective orders have been implemented. Without adequate measures that aim at ceasing or correcting non-compliance, the fines appear more like fees than being ‘effective, proportionate and dissuasive.’

In the case on Meta’s transfer of data to the US, let us not be blinded by the many zeros in a billion. The substantial enforcement measures with effect for the data subjects are the orders to suspend future transfers and to ‘bring its processing operations into compliance … by ceasing the unlawful processing, including storage’. The latter is ambiguous. Does ‘ceasing processing including storage’ mean deletion of previously collected personal data? That would certainly have an effect. However, the Irish DPA does not really agree on the last point, referring to other DPAs insisting on including additional corrective powers. When an authority with the power to enforce openly suggests that it does so unwillingly and does not believe it will be dissuasive, then it most likely won’t.

Attention should also be given to the argument made by the Irish DPA that a suspension order would have severe consequences for Meta’s business, and that they ‘cannot ignore the negative financial consequences that will likely flow from the action that might be required to be taken by Meta Ireland in order to achieve compliance with the orders’ (p 204-205). The logic is peculiar. The very aim of regulation and enforcement is to affect behaviour and to ensure compliance. Often this requires changing business models or altering how goods and services are produced and delivered. It is as if competition authorities would say that they cannot order the break up of a cartel because it would affect the companies financially. With this line of reasoning we can say for certain that enforcement will have no effect in changing behaviours to ensure compliance with the GDPR.

The enforcement theatre

When not issuing fines, the DPAs are criticised for being mellow. And when setting fines, it can appear that order is resettled, while in fact there may not be any restoration. After all, the data subjects are not beneficiaries of the fines. Our concern should therefore not be the size of the fines, but whether the DPAs are enforcing the GDPR with the adequate and necessary means in their toolbox to ensure the data protection rights of individuals.

Alas, we may be watching an enforcement theatre – but how would we know?


Do data subjects have a right to detailed disclosure of how an automated decision has been made (‘right to explanation’)?

I. Introduction

If affected by an automated decision, data subjects shall enjoy safeguards such as to express their point of view and to contest the decision (Article 22(3) GDPR). Automated decisions and their involved logic shall be explained to data subjects (Article 15(1h) GDPR, Recitals 63 and 71). Yet, as of today, there is neither legal certainty nor a uniform opinion throughout the EU whether these stipulations create a ‘right to explanation’ – and if so, to what extent – or not. The answer to this question is essential for data subjects given the increasing number of automated decisions, e.g. in human resources departments, on granting loans online or by ‘buy now pay later’ financiers. The current legal uncertainty is caused by a variety of expressions in the GDPR that are either designed too narrowly or do not sufficiently describe how to balance conflicting interests. However, there is hope that the upcoming interpretation of the relevant regulations by the European Court of Justice (‘the Court of Justice’) will lead to significantly more clarity. Nevertheless, to protect data subjects more effectively, Member States should consider strengthening the role of supervisory bodies.

II. Shortcomings and loopholes of the GDPR

The first crucial point to be discussed is the simple but fundamental question of what constitutes an automated decision and which decisions shall thus be subject to the provisions (in particular Article 22(3), 15(1)(h) GDPR) that have been especially designed to protect the data subjects affected. The definition of Article 22(1) GDPR was intentionally drafted narrowly as ‘decisions based solely on automated processing’, shunning the EP’s suggestion of a broader wording. In other words: The provision is not applicable, as soon as human beings are involved, disregarding that numerous automated data processing operations (e.g. credit scorings) may have predetermined the actual decision of the controller (e.g. a bank that offers a loan). This is very critical, considering for example that thereby those many borrowers are left unprotected who are rated every day by credit-agencies such as Germany’s ‘Schufa’.

Further questions arise from the requirement in Article 22(1) GDPR that automated processing ‘produces legal effects concerning him or her or in a similar way significantly affects him or her’. Strictly speaking, the legal status of a person is not changed by the fact that he or she is denied a loan or a job opportunity, especially since there is no legal right to get a loan or to be hired. Data subjects who claim to be similarly significantly affected by an automated processing will still bear the burden of proof, which will be even heavier in the case of indirect effects of automated processings as shown in the Uber-case decided by the District Court of Amsterdam. Recital 71 of the GDPR or the respective Guidelines of the EDPB only clarify the cases of credit applications and e-recruitments that are mentioned there. Obviously, orientation is needed on whether it is sufficient that the data subject feels affected or whether a more objective perspective should be included.

i. Katrin Blasek, LL.M. is a Full Professor at Technical University of Brandenburg (Germany). She focuses on Commercial Law, Data Law, Media Law and Digitalisation and has published various articles on these subjects. Outside the academia, she has been working as a lawyer in Germany and China and as a managing director at the Federal German Bar, where she organised the implementation of the GDPR. For more information on her publications, please see here.

If, despite all odds, a decision is affirmed to be automated, data subjects seem to find an effective tool to protect their rights by using the right of access pursuant to Article 15(1)(h) GDPR. It guarantees access to ‘meaningful information about the logic involved as well as the significance and envisaged consequences of automated processing operations for the data subject’. However, according to Recital 63, ‘that right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property’. And, ‘the result of those considerations should not be a refusal to provide all information to the data subject.’ What this means for data controllers is being discussed very controversially in academia (see here and here) and practice.

Courts and authorities of some Member States demand, with reference to the EDPB Guidelines (p. 25 and 27), that the information provided must be sufficient for the data subject to understand the reasons of the decision and useful for him or her to challenge it. The GDPR does not require the controller to disclose the full algorithm or to provide a complex explanation of the algorithm. Instead, the controller shall provide the data subject with general information (notably, on factors taken into account for the decision-making process, and on their respective ‘weight’ on an aggregate level) which is also useful for him or her to challenge the decision. This view has been taken by the Gerechtshof Amsterdam and the Austrian Data Protection Authority.

In contrast, the German Federal Civil Supreme Court (BGH) only provides a ‘right to be informed’. Its ruling on credit scores by the Schufa, applying the equivalent provisions of Directive 95/46/EC, balanced the interests now mentioned in Recital 63 in a very different, but controller-friendly way. According to this ruling, controllers do not need to inform about the general calculation parameters such as statistical values, the weight of individual calculation elements in determining probability values or the formation of any reference groups. The BGH argues that the bases for scorings do not need to be disclosed. Data subjects must be informed about not more than the data processed concerning him or her (para. 29). Even though the BGH has not seen an automated decision in the respective case, the ruling shows a strong protection of trade secrets. Based on the information granted by the BGH, data subjects will hardly be able to understand the automated decision. They are left alone with their efforts to express their point of view and to contest the decision. Thus, the information asymmetry between data processors and data subjects is manifest. This is highly problematic because in Germany hardly any credit decision – be it a traditional bank loan or a ‘buy now pay later’ – is made without a Schufa score.

III. The Opinion of Advocate General Pikamäe in SCHUFA Holding (C-634/21)

As mentioned above, an upcoming ruling of the Court of Justice gives reason to hope for more clarity. The Wiesbaden Administrative Court (VG Wiesbaden) had to decide on a case in which a bank requested a Schufa credit score before granting a loan. The loan was not granted and Schufa refused to disclose the calculation methods, as they were protected trade secrets; furthermore, the final decision was taken on the bank’s side. Yet the bank claimed to be unable to provide the data subject with information about how the score was calculated. Seeing a gap in legal protection, the VG Wiesbaden filed a request for a preliminary ruling on the question whether Article 22(1) GDPR applies to a credit score that determines a bank’s credit decision. Advocate General Pikamäe addresses it in his Opinion with regard to the three problems discussed above.

First, referring to Recital 71, the Advocate General considers the automatic rejection of ‘online credits’ without human intervention to be a similarly significant effect pursuant to Article 22(1) GDPR. That the data subject cannot conclude a loan contract may affect its financial status.

In addition, AG Pikamäe argues that using third party scores (e.g. Schufa scores) in banks’ credit decisions constitutes an automated decision pursuant to Article 22(1) GDPR, if that decision (granting the loan or not) is in practice pre-determined by the score to a considerable extent. In that case the score pervades the decision of the third-party controller (para 46 – in German).

Furthermore, the AG opines that, to balance the protection of trade secrets and the protection of personal data, the controller must provide the data subject with general information, especially on factors taken into account for the decision-making process, and on their respective ‘weight’ on an aggregate level, which is also useful for him or her to challenge the decision. Since its use for the data subject is questionable, disclosure or complex explanation of the algorithm is not required (paras 57 and following – in German).

IV. For a stronger role of supervisory bodies

Information is helpful as long as controllers provide it in a useful way and average data subjects can understand it. Anyone who has ever worked in an interdisciplinary team knows the pitfalls of different professional codes. Granted, Article 12 requires information in an ‘easily accessible form’. But it can take years for courts to work out a standard code that is recognized as ‘understandable’ with sufficient legal certainty. At the end of the day, data subjects want to rest assured that algorithms work in an error-free, rational and non-discriminatory way (see Recital 71). According to Article 51(1) and (4) GDPR supervisory bodies shall act ‘with complete independence’ and Member States have to provide them ‘with human, technical and financial resources necessary for the effective performance of their tasks’. So why not think about a stronger role for supervisory bodies instead of hammering out with much energy how information can be useful and understandable. That thought may also be taken up in the discussions on the draft Artificial Intelligence Act (see here and here).

V. Summary

As of today, there is no uniform answer in the EU whether data subjects have a ‘right to explanation’ or only a ‘right to be informed’. Where a ‘right to explanation’ is granted, it requires controllers to provide general information, especially on factors taken into account for the decision-making process, and on their respective ‘weight’ on an aggregate level, so as to be useful for data subjects to challenge an automated decision. The upcoming ruling of the Court of Justice in SCHUFA Holding could now bring legal certainty throughout the EU. Nevertheless, supervisory bodies should play a stronger role in controlling automated decisions.


Processing in the context of employment – Will there ever be consistent rules under or beyond Article 88 GDPR?

Emilia Fronczak i

In view of its up to 70 ‘opening’ clauses and predominantly vague provisions, the GDPR epitomises a certain tendency in EU legislation to blur the distinction between directly applicable Regulations and implementable Directives. The many possibilities – and occasional obligations – for Member States to make or keep their own rules within the scope of the GDPR have spurred the lucid remark that if this is harmonisation, one wonders what diversity would look like. Indeed, diverging national rules on salient matters such as age limits under Article 8 GDPR, automated decision-making under Article 22, representative action under Article 80, freedom of expression and information under Article 85 (see here), or employment-related processing under Article 88 make EU data protection law appear as a patchwork of regimes.

Since the clauses’ raisons d’être vary, ranging from limited EU competencies over tributes to specific subject matters or failed legislative agreements, every single one needs to be interpreted individually. This being said, whether they oblige Member States to enact provisions or merely allow them to, in view of national particularities or to grant enhanced protection, most of these clauses do not permit exemptions from the GDPR rules and principles. Rather, the latter still apply to and within their remit. As the Court has just confirmed in Hauptpersonalrat (C-34/21, paras 68 – 70), all processing of personal data must comply with the processing principles in Article 5 GDPR and be lawful within the meaning of one of the hypotheses exhaustively listed in Article 6 GDPR. In particular, the last requirement was found to oust a national legal basis for processing employee data without consent.

While the Court has thankfully corrected some misguided conceptions about Article 88 GDPR in its judgment, the very purpose of this provision, i.e. the adoption under national law of specific rules for employee data protection, still gives rise to a number of problems.

It starts with the absence of any such rules in many Member States. A recent study counted 11. But even where specific employee data protection rules exist, they do not necessarily govern the most contentious issues. It indeed appears that, just like in other difficult matters (in the field of data protection, one would mention the data retention or ePrivacy files), Member States’ failure to agree on EU rules mirrors internal divergences of opinion which, in turn, complicate efforts to legislate.

i. Emilia Fronczak, LL.M. is a senior associate in the Luxembourg office of an international law firm, where she advises in particular on employment and data protection law.

This leads to the eternal question of whether employee data protection rules should not rather be harmonised at EU level once and for all.

In the employment context, data protection inevitably intersects and overlaps with employment law, the precise nature of which differs from the abstract GDPR rules and principles. In itself, that intertwinement does not mandate Member State rather than EU level regulation, since any sector-specific rules would do the trick. Even though Article 153 TFEU allows only complementary EU legislation in employment matters, workplace data protection is predominantly the latter within the meaning of Article 16 TFEU and has thus correctly been included in the GDPR, although quite sneakily – letting the Member States decide on the specifics.

The modalities of data processing and the specific vulnerability of employees faced with ever more sophisticated processing and surveillance technology are the same in all Member States, thus calling for a common approach.

For multinational companies and all those simply doing business abroad it can be a costly burden to adjust internal procedures to a wide array of different national rules, particularly since half of all processing operations in a company typically concern employee data. HR departments are understandably surprised at being allowed to process racial data for diversity monitoring or to perform extensive background checks including an employee’s criminal record in some jurisdictions (only). Online platforms for personnel management need to be reprogrammed in order to comply with local rules.

The absence of common rules on important aspects of employee data processing is tainting the opportunities provided by the EU’s internal market. As Simitis noted some 25 years ago, the flow of employee data and the centralisation of their processing are natural characteristics of an entrepreneurial activity adapting its organisational structures to a transnational, common market. In current business practice, the diversity of legal regimes sees affluent companies paying for legal advice while smaller companies tend to apply uniform rules and hope to get by.

The many delicate data protection questions arising throughout the COVID-19 pandemic have only confirmed that there should be one comprehensive EU-wide standard.

Alas, renewed attempts to harmonise employee data protection at EU level did not survive the GDPR’s lengthy (pre-)legislative process. The European Commission had notably envisaged laying down harmonised rules for employment relations in the GDPR, but finally relented. Also the initial idea of complementing the ‘General’ Regulation with more specific rules in matters such as employee data by way of delegated acts fell through. For its part, the Parliament did not succeed in its endeavour to see a catalogue of minimum standards included in the Regulation.

What remained as a compromise solution was Article 88 GDPR, which allows Member States to provide, by law or collective agreements and for a number of non-exhaustively listed purposes, for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context (paragraph 1). Those rules shall include suitable and specific measures to safeguard employees’ human dignity, legitimate interests and fundamental rights (paragraph 2) and be notified to the European Commission (paragraph 3).


National rules adopted pursuant to Article 88 GDPR thus appear to be strictly framed.

This is confirmed by the Hauptpersonalrat judgment. You may wish to disagree with the Court’s labelling of the specification faculty in Article 88 as an ‘opening clause’ comparable to, say, Article 85 GDPR, but what counts is that it finds, first, that the rules referred to in that provision must have a normative content specific to the area regulated, which is distinct from the general rules of that Regulation, second, that their objective is to protect employees’ rights and freedoms in respect of the processing of their personal data in the employment context, third, that these rules may cover all the purposes for which the processing of personal data may be carried out in the context of an employment relationship and, fourth, that the Member States have a margin of discretion as regards the processing which is thus subject to those more specific rules. It therefore clearly follows from the wording of Article 88 GDPR that ‘more specific’ may not mean less protective.

For the Court of Justice, the very wording also indicates that paragraph 2 circumscribes the discretion of the Member States insofar as it requires them to include suitable and specific measures to protect the data subjects’ human dignity, legitimate interests and fundamental rights. Even though, from a purely semantic standpoint, that conclusion is not compelling, it is accurate from a systemic and purposive point of view. Indeed, Article 88 GDPR differs from both the substantive provisions of that Regulation and from its genuine opening clauses like Article 85 GDPR to the extent that it confers bounded discretion: Member States may only adopt more specific rules that meet at least the standard which the GDPR would have set if it had established such rules itself.

However, contrary to what the Court of Justice suggests, the lack of harmonisation ensuing therefrom is not sufficiently counterbalanced by the requirement that the remaining differences ‘are accompanied by specific and suitable safeguards intended to protect employees’ rights and freedoms with regard to the processing of their personal data in the employment context’. As long as those safeguards are adopted unilaterally by the Member States (such as e.g. Article L. 261-1 of the Luxembourg Labour Code), they may well, thanks to guidance received from ECtHR case law and WP 29’s Opinion 2/2017, ensure the protection sought by the GDPR, Article 16 TFEU and the applicable fundamental rights, but no harmonisation.

Scholars have recently identified a number of issues in need of ‘more specific rules’ within the meaning of Article 88 GDPR, i.e. collective rights for employees, the exclusion of certain categories of data or processing purposes, data access rights, limits to the reliance on consent and enhanced protection with regard to algorithmic management. They suggest that a common approach to the latter could be derived from the upcoming Platform Work Directive, the rules of which could be extended, under national implementing laws, to all employees. This would certainly be a viable way of coming up with ‘more specific’ rules to be applied and interpreted uniformly by the Court of Justice. But of course only in respect of those Member States that choose this option. So still no harmonisation in sight. And beyond the issue of algorithmic management, a patchwork with big holes.

While, with regard to the issue of collective rights, the different traditions of worker representation across the Member States may still stand in the way of common rules fiercely advocated for by scholars, it is hard to see why such rules cannot be adopted in order to impose restrictions on categories of data or processing purposes, or on recourse to employee consent.


But in view of the discretion granted by Article 88 GDPR, even the adoption of such rules in all Member States would not guarantee their consistency. On top of that, judicial discretion adds another layer of incertitude (as always). The uncertainties companies are facing under this state of play may be illustrated by a recent case involving Amazon warehouses in Germany and, specifically, workflow monitoring by means of the company-owned hand-scanners. Personal data thus obtained were used to manage logistics and evaluate employee performance. Earlier this year, the Hannover administrative court annulled a decision by the Data Protection Authority for Lower Saxony finding Amazon’s practice to be in breach of employee data protection rules. While still applying a national provision (section 26 BDSG) which, following the Hauptpersonalrat judgment, is poised to be voided, the administrative court found with common sense that such processing of employee data was necessary and appropriate for the purpose of steering logistics, qualifying and objectively evaluating employees and taking personnel management decisions accordingly. Presuming that the same reasoning can ultimately be based on ‘more specific rules’ enacted in Germany, there is no certainty that courts in other Member States will use similar common sense when interpreting their domestic rules. Whither consistency?


Striking a Balance: Interpreting the Journalistic Exemption of Article 85 GDPR

Päivi Korpisaari i

The purpose of the GDPR is to protect the fundamental rights and freedoms of natural persons – especially the right to personal data protection – and to harmonise European personal data regulation. Article 85 GDPR on processing and freedom of expression and information is an exemption to the harmonising aim, leaving discretion to Member States as to how to reconcile the right to protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes and those of academic, artistic or literary expression.

However, varying approaches to the ‘journalistic exemption’ across the Member States have led to uncertainty and raised concerns about both privacy and freedom of expression. Additionally, the evolving nature of journalism – where non-traditional actors such as NGOs, private individuals, and even AI can disseminate information globally – adds complexity to the interpretation of this exemption. This piece focuses on the above-mentioned aspect.

The courts are facing a difficult task when judging these cases. In addition to the Court of Justice of the European Union, the European Court of Human Rights also has its say in this ongoing saga. While traditional media outlets and genuine ‘journalism’ may have clearer grounds for claiming the ‘journalistic exemption’, we don’t know where the boundaries are when ordinary people, organisations, and the like disseminate opinions and information. On the other hand, traditional media is expanding into areas that in themselves cannot be considered journalism.

The purpose of the ‘journalistic exemption’ is to ensure the right balance between freedom of expression and protection of personal data

Journalists undoubtedly process substantial amounts of personal data as part of their work, including collection, storage, and publication of data, which could potentially conflict with certain principles and requirements of the GDPR. Because of the latter’s wide applicability, some exemptions appear necessary. Otherwise, for example, the principles of transparency, data minimisation and storage limitation that are set out in Article 5 of the GDPR would hinder journalistic activities, as would the exercise of data subject rights.

i. Päivi Korpisaari (@PKorpisaari) is Professor of Communication Law at the Faculty of Law, University of Helsinki. Her main fields of research are media and communication law, data protection, tort law, constitutional law, human rights law, and criminal law in respect of ‘freedom of expression offences’. She has been leading several research projects relating to data protection, new technologies and freedom of expression. She has worked as an attorney and served at district court and court of appeal before her career at university. For more information on her publications, please see here.


The requirement of a lawful basis for processing in Articles 6 and 9 GDPR would, in many cases, prohibit the publication of data. That is why Article 85 GDPR requires the Member States to reconcile by law the right to protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes and purposes of academic, artistic or literary expression.

What is journalism – and should journalists have wider freedom of expression than others?

Some decades ago, it was easier to define journalism and hence what was meant by ‘journalistic purpose’. Journalism was regarded as a profession, and the concept of journalism was linked to publishing information and other content within the activities of established media companies. Moreover, the same kind of values, strategies and formal codes were widely shared by journalists, and journalistic work was also related to public service (journalists as ‘watchdogs’ and disseminators of information), objectivity, autonomy, immediacy (instantaneous working practices) and journalistic ethics (Deuze 2005 and Deuze 2019).

The evolving media landscape, where the boundaries between journalism and other forms of public communication have become blurred, presents challenges in defining the privileges granted for journalistic purposes (Gleason 2015). This raises the question of whether and how we can defend the privileges that are granted for the purposes of journalism if such a large group of people is entitled to them.

Jurisprudence of the Court of Justice hardly sets limits to the scope of the journalistic exemption

It is currently unclear what kind of activities can claim the exemption. Some cases resolved during the period of the Personal Data Directive (DPD) (95/46/EC) give an indication. When thinking about their significance it must be taken into account that the present wording in the GDPR (2016/679) is even wider than the definition in the DPD, because instead of ‘solely for journalistic purposes’, which was the wording in the DPD, the GDPR mentions only ‘journalistic purposes’ (see Korpisaari 2022)(2).

In Google Spain (C-131/12), the Court of Justice ruled that processing carried out by the operator of a search engine could not benefit from derogations relating to the journalistic exemption. In 2008 in Satakunnan Markkinapörssi Oy (C-73/07) the Grand Chamber of the Court interpreted the journalistic exemption broadly in a case that concerned publishing the income and assets of some 1.2 million persons – which amounted to one-third of all taxable persons in Finland. According to the Court, ‘in order to take account of the importance of the right to freedom of expression in every democratic society’ (para 56), it was necessary ‘to interpret notions relating to that freedom, such as journalism, broadly’. The journalistic exemption did not apply ‘only to media undertakings but also every person engaged in journalism’ (para 58). The Court found that an activity could be ‘classified as “journalistic activities” if their object is the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They are not limited to media undertakings and may be undertaken for profit-making purposes’ (para 61).

(2) DPD: ‘Member States shall provide for exemptions or derogations from the provisions of this Chapter, Chapter IV and Chapter VI for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.’ And GDPR 85(1): ‘Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.’


Later in this case the Finnish Supreme Court found (in KHO 2009:82) that publication of the entire database that included information on taxable income and assets as such could not be considered journalistic activity but as processing of personal data, which those who published that data had no right to perform. Finally, in 2017, the Grand Chamber of the European Court of Human Rights ruled in Satakunnan Markkinapörssi Oy (App. 931/13) that the Finnish authorities had acted within their margin of appreciation and found no violation of freedom of expression, which is guaranteed under Article 10 ECHR. The Court emphasised that the rights under Articles 10 and 8 of the Convention deserved equal respect (paras 123, 163), and that the heart of the case lay in striking the right balance between those two competing rights (para 122). Such comprehensive dissemination of personal data had made it accessible in a manner and to an extent that had not been intended by the legislator. It also differed from the manner and extent to which other media outlets published tax data. The outcome of the judgment can be considered fair and correct because, if publishing personal data registers on such a scale were to be exempted from data protection regulation as journalism, it would partially nullify protection of personal data.

In the most recent CJEU case on the matter, Buivids (C-345/17), Mr Buivids had made a video recording in a police station while making a statement in the context of proceedings that had been brought against him. He had then published the video on the internet site YouTube, showing police officers going about their duties in the police station. The National Data Protection Agency alleged that he had violated personal data protection legislation. The Court of Justice repeated the principles that it and the European Court of Human Rights had expressed in Satakunnan Markkinapörssi, namely that exemptions and derogations in relation to the protection of data provided must apply only in so far as is strictly necessary in order to reconcile the right to privacy with the right to freedom of expression (paras 63 and 64). Recording and publication of the video constituted interference with the fundamental right to privacy of the police officers featured in the video. The factual circumstances of the case had to be considered and it was for the referring court to determine whether the journalistic exemption was applicable.

Indeed, the Court’s reference to teleological interpretation in the Satakunnan Markkinapörssi Oy and Buivids cases emphasizes that the journalistic exemption should be understood in the context of the aims of the Directive and the overall system it establishes. This approach takes into account the broader fundamental rights framework within the European Union, particularly the Charter of Fundamental Rights of the European Union (2012/C 326/02) and its Article 52.

The European Court of Human Rights has accepted limitations to processing of personal data in a journalistic context

The right to be forgotten, now guaranteed in Article 17 GDPR, has previously been recognised by the ECJ in Google Spain. It has also kept the European Court of Human Rights busy. In Hurbain v Belgium (App 57292/16) the claimant was the publisher of a newspaper that had been ordered to render anonymous the digital version of an article published in 1994 and added to the online archive in 2008, in order to respect an individual’s ‘right to be forgotten’. The article mentioned the full name of a person who had caused a fatal road accident. The ECtHR found that the requirement for a publisher to anonymise an article whose lawfulness had not been questioned carried the risk of a chilling effect on press freedom. However, the right to maintain online archives available to the public was not an absolute right but had to be weighed against other rights.


Therefore – and because the domestic court had weighed the balance between a data subject’s right to respect for their private life and the applicant’s right to freedom of expression – the Court found no violation of freedom of expression. The case has since been referred to the Grand Chamber.

In M.L. and W.W. v. Germany (Apps. 60798/10 and 65599/10), the ECtHR prioritised the public’s right to access archived material online over the right to be forgotten of individuals convicted of a high-profile crime – the murder of a famous actor. In turn, in Biancardi v Italy (App. 77419/16) the Court did not find a violation of freedom of expression when a newspaper editor had been ordered to pay 5000 euros as compensation to each claimant for having refused to de-index an article – on a criminal case – which had long been on the internet and was easily accessible by typing names into an internet search engine.

These cases demonstrate the complexity of balancing the right to be forgotten with the right to freedom of expression and information. Each case has been assessed individually, taking into account: the contribution to a debate of public interest; the reputation of the person concerned; the purpose of the article; the subject of the news report; the content, form and consequences of the publication; and the manner and circumstances in which the information was obtained, and its veracity. Also important are such criteria as the length of time for which the article had been kept online, the sensitivity of the data and the gravity of the sanction imposed. Those criteria are also important when national courts are deciding their cases.

Conclusions

The EU Commission found in its two-year report on the GDPR (COM(2020) 264 final) that reconciliation of personal data protection and freedom of expression and information is a specific challenge for national legislation. It seems that, at least in the near future, a unified understanding of the scope of the journalistic exemption will not be reached in EU Member States, nor will the EU begin to define the exemption more precisely. Hopefully, future decisions on the subject from the Court of Justice and the European Court of Human Rights will help.

The ‘journalistic exemption’ must be assessed in the light of the purpose and context of the provision, which are to guarantee dissemination and reception of information as part of freedom of expression. However, the exemption must not be allowed to nullify the protection of privacy and the purposes of the GDPR. Therefore, it is crucial to have a comprehensive understanding of the regulation’s objectives and the broader EU fundamental rights framework. National courts and the Court of Justice play a vital role in shaping this interpretation, employing teleological analysis to consider the aims pursued by the GDPR and the overall EU fundamental rights system. The European Court of Human Rights’ extensive jurisprudence on reconciling freedom of expression and information with privacy protection also provides valuable interpretation criteria.

In addition, it is worth contemplating whether the concept of a specific ‘journalistic exemption’ is necessary or if protection of freedom of expression and information could be safeguarded without being specifically tied to journalism. This is also supported by the fact that the journalistic exemption is only mentioned as one subcategory of the right to freedom of expression and information, along with the purposes of academic, artistic and literary expression. Therefore, while the journalistic exemption is important, it should be viewed within the wider context of safeguarding freedom of expression and information. Thus, Mr. Buivids’ freedom of expression might be protected even if the video he published is not to be considered journalism.

Procedures Matter – What to Address in GDPR reform and a new GDPR Procedural Regulation

Herwig C.H. Hofmann and Lisette Mustert

The first five years of the GDPR have been an educating experience. The GDPR raised the profile of data protection as a fundamental right and a regulatory matter of high importance within the EU, and internationally especially through the Schrems cases concerning the ‘Safe Harbor’ and ‘Privacy Shield’ adequacy decisions. Legislative activity in the EU was also inspirational for a new generation of data protection legislation in various jurisdictions (e.g. California, Japan, Brazil) (see here). But, within the EU, the GDPR faces a credibility problem which, we would argue, arises mostly from shortcomings of its complex composite enforcement system.

To observers of EU administrative law, the GDPR was – from its conception – (in-)famous for the complexity of its system of composite enforcement procedures (see here). The reality confirmed the concerns. The first five years of experience show that some procedures can appear interminably long and slow (the ten years of administrative procedures following the original Schrems complaint of 2013 to the Irish Data Protection Commissioner being one example). In view of concerns about procedural shortcomings, the European Commission has announced work on a new GDPR procedural regulation. But what are the main take-aways from experiences with GDPR enforcement that should be reflected in a GDPR procedural regulation and possibly GDPR reform? Three big topics come to mind: First, the nature of individual enforcement procedures on the basis of individual complaints. Second, the distribution of enforcement powers between national and European bodies. Third, assessing the procedure leading to third country adequacy decisions.

1. Complaints and the role of parties to a complaint procedure

The background to the GDPR’s composite structure is, in principle, based on national authorities applying the GDPR plus, in absence of EU law, national procedural law. Under the GDPR, national authorities are required to cooperate with other DPAs ultimately to reach consensus on the outcome of the decision-making procedure. Enforcement may be influenced by the European Data Protection Board (EDPB) via its opinions, guidance, and binding decisions – a competence limited to dispute settlement procedures under Article 65 and urgent decision-making under Article 66 of the GDPR. Where the EDPB acts, its measures are taken based on a dossier established by a national DPA under national procedural law (see here, here and here). Additionally, DPAs – as well as individual data processors and controllers – must respect adequacy decisions of the Commission.

i. Herwig C.H. Hofmann is Professor of European and Transnational Public Law at the University of Luxembourg.
ii. Lisette Mustert is a PhD candidate at the University of Luxembourg.

Many of the problems in enforcement have arisen from the complex systems set in place for handling complaints (Article 77(1) of the GDPR). DPAs are obliged to handle and investigate, to the extent appropriate, individual complaints, if need be in cooperation with each other. This very much relates to the obligation for DPAs to monitor and enforce the GDPR as laid down in Article 57(1)(a) of the GDPR. Effective judicial remedies must be granted to individuals to defend the associated substantive and procedural rights inscribed in the GDPR as well as in general principles of EU law (see Recital 141). Public enforcement by independent administrative authorities is the prime means of GDPR enforcement. That is crucial in a policy area where damages under Article 82 GDPR are not punitive in nature, and proof must be brought of the relation between a violation of the GDPR rights and an alleged damage (see Case C-300/21 Österreichische Post). Given these difficulties and a lack of incentive to ensure enforcement through private claims, GDPR enforcement relies essentially on public bodies.

Nonetheless, the fact that DPAs have only limited resources has led them to put in place policies of overt and covert selection. Cooperative procedures between DPAs are virtually un-proceduralised in the GDPR – with many problematic ‘cas de figures’ only recently emerging. Problems arise especially from the interaction of legal systems and the co-existence of various administrative law models in Europe.

Uneven enforcement already begins with differences among the Member States regarding the notion of what counts as a ‘complaint’ and questions of admissibility (2). For example, a complaint admissible under the rules of one DPA may not be admissible under the conditions of the ‘lead authority’ as identified under rules of the GDPR. Double admissibility standards may exist between Member States making complaint handling difficult. The dimension of an investigation and possible decision of a case is also problematic in that it can lead to many different outcomes, lack of investigation and conflict between DPAs. Can an administration decide to limit its investigation to certain aspects it deems relevant and if so under which conditions? How about the role of the complainant? In the logic of the GDPR, the individual can lodge a complaint which will be addressed. In reality, a complainant is often treated more like an informer rather than a party to a procedure. The decision as to whether or to which degree the complaint is then addressed depends on a DPA’s resource allocation and internal policy priorities (see for example here).

Approaches and procedures by DPAs as to an investigation also differ, some closing cases by decisions with more or less strict sanctioning strategies, other DPAs preferring to address complaints or investigations through informal agreements or settlements. The cross-border nature of GDPR enforcement in the EU means that a lack of formal decision taking may result in in-transparent case handling, incomplete investigations and file-keeping, incomplete follow up of joined cases, and the impossibility of the DPAs to adequately inform complainants. Unequal enforcement can become, on one hand, a problem for the acceptability of EU law and the existence of a single market. The different approaches of regulatory enforcement can, on the other hand, also result in a race to the bottom in competition between business locations.

The EU legislator had foreseen a system to address inconsistencies in enforcement throughout the Union. As Advocate-General Bobek has argued, the cooperation mechanism offers ways for DPAs to address concerns related to under-enforcement in the area of data protection by its counterpart in another Member State (see his Opinion in case C-645/19). These procedures offer a sort of ‘peer pressure avenues’ among the DPAs.

2. Even within single Member States different criteria of complaints may exist which further confuses the matter. E.g., in the Netherlands, an applicant may choose between bringing a relatively informal ‘complaint’ (‘klachten’) or a more formal request for action.


Nevertheless, the cooperation procedure is the least proceduralised element of the GDPR. It does not live up to its promises. The system is in reality often short-circuited. Tools arising from the cooperation mechanism do not work where complaint handling by informal means becomes the norm. Cooperation procedures may face problems especially where the lead DPA did not engage the concerned DPAs throughout the entire enforcement process. Problems in the cooperation procedure further arise because of some DPAs’ preference for informal complaint handling which short-circuits the one-stop-shop procedure – only draft decisions shall be submitted for consultation to the other concerned DPAs. Secondly, where concerned DPAs are actually involved in the cooperation procedure, strict deadlines for reviewing draft decisions prepared by the lead DPA may form a real barrier to meaningful participation, especially where the lead DPA did not actively engage the other concerned DPAs in the preparation of its draft decision, for which no obligation exists. The latter points at the outsized role for the lead DPA, as emphasized by Lynskey in her contribution.

While the inequality among the DPAs forms real barriers to cooperation, another concern is the role of the EDPB and its ability to settle disputes. The high reliance on sincere cooperation of DPAs in this process, and the lack of any information collection or investigation powers on the side of the EDPB, effectively limit its decision-making capacity. The EDPB relies on the file of the lead DPA, which may have only limited value because of a restrictive approach to investigating a case (EDPB Decision 5/2022).

Given these difficulties in enforcement, companies with cross-border business will increasingly realise that GDPR enforcement tends to be slow and not effective. Some might adjust their business models accordingly.

The GDPR procedural regulation will have to address these issues to avoid the impression of the notion of data protection being less serious than one might think.

2. Possible solutions concerning the distribution between national and European bodies?

Although formally not being recognized as an EU agency, the EDPB is nevertheless a distinct body from the EU institutions, with its own legal personality, permanently set up by secondary law to perform its tasks under EU law (see here). Currently, its main responsibility is to solve disputes among the national DPAs when consensus cannot be found on the outcome of decision-making. Examples include disputes on whether the findings point at an infringement of the GDPR, on the most appropriate, proportionate, and necessary enforcement action to be taken, or on a corrective measure to be imposed. In fulfilling this role, the EDPB is highly reliant on the sincere cooperation of DPAs with regard to informational input for decision-making. Further, the DPAs generally enjoy a certain degree of discretion when implementing the EDPB’s decision addressed to natural or legal persons.

Improvements to the current system could be imaginable by further harmonizing cooperation procedures among the DPAs and by strengthening their possibilities to exercise ‘peer pressure’. Similarly, the role of the EDPB in decision-making could be upgraded to ensure stronger supranational involvement and coordination and thus a more unified interpretation of rules and enforcement approaches in transnational cases. Inspiration for such upgrade to a more integrated administrative cooperation with an enhanced role of an EU agency could be found in rules such as those established for dispute resolution by the European Securities and Markets Authority (see Article 35 of the ESMA Regulation). Possibilities could include equipping the EDPB with powers to initiate dispute resolution when national decisions are not taken within a particular time frame, to request information from data controllers or processors where the DPAs fail to do so, and to allow the EDPB to conduct a follow-up review as to the implementation of its decisions.

A further step could then be to introduce a ‘dual approach’. Large data controllers or processors with a more or less EU-wide activity would fall within the remit of an EU agency, for example, an upgraded EDPB. Member State DPAs would be required to provide input into centralized decision-making by providing evidence, conducting hearings, or undertaking similar investigative steps. On the other hand, more local cases under this model would continue to be addressed by national DPAs. Such a two-level approach is well established for example in banking supervision or EU competition law. The Commission has just recently presented the list of large online platforms under the DSA to be addressed under a special regime. The same could be applicable, in principle, under the GDPR to reduce the dependency on a single national lead authority bearing the burden of pan-EU enforcement. Centralizing enforcement for cases with a Union-wide dimension could also have the effect of simplifying access to judicial review. European agency decisions would be subject to review by the General Court of the Court of Justice of the European Union, which is much more easily accessible to individual plaintiffs from across the EU than a single Member State’s courts.

3. How about the International Dimension?

A last concern in the context of credible GDPR enforcement lies in the Commission’s ability to conduct proper adequacy analysis on foreign jurisdictions. The dramatic double-failure of the Commission in the Safe Harbour and the Privacy Shield regimes, which were invalidated by the CJEU for having violated the essence of EU fundamental rights, including the right to an effective remedy, speaks for itself. The drafts of the new adequacy regime concerning the US do not appear to be a promising change of approach, rather more of the same fare with some cosmetic tweaks. The Commission’s problem in conducting adequacy assessments might be its ‘political capture’, i.e. the Commission’s mixing of foreign trade concerns with fundamental rights protection, a concern that the EDPS already warned of in 2012.

A solution may lie in expanding the EDPB’s competences, for instance, based on a system similar to the European supervisory authorities’ competence to develop technical standards in the context of the European system of financial supervision. While these EU agencies (EBA, EIOPA and ESMA) develop regulatory and implementing technical standards, these need to be adopted by the EU Commission as delegated or implementing acts (Articles 290 and 291 TFEU), but the Commission is in principle barred from making changes to these draft standards without consulting the Agency first. Importantly, this allows for such standards to be more technical or evidence-based, less based on political and strategic considerations of Commission policy preferences in other matters (3).

4. Some considerations

The complexity of the GDPR’s system of composite enforcement has proven a problem. The lead authority concept is not well executed. Solutions should include some procedural harmonisation and a stronger role of a real independent data protection authority (Article 8(3) CFR) on the EU level in charge of taking on EU-wide cases. We also suggest de-politization of adequacy decisions by adding the preparation and drafting of such decisions to the portfolio of an independent EU authority. Our suggestions, not all of which could be addressed by a procedural regulation alone, are designed to move the GDPR system in the direction of improving the allocation of powers, ensuring individual procedural rights and thereby the overall quality and speed of decision making. Irrespective of whether the legislator follows these suggestions or not, the problems outlined are benchmarks for assessing whether a possible new procedural regulation for the GDPR actually manages to address shortcomings in the current situation.

3. See, for instance, Article 10(1) of the ESMA Regulation 1095/2010.

GDPR’s Right to Compensation and the Österreichische Post Case (C-300/21): Major Breakthrough or Much Ado about Nothing?

Jonas Knetsch

What if the ‘Copernican Revolution’ announced for the GDPR enforcement through private actions for damages will never take place due to the inextricable interplay between national and EU tort law rules?

In its recent and much-awaited judgment issued on 4 May 2023 in the case UI v Österreichische Post AG (also known as the ‘Austrian Post Case’), the Court of Justice has made it clear that its margin of appreciation is quite narrow in the field of private enforcement and that a strong impetus for a case-law based framework for private actions is not to be expected from the Luxembourg court. Seen from this perspective, the judgment will leave a stale after-taste.

A quick reminder of the legal context of privacy litigation in the GDPR context: according to Article 82(1), ‘any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered’. This provision is at the core of the private enforcement of data protection rights; its interpretation has thus major implications for business, administration and other organisations. It is also one of the few provisions provided for in a regulation (and not a directive) that can qualify as a direct statutory basis for compensation claims brought before national courts.

What makes the issue so complicated is the particular importance of ‘non-material damage’ in GDPR infringement cases, as violations of data protection rules often imply non-pecuniary rather than pecuniary harm, especially when claims are made by private individuals. As is well known, the compensation of non-pecuniary loss is diversely appreciated throughout the European Union. Whereas in some jurisdictions, such as France, Belgium or Italy, ‘moral harm’ has been identified as a reparable loss for a long time, non-pecuniary loss is still viewed with caution in other EU Member States, legislation or case-law reserving damages only to some cases (mostly personal injury or defamation) or establishing a threshold of seriousness, also known as the de minimis rule. It comes as no surprise, then, that in those jurisdictions where damages for préjudice moral are not part of the legal tradition, both litigation and scholarship are far more intense than elsewhere. What is more intriguing is that the French legal database Légifrance does not list a single case brought before the courts on the basis of art 82(1) GDPR, while the German legal literature reports on dozens and dozens of trial judgments in this matter.

i. Jonas Knetsch is Professor of Civil and Comparative Law at the University of Paris 1 Panthéon-Sorbonne (École de droit de la Sorbonne), Paris, France.

Evidence, if it were needed, of how closely the Österreichische Post case was followed by EU data protection law experts, but also by tort law scholars and practitioners throughout the European Union.

In the case, an Austrian citizen sought compensation of €1,000 from the national postal service provider Österreichische Post, which from 2017 to 2019 collected information on the political affinities of the Austrian population. Using an algorithm, it defined ‘target group addresses’ according to socio-demographic criteria, such as name, home address, sex and age, suggesting that a given individual has a high degree of affinity with certain political parties.

The claimant, who had not consented to the processing of his personal data, argued that he felt great upset, a loss of confidence and a feeling of exposure due to the fact that a particular affinity had been established between him and the right-wing populist party FPÖ. While the national courts granted an injunction, they rejected the claim for compensation on the ground that only a loss beyond the threshold of mere discomfort or unpleasantness would be eligible for compensation. The Austrian Supreme Court decided to stay the proceedings, referring several questions on the exact interpretation of Article 82(1) GDPR to the Court of Justice. The case provided the Court with the opportunity to clarify whether a non-material damage can be inferred from the sole breach of data protection rules and whether the compensation for non-material harm requires the claimants to demonstrate that their loss exceeds a gravity threshold.

It was clear that this request, together with at least six other requests in cases still pending (C-340/21, with the Opinion of the Advocate General issued on 27 April 2023; C-667/21, with the Opinion of the Advocate General issued on 25 May 2023; C-687/21; C-741/21; C-182/22 and C-456/22), put the Court of Justice in a very delicate position, as it is a political issue rather than a legal-technical one which the Luxembourg judges had to address. Indeed, the broader the concept of ‘non-material damage’ were to be interpreted, the more effective private enforcement of data protection rules would become. Or, to put it another way, the establishment of a rule whereby the existence of non-material harm is held as resulting from the sole violation of the GDPR would make private tort law claims a highly efficient instrument to enforce data protection rules, with all the economic side-effects one can imagine.

Probably in recognition of the financial burden possibly arising from such an interpretation, Advocate General Manuel Campos Sánchez-Bordona pleaded in his Opinion for an explicit recognition of a threshold of seriousness, that is an EU-wide de minimis rule in privacy litigation based on Article 82(1) GDPR. He considered as ‘relevant (…) the distinction, suggested to the Court, between non-material damage for which compensation may be awarded and other inconveniences arising as a result of abuse of the law which, owing to their insignificance, do not necessarily create the right to compensation’, also arguing that this distinction, although difficult to implement in practice, ‘is visible in national legal systems as an inevitable corollary of life in society’.

The Court of Justice decided not to follow the Advocate General’s Opinion, trying to find a middle ground between a wide interpretation of Article 82(1) GDPR, which would have provided an important stimulus to private enforcement, and the restrictive vision arising, at least in symbolic terms, from the enshrinement of a de minimis rule.


The Court states in its judgment that ‘it cannot be held that any “infringement” of the provisions of the GDPR, by itself, confers (a) right to compensation (…) such an interpretation would run counter to the wording of’ Article 82(1) GDPR. However, the Court also decides that ‘making compensation for non-material damage subject to a certain threshold of seriousness would risk undermining the coherence of the rules established by the GDPR, since the graduation of such a threshold, on which the possibility or otherwise of obtaining that compensation would depend, would be liable to fluctuate according to the assessment of the courts seized’.

This means in substance that claimants have to establish the existence of a ‘non-material harm’ and of a causal link between the unlawful data processing and that loss. National courts will also have to assess the alleged loss regardless of any criteria of seriousness which might exist under domestic tort law. However, the Court of Justice also makes it clear that ‘national courts must apply the domestic rules of each Member State relating to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with’.

To put it mildly, with these statements, which may seem commonplace, it is likely that the judges in the EU Member States are not smarter than before.

In this regard, the judgment in the Österreichische Post case is rather disappointing, as the central issue (what exactly does ‘non-material harm’ mean under Article 82(1) GDPR?) has still not been addressed by the Court’s judges. Bound by the wording of the regulation, they did not have the fortitude to lay the groundwork for a European understanding of non-pecuniary loss, leaving it to the national courts to scramble for solutions in an area where legal uncertainty is now greater than ever before. The contradictory reactions provoked by the judgment (some consumer protection groups see a ‘turn of an era’, business representatives are relieved that the Court of Justice has removed the legal basis of a significant part of the claims) speak for themselves.

In a journal article on the compensation of non-pecuniary loss in GDPR infringement cases, published in August 2022, I wrote that ‘one cannot exclude the possibility, albeit rather unlikely, that the European Court of Justice decides to avoid this sensitive issue by conferring to the courts of the member states a margin of appreciation’. It turns out that, contrary to my earlier belief, the Court did exactly that.

This, however, is likely to prove the worst possible option, as it will inevitably introduce diverging case law throughout the European Union: depending on cultural sensibilities and recent legal developments, courts of the Member States will most likely adopt different solutions, exacerbating the existing legal uncertainty and generating a genuine risk of forum and law shopping.

But when it comes down to it, the problems are actually due to the fact that EU lawmakers did not want to establish a comprehensive framework for the private enforcement of data protection rules. The same old story of sacrificing the consistency of legal texts on the altar of political compromises à la Bruxelloise.


EU Data protection law & politics – A Candle that burns at both ends?

Dominik Düsterhaus

“My candle burns at both ends; It will not last the night; But ah, my foes, and oh, my friends — It gives a lovely light!”

Our GDPR birthday symposium has been quite a party with generous guests making a dozen pretty presents. The grateful guest editor’s final task shall be to assist the jubilarian in blowing out the candles. After all, at five, some supervision is still a must. This all the more so since, underneath their velvet wrappers, all Op-eds have great incendiary potential. In this sense, Boris Paal accurately set the tone with his clash and battle metaphor. And indeed, as Christopher Kuner concurs, in its negotiation, application and enforcement, the GDPR has always been, and still remains, subject to conflicting interests diligently pursued by their proponents. Legislation, litigation, legal scholarship – the huge commercial value of personal data nourishes a host of actors lobbying on all levels for more or less protection respectively.

The tumultuous politics of EU data protection are widely acknowledged in our Op-eds, calling out ‘visceral disputes’ (Lynskey), ‘political capture’ (Hofmann & Mustert), ‘confused relations between law and politics’ (Kuner) or ‘individual policy and ideology’ fueling the debates (Dehmel). The ‘political compromises à la Bruxelloise’ which Jonas Knetsch deplores certainly mark not only the GDPR and other data protection files mentioned by Emilia Fronczak, but any (EU) legislation possibly affecting business, trade or similar interests. The different strategies aimed at preventing or watering down protective rules are well documented. As regards the GDPR, they seemingly continue to be deployed so as to ensure that its vague provisions are applied as desired. Particularly telling in this connection is the copious scholarly output on the interpretation of GDPR provisions which, such as Article 82, could boost its effective enforcement. Vigorous suggestions in the (predominantly German) legal literature that compensation should be conditioned by a threshold of seriousness indeed appear to have spurred the preliminary ruling reference in Österreichische Post, commented on by Knetsch.

i. Dominik Düsterhaus is a référendaire at the Court of Justice of the European Union and kindly accepted to serve as the guest editor of this month’s GDPR anniversary symposium.

EU Data Sovereignty

Although this term is not currently used in GDPR scholarship, EU data sovereignty seems to fittingly depict a certain euro-centrist belief that, through its virtually unlimited territorial scope, its strict conditions for data transfers, or both, the protection standard granted by the GDPR applies to EU data wherever they go. As both Kuner and Dehmel write in their pieces, this belief may be shattered in view of global practices and international cooperation based on more lenient standards. There nevertheless seems to be a certain disagreement among the contributors as to how the EU should best confront these realities, some scorning excessive formalism, while others precisely call for more technical or evidence-based standards, untainted by political and strategic considerations.

As regards the EU-US Data Privacy Framework, Dehmel fears that the EP’s and ‘other stakeholders’’ unrealistic claims may jeopardize the reasonable compromise which has arguably been struck. Conversely, Kuner, whilst conceding improved protections in comparison with the Privacy Shield, notes that political pressure has led to questionable compromises, such as the continued authorization to inflect the data protection principles. This assessment is echoed by Hofmann & Mustert, who see ‘more of the same fare with some cosmetic tweaks’. Whilst the Irish DPC appears to have sided with the latter opinions, both its decision and the framework’s adequacy may still and once again be a matter for the EU courts.

Technology Neutrality

Recital 15 of the GDPR states that in order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. This deliberate stance in favor of data protection no matter what technology affects us must not be overlooked when pondering how to accommodate the use of artificial intelligence under the GDPR. Even though, as Paal rightly notes, there is no express provision for this other than Article 22, analysed by Blasek, technology neutrality means that the entire Regulation applies whenever personal data is processed, be it only incidentally.

A purpose-based interpretation of the GDPR, advocated by Paal, needs to take into account the holistic approach underpinning the Regulation, as expressed by the requirements of data protection by design and by default set out in its Article 25. In view of the breathtaking progress made by AI developers as of late, it is a pity that a meaningful debate on how DPAs apply the GDPR in this context has only now begun. But just like the legislature’s last-minute reckoning on the need of additional safeguards in the draft AI act, it’s a relief that it happens at all.

Diversity

If, as Judge Safjan recently wrote on EU Law Live, the constant clash of unity and diversity is an essential feature of the European Union, the GDPR brilliantly encapsulates the essence of EU law. Fronczak rightly notes the abundance of opening clauses and vague provisions, the latter sometimes outlasting their binding interpretation (Knetsch), while Korpisaari specifically calls for judicial guidance on how to strike the balance between data protection and freedom of expression and information. Finally, Lynskey and Hofmann & Mustert show how the absence of common procedural rules hampers transnational GDPR enforcement.

In view of the conflicting interests and sensibilities underpinning the regulation of certain matters, total harmonization under EU law is highly illusionary. Even though the GDPR could certainly have left less room for national diversification, allowing specific national rules in fields traditionally not subject to harmonization bears a certain logic. Even possible EU acts laying down such rules would have to leave the Member States some leeway. Moreover, as Fronczak underlines, most questions can indeed be solved under the rules of the GDPR. For example, in order to exclude overly broad ideas of what is necessary for the performance of an employment contract, a binding interpretation of Article 6(1)(b) GDPR would suffice.

As regards the genuine opening clause of Article 85 GDPR, one may agree with Korpisaari that there won’t be a unified understanding of its content and scope any time soon. This being said and beyond the general requirement that using this exemption must not void the GDPR rules, it would appear that national legislation not striking an appropriate balance violates both Article 85 GDPR and the applicable Charter rights. In respect of Member States which, unlike Finland, fear transparency as well as freedom of expression, the very real danger of the GDPR being misused and instrumentalised to obstruct public interest journalism may require specific safeguards.

The need for at least some common procedural rules facilitating the (transnational) enforcement of the GDPR is universally acknowledged, and the Commission initiative hopefully resulting in a Regulation can only be welcomed. It comes (too) late, though, and will take (at least) a very long time to be adopted. In any case, and beyond the concrete suggestions made by Hofmann & Mustert, it is worth noting that, among the comments received by the Commission, there is already a very reasonable draft of a possible procedural Regulation submitted by noyb.

Public Enforcement

Whether the establishment of a genuine pan-European enforcement body, suggested by Kuner, Lintvedt and Hofmann & Mustert, would take longer than the adoption of common procedural rules is an intriguing, if futile, speculation. Neither will happen any time soon. The opacity, inconsistency and, to some extent, absence of enforcement decision-making could be remedied easily and in no time, though. Lynskey moreover makes a convincing case for the legitimacy of the EDPB's consistent defence of the prerogatives of all DPAs.

While, as Lintvedt convincingly argues, enforcement is not only about the fines, the circumstances surrounding the recently published €1.2 billion fine which the DPC had to inflict on Meta appear to support the doubts voiced in her piece. Also, under her and noyb's calculation, the fine is substantially below the maximum allowed. Finally, as if in response to Lintvedt, Luxembourg's CNPD now says it may increase its fines and start disclosing the names of the companies fined.

Private Enforcement

As Knetsch poignantly notes, the Copernican revolution of a right to compensation for the sole violation of the GDPR has not taken place. Conversely, the Court in Österreichische Post clarified that there is no basis whatsoever in the Regulation for a 'threshold of seriousness'. Thus back to square one for private enforcement, it would seem. Over the years, some groundwork has been laid by Austrian activist Max Schrems and his data protection powerhouse noyb, who continue to encourage data subjects to avail themselves of possibilities to aggregate claims and/or see their interests pursued by representative action. While Article 80 GDPR gives diversity yet another nod by making such action subject to national law, and an attempt by M. Schrems to base an atypical class action by aggregation on the Brussels I rules on international jurisdiction over consumer contracts failed, attention now turns to the domestic implementation of the EU collective redress directive, applicable from 25 June of this year.

Looking ahead

The next Commission review of the GDPR is due in 2024, and this time it may be less cautious than in 2020, even if it will hardly pursue all the proposals that stakeholders and scholars have made over the last years. If the Op-eds of our symposium support the impression that the GDPR and its application, interpretation and enforcement leave much to be desired, this only reflects the conflicting interests at stake. While your guest editor certainly hopes that the under-enforcement of its rules will be successfully tackled and a lasting solution for fundamental-rights-compliant data transfers found, there is reason to believe that the Commission will appropriately exercise its duty to supervise the 5-year-old GDPR playing with candles, and not give in to a myriad of conflicting claims complicating its comprehensible and balanced rules. To do so would mean lighting it at both ends.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the publishers.

Permission to use this content must be obtained from the copyright owner.

Editor-in-Chief: Daniel Sarmiento

In-Depth and Weekend Edition Editor: Sara Iglesias Sánchez

Editorial Board:

Maja Brkan, Pablo Ibañez Colomo, Marco Lamandini, Adolfo Martín, Jorge Piernas, Ana Ramalho, René Repasi, Anne-Lise Sibony, Araceli Turmo, Isabelle Van Damme, Maria Dolores Utrilla and Maria Weimer

Subscription prices are available upon request. Please contact our sales department for further information at subscriptions@eulawlive.com

EU LAW LIVE 2023 © ALL RIGHTS RESERVED